Welcome to our fully functional beta site. We welcome all comments
The Informatica blog - Authored by Claudiu Popa

Is the CBSA Treading a Fine Line Between Deterrence and the Erosion of Public Trust?

CBSA surveillance devicesThe Canadian Border Services Agency (CBSA) has installed equipment designed to record video and audio in Canadian airports. This initiative appears to be based on the 2009 amendment to the Customs Act which allows for the creation of "Customs Controlled Areas" (CCA) to "combat organized crime and internal conspiracies". However, a CCA is defined simply as an area where border services officers (BSOs) have the authority to examine goods and to question and search people. So is the bit about audio and video recording just an expensive effort to deter miscreant activity or is it a failure to respect the privacy rights of travellers that will only result in lengthy court challenges and a general distrust of Ottawa's future initiatives?
Looking at the problem quasi-rationally - and resisting the urge to pick up Occam's Razor in the process - we see that the CBSA's issue is with the dozens of criminal gangs operating in Canadian airports. To address the problem, security efforts already in place include background checks, separation of duties and video surveillance. With the amendment to the Customs Act, the CBSA gets expanded powers to examine goods, question and search individuals in controlled areas.
But the announcement indicates that new high definition cameras and audio surveillance equipment have already been installed to increase the CBSA's powers of surveillance. Naturally, the Privacy Commissioner of Canada has criticized the CBSA's decision to withhold a Privacy Impact Assessment (PIA) in this instance. The standard exercise carried out by a PIA process serves to provide visibility into processes that risk to infringe upon the human right of privacy and specifically upon the rights of Canadians to have their personal information protected. The Information and Privacy Commissioner of Ontario has called the decision to introduce audio surveillance "appalling". The concise response from Public Safety Minister Vic Toews was that "the CBSA has strict parameters in place surrounding this program" seemingly indicating that respect for due process to demonstrate support for Canada's privacy laws is firmly in the hands of the CBSA and it simply chooses not to exercise it.
(UPDATE: Vic Toews has said that the "program" is now paused pending a PIA: "It is important for agencies tasked with protecting Canadians to have the right tools to catch smugglers and keep criminals and other unwelcome individuals out of Canada," Toews said via proxy. "It is equally important that these tools do not infringe on individuals' privacy in a way that is unjustified or unnecessary to ensure security.".
- Some would argue that it is even more important to not breach basic human rights in the process, but I doubt that anyone would argue that the whole process has left the public with a bad taste for such "programs". No word on progress nor the results of tests already performed and data collected using the equipment).
Far be it of me to question the government's ability to safeguard the surreptitiously recorded conversations of people who may be within range of the controlled areas, but the last company that inadvertently captured out-of-scope data - Google - was publicly and endlessly skewered on the global stage. This, using equipment of unknown provenance, with potentially unknown security vulnerabilities (no Threat/Risk Assessment has been mentioned) and privacy exposures (since no PIA has been submitted), presumably conforming to some policies which a trustworthy subset of employees has been trained to enforce. This seems like an optimal opportunity to mention a certain book - which expertly covers the very best practices large organizations and government should be following in the management of personal information - but I don't want my reader to detect any bias whatsoever. That said, my focuses on the safety of people and the security of data are paramount and I wholeheartedly support any such initiatives, but such noble goals can easily be attained while still following the normal process and by adopting proper public relations.
What does the law say?
Interestingly, the wording of the amended Customs Act appears to be carefully crafted to introduce confusion. On one hand, it wants to indicate that unattended baggage not belonging to anyone can be inspected and detained. On the other it chooses to state that this applies to "any goods, baggage, package or container ... that is not in the possession of any person in a customs controlled area".
Is it me? Perhaps, but a quick lookup of the term possession in a legal context indicates that it refers not just to the presence of an object alongside its owner, but to its ownership and the property of an individual. The referenced article goes on to say:

The U.S. Supreme Court has said that "there is no word more ambiguous in its meaning than possession" (National Safe Deposit Co. v. Stead, 232 U.S. 58, 34 S. Ct. 209, 58 L. Ed. 504 [1914]). Depending on how and when it is used, the term possession has a variety of possible meanings. As a result, possession, or lack of possession, is often the subject of controversy in civil cases involving real and personal property and criminal cases involving drugs and weapons—for example, whether a renter is entitled to possession of an apartment or whether a criminal suspect is in possession of stolen property.

I'm not a lawyer, but it looks like the opportunity for confusion has been exploited and short of the "demonic" kind, the door is left open for the interpretation of the term "possession" in any way that may suit the CBSA - even as they retroactively defend a future decision to inspect the homes of individuals or confiscate crates containing pets or other perishables. 
While we're on the topic of semantic nuances, the wording around the ability to search people in customs controlled areas is, in each instance, supplemented by the additional phrase "or is leaving a customs controlled area" ensuring that not only can one not step outside the zone of scrutiny, but since practically everyone has passed through such a zone, the CBSA has full authority over search and seizure anywhere else on the premises.
In conclusion, it may be that the CBSA intends to show disrespect for the public even as it introduces controls to safeguard travellers and goods at Canadian ports of entry, but pointing to the existence of 'controlled areas' as a licence to eavesdrop on employees or travellers is probably not the right approach to building public trust. And to say that "the microphones have not yet been switched on" but that we "will have ample notice before that happens" is not altogether comforting when evidence points to the fact that this surveillance equipment was not only installed without proper scrutiny but that it may have been in place before the Customs Act was even amended to allow for the creation of customs controlled areas.
Draw your own conclusions.

In the early 1920s, the Enigma machine was a portable encryption machine with rotor scramblers used for encoding and decoding confidential messages....
Bleeding hearts unite, the OpenSSL Heartbleed bug threatens to impact user privacy and business security online. There's a new security vulnerability in town. It's not even that new, we just didn't know about it until now. But it's a whopper and it threatens to i...
Independent risk assessments are the most basic best practice in business.Security is about risk. And risk is about numbers. Given the high probability of suffering data security and privacy breaches, is it any wonder compan...
Netflix just the latest brand used in wave of phone text support fraudEver wonder what the use of stealing millions of email addresses is? All those often downplayed, 'low sensitivity' data breaches have massive potent...
Layered SecurityI'm often surprised at the public's disappointment with the realization that security processes are not directly analogous to the medical notion of im...
Target breach will have serious consequencesThis past Christmas season hasn't been kind to the Target chain of retail stores nor to its brand. A brazen attack took place in December that affecte...

Welcome to Informatica

Be Secure.

Be Trusted.

Follow us on