Reframing the Metadata Debate with Privacy Preserving Lawful Access Technologies (PPLATs)
Student Writer, Windsor Law LTEC Lab
On September 19, 2018, Windsor Law LTEC Lab had the pleasure of hosting Professor Lisa Austin (
What is Metadata?
To put it simply, where the contents of a communication are the words of a text message, transmission metadata may include the time it was sent and received, the phone numbers that sent and received it and the locations of those phone numbers. Subscriber information is yet another category of metadata, and this may include the phone plan you are on, your billing address, your name and ultimately, your identity.
Section 8 of the Canadian Charter of Rights and Freedoms sets forth the constitutional framework for lawful access to data, guaranteeing that “[e]veryone has the right to be secure against unreasonable search or seizure.” In Hunter v Southam, the Supreme Court of Canada held that the state must obtain authorization – such as a warrant – prior to accessing information for which there is a reasonable expectation of privacy. The standard for the issuance of a warrant is that of “reasonable and probable grounds” of believing “that an
In R v Spencer, the Supreme Court unanimously decided that subscriber information stored by a telecommunications company accords a reasonable expectation of privacy. The effect of these two judgments combined is that the state must obtain a warrant prior to accessing subscriber metadata. Did Spencer put an end to the metadata debate? Not quite. There have been attempts to legislate around the decision, with the RCMP stating that they need warrantless access to subscriber metadata. The state continues to request warrantless access to metadata. Additionally, the Cybercrime Working Group has offered interpretations of Spencer that enable potential workarounds.
Access to Metadata Is Not Necessarily Less Invasive Than Content
Professor Austin and her colleagues reject this categorical approach, under which metadata is treated as inherently less private than content. Instead, they argue that the degree of privacy attached to communications metadata depends upon the context of its use by law enforcement authorities rather than on this abstract, categorical notion of the nature of the information. To be clear, metadata is not necessarily less invasive than content. It reveals who you are and where you called from. A phone call to an abortion clinic, for example, is quite revealing regardless of what was said; the mere fact that you called can matter even more than what you actually said. Yet, it is precisely these forms of metadata that receive
Preserving Privacy During “Cell Tower Dumps”
In investigating a crime, law enforcement authorities may need to determine the number of people that were at the scene of the crime at the relevant time. They may require access to a record of every individual phone number that connected to a particular cell tower. From a technical perspective, they do not require access to any personally identifiable information in making these determinations. Professor Austin and her colleagues propose the following protocol:
1. The law enforcement authority requests that the service provider find all of the relevant metadata and encrypt it.
2. Proximity analysis is performed on the encrypted data to determine the number of distinct cell phone numbers that meet the investigative criteria.
3. The law enforcement body is provided with this number, and only this number.
4. The number is then independently verified in order to ensure that the process and its outputs are correct.
5. The law enforcement authority can then seek a warrant to obtain the identities of these individuals, subject to satisfying the Southam
The system performs its own analysis rather than handing the data to the law enforcement body to analyze. When asked how many people were present at a particular location at a particular time, the system analyzes the data and answers only that question, without revealing any personally identifiable information. As a result, a warrant is unnecessary at this stage. A warrant could then be granted – meeting the Southam standard – to ascertain information about the individuals, provided that the number of people at the location is reasonably small. A high number of people at the location would be too speculative, whereas a low number is more likely to meet the reasonable and probable grounds test. But what if time is of the essence and the law enforcement body needs information immediately? Do we throw privacy rights out the window, even for a brief period of time?
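The five-step cell tower dump protocol can be simulated end to end. The following is an added illustration written for this summary; it is not code from Austin et al.'s project, whose actual cryptographic construction is not described above. It assumes a keyed hash (HMAC-SHA256 under a key held only by the provider) as a stand-in for the "encrypt it" step, a constructed sample of connection records with fictional numbers and tower identifiers, and a separate verification routine standing in for the independent check of step 4. Law enforcement receives an integer; the mapping from tag back to subscriber stays with the provider and is released only by the warrant step.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ConnectionRecord:
    """One tower connection as the provider logs it: this is transmission metadata."""
    phone_number: str
    tower_id: str
    connected_at: datetime


# Constructed sample log (fictional numbers and towers), not real provider data.
SAMPLE_RECORDS = [
    ConnectionRecord("+1-555-0101", "TOWER-A", datetime(2018, 9, 19, 21, 5)),
    ConnectionRecord("+1-555-0101", "TOWER-A", datetime(2018, 9, 19, 21, 40)),  # same phone again
    ConnectionRecord("+1-555-0102", "TOWER-A", datetime(2018, 9, 19, 21, 12)),
    ConnectionRecord("+1-555-0103", "TOWER-A", datetime(2018, 9, 19, 22, 30)),  # outside the window
    ConnectionRecord("+1-555-0104", "TOWER-B", datetime(2018, 9, 19, 21, 20)),  # different tower
    ConnectionRecord("+1-555-0105", "TOWER-A", datetime(2018, 9, 19, 21, 55)),
]
# The investigative question: how many distinct handsets were at TOWER-A between 21:00 and 22:00?
WINDOW_START = datetime(2018, 9, 19, 21, 0)
WINDOW_END = datetime(2018, 9, 19, 22, 0)


class ServiceProvider:
    """Holds the raw records and the only key that links tags back to subscribers."""

    def __init__(self, key: bytes, records):
        self._key = key
        self._records = list(records)
        self._lookup = {}  # tag -> phone number; never leaves the provider

    def _pseudonymize(self, number: str) -> str:
        # Keyed hash as an assumed stand-in for the protocol's encryption step: the same
        # number always yields the same tag, so distinct tags can be counted, but the
        # number cannot be recovered from the tag without the provider's key.
        tag = hmac.new(self._key, number.encode(), hashlib.sha256).hexdigest()
        self._lookup[tag] = number
        return tag

    def prepare_dataset(self):
        """Step 1: find all the metadata and replace every phone number with its tag."""
        return [(self._pseudonymize(r.phone_number), r.tower_id, r.connected_at)
                for r in self._records]

    def reidentify(self, tags, warrant_granted: bool):
        """Step 5: identities are released only once a warrant has been obtained."""
        if not warrant_granted:
            raise PermissionError("subscriber identities require a warrant")
        return {tag: self._lookup[tag] for tag in tags}


def tags_at_tower(dataset, tower_id, start, end):
    """Step 2: the tags of distinct handsets seen at the tower within [start, end]."""
    return {tag for tag, tower, at in dataset if tower == tower_id and start <= at <= end}


def proximity_count(dataset, tower_id, start, end) -> int:
    """Step 3: what law enforcement receives, a single number and nothing else."""
    return len(tags_at_tower(dataset, tower_id, start, end))


def independent_verification(dataset, tower_id, start, end, reported_count) -> bool:
    """Step 4: a separate party recomputes the count and checks that the dataset it
    worked from contains only tags (64 hex characters), not raw phone numbers."""
    only_tags = all(len(tag) == 64 and all(c in "0123456789abcdef" for c in tag)
                    for tag, _, _ in dataset)
    seen = set()
    for tag, tower, at in dataset:
        if tower == tower_id and start <= at <= end:
            seen.add(tag)
    return only_tags and len(seen) == reported_count


def run_protocol(records, key, tower_id, start, end):
    """Steps 1 to 4 end to end; returns only the count and whether it verified."""
    provider = ServiceProvider(key, records)
    dataset = provider.prepare_dataset()
    count = proximity_count(dataset, tower_id, start, end)
    verified = independent_verification(dataset, tower_id, start, end, count)
    return {"count": count, "verified": verified}


if __name__ == "__main__":
    print(run_protocol(SAMPLE_RECORDS, b"provider-secret-key", "TOWER-A", WINDOW_START, WINDOW_END))
```

Running it reports three distinct handsets (one phone connected twice, one connection fell outside the window and one was on another tower), and the verification passes. Whether three is "reasonably small" enough to support a warrant is a judicial question the code does not attempt to answer; it only ensures that nothing beyond the count leaves the provider until that warrant exists.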
Auditing Exigent Circumstances
During “exigent circumstances,” law enforcement authorities can forego the requirement of a warrant in order to access data quickly. This is otherwise referred to as “warrantless access.” However, the service providers from which the police request the metadata are wary of handing over entire swaths of information about their customers, especially when they are not convinced that police have properly invoked the exception. Therefore, service providers find themselves acting as gatekeepers and engaging in these exercises of judgment, often denying such requests. While these exercises of judgment can help protect the privacy of their customers, they undermine the ability of law enforcement bodies to react quickly in real emergency situations. The exigent circumstances exception exists to allow police to have that timely access to data.
Professor Austin and her colleagues developed a protocol for addressing this issue that removes this discretion and hands over the metadata, but checks for abuse afterward. In order to do so, service providers would be directed to initially accept law enforcement’s legal authority to determine the existence of exigent circumstances. This helps to address both the timeliness and the discretion issues. Austin et al. propose the following:
1. When the law enforcement body makes an exigent circumstances request, it would also make a separate report to an independent auditor.
2. After fulfilling the request, the service provider would make a report to the same independent auditor.
3. The two reports would be checked against one another by the independent auditor, and any potential discrepancies between the two reports would be further investigated by the independent auditor.
4. The independent auditor would prepare annual transparency reports that provide further details on exigent circumstances requests.
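The auditor's reconciliation in steps 3 and 4 is simple to express in code. The example below is added for this summary and is not Austin et al.'s own system; the report fields (request id, agency, provider, date, record counts) and the sample reports for one fictional year are constructed assumptions, since the page does not specify what the two reports contain. The point it shows is that after-the-fact review works without any discretion at the time of the request: the provider hands the data over, and a request that police never reported, a disclosure larger than the request, or a reported request with no disclosure all surface as findings, while the annual transparency figures are aggregates that carry no request-level identifiers.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class ExigentRequestReport:
    """Filed by the law enforcement body at the time of the request (step 1)."""
    request_id: str
    agency: str
    provider: str
    requested_on: date
    records_requested: int


@dataclass(frozen=True)
class ProviderDisclosureReport:
    """Filed by the service provider after fulfilling the request (step 2)."""
    request_id: str
    provider: str
    disclosed_on: date
    records_disclosed: int


# Constructed sample reports for one reporting year; agencies, carriers and ids are fictional.
LE_REPORTS = [
    ExigentRequestReport("REQ-2018-001", "Agency A", "Carrier X", date(2018, 2, 3), 1),
    ExigentRequestReport("REQ-2018-002", "Agency A", "Carrier X", date(2018, 5, 9), 2),
    ExigentRequestReport("REQ-2018-003", "Agency B", "Carrier Y", date(2018, 8, 21), 1),
]
PROVIDER_REPORTS = [
    ProviderDisclosureReport("REQ-2018-001", "Carrier X", date(2018, 2, 3), 1),
    ProviderDisclosureReport("REQ-2018-002", "Carrier X", date(2018, 5, 9), 5),   # more than requested
    ProviderDisclosureReport("REQ-2018-004", "Carrier Y", date(2018, 11, 2), 3),  # never reported by police
]


def reconcile(le_reports, provider_reports):
    """Step 3: match the two report streams by request id and list every discrepancy
    as (request_id, description) for the auditor to investigate further."""
    by_le = {r.request_id: r for r in le_reports}
    by_provider = {r.request_id: r for r in provider_reports}
    findings = []
    for rid, le in by_le.items():
        prov = by_provider.get(rid)
        if prov is None:
            findings.append((rid, "reported request has no provider disclosure report"))
            continue
        if prov.provider != le.provider:
            findings.append((rid, "the two reports name different providers"))
        if prov.disclosed_on < le.requested_on:
            findings.append((rid, "disclosure dated before the request"))
        if prov.records_disclosed > le.records_requested:
            findings.append((rid, f"provider disclosed {prov.records_disclosed} records "
                                  f"but police reported requesting {le.records_requested}"))
    for rid in sorted(by_provider.keys() - by_le.keys()):
        findings.append((rid, "disclosure has no matching law enforcement report"))
    return sorted(findings)


def transparency_report(le_reports, provider_reports, findings, year):
    """Step 4: annual figures only; no request ids, subscribers or other identifiers."""
    le_year = [r for r in le_reports if r.requested_on.year == year]
    prov_year = [r for r in provider_reports if r.disclosed_on.year == year]
    return {
        "year": year,
        "requests_reported_by_police": len(le_year),
        "disclosures_reported_by_providers": len(prov_year),
        "requests_by_agency": dict(Counter(r.agency for r in le_year)),
        "disclosures_by_provider": dict(Counter(r.provider for r in prov_year)),
        "records_disclosed_total": sum(r.records_disclosed for r in prov_year),
        "discrepancies_referred_for_investigation": len(findings),
    }


if __name__ == "__main__":
    found = reconcile(LE_REPORTS, PROVIDER_REPORTS)
    for rid, why in found:
        print(rid, "-", why)
    print(transparency_report(LE_REPORTS, PROVIDER_REPORTS, found, 2018))
```

On the sample data the auditor gets three findings: REQ-2018-002 disclosed more records than were requested, REQ-2018-003 was requested but never fulfilled (or the provider failed to report it), and REQ-2018-004 was fulfilled without any police report. Only the counts of those findings reach the public transparency report.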
The Idea That Metadata Invokes a Lesser Privacy Right Is Not Suited to the Digital Age
MIT Computer Science Professor Daniel Weitzner has said that metadata is potentially even more revealing than actual content because it is “much easier to analyze the patterns in a large universe of metadata and correlate them with real-world events than it is to go through a semantic analysis of all of someone’s email and all of someone’s telephone calls.” Indeed, the idea that metadata invokes a lesser privacy right is not suited to the digital age. These protocols demonstrate ways in which computation can be used to safeguard privacy while simultaneously improving both transparency and accountability. The computer science and policy-based protocols developed by Austin et al. may be the privacy solution that many have been waiting for. Ultimately, the merit of these solutions is that they may improve privacy protections in the context of law enforcement activities without necessitating a change to existing laws.
*This is a summary of the main ideas presented by Professor Lisa Austin at a seminar organized by Windsor Law LTEC Lab on September 19, 2018. I thank Professor Lisa Austin for sharing her presentation and other materials with me. All errors are mine.
 Other than Professor Austin, IT3 Lab’s “Lawful Access” Project comprises the following members: Andrea Slane (University of Ontario Institute of Technology, Faculty of Social Sciences and Humanities); Ian Goldberg (University of Waterloo, Cheriton School of Computer Science); Michael Vonn (Policy Director, British Columbia Civil Liberties Association); David
 Hunter v Southam, 2 SCR 145 at 168 [Southam].
 R v Spencer, 2014 SCC 43 at para 16 [Spencer].
 Jim Bronskill, “RCMP need warrantless access to online subscriber info: Paulson”, Canadian Broadcasting Corporation (25 Nov 2015), online: <https://www.cbc.ca/>.
 The Cybercrime Working Group (CWG) is a subcommittee appointed by the Coordinating Committee of Senior Officials’ (CCSO) Criminal Justice division to study various cybercrime-related matters such as cyberbullying and lawful access in order to make recommendations to a number of government departments based on its findings. Recently, they hosted a roundtable discussion, which included a number of government agencies, in order to discuss the impact of Spencer.
 Austin et al. are currently developing the technical means by which this verification process would occur. The aim of this step of the protocol is to ensure that the process has been followed correctly.
 Please see Professor Weitzner’s interview with the Washington Post: Ellen Nakashima, “Metadata reveals the secrets of social position, company hierarchy, terrorist cells”, The Washington Post (15 June 2013), online: <https://www.washingtonpost.com/>.