Employee text messages intercepted without authorization at the Warkworth Institution

Complaint under the Privacy Act

June 4, 2018

Summary

1. We received several complaints alleging that Correctional Service Canada (CSC) contravened the collection provisions of the Privacy Act when cell phone conversations and text messages were collected without authority in the vicinity of the Warkworth Institution (the Institution). Because the complaints are similar in nature we have addressed them in a single report.
2. CSC confirmed that it intercepted six text messages but submitted that it did not intercept or record any cell phone conversations. According to CSC, it did not intend to intercept the text messages that it collected.
3. After considering representations from all parties, we determined that the complaints are well-founded. The reasons for this finding are outlined below.

Background

4. The allegations concern CSC’s use of a cell-site simulator. A cell-site simulator is an electronic device that, when activated, mimics a cell tower in order to attract all nearby cellular phones and other cellular devices to connect to it. Unique identifiers are obtained from these devices and can subsequently be used to track the location of devices or to identify the owner of a device.
5. Cell-site simulators can collect metadata, which provides information about other data. In the context of cell phone communications, metadata provides certain details about the creation, transmission, and distribution of a message. Metadata collected by cell-site simulators can include:
   • The identification number of a cell phone (IMEI);
   • The identification number of the SIM card in a cell phone (IMSI);
   • The carrier network of a cell phone; and,
   • The distance of a cell phone from the cell-site simulator.
6. Some cell-site simulators can also intercept the content of a message, such as a text message or a conversation.
7. The device at issue in this investigation was capable of intercepting both metadata and the content of messages.

Relevant Facts and Issues

The Allegations

8. The complainants include staff working at the Institution and members of the public. They alleged that CSC intercepted and recorded their cell phone conversations and texts without authority from February to September 2015. They expressed concerns that their private cell phone communications were being monitored by CSC.

The Email

9. The complaints relate to an email sent to staff from the warden of the Institution. In the email, the warden informed staff that he had authorized the use of a cell-site simulator to detect the use of cell phones by inmates within and around the Institution. The warden also informed staff that, in addition to collecting information regarding cell phone location and use, the cell-site simulator “recorded all voice and text conversations.”

CSC’s Position

10. According to CSC, the warden’s email contained several inaccuracies. Although a cell-site simulator was used to collect some information, including six text messages, CSC denied intercepting or recording any conversations. Furthermore, CSC submitted that it did not authorize the collection of text messages or conversations.
11. To explain why a cell-site simulator was used at the Institution, CSC submitted that officials had reason to believe that a series of safety and security incidents had involved the use of cell phones by inmates.^{Footnote 1} In order to address this issue, CSC officials hired a contractor to detect the presence and use of cell phones within and around the Institution. According to CSC, it authorized the contractor to collect cell phone metadata on its behalf, but did not authorize the collection of the content of cell phone communications.
12. The cell-site simulator was in operation from mid-May to mid-September of 2015. During this time, the contractor reported that the number of cell phones being used in the institution suggested that staff as well as inmates were using cell phones.^{Footnote 2} The contractor also reported that he had intercepted the content of some text messages. The content of the text messages suggested that they originated from staff cell phones.
13. According to CSC it did not use any of the information collected by the device for any purpose and the contractor was the only individual who had access to the information. When it was notified of the investigation by our Office, CSC secured the computer that held the information collected by the device. CSC provided us with a copy of the information.

The Device

14. We obtained a copy of the operating manual for the cell-site simulator. We confirmed that the device is capable of collecting metadata, including IMEI and IMSI numbers, the carrier network of the cell phone, the time and duration of cell phone communications, and the distance of the cell phone from the cell-site simulator.
15. We also confirmed that the cell-site simulator is capable of intercepting the content of cell phone communications, such as text messages and conversations.
16. The range of the device was sufficient to cover the buildings and grounds of the Institution as well as the parking lot.

The Data

17. We reviewed the information collected and confirmed that metadata from numerous cell phones used within and around the institution was collected.
18. We also confirmed that six text messages were intercepted and collected.
19. We found no evidence that CSC used the metadata collected to identify cell phone users. However, CSC officials indicated that one of the text messages revealed the identity of two staff members (though not the sender). We found no evidence that CSC took any actions based on this information.

The Contract

20. We reviewed the contract between CSC and the contractor. In February of 2015 the contractor was hired to collect metadata from cell phones being used in and around the Institution and report the findings to the warden. The interception and collection of the content of messages were not included in the contract.

Application

21. In making our determination, we considered sections 3 and 4 of the Act.
22. Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form including, without restricting the generality of the foregoing: information relating to race, national or ethnic origin, colour, religion, age, marital status, education, medical, criminal or employment history, financial transactions, identifying numbers, fingerprints, blood type, personal opinions, etc.
23. Section 4 of the Act provides that personal information collected by a government institution must relate directly to an operating program or activity of the institution.

Analysis of Facts and Issues

Is the information at issue personal information?

24. The information at issue includes cell phone metadata, text messages, and in one instance, nicknames that can identify specific individuals.
25. Metadata may be revealing in terms of the identity and location of the cell phone user. The collection of this type of personal information using a cell-site simulator includes information about all third-party cell phones in the range of the cell-site simulator. As such, this qualifies as the personal information of identifiable individuals as defined by the Act.
26. Text messages can reveal information about the sender, the receiver, and third parties that may be the subject of the messages. The text messages collected by the cell-site simulator constitute personal information as defined by the Act.
27. Although we reviewed the information collected by the cell-site simulator, we did not seek to correlate the metadata with the identity of users. Furthermore, we did not attempt to identify the individuals related to the text messages. Therefore, we know that the information in question is about identifiable individuals but we did not identify any of the individuals whose information was collected.

Was the collection of metadata consistent with the collection provisions of the Act?

28. Section 4 of the Act requires that personal information only be collected if it relates directly to an operating program or activity of the institution. CSC is responsible for managing correctional institutions of various security levels. As part of its mandate CSC must take measures to ensure the safety and security of the institutions it manages.
29. CSC demonstrated to our satisfaction that there was reason to believe that the unauthorized use of cell phones within and around the Warkworth Institution presented a serious risk to the safety and security of both inmates and staff. In light of this risk, we recognize that the detection of the unauthorized use of cell phones within and around the Institution is directly related to CSC’s mandate. Furthermore, we acknowledge that the collection of cell phone metadata is an effective means to detect the unauthorized use of cell phones. Given the seriousness of the risks and the fact that CSC did not intend to identify specific users through the metadata collected, we consider the measure to be proportionate. Therefore, in our view the collection of cell phone metadata was consistent with the collection provisions of the Act in this instance.

Was the interception and collection of the content of text messages consistent with the Act?

30. Our investigation confirmed that the contractor was hired by CSC to detect cell phone use within and around institution. While detecting the use of cell phones, the contractor also intercepted and recorded six text messages.
31. In its representations to our Office, CSC submitted that, in its view, the interception and collection of the text messages was not authorized by the Act.
32. CSC argued that it was not responsible for the interception and collection of the text messages because it had not explicitly authorized the contractor to do so. We have investigated other instances where individuals acting on behalf of an organization have acted contrary to the organization’s rules or procedures. In such cases we determined that the organization in question was responsible for the conduct of those acting on its behalf.
33. We found no evidence that CSC instructed the contractor to intercept and record the content of cell phone communications; however, we note that the collection of the text messages was done in the context of conducting work for CSC. In the course of conducting this work, the contractor was given access to the Institution and was authorized to operate a cell-site simulator. In our view, the interception and collection of the text messages was not the result of actions initiated by the contractor, but rather the result of actions that were initiated by and done on behalf of CSC. Therefore, we find that CSC contravened the collection provisions of the Act in this instance.

Finding

34. In light of the above, the complaints are well-founded.

Other

35. During the course of the investigation, CSC informed us that it does not intend to use cell-site simulators in the future. Consequently, it has no policies or procedures in place to govern the use of such devices.
36. We take this opportunity to remind CSC that, if it does consider using cell-site simulators in the future, it would be required to complete and submit a Privacy Impact Assessment (PIA) as per the Treasury Board Secretariat’s Directive on Privacy Impact Assessment.^{Footnote 3} Furthermore, given the technical nature of cell-site simulators, CSC would be required to conduct a threat risk assessment and include it, or a summary of its results, in the PIA at the time of its submission.