On November 28, 2017, the redacted ruling by Chief Justice Paul S. Crampton of the Federal Court of Canada was released in a case where the Canadian Security Intelligence Service (CSIS) seized personal identification data by the deployment of a cell site simulator without a warrant. A cell site simulator (CSS), also known as a mobile device identifier, IMSI-catcher and Stingray, mimics a cell tower forcing devices within range to connect to it. The ruling, reported as In the Matter of Islamist Terrorism, 2017 FC 1047, is an important development in search and seizure law under s. 8 of the Charter of Rights.

1. Background

Everyone who uses a smartphone generates data associated with two numbers. The International Mobile Subscriber Identity or IMSI is a unique number associated with the user of a cellular network stored on the SIM card in the device. The International Mobile Equipment Identity or IMEI is a number assigned to the device itself and has no relation to the subscriber. It may be located in the battery compartment of the device, displayed onscreen or in the settings menu.

The governing statute in this case is the Canadian Security Intelligence Service Act, RSC 1985, c. C-23. The relevant parts of s. 12 provide that, if there are reasonable grounds to believe an activity constitutes a threat to the security of Canada, CSIS may take measures to reduce the threat within or outside Canada. The measures are required to be reasonable and proportionate having regard to (a) the nature of the threat (b) the nature of the measures and (c) the reasonable availability of other means. CSIS shall not take measures to reduce a threat if the measures will contravene the Charter unless a warrant is issued. The issuance of a warrant, based on reasonable grounds, to enable CSIS to investigate a security threat is governed by s. 21.

The issue arose whether the IMSI and IMEI numbers obtained by deployment of a cell site simulator were lawfully seized under s. 12 and could be relied upon to obtain warrants under s. 21. This was the first time CSIS explicitly sought an opinion from the Federal Court regarding the warrantless use of cell site simulators. The court held (a) there is a reasonable expectation of privacy in IMSI and IMEI numbers (b) the use of a cell site simulator to seize that data is a search under s. 8 of the Charter and (c) the search here was not unreasonable because it was narrowly targeted, highly accurate and minimally intrusive.

2. The Ruling

It was not until February 10 , 2016, that the Federal Court became aware that CSIS had been using cell site simulators for many years. According to a declassified report of the Security Intelligence Review Committee (SIRC) titled SIRC Review 2014-03 – Review of CSIS’s use of Metadata, CSIS uses the technology for two purposes. Chief Justice Crampton described the purposes, at paras. 12-3, that I will condense as follows:

“The first such purpose is to attribute a cellular device to a subject of investigation whose identity is often already known. This was the case with [X]. Such attribution is done by obtaining, through CSS technology, the IMSI associated with a subject of investigation’s SIM card, as well as the IMEI that is associated with a specific mobile device. The second use that CSIS makes of CSS technology is to ‘geo-locate’ a subject of investigation’s cellular device. SIRC observed, and CSIS has since conceded, that this use of CSS technology must be sanctioned by a warrant issued by this Court.”

Chief Justice Crampton concluded that, in the course of targeted investigations, CSIS may intercept IMSI and IMEI numbers without a warrant under s. 12 where it (a) does so in a minimally intrusive way without seeking means of identifying the individual (b) does not capture communications content (c) does not geolocate (d) does not interfere with 911 and emergency communications and (e) destroys incidentally collected non-target information.

There are two important points here. First, as Professor Craig Forcese of the University of Ottawa, Faculty of Law, said in a post to National Security Law Blog titled A Warrant for All Seasons: Four New Charter Section 8 Cases, dated December 15, 2017, the requirement of minimal intrusion should be seen in light of actual practice because CSIS agents already know who the target is. That is why they deployed the cell site simulator. Second, the ruling applies to targeted investigations. Chief Justice Crampton specifically excluded bulk collection, at para. 259, where he stated, “[T]he use of CSS technology to conduct the ‘bulk’ capture of the IMSI or IMEI identifiers associated with the mobile devices of members of the general public would not be authorized by section 12.”

Although the narrow ruling is anchored in s. 12, it has broader application because of the finding that there is a reasonable expectation of privacy in IMSI and IMEI data under s. 8 of the Charter. Here is Chief Justice Crampton’s reasoning, at paras. 187-9:

“…CSIS’s capture of the IMSI and IMEI identifiers associated with [X] mobile devices through the use of CSS technology constituted a ‘search’ within the meaning of section 8 of the Charter. In my view, this conclusion is supported by the confidential nature of IMSI and IMEI identifiers, the private and personal nature of the additional information that CSIS may be able to assemble upon obtaining IMSI and IMEI identifiers, the direct nature of [X] interest in that information, the subjective expectation of privacy that [X] likely had in respect of that information, and the objective reasonableness of that subjective expectation.

It bears underscoring that, in a thriving democratic society, it is objectively reasonable that individuals would likely expect that the personal information that may be revealed to CSIS once it begins to analyze captured IMSI and IMEI identifiers will remain private, and will not become known to agents of the state.

Although intrusions on individuals’ anonymity interests do not always engage section 8 of the Charter, I find that the capture of IMSI and IMEI information does reach this threshold, because of the profiles of individuals that CSIS can begin to build upon acquiring that information. Among other things, those technical and personal profiles can assist CSIS to construct a mosaic that reveals who an individual associates with, [X] draw inferences regarding the person’s beliefs…[I]t is those very profiles that may ultimately assist CSIS to obtain a warrant to acquire subscriber information and engage in even more intrusive activities.”

3. Conclusion

I will highlight two other aspects of the ruling in conclusion. First, judicial control is only available after seizure of the IMSI and IMEI numbers under s. 12 when CSIS decides to apply for a warrant under s. 21. The numbers are then used to execute the warrant on the correct device. Where a warrant has not been obtained prior to the deployment of a cell site simulator, there is no opportunity for judicial control in relation to the privacy rights of (a) targets who do not become the subject of requests for warrants or (b) innocent third parties. This is broadly analogous to the sniffer dog cases where after-the-fact review is only available if criminal charges are laid. Chief Justice Crampton therefore concluded, at para. 229, that “the absence of some form of after-the-fact judicial control in respect of all minimally-invasive searches that may be conducted under a law does not, in and of itself, appear to render that law unreasonable.”

Second, Chief Justice Crampton relied on other accountability measures in the statute such as the roles of the Minister of Public Safety and Emergency Preparedness, the Director of CSIS and the Security Intelligence Review Committee to ensure that s. 12 is reasonably administered. That any court would rely on the limited reviewing functions of SIRC under s. 38, in place of a prior authorization process, is extraordinary in light of the long standing criticisms of SIRC as underfunded, understaffed and ineffectual.