Transparency and Accountability – The Citizen Lab, University of Toronto (https://citizenlab.ca)

Canada Isn’t Doing Its Part to Stop AI Government Surveillance, Citizen Lab Director Says: Financial Post
https://citizenlab.ca/2025/11/canada-isnt-doing-its-part-to-stop-ai-government-surveillance-citizen-lab-director-says-financial-post/
Tue, 04 Nov 2025 15:00:08 +0000

AI is becoming a buzzword among Canadian policymakers, but should there be more focus on regulation than innovation? In a new article, Citizen Lab director Ron Deibert speaks with the Financial Post about the risks of AI.

Generative AI is transformational technology, but lack of oversight poses ethical risks. “It’s astonishing how the industry is able to experiment on human populations with such far-reaching technology and largely unrestrained. We need some kind of wrapping around it to control for the harms and consequences,” says Deibert.

Read the article

Submission to the Standing Committee on Public Safety and National Security of Bill C-8
https://citizenlab.ca/2025/10/submission-to-the-standing-committee-on-public-safety-and-national-security-of-bill-c-8/
Thu, 30 Oct 2025 15:00:30 +0000

Canada’s Bill C-8 (formerly Bill C-26) is proposed cybersecurity legislation that would introduce broad information collection and sharing powers, including the warrantless collection of information from telecommunication providers, and could also undermine encryption and communications security.

In a brief submitted by the Citizen Lab to the Standing Committee on Public Safety and National Security (SECU) of Bill C-8, senior research associate Kate Robertson sets out targeted recommendations to respond to constitutional deficits in the bill that were not addressed during the study and amendment of Bill C-26.

According to Robertson, “addressing the warrantless nature of this collection power should be this committee’s priority in studying the legislation.” She adds that Bill C-8 also “needs to be amended to make certain and clarify that its orders cannot be issued to compromise the security of Canada’s communication networks.”

On November 4, 2025, Robertson will testify on Bill C-8 in the House of Commons’ SECU Committee Meeting.

Read the Citizen Lab’s submission.

Read related coverage in The Hill Times:
Bill aimed at protecting telecom infrastructure against cyberattacks strikes at privacy rights, say civil society groups

The Citizen Lab’s Submission to the UN on Universal Birth Registration and the Use of Digital Technologies
https://citizenlab.ca/2025/07/the-citizen-labs-submission-to-the-un-on-universal-birth-registration-and-the-use-of-digital-technologies/
Mon, 21 Jul 2025 20:32:55 +0000

In August 2024, the Citizen Lab’s Verónica Arroyo, Emma Carter (pseudonym), Moses Karanja, Kate Robertson, and Emile Dirks prepared a submission in response to a call for inputs issued by the United Nations Office of the High Commissioner for Human Rights (OHCHR) on universal birth registration and the use of digital technologies. The OHCHR recently released their report, which cites the Lab’s submission twice.

The authors highlight the dangerous rhetoric of “birth registration and certification as a prerequisite for other rights,” which is common even among international organizations such as UNICEF. They argue that this narrative enables exclusion and abuse through the barring of legal identification (ID), and that it fails to recognize that the lack of legal identity does not cause rights abuses; instead, it is part of the system of abuse that marginalizes these people. They also warn of the danger of digital ID systems, which can be covertly abused by governments for unrelated reasons.

Canada’s Outdated Laws Leave Spyware Oversight Dangerously Weak
https://citizenlab.ca/2025/07/canadas-outdated-laws-leave-spyware-oversight-dangerously-weak/
Mon, 21 Jul 2025 18:55:05 +0000

Recent research from Citizen Lab marked the first time a Canadian police service was directly linked to the mercenary spyware industry. The report identified the Ontario Provincial Police as a possible customer of a spyware company called Paragon Solutions. In a new piece for Policy Options, senior research associate Kate Robertson and legal extern Song-Ly Tran discuss how outdated protections in Canada’s decades-old wiretap laws fail to protect people in Canada from abuse of spyware technologies.

Rather than shoehorning the use of spyware into a legal framework established in the 1970s, Robertson and Tran highlight the urgent need for action by federal lawmakers and privacy regulators across Canada to address the specific dangers of spyware technology, through both legislative reform and comprehensive oversight.

Read more in Policy Options.

Unspoken Implications: A Preliminary Analysis of Bill C-2 and Canada’s Potential Data-Sharing Obligations Towards the United States and Other Countries
https://citizenlab.ca/2025/06/a-preliminary-analysis-of-bill-c-2/
Mon, 16 Jun 2025 18:05:07 +0000

1. Introduction

On June 3, 2025, the federal government tabled Bill C-2, An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures. The bill is omnibus legislation that, if passed, would introduce a wide array of new federal agency and law enforcement powers, and would significantly reform substantive and due process laws in Canada for migrants and asylum seekers. It is widely known that Bill C-2 is being tabled at a time when the Canadian government has entered into negotiations with the United States on matters concerning trade and security.

For several years, Citizen Lab researchers have been studying cross-border surveillance practices and frameworks around the world, including most recently, potential cross-border data-sharing frameworks between foreign law enforcement authorities. Human rights dangers are particularly acute when it comes to the potential sharing of private, sensitive information with foreign governments and law enforcement authorities. Canadian authorities know first-hand the tragic consequences that inappropriate data sharing with foreign authorities can inflict on even innocent persons. The detention, rendition, and torture of Maher Arar after Canadian authorities shared inappropriate and inaccurate information with U.S. authorities provides a “chilling example of the dangers of unconditional information sharing.” The Commission of Inquiry into the Actions of Canadian Officials in Relation to Maher Arar properly recognized that information sharing with foreign authorities “is a highly sensitive and potentially risky exercise.”1 Moreover, in the absence of robust human rights safeguards, foreign states are also able to leverage legal procedures in rights-respecting countries in order to engage in acts of transnational repression.

Despite the wider context of negotiations between Canada and the U.S., the federal government’s public statements surrounding Bill C-2–including the Minister of Public Safety’s official summary–have said surprisingly little about the impact of Bill C-2 on potential data-sharing obligations in Canada towards the United States. This explanatory gap is notable given the proposed new powers appear to carry far-reaching implications for data-sharing that have not been acknowledged to the broader public by the federal government, to date, in introducing the legislation. 

While Bill C-2 does not explicitly state that it is paving the way for new and expanded data-sharing with the United States or other countries, the legislation contains references to the potential for “agreement[s] or arrangement[s]” with a foreign state, and references elsewhere the potential that persons in Canada may become compelled by the laws of a foreign state to disclose information.2 Other data and surveillance powers in Bill C-2 read like they could have been drafted by U.S. officials. 

Furthermore, in response to questions at a technical briefing on Bill C-2 by Justice Canada on June 9, 2025, Justice Canada officials acknowledged to the persons present at the briefing that the intent of certain provisions within Bill C-2 is to enable Canada to implement and ratify a new data-sharing treaty, publicly known as the “Second Additional Protocol” to the Budapest Convention (“2AP”). The briefing acknowledged that other cross-border “cooperation” tools were foreseeable.

The federal government’s quiet acknowledgement that new provisions in Bill C-2 are being introduced to implement the 2AP treaty raises broader questions about the full extent of Bill C-2’s impacts as it concerns data-sharing with U.S. law enforcement authorities. Bill C-2 is being tabled at a time when it is widely known that the Canadian government has been in closed-door negotiations with the United States over a potential bilateral law enforcement data-sharing agreement between Canada and the United States under a piece of U.S. legislation called the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”).

As a result, this preliminary analysis of Bill C-2 situates the legislation within the context of existing research by the Citizen Lab about two potential data-sharing treaties that are most relevant to the new proposed powers being introduced in Bill C-2. Part 2 introduces Citizen Lab research analyzing the constitutional and human rights implications of the 2AP. The research was previously submitted as part of the Department of Justice’s 2024 consultation on its consideration of whether Canada should ratify the treaty. Part 3 connects Bill C-2’s proposed powers to Citizen Lab’s recent analysis of the constitutional and human rights implications of a potential CLOUD Act agreement with the United States. Both Parts 2 and 3 underscore the significant democratic, public interest, and human rights implications if Canada were to assume these new data-sharing obligations towards foreign law enforcement authorities. As a result, Parts 4-5 conclude by raising broader issues regarding the public’s and Parliament’s current inability to meaningfully assess the complex and consequential new powers in Bill C-2, given the federal government’s current lack of transparency about its intent as regards to potential new data-sharing obligations towards the United States or other countries. 

2. The Potential Impact of the 2AP to the Budapest Convention: Expediting Human Rights Abuses

Given the government’s acknowledgement that new powers in Bill C-2 are intended to enable Canada to ratify the 2AP, Part 2 of this preliminary analysis of Bill C-2 introduces in-depth analysis of 2AP, as one of the major cross-border data-sharing frameworks under consideration, between Canada and foreign law enforcement authorities in the United States and elsewhere. The Citizen Lab’s analysis of the constitutional and international human rights implications of the 2AP provides broader context regarding the potential implications of Bill C-2, as it relates to the 2AP. The analysis was authored by Kate Robertson and Verónica Arroyo.3

The 2AP is a new law enforcement data-sharing treaty that is designed to bypass existing mutual legal assistance frameworks between countries, and to expand the speed and volume of data-sharing between law enforcement authorities in different countries. The United States is a signatory of the treaty and would potentially be making requests for Canadian data under the framework.4 If Canada were to ratify the treaty, it would very likely prompt “a significant increase in the volume of requests for communication-related information by foreign and Canadian investigative entities, with a corresponding impact on the right to privacy.”5 Moreover, if the 2AP is adopted as a global standard, it would contribute to the elimination and diminishment of protections that are critical to mutual legal assistance treaties and norms. As a result, “much of the world’s population may be left vulnerable to arbitrary and abusive data collection practices by domestic law enforcement agencies.” Internationally, it has been the subject of significant criticism by human rights organizations around the world.

During a consultation in early 2024 on the question of whether Canada should ratify the 2AP, the Privacy Commissioner of Canada raised concerns with the Department of Justice about “significant privacy implications” of the treaty. The Privacy Commissioner’s analysis further makes clear that without much-needed law reform, Canada does not have “comprehensive, appropriate, and robust safeguards”, given existing gaps in Canadian privacy laws like the Privacy Act. The Information and Privacy Commissioner of Ontario agreed, while emphasizing that “[a]bsent appropriate rule of law or proportionality standards, there is a risk that the Protocol may have the effect of infringing upon the human rights of persons whose data is obtained from Ontario-based public or private sector organizations at the hands of foreign jurisdictions that do not share our free and democratic values.”6 While those concerns were raised in respect of Ontario, the same danger would be present across Canada.

In conducting a constitutional and human rights analysis of the 2AP–submitted to the Department of Justice during its consultation on the 2AP–the authors recommend that Canada should decline to ratify the treaty. Canada should instead play a leadership role in prioritizing international efforts to address cross-border gaps in human rights compliance, and to invest in fully resourcing cross-border data-sharing protocols that require and harmonize robust human rights protections from all signatories. In summary, the analysis found:

  1. The 2AP permits state signatories to seize, share, retain, and use potentially large volumes of private data from public or private entities in respect of both digital and non-digital information.
  2. As a whole, the 2AP’s proposed method of expediting higher volumes of cross-border sharing of evidence is by eliminating or diminishing human rights safeguards, including the obligation to obtain prior, independent judicial authorization when seizing private information and sharing it with foreign law enforcement authorities. Rather than “establishing high standards, the protocol prioritizes law enforcement access at almost every turn.”
  3. The 2AP would specifically authorize, if not require, searches and seizures of private data, in circumstances that fall short of international human rights obligations requiring independent authorization and review for just cause. The protocol’s toleration for inadequate human rights safeguards is a direct threat to existing protections under international human rights law. While the 2AP contains some opportunity for Canada to reserve against some of the most intrusive aspects of the treaty, opportunities for reservations are too limited, and fail to offset the broader problem that the instrument itself, as a whole, represents a threat to human rights everywhere. 
  4. The 2AP allows signatories to make secret agreements across borders between police agencies on their own, or between governments, that would potentially result in the whole cloth elimination of privacy and human rights safeguards.
  5. The optional data protection standards set out in Article 14 of the 2AP either fall short of, or are inconsistent with, modern data protection principles and treaties. These gaps expose Canada to particular dangers given, as noted above by the Privacy Commissioner of Canada and others, Canada’s privacy laws have not been modernized for the digital age, and lack much needed safeguards.
  6. By normalizing and tolerating an inadequate data sharing regime, the 2AP may be further weaponized against human rights by authoritarian governments around the world, who would point to the 2AP when justifying their own invasive surveillance and data sharing programs.

The complete analysis and submission can be read here.

3. Additional Implications of Bill C-2 for Data-sharing Between Canada and the U.S. Under a Potential CLOUD Agreement

On February 24, 2025, the Citizen Lab published an analysis, authored by Cynthia Khoo and Kate Robertson, of the Canada-U.S. negotiations under the CLOUD Act, and summarized key constitutional and human rights considerations relevant to public and democratic debates in Canada. The full text is available here.

The analysis of a potential Canada-U.S. CLOUD agreement identified a “minefield of incompatibilities and contradictions between Canada’s constitutional and human rights frameworks, and those of the [United States].” The Canadian Supreme Court has established in numerous contexts that the law under Canada’s Charter is different from U.S. law when it comes to human rights—stating as recently as last year that “[o]ur approach is distinct from the United States” when it comes to privacy rights. With the expansion of digital technologies in everyday life, the U.S. approach has shown itself to become increasingly unworkable in the digital age. The linked analysis outlines this historical legal divergence: 

Since the 1970s, U.S. courts have said that individuals are disentitled from constitutional privacy protections for information that they voluntarily share with a third party—this is known as the “third-party doctrine”. Information caught up in this longstanding doctrine is exposed to warrantless seizures by U.S. law enforcement. 

The U.S. approach has not aged well. Fifty years later, smartphones are now ubiquitous, each loaded to the hilt with third-party apps hoovering up reams of private data about the most intimate and sensitive aspects of our daily lives. Amidst a sprawling data broker market that includes selling targeted ad data to law enforcement and government agencies, U.S. lawmakers and civil society have been trying to close part of this third-party-doctrine-enabled loophole, such as through the aptly titled The Fourth Amendment Is Not For Sale Act. While a 2018 U.S. Supreme Court decision marked an important shift towards a new approach, it is still far from clear if (or how far) the U.S. courts will go down this path.

In contrast, that potential seedling of a new path in the U.S. is already Canada’s well-trodden, constitutionally settled road. Since the early 1990s, Canada’s top courts have repeatedly rejected the United States’ approach to limiting privacy rights through the third-party doctrine. In a landmark judgment, Canada’s Supreme Court decided that it would not follow the U.S. jurisprudence that has ultimately pushed swaths of government surveillance outside the oversight of U.S. judges. The court foresaw that if electronic surveillance were to be left unregulated, it would have the potential “to annihilate any expectation that our communications will remain private”. Thus, in many cases, the same types of personal data that are considered fair game in the U.S., are constitutionally protected from warrantless search and seizure in Canada.

In addition to the risk of subordinating existing Canadian protections to U.S. law if a CLOUD agreement were to be implemented, the analysis outlines further gaps in human rights protections in the United States that point to why “it is more critical than ever that Canada protectively and unwaveringly holds its own constitutional lines.”

However, Bill C-2 would significantly expand law enforcement surveillance powers, by eliminating or watering down existing protections in Canadian law. Preliminary analysis of the law raises significant constitutional issues, including the potential that it appears poised to open the floodgates to a wide array of data-mining practices, including the collection of data from commercial data brokers, and other data-fueled algorithmic surveillance systems. As other recent analysis of Bill C-2 has also pointed out, other new proposed powers in respect of subscriber data are zombie-like proposals from previous failed attempts by past governments, each time using differing rationales. For example, new provisions in Part 14 of Bill C-2 would substantially dilute the legal threshold police must meet for accessing sensitive categories of data, including subscriber data, despite Supreme Court of Canada jurisprudence stating that these types of data requests engage “significant privacy interests.” 

The new powers in Bill C-2 are also notable given that they overlap with some of the exact areas in which Canada’s constitution provides greater protection against unreasonable surveillance than the U.S. constitution does, in ways that were anticipated to be the root of incompatibilities between the two countries in reaching a potential CLOUD agreement. As noted in Citizen Lab’s prior analysis, such differences are not arbitrary, but are the result of fundamental constitutional and human rights differences in Canada, as well as decades of Supreme Court of Canada jurisprudence explicitly recognizing that Canada has taken a distinct approach from the United States on these very issues.

For example, Bill C-2 would create a new power allowing law enforcement to obtain warrantless access to any information that is provided to them “voluntarily” by any person (presumptively including a wide range of technology companies and electronic service providers). However, Canadian courts declined to follow U.S. constitutional doctrine when repeatedly making clear that such third-parties do not have the constitutional authority to consent to data disclosures on behalf of another individual. 

Another of the proposed powers in Bill C-2 would give law enforcement authorities a warrantless authorization to demand that any person “who provides services to the public” must disclose if they have provided services to an individual. Among other risks, the provision would open the door to information sharing with law enforcement authorities in states like Mississippi, Idaho, or Tennessee,7 by compelling warrantless access to information about whether a person has obtained services from an abortion clinic in Canada.

The stakes of a potential CLOUD agreement should not be underestimated. In the process of preparing its analysis of the CLOUD Act, Citizen Lab researchers learned through informal consultations that Canadian officials have also at least at one point considered expanding the potential CLOUD agreement with the United States to include U.S. national security agencies. This would foreseeably expose public and private entities in Canada to data demands directly from U.S. intelligence agencies, without the involvement of the Canadian courts. It is difficult to overstate the reverberations that such an agreement would have on the Canadian landscape. The powers in Bill C-2 applicable to the Canadian Security and Intelligence Service (CSIS), bear additional scrutiny in this regard, given the potential that these powers–alongside existing powers in Canadian law–would simultaneously pave the way for reciprocal powers by U.S. national security agencies. At this time, there is no public information available regarding what such an agreement would include.

4. Putting the Cart Before the Horse: Transparency in Parliament Regarding Treaty-making

Given significant democratic, public interest, and human rights implications of Canada’s potential agreement to a data-sharing framework with foreign authorities in the United States and/or elsewhere, it is surprising that the federal government is now quietly introducing the powers necessary to ratify the 2AP, without making this intent explicit to the broader public when it introduced Bill C-2. As noted above in Part 3 in relation to the CLOUD Act agreement, transparency is also critical surrounding the purpose of introducing several other new surveillance powers that would erode protections that are well-established in Canadian constitutional law, while concurrently granting U.S. law enforcement significant new reciprocal powers if a CLOUD agreement were to be reached.

At the briefing on June 6, 2025, government officials defended their current approach by stating that the formal ratification of the 2AP would ultimately require–at a later date–compliance with Parliamentary process. However, by proceeding in this manner, the government has bypassed critical democratic accountability controls. There is a significant democratic and public interest imperative in having explicit and fulsome transparency surrounding the intended data-sharing implications of Bill C-2 generally, and towards the United States in particular, before Parliament embarks on its study and debate of the proposed legislation. Providing the public with transparency surrounding the purpose and potential use of the proposed new powers is in keeping with democratic values, serves to protect public trust, and also ensures that Parliamentarians are able to meaningfully and carefully consider the implications of proposed powers–having regard to how they would actually be used. 

It bears noting that the Government of Canada’s Policy on Tabling of Treaties in Parliament itself directs that the federal government should not be quietly introducing treaty-implementing legislation through the backdoor of Parliament without making its intention explicit. The policy states that where reform of Canadian law is required in order to align with the obligations of a potential new treaty, the federal government must observe a waiting period before introducing implementing legislation to enable democratic debate:

For treaties that require implementing legislation before the government can proceed to ratification, acceptance, approval or accession (“ratification”), the government will:

    • Observe a waiting period of at least twenty-one sitting days before the introduction of the necessary implementing legislation in Parliament;
    • Will allow Members of Parliament the same opportunities to debate, present and vote on motions, as for those treaties which do not require implementing legislation;
    • Will subsequently introduce the implementing legislation for these treaties; and
    • Seek, only when the legislation is adopted, the authorization from the Governor in Council to express consent to be bound by the treaty.

By reversing these steps, the Canadian government would be creating a situation where powers relevant to highly controversial data-sharing obligations (under either a potential CLOUD agreement with the United States, or the 2AP) would be implemented under Canada’s nose, without most people in Canada being any the wiser. If the government does not make explicit its intended use of the proposed powers, there may also be no further opportunity outside the context of the study of Bill C-2 for a parliamentary committee to receive expert testimony and study the implications of any intended data-sharing obligations towards the United States or other countries.

5. Conclusion

This introductory analysis of Citizen Lab’s research concerning cross-border data sharing frameworks relevant to Bill C-2 is not intended to serve as a comprehensive analysis of the new powers in the proposed legislation. Instead, the preliminary analysis points to the need for fulsome transparency from the federal government regarding the intent and potential implications of Bill C-2 for data-sharing with law enforcement authorities from the United States and elsewhere, and for compliance with Canada’s Policy on Tabling of Treaties in Parliament.

Both the 2AP and CLOUD Act data-sharing frameworks have each been shown to carry significant constitutional and human rights risks. As noted above, Bill C-2 itself contains several areas where proposed powers appear designed to roll out a welcome mat for expanded data-sharing treaties or agreements with the United States and other foreign law enforcement authorities. But, this is not a matter that should be left to mystery, with the public having to gather clues as to the potential implications of complex surveillance powers that are as far-reaching geographically as they appear to be constitutionally. The federal government’s acknowledgement in its briefing on June 6 that it intends to use certain powers in Bill C-2 to seek the ratification of 2AP only engages broader questions, and raises the need for explicit and fulsome explanations to the public regarding its intent in relation to the 2AP, what the implications of the 2AP would be for Canada, and whether it intends to enter other data-sharing obligations with foreign authorities including the United States. Only then should any enabling legislation be put forward and then carefully considered in full.

  1. Report of the Events Relating to Maher Arar: Analysis and Recommendations (Ottawa: Commission of Inquiry Into the Actions of Canadian Officials in Relation to Maher Arar, 2006) at page 74 (pdf). See also Internal inquiry into the actions of Canadian officials in relation to Abdullah Almalki, Ahmad Abou-Elmaati and Muayyed Nureddin, The Honourable Frank Iacobucci, Q.C., Commissioner (Ottawa, Ontario: Privy Council, 2008).
  2. Bill C-2, An Act respecting certain measures relating to the security of the border between Canada and the United States and respecting other related security measures, clause 160. See also clause 164 (proposing s 487.‍0195(3) of the Criminal Code, RSC 1985, c C-46).
  3. Kate Robertson and Verónica Arroyo, “A Constitutional and Human Rights Law Analysis of the Second Additional Protocol to the Budapest Convention,” Citizen Lab Submission to the Consultation on the Second Additional Protocol to the Convention on Cybercrime on enhanced cooperation and disclosure of electronic evidence (CETS No. 224), March 2024. Verónica Arroyo was a research assistant at the Citizen Lab at the time the analysis was prepared. As a result, the findings and analysis do not necessarily reflect those of her current employer.
  4. Canada would also assume new obligations towards other countries that have been linked to abuse of transnational cooperation mechanisms, such as Turkey and Serbia. In 2022, Serbia (a country that has already ratified the 2AP) extradited a Bahraini dissident to Bahrain following an INTERPOL Red Notice, even though the extradition directly contravened an injunction that had been issued by the European Court of Human Rights: Ruth Michaelson, “‘Illegal’ extradition of Bahraini dissident from Serbia calls Interpol’s role into question”, The Guardian (16 February 2022). Moreover, if Canada were to ratify the treaty, it would also have no say over which additional countries join the treaty.
  5. Information and Privacy Commissioner of Ontario, “Consultation on the Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence”, April 12, 2024, at p 3 (pdf).
  6. Information and Privacy Commissioner of Ontario, “Consultation on the Second Additional Protocol to the Convention on Cybercrime on Enhanced Co-operation and Disclosure of Electronic Evidence”, April 12, 2024, at p 3-4 (pdf).
  7. Naomi Cahn & Sonia Suter, “Crossing state lines to get an abortion is a new legal minefield, with courts to decide if there’s a right to travel,” Conversation, 6 September 2024.
Canada-U.S. Cross-Border Surveillance Negotiations Raise Constitutional and Human Rights Whirlwind under U.S. CLOUD Act
https://citizenlab.ca/2025/02/canada-us-cross-border-surveillance-cloud-act/
Mon, 24 Feb 2025 16:05:52 +0000

Since the 2024 U.S. Presidential election, Canada-U.S. relations have become increasingly strained and the subject of public concern. It should thus be of further concern to the public that, since 2022, the Canadian government has been quietly negotiating a bilateral law enforcement data-sharing agreement with the U.S. under a piece of U.S. legislation called the Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”).

These negotiations are ongoing even though the U.S. does not recognize human rights obligations beyond its own borders, to say nothing of the new President openly antagonizing Canada while minions of tech billionaire Elon Musk have been running amok through sensitive government data. Media reports are also surfacing that the CIA will “use espionage to give Trump extra leverage in his trade negotiations”. These destabilizing events should give grave pause to any notion of entering into such a data-sharing agreement with the U.S. at this of all times—especially one with as many issues as the CLOUD Act.

Introduction to Canada-U.S. CLOUD Act agreement

A Canada-U.S. CLOUD agreement would extend the reach of U.S. law enforcement into Canada’s digital terrain to an unprecedented extent. This agreement, if signed, would effectively allow U.S. police to demand personal data directly from any provider of an “electronic communication service” or “remote computing service” in Canada, so long as it had some ties to the U.S. (such as serving U.S. users). No judicial oversight whatsoever would be involved north of the border. The new system would expose personal data stored in Canada directly to U.S. police surveillance, bypassing Canadian court oversight, and in so doing, could violate our own constitutional privacy laws, among other alarming consequences.

The purpose of this agreement is ostensibly to streamline cross-border data requests currently governed by mutual legal assistance treaties, which public officials have said are now too cumbersome in the digital age. The arrangement is thus meant to grant reciprocal powers to Canadian police seeking data from U.S. technology companies. However, a closer look reveals that any such agreement would be reciprocal in name only, where our constitutional and human rights are concerned. 

Canadian and U.S. constitutional law diverge on digital surveillance 

Canada and the U.S. have already long diverged from each other when it comes to our respective legal frameworks addressing surveillance and digital privacy, such that a CLOUD Act agreement can only degrade Canada’s well-established constitutional standards. One would be hard pressed to find two democracies that are more incompatible when it comes to trying to align digital surveillance laws. Since the 1970s, U.S. courts have said that individuals are disentitled from constitutional privacy protections for information that they voluntarily share with a third party—this is known as the “third-party doctrine”. Information caught up in this longstanding doctrine is exposed to warrantless seizures by U.S. law enforcement. 

The U.S. approach has not aged well. Fifty years later, smartphones are now ubiquitous, each loaded to the hilt with third-party apps hoovering up reams of private data about the most intimate and sensitive aspects of our daily lives. Amidst a sprawling data broker market that includes selling targeted ad data to law enforcement and government agencies, U.S. lawmakers and civil society have been trying to close part of this third-party-doctrine-enabled loophole, such as through the aptly titled Fourth Amendment Is Not For Sale Act. While a 2018 U.S. Supreme Court decision marked an important shift towards a new approach, it is still far from clear if (or how far) the U.S. courts will go down this path.

In contrast, that potential seedling of a new path in the U.S. is already Canada’s well-trodden, constitutionally settled road. Since the early 1990s, Canada’s top courts have repeatedly rejected the United States’ approach to limiting privacy rights through the third-party doctrine. In a landmark judgment, Canada’s Supreme Court decided that it would not follow the U.S. jurisprudence that has ultimately pushed swaths of government surveillance outside the oversight of U.S. judges. The Court foresaw that if electronic surveillance were to be left unregulated, it would have the potential “to annihilate any expectation that our communications will remain private”. Thus, in many cases, the same types of personal data that are considered fair game in the U.S., are constitutionally protected from warrantless search and seizure in Canada.

CLOUD Act agreement risks subordinating Canadian constitution to U.S. law

This longstanding schism running alongside the 49th parallel is why Canada submitting to a CLOUD Act agreement would be so disturbing. The move would deeply undermine a key pillar of Canadian privacy law, blocking Canadian court judges from supervising warrantless U.S. law enforcement surveillance, even in circumstances where a Canadian police service would be required to get a Canadian judge to authorize seizure of the exact same data. 

This fundamental shift in our privacy law landscape would strike a major blow for Canada’s sovereignty over its own constitutional guarantees. In Bykovets, a recent Supreme Court of Canada ruling again underscoring the critical role of judicial supervision over electronic surveillance, the majority opinion described how the concentration of a “mass of information” in the hands of private corporations has “fundamentally altered the topography of informational privacy.” In an overwhelmingly digital world, even our IP addresses can betray deeply personal information. There are countless examples of information and data in the hands of technology companies, telecommunications providers, banks, universities, or other entities where law enforcement access is supervised by Canadian courts, given the potential that this information might otherwise be “compiled, dissected and analyzed to lend new insights into who we are as individuals or populations.”

U.S. experts themselves have warned potential CLOUD Act signatories of weaknesses in U.S. surveillance laws, given concerns that the CLOUD Act potentially expands cross-border law enforcement powers to issue orders for real-time surveillance, such as wiretapping. That is the difference between police asking your cell phone provider to send them a block of your chat history from a specific past time period, and asking your cell phone provider to start forwarding to them all of your texts that you send or receive in real-time, going forward. A former U.S. judge noted that the language of the CLOUD Act is vague enough that it may authorize additional cross-border real-time surveillance powers, such as remote location tracking or remotely hacking into a person’s device (to the extent a technology company’s cooperation is involved). On top of all of that, nothing would prevent U.S. authorities from sharing and repurposing personal data collected from Canada for matters that have nothing to do with the CLOUD Act or criminal investigations. 

As a base proposition, it would be surprising—to say the least—if the Canadian government were to countenance an agreement that would tolerate hacking by the FBI into Canadian-based phones or computers as a part of routine criminal investigations in the U.S. This is not even to mention potential U.S. demands for data that can be obtained from sources such as cell phone tower dumps, reverse location and keyword warrants, or digital genetic databases, just to name a few examples. 

U.S. fails to protect human rights domestically and internationally

Even supposing subordinating ourselves to U.S. police surveillance were acceptable to our idea of a free and democratic society, it is worth considering what crimes, exactly, these cross-border data-access powers would be used for. A Canada-U.S. CLOUD Act agreement could make the Canadian government and technology sector complicit in the data-fuelled criminalization and persecution of historically marginalized groups in the U.S.—groups whose equality and human rights, if they were in Canada, would be constitutionally guaranteed under the Canadian Charter of Rights and Freedoms.

The expanded powers granted by CLOUD Act agreements are only supposed to apply to “serious crimes”, which existing agreements with the U.K. and Australia define as an offense with a maximum prison term of three years or more. By that definition, the following activities are considered “serious crimes” according to the U.S.: providing or attempting to provide an abortion in Mississippi (up to 10 years in prison); terminating a pregnancy in Florida (up to 5 years in prison); being a parent in Idaho seeking gender-affirming health care for their trans child (life in prison); and performing in a drag show in Arizona (up to 10 years in prison when the bill was first introduced). Legal developments such as the U.S. Supreme Court eliminating federal protection for abortion in Dobbs v. Jackson Women’s Health Organization have only widened the gap between our countries’ incommensurate constitutional landscapes. 

Technology companies such as social media platforms, targeted ad businesses, and data brokers have already been aiding in the criminal and social targeting of groups besieged by efforts to legislate away their civil rights. These violations include, for instance, Facebook giving police private messages between a mother and daughter discussing the latter’s abortion, resulting in their imprisonment; data brokers selling location data tracking people going to and from abortion clinics; outing someone’s sexual orientation; and the use of healthcare data and student surveillance tech to criminalize transgender kids and their families. Under a CLOUD Act agreement, Canada’s burgeoning so-called “femtech” startup sector, among others, may find itself subjected to U.S. requests to do likewise. Even if the Canadian agreement follows the U.K. and Australia in providing a carve-out against using CLOUD powers for discriminatory targeting, companies may provide limited resistance if faced with any such requests on the ground, and as detailed below, no remedies are available for any rights infringements that nonetheless occur.

The Canadian Supreme Court has repeatedly established in numerous contexts that the law under Canada’s Charter deviates from U.S. law when it comes to human rights—stating as recently as last year that “[o]ur approach is distinct from the United States” when it comes to privacy rights. This raises the question: in the face of such explicit statements and fundamental constitutional differences, why would the federal government entertain an agreement that would bind Canada to a more integrated law enforcement system with a country that does not acknowledge responsibility to respect the rights of either Canadians or other non-U.S. persons? Unlike the Canadian government, the United States and its courts have made it clear that they do not accept responsibility for safeguarding the human rights of non-U.S. citizens when U.S. law enforcement engages in foreign surveillance—contrary to established international consensus under treaties including the International Covenant on Civil and Political Rights. This alone should be an unequivocal dealbreaker for the Canadian government.

Nor can the Canadian government claim ignorance: international human rights bodies have long criticized, and continue to criticize, the U.S. for its foreign surveillance practices in respect of non-U.S. citizens, and for other human rights violations. U.S. officials have touted CLOUD Act agreements as an opportunity to raise relevant legal standards in potential signatory countries, but recent political developments have debased any assumptions that the U.S. will use its influence for the betterment of human rights or civil liberties.

No recourse or remedy if people’s rights violated by U.S. police surveillance

Even assuming the Canadian government could insist, and enforce, that all U.S. surveillance requests were at least authorized by a judge, this would likely not meaningfully uphold Canadian constitutional standards or protect the people they govern. It seems a contradiction in terms to task a U.S. judge with the vital responsibility of protecting the rights of people whom U.S. courts are simply not bound to protect, according to the U.S.’s own laws. CLOUD Act agreements with both the U.K. and Australia have explicitly refused to establish any rights or remedies for individuals or companies whose data is subject to seizure under each agreement.

The net effect of the U.S. rejecting extraterritorial human rights obligations means that by blocking Canadian courts from supervising U.S. law enforcement surveillance demands, Canadian residents and other non-U.S. persons would be relegated to a remedial no-man’s land, unable to access any recourse in cases of overbroad or inappropriate U.S. requests for data. Given Canada’s courts have previously struck down surveillance laws that failed to be accompanied by meaningful accountability mechanisms, a remedial vacuum in a potential CLOUD agreement would likely prove fatal. 

Under existing CLOUD agreements, only companies who are the recipients of such data requests—whether TD Bank, TELUS, Amazon, or Meta, for instance—may challenge such orders under the CLOUD Act, despite lack of aligned incentives with the rights of those targeted by U.S. surveillance or, indeed, the broader public interest. Canadian courts declined to follow U.S. constitutional doctrine when establishing that such third-party entities do not have the constitutional authority to consent to data disclosures on behalf of their customers. Yet, they will be put in this position in Canada and moreover may be bound to confidentiality about the U.S. police requests they comply with, as Australian companies are poised to be under the Australia-U.S. CLOUD agreement. 

Canadian government should reject CLOUD Act agreement to uphold Canada’s constitutional and human rights

In signing a CLOUD Act agreement, Canada would furthermore make itself vulnerable to additional privacy and national security threats arising from any future bestowing of even broader powers on U.S. law enforcement authorities, by the current or future administrations. This lesson is already being learned painfully by, in fact, the U.S. itself. The Washington Post reported this month that the U.K. government secretly demanded Apple create a way to decrypt its users’ data worldwide for the U.K. government to access. This demand reportedly relied on the U.K.’s Investigatory Powers Act, a law amended in 2024—a few short years after the U.S. and U.K. reached their own CLOUD Act agreement in 2019. In response to these revelations, U.S. Senator Ron Wyden circulated a draft bill to address major deficiencies in the CLOUD Act—which is cause for sober second thought by any countries considering an agreement under the Act, such as Canada.

To be sure, some of the assessment we provide in this article is drawn from educated guesses and existing CLOUD Act agreements the U.S. has struck with the U.K. and Australia. Much will depend on the actual text of Canada’s own agreement, which has yet to be made public. However, the broad scope of the CLOUD Act means that any agreement is almost certain to put our fundamental rights at risk, unless and perhaps even if the Canadian government were somehow able to navigate a veritable minefield of incompatibilities and contradictions between Canada’s constitutional and human rights frameworks, and those of the U.S. Wrangling surveillance standards into theoretical compliance with Canada’s Charter would also still provide no answer to the concerns regarding types of crimes investigated, the U.S.’s lack of extraterritorial human rights obligations, potential repurposing of Canadian data after the fact, and the lack of any recourse for individuals whose rights are violated.

Absent more compelling evidence and justification than it has demonstrated so far, the Canadian government must reconsider and carefully assess its potential bilateral and international data-sharing obligations with foreign partners, such as the United States. Given all of the above, it seems that Canada cannot in good conscience enter into a far-reaching agreement that could result in sharing even more data to help an increasingly rogue administration persecute vulnerable individuals—among other potential consequences—on grounds that would be illegal here and which fly in the face of principles enshrined in our constitutional and human rights laws. Particularly at a time when democratic institutions and courts are struggling to retain integrity and public legitimacy, especially in the U.S., it is more critical than ever that Canada protectively and unwaveringly holds its own constitutional lines.

Acknowledgements

Thank you to our colleagues Lex Gill, Tamir Israel, and Leah West for their valuable peer review of this article, which is published under the supervision of Ronald Deibert.

Finding You: The Network Effect of Telecommunications Vulnerabilities for Location Disclosure https://citizenlab.ca/2023/10/finding-you-teleco-vulnerabilities-for-location-disclosure/ Thu, 26 Oct 2023 17:59:54 +0000 https://citizenlab.ca/?p=80065

Table of Contents
Introduction
1. Roaming, SIMs, and Services 101
2. Geolocation Attacks Against Telecommunications Networks
3. Case Studies and Statistics
4. Incentives Enabling Geolocation Attacks
5. Geolocation Tracking in 5G Networks and Unimplemented Defensive Measures
6. Conclusion

Introduction

The information collected by, and stored within, mobile networks can represent one of the most current and comprehensive dossiers of our life. Our mobile phones are connected to these networks and reveal our behaviours, demographic details, social communities, shopping habits, sleeping patterns, and where we live and work, as well as provide a view into our travel history. This information, in aggregate, is jeopardized, however, by technical vulnerabilities in mobile communications networks. Such vulnerabilities can be used to expose intimate information to many diverse actors and are tightly linked to how mobile phones roam across mobile operators’ networks when we travel. Specifically, these vulnerabilities are most often tied to the signaling messages that are sent between telecommunications networks which expose the phones to different modes of location disclosure.

Telecommunications networks have been designed to rely on private, though open, signaling connections. These connections enable domestic and international roaming, where a mobile phone can seamlessly pass from one company’s network to another. The signaling protocols used for this purpose also allow networks to retrieve information about the user, such as whether a number is active, which services are available to them, to which country network they are registered, and where they are located. These connections and associated signaling protocols, however, are constantly being targeted and exploited by surveillance actors with the effect of exposing our phones to numerous methods of location disclosure.

Most unlawful network-based location disclosure is made possible because of how mobile telecommunications networks interoperate. Foreign intelligence and security services, as well as private intelligence firms, often attempt to obtain location information, as do domestic state actors such as law enforcement. Notably, the methods available to law enforcement and intelligence services are similar to those used by the unlawful actors and enable them to obtain individuals’ geolocation information with high degrees of secrecy. Over the course of this report we will generally refer to all of these actors as ‘surveillance actors’ to refer to their interest in undertaking mobile geolocation surveillance.

Despite the ubiquity of global 4G network penetration and the rapidly expanding 5G network footprint there are many mobile devices, and their owners, who rely on older 3G networks. This is particularly the case in the regions of Eastern Europe, the Middle East, and Sub-Saharan Africa where 3G subscriber penetration is 55% according to the GSMA,[1] an organization that provides information, services, and guidelines to members of the mobile industry. Further, at the end of 2021 the UK-based mobile market intelligence firm Mobilesquared estimated that only a quarter of mobile network operators worldwide have deployed a signaling firewall[2] that is designed to impair geolocation surveillance. Telecom insiders understand that the vulnerabilities in the SS7 signaling protocol used in 3G roaming have enabled the development of commercial surveillance products that provide their operators with anonymity, multiple access points and attack vectors, a ubiquitous and globally-accessible network with an unlimited list of targets, and virtually no financial or legal risks.

This report provides a high-level overview of the geolocation-related threats associated with contemporary networks that depend on the protocols used by 3G, 4G, and 5G network operators, followed by evidence of the proliferation of these threats. Part 1 provides the historical context of unauthorized location disclosures in mobile networks and the importance of the target identifiers used by surveillance actors. Part 2 explains how mobile networks are made vulnerable by signaling protocols used for international roaming, and how networks are made available to surveillance actors to carry out attacks. An overview of the mobile ecosystem lays the foundation for the technical details of domestic versus international network surveillance, while the vectors of active versus passive surveillance techniques with evidence of attacks shows how location information is presented to the actor. Part 3 provides details of a case study from a media report that shows evidence of widespread state-sponsored surveillance, followed by threat intelligence data revealing network sources attributed to attacks detected in 2023. These case studies underscore the significance and relevance of undertaking these kinds of surveillance operations.

Deficiencies in oversight and accountability of network security are discussed in Part 4. This includes outlining the incentives and enablers that are provided to surveillance actors from industry organizations and government regulatory agencies. Part 5 makes clear that the adoption of 5G technologies will not mitigate future surveillance risks unless policymakers quickly move to compel telecommunications providers to adopt the security features that are available in 5G standards and equipment. If policymakers do not move swiftly then surveillance actors may continue to prey upon mobile phone users by tracking their physical location. Such a future paints a bleak picture of user privacy and must be avoided.

1. Roaming, SIMs, and Services 101

Mobile users expect their phones to work wherever they travel beyond the borders of their home country. However, it is when individuals are traveling abroad that they are most vulnerable to network-based geolocation tracking.

When an individual travels internationally with a mobile phone, the phone continues to operate outside of its home mobile network (i.e., the domestic carrier with which it is associated). This ongoing operation is accomplished through a series of global interconnections and agreements between network operators around the world. These interconnections and agreements are often unique to each network type (3G, 4G, and 5G) and these networks have historically been bridged by telephony signaling protocols which have been developed since the 1970s to form the Signaling System Number 7 (SS7 network), and subsequently the Long Term Evolution (LTE/4G) network which uses the Diameter signaling protocol.

Figure 1: International roaming process flow.

When roaming on different foreign networks, those networks charge differing rates for voice, data, and messaging services in exchange for the services provided to users roaming on their networks. To enable these services, the involved network operators open their networks to one another so they can interoperate. It is this interoperation that allows individuals to seamlessly make calls, send text messages, or use data while roaming on a foreign network.

Generally speaking, wholesale roaming agreements, such as the information included in the GSMA framework,[3] are used to establish the commercial and operational aspects of sending and receiving signaling messages for service exchange between network roaming partners. Signaling messages are operator-to-operator messages that are used to authenticate and manage user mobility. Functionally, operators use signaling messages to establish and maintain sessions providing services to users. However, while security best practices state that mobile network operators should reject messages sent by non-roaming partners or prevent abusive messages from exposing users to location tracking, these practices are not mandatory or enforced. This voluntary aspect of operator-to-operator signaling message security provides surveillance actors with an entry path into the target network. Further, networks typically connect to at least two network operators per country (and often many more) to minimize roaming costs and maximize network resiliency. While these open connections are a prerequisite for roaming service enablement, they have also presented risks of geolocation tracking.
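The best practice described above (reject signaling from non-roaming partners, and stop abusive messages from revealing a subscriber's location) is what a signaling firewall enforces. The following is an added example, not code from the Citizen Lab report or from any operator's firewall, of the two simplest rules in that spirit: an origin allow-list built from the roaming-partner agreements, and a plausibility check that refuses a location-revealing query arriving from a partner network on which the subscriber is not currently roaming. The partner names, the coarse message categories (`location-query`, `sms-routing`) and the sample messages are all constructed for illustration and do not correspond to real protocol operations or networks.

```python
"""Toy signaling-firewall rules (added example, not from the report).

Two checks are modelled:
  1. Origin allow-list: only messages from networks with which the home
     operator has a roaming agreement are accepted at all.
  2. Roaming plausibility: a location-revealing query is only accepted from
     the partner network on which the home operator last registered the
     subscriber; a query about that subscriber from any other partner is
     rejected and counted against its origin.
All names, categories and messages below are constructed for illustration.
"""
from dataclasses import dataclass

# Constructed roaming-partner allow-list (hypothetical network names).
ROAMING_PARTNERS = {"partner-a.example", "partner-b.example"}

# Constructed category standing in for any operation whose response would
# reveal where the subscriber is.
LOCATION_REVEALING = {"location-query"}


@dataclass
class SignalingMessage:
    origin_network: str  # network the message claims to come from
    category: str        # constructed coarse category of the operation
    imsi: str            # subscriber the message is about


def evaluate(msg, partners, roaming_location):
    """Return (decision, reason) for one message.

    roaming_location maps IMSI -> partner network where the home operator
    last registered the subscriber (absent = subscriber is at home).
    """
    if msg.origin_network not in partners:
        return "reject", "origin is not a roaming partner"
    if msg.category in LOCATION_REVEALING:
        current = roaming_location.get(msg.imsi)
        if current != msg.origin_network:
            return "reject", "location query from a network the subscriber is not roaming on"
    return "accept", "ok"


def filter_messages(messages, partners, roaming_location):
    """Split messages into accepted and rejected lists, each paired with a reason."""
    accepted, rejected = [], []
    for m in messages:
        decision, reason = evaluate(m, partners, roaming_location)
        (accepted if decision == "accept" else rejected).append((m, reason))
    return accepted, rejected


def rejections_by_origin(rejected):
    """Count rejections per origin, the kind of tally that feeds threat intelligence."""
    counts = {}
    for m, _ in rejected:
        counts[m.origin_network] = counts.get(m.origin_network, 0) + 1
    return counts


# Constructed sample traffic: IMSIs and networks are illustrative only.
ROAMING_LOCATION = {"222330000000001": "partner-a.example"}
SAMPLE_MESSAGES = [
    SignalingMessage("partner-a.example", "location-query", "222330000000001"),   # subscriber really is there
    SignalingMessage("unknown-lessee.example", "location-query", "222330000000002"),  # not a partner
    SignalingMessage("partner-b.example", "location-query", "222330000000001"),   # partner, but wrong network
    SignalingMessage("partner-b.example", "sms-routing", "222330000000003"),      # non-location operation
    SignalingMessage("unknown-lessee.example", "sms-routing", "222330000000003"),  # not a partner
]


def run_demo():
    """Apply the rules to the constructed sample and return the outcome."""
    accepted, rejected = filter_messages(SAMPLE_MESSAGES, ROAMING_PARTNERS, ROAMING_LOCATION)
    return accepted, rejected, rejections_by_origin(rejected)


if __name__ == "__main__":
    acc, rej, counts = run_demo()
    for m, reason in rej:
        print(f"REJECT {m.origin_network:24} {m.category:15} imsi={m.imsi}: {reason}")
    print("rejections by origin:", counts)
```

The second rule is deliberately simplified: a production firewall would also have to tolerate the brief window during which a subscriber moves between networks, and would key its allow-list on signaling addresses rather than names, but the shape of the decision (who is asking, and does the subscriber's known roaming state make the question plausible) is the same.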

1.1. From SIM to Services – Creating the Path to Network Surveillance

Understanding the points of vulnerability that surveillance actors exploit to track user geolocation requires an understanding of how users are globally and uniquely identified on mobile networks. These identifiers play a critical role in the process of routing and delivering the malicious geolocation tracking messages from the surveillance actor’s software to the network of the target phone, and returning the information back to the actor.

A starting point for understanding the identity of a user’s phone is when the mobile network operator issues the SIM card. While we are accustomed to inserting the ever-smaller cards into mobile devices, these physical cards are rapidly being displaced by a software-based eSIM. Both physical- and software-based SIM cards use a unique identity called the Integrated Circuit Card ID (ICCID). Mobile network operators then use the ICCID to assign a globally unique network identity that is specific to that network operator, known as the International Mobile Subscriber Identity (IMSI), during service activation. This globally unique and network-specific IMSI is the crucial element in the context of delivering services to the phone from any global roaming network. The IMSI is also central to the targeting methods that are used in geolocation tracking operations that are sourced from foreign networks.

After the SIM or eSIM is provisioned to the user account, a phone number (referred to by the telecommunications industry as the Mobile Station International Subscriber Directory Number, or MSISDN) is also mapped to the IMSI that is defined by the network operator. This combined information, the MSISDN and the IMSI, is integrated into the network operator’s service delivery, authorization, and authentication systems. Key to these systems are the 3G/4G Home Location Register/Home Subscriber Server (HLR/HSS) and the 5G Unified Data Manager (UDM), which collectively serve as master databases containing the rules to authorize services associated with the subscription plan an individual has purchased on a monthly or pay-as-you-go basis.

Having fully assigned and provisioned the SIM, the mobile device can communicate with the operator’s network for phone calls, text messages, and application data that can be routed globally. It is also at this point that malicious signaling messages can be directed towards the device with the effect of exposing its geolocation.

Figure 2: How mobile identities are provisioned to enable surveillance operations.

Information Box 1: The IMSI Network Identifier Explained

The IMSI of the target phone is a critical information element for conducting surveillance and is frequently seen in the initial procedure of the operation to locate its Cell ID, which is the unique number used to identify a base station tower of a given network. The Cell ID can then be correlated to a location using one of many Cell ID database services.[4]

Networks use either 3G/4G identities or 5G identities. 3G and 4G networks use the IMSI, which typically consists of 15 digits, as in the following example:

  222-333-444444444

  • The first 3 digits (222) are the mobile country code (MCC).
  • The next 2–3 digits (333) are the mobile network code (MNC).
  • The remaining digits (444444444) identify the individual subscriber within that network.

In contrast, 5G networks have defined the Subscription Permanent Identifier (SUPI) instead of IMSIs. The SUPI is equivalent to the IMSI to ensure compatibility with 4G network infrastructure. Such compatibility is particularly important because 4G network infrastructure underpins a majority of current 5G international roaming.

5G adds a security feature called the Subscription Concealed Identifier (SUCI), with an encryption scheme to prevent the open transmission of the user network identity over the radio interface. This has the effect of foiling surveillance actors who have physical proximity to a mobile device, and use tools such as IMSI Catchers to intercept radio communications in order to forcibly reveal a device’s IMSI number. IMSI Catchers are used by a variety of actors, including law enforcement, security, and foreign intelligence agencies, as well as criminals, to obtain the network identity of users for surveillance purposes.[5]
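Information Box 1 describes the IMSI layout (MCC, MNC, then the subscriber part), and the one awkward detail for anyone who has to handle IMSIs in logs or firewall rules is that the MNC is two digits in some countries and three in others, so the split cannot be made from the digits alone. The following is an added example, not from the report, of a small IMSI parser that takes an MNC-length table keyed by MCC and refuses malformed input; the table used here is constructed for illustration and is not real allocation data. It also shows a masking helper, because the subscriber part of an IMSI is exactly what should be redacted before signaling logs are shared as threat intelligence, while the MCC/MNC prefix (which only names the home network) can safely stay.

```python
"""IMSI parsing and masking (added example, not from the report).

An IMSI is MCC (3 digits) + MNC (2 or 3 digits) + a subscriber part.
The MNC length depends on the country, so the caller passes a table
keyed by MCC; the table below is constructed for illustration only.
"""

# Constructed MNC-length table: real deployments would load this from an
# authoritative numbering-plan source, not hard-code it.
EXAMPLE_MNC_LENGTH_BY_MCC = {
    "222": 3,   # hypothetical: three-digit MNCs for this country code
    "302": 3,   # hypothetical
    "262": 2,   # hypothetical: two-digit MNCs
}


def split_imsi(imsi, mnc_length_by_mcc, default_mnc_length=2):
    """Split an IMSI string into its MCC, MNC and subscriber part.

    Raises ValueError for non-numeric input, for IMSIs longer than the
    15-digit maximum, and for inputs too short to hold all three fields.
    """
    if not isinstance(imsi, str) or not imsi.isdigit():
        raise ValueError("IMSI must be a string of decimal digits")
    if len(imsi) > 15:
        raise ValueError("IMSI may not exceed 15 digits")
    mcc = imsi[:3]
    mnc_len = mnc_length_by_mcc.get(mcc, default_mnc_length)
    if mnc_len not in (2, 3):
        raise ValueError("MNC length must be 2 or 3")
    if len(imsi) <= 3 + mnc_len:
        raise ValueError("IMSI too short to contain a subscriber part")
    return {
        "mcc": mcc,
        "mnc": imsi[3:3 + mnc_len],
        "subscriber": imsi[3 + mnc_len:],
    }


def home_network_of(imsi, mnc_length_by_mcc):
    """Return the 'MCC-MNC' string that names the subscriber's home operator."""
    parts = split_imsi(imsi, mnc_length_by_mcc)
    return f"{parts['mcc']}-{parts['mnc']}"


def mask_imsi(imsi, mnc_length_by_mcc, keep=0):
    """Redact the subscriber part for logging, keeping the network prefix.

    `keep` trailing subscriber digits are left visible (0 by default) so that
    analysts can still distinguish events without recording the full identity.
    """
    parts = split_imsi(imsi, mnc_length_by_mcc)
    sub = parts["subscriber"]
    hidden = len(sub) - keep if keep < len(sub) else 0
    return parts["mcc"] + parts["mnc"] + "*" * hidden + sub[len(sub) - (len(sub) - hidden):]


if __name__ == "__main__":
    sample = "222333444444444"  # the layout example from Information Box 1
    print(split_imsi(sample, EXAMPLE_MNC_LENGTH_BY_MCC))
    print(home_network_of(sample, EXAMPLE_MNC_LENGTH_BY_MCC))
    print(mask_imsi(sample, EXAMPLE_MNC_LENGTH_BY_MCC, keep=2))
```

With a two-digit entry for the same MCC the split of "222333444444444" would instead yield MNC "33" and a ten-digit subscriber part, which is why the table, and not the digit string, decides the boundary.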

2. Geolocation Attacks Against Telecommunications Networks

This report principally focuses on geolocation threats that result from targeting mobile signaling networks. Surveillance actors can utilize either active or passive surveillance methods to obtain information from mobile signaling networks, with the effect of exposing a user’s location. In some cases they may combine multiple methods to accomplish this goal.

The distinction between the two approaches is notable. Active surveillance implies that an actor uses software to engage with a mobile network to elicit a response with the target phone location, whereas passive surveillance uses a collection device to obtain the location of phones directly from the network. When it comes to active attacks, an adversarial network uses software to send crafted signaling messages to vulnerable target mobile networks to query and obtain a current geolocation of the target phone. Such attacks are possible where the targeted networks do not have properly deployed or configured security controls. Further, an actor accessing a network through a lease arrangement can only use active surveillance methods unless they have the ability to install, or otherwise access, passive collection devices located in networks around the world.

There is, however, the possibility that a mobile operator or other actors could be compelled to undertake both active and passive surveillance. In this situation, the network operator may either be legally compelled to facilitate surveillance or, alternately, suffer from a hostile insider who is accessing mobile systems illicitly or illegally. Further, should a third-party gain access to the operator or provider, such as by compromising VPN access into the targeted network systems, they may be able to obtain location information of targeted users in both active and passive modes.

2.1 Active Attacks

In cases of active attacks, a domestic or foreign surveillance actor uses software to issue signaling messages which are directed at the target user’s mobile phone identity (commonly the IMSI) by manipulating the network signaling data to trigger a response from the target user’s home network. Such surveillance measures can be used to facilitate other communications interception, location disclosure, or service interruption. In this section, we discuss how actors may gain access to networks for geolocation tracking as well as some of the vulnerabilities that can subsequently be exploited by surveillance actors that are undertaking active surveillance operations.

2.1.1 How Actors Access Networks For Geolocation Tracking

Network-based geolocation tracking most commonly involves three interlinked elements:

  1. specialized surveillance software;
  2. a signaling address that is used to route malicious messages to the target network(s) so as to extract the targeted device’s geolocation data; and
  3. network connectivity to the global 3G SS7 and 4G Diameter network.

This global SS7 or Diameter network backbone is known as the IP Exchange (IPX). The purpose of the IPX is to facilitate interconnection between mobile operator networks for the transport of signaling messages according to agreed interoperable service definitions and commercial agreements.6 Further, the IPX architecture states that only service providers that are mobile network operators can connect to the network.7 Third parties outside the mobile network operator community should therefore not be able to connect and send mobile signaling messages; where they can, vulnerabilities in the receiving networks expose mobile users to unauthorized geolocation surveillance.

Connections by surveillance actors to the IPX network are generally accomplished through covert commercial arrangements with a mobile operator, intermediary IPX transit, or other third-party service providers, such as SMS messaging providers, private mobile network operators, or sponsored Internet of Things service providers that possess connections to the IPX. While the IPX is designed to enable network roaming between different operators’ networks it can also be abused to enable surreptitious geolocation surveillance. The IPX is used by over 750 mobile networks8 spanning 195 countries around the world.9 There are a variety of companies with connections to the IPX which may be willing to be explicitly complicit with, or turn a blind eye to, surveillance actors taking advantage of networking vulnerabilities and one-to-many interconnection points to facilitate geolocation tracking.

It is possible for mobile telecommunications companies to ‘lease’ access to their networks. This has the effect of significantly expanding the number of companies which may offer access to the IPX for malicious purposes. Moreover, a lessee can further sublease access to the IPX with the effect of creating further opportunities for a surveillance actor to use an IPX connection while concealing its identity through a number of leases and subleases.

In more detail, telecommunications operators in a given country apply for, and are allocated, bulk telephone number ranges according to a numbering plan administered by their national telecommunications regulatory authority. These ranges are used for a variety of purposes such as fixed line telephones, mobile numbers, or toll free numbers. Once the operator is allocated numbers, it can assign and use a portion of those numbers as addresses, known as Global Titles (GTs), for the equipment in its network that is needed to operationalize domestic and international roaming with other network partners. This includes equipment such as the Visitor Location Register (VLR), the Home Location Register (HLR), and other core network equipment.

The operators may also assign these GTs to third-party lessees. A malicious lessee may:

  • configure surveillance software to use the leased GTs to conduct their own surveillance;
  • use the GTs in a cloud-hosted solution to provide a commercial surveillance service; or
  • further partition the GTs for subleasing to other surveillance actors.

Notably, a surveillance actor can potentially lease GTs from either a single telecommunications operator or a range of operators from different jurisdictions. In this latter case, the surveillance actor may rotate attacks between the various subleased GTs either to try and avoid detection or to increase the likelihood of a successful operation if attacks from some of the subleased GTs happen to be blocked by network firewalls.

Figure 3: Threat landscape for foreign network-based geolocation tracking.

Surveillance actors’ operations are made possible due to the hub-and-spoke model that the IPX relies on to facilitate international roaming to other networks. In this model, while the IPX is responsible for routing and delivering messages between the home and roaming networks, it also connects other service providers, such as those delivering SMS messages, and other Value Added Service (VAS) providers that offer mobile number/HLR lookup, IoT mobility services, vehicle tracking, or hosted mobile virtual network operators (MVNO) that have agreements with IPXes. The end result is that a mix of third-parties have global access to mobile network operators’ networks despite not having any direct commercial relationship with the foreign networks to which they can connect.

2.1.2. Vulnerabilities Tied to Home Location Register Lookup and Network Identification

One of the methods used to reveal network information associated with a mobile phone number entails using a commercial HLR lookup service. These kinds of commercial services enable organizations which are not telecommunications operators to check the status of a mobile phone number using the SS7 network without a mobile operator agreement. In this kind of situation, a surveillance actor would pay a fee to the HLR lookup provider based on the number of mobile number lookups it submitted to the service.

After receiving the phone numbers to look up, the lookup service issues a query over the SS7 network and retrieves a response from the target's home network. That response discloses whether the targeted number is valid and actively registered on a mobile network. If it is valid and active, the response also discloses the network to which the phone is attached and whether it is in a roaming state. Critically, the response returns the target's IMSI (associated with the queried MSISDN) and the address of the roaming network's Visitor Location Register (VLR) on which the target phone is currently registered. With this information in hand, the actor can issue geolocation tracking requests with specific knowledge of the country, network, and VLR used by the target phone.

Alternatively, if the surveillance actor already has access to the SS7 network under a leasing arrangement with a mobile network, they can perform the same HLR lookup, but without relying on an intermediary commercial HLR lookup service.

Information Box 2: Cross Protocol Signaling Attacks

3G vulnerabilities are particularly acute due to widespread address leasing arrangements,10 though 4G networks can also assign and lease node addresses with the same effect. In some cases, actors will use 3G and 4G networks to simultaneously target the same user; these are referred to as “cross-protocol attacks.”

The effect is twofold: first, the surveillance actors can directly request and receive geolocation information associated with the IMSI of the targeted device. Second, because the source address must be populated in signaling messages in order to route the response back to the source, it also leaves a fingerprint of the attack. This means that network firewalls operated by telecommunications providers can identify the network from which the HLR lookup and location tracking messages were sent.

2.1.3. Domestic Threats: Innocent Until Proven Guilty

The risk of domestic location disclosure threats can sometimes be more concerning than those originating from foreign sources when third-parties are authorized by mobile operators to connect to their network. These can be particularly concerning in either low rule-of-law countries where domestic law enforcement or security agencies may abuse this access, or where state institutions in even high rule-of-law countries choose to exploit vulnerabilities in global telecommunications networks instead of working to actively secure and defend them.

Signaling firewalls used by telecommunications providers to prevent foreign operators, or surveillance actors, from illicitly querying the geolocation of their subscribers may be less effective against domestic threats. Specifically, if the signaling firewalls are not appropriately configured then attacks originating within the same network may go undetected, because activity originating from within the operator's own network is assumed to be trusted, and networks may not screen and block location tracking messages from sources within their own networks. The result is that third parties which are granted 3G and 4G addresses on home networks may sometimes be able to silently geolocate users without being noticed or filtered by the telecommunications provider.

In some countries, law enforcement and security agencies are allowed to connect directly to a home country network so that they can send location tracking messages domestically as well as internationally. In these cases, location tracking messages sent from that domestic operator network address may be allowed to use networks in that country to track the location of users on other networks in-country or on foreign networks.

An example of the risks associated with state control of a telecommunications operator can be seen in recent threat intelligence data showing location tracking attacks from the Vietnamese mobile operator Gmobile, owned by GTel Mobile, which in turn is owned by the Vietnam Ministry of Public Security.11 The Ministry of Public Security, whose role includes investigating national security matters, has been accused of various human rights violations including censorship and restrictions on internet freedom.12

From November 2022 to June 2023, five different SS7 GTs allocated to GTel/Gmobile were seen conducting surveillance operations targeting mobile users in African countries based on threat telemetry outputs from firewalls deployed in multiple mobile networks. Of the surveillance attempts seen from the data, a majority of the malicious signaling messages were associated with location disclosure.13

These conclusions emerge from data which is shown in Figure 4 and was derived from the Mobile Surveillance Monitor project, which tracks surveillance activity from threat intelligence data sources. This data revealed that threats were detected and blocked by Cellusys signaling network firewalls deployed at mobile operator networks. The charts show the distribution of various SS7 message operation types that were used by Gmobile in an attempt to track user locations from each of the source GT addresses which were, themselves, detected targeting phones in African mobile networks. As shown in the figure, various message types were used to attempt the location tracking operations. The technique of using different message types for location tracking is commonly used to try and either circumvent a signaling firewall or to enhance the chances of successfully geolocating the targeted devices.

Figure 4: SS7 message types used by Gmobile Vietnam GT’s to track user geolocation.

Gmobile was the only Vietnam network seen conducting targeted SS7 surveillance during this period of time. Given its ownership by the Ministry of Public Security the targeting was either undertaken with the Ministry’s awareness or permission, or was undertaken in spite of the telecommunications operator being owned by the state.

2.2 Passive Attacks

Passive location attacks involve a domestic or foreign mobile network collecting usage or location information associated with a target mobile phone using collection devices installed in the network. The devices collect, and forward, communications and network data to a data warehouse or command and control facility which is operated by the surveillance actor.

2.2.1. Signaling Probes and Network Monitoring Tools

Signaling probes and network monitoring tools are typically placed into mobile networks by telecommunications companies for operational purposes, such as network troubleshooting. These devices are generally placed at strategic network locations to capture traffic at the user level as it passes between network equipment. The probes ingest raw signaling messages or IP traffic sent within a home network, or between the home and roaming partner networks where the user is currently registered. The network transactions are collected and forwarded to an upstream platform where they are processed and stored. Once in this platform, the messages can be aggregated to create operational Key Performance Indicators (KPIs) for analytics, or saved in a format that can be loaded into a packet analyzer such as Wireshark to trace an individual user's activity.14 Because the probes intercept user signaling information they can track the general location of a mobile phone, even if the phone is not actively engaged in a voice call or data session.

2.2.2. Packet Capture Examples of Location Monitoring

The following figures (5 and 6) show examples of Packet Capture (PCAP) traces acquired from a mobile network. The traces are derived from an anonymous source to demonstrate how surveillance actors can extract location data from mobile signaling networks. The first two types of messages shown are Provide Subscriber Location (PSL) and Provide Subscriber Information (PSI). These are just two examples of the many types seen in location tracking operations. The final example seen in Figure 7 shows how a passive device capturing a user data session on the mobile network could reveal the location of the phone.

Figure 5: PSL Signaling message active location tracking example.

In the PSL response, the GPS latitude and longitude coordinates of the phone's location are disclosed in the message sent back to the source GT, which could be operated by a surveillance actor.

Figure 6: PSI signaling message active location tracking example.

In Figure 6, an international roaming user with a phone number based in Toronto, Canada has been located with a PSI message while using a mobile network in New Zealand. This has the effect of exposing the phone geolocation at the Cell ID level. The location information of the user is encoded in the cellGlobalIdOrServiceAreaIdFixedLength parameter,15 which is an octet string including the current MCC, MNC, Location Area Code (LAC),16 and Cell ID. In effect, with the octet string in hand it is possible to geolocate the mobile device.

Figure 7: User location and identifiable information revealed in mobile data sessions (Note: Image was updated with additional redactions on November 8, 2023).

The packet capture shown in Figure 7 indicates that the IMSI, MSISDN, and IMEI of a mobile user have been revealed while the user attempted to establish a data session, as indicated by the GPRS Tunneling Protocol “Create Session Request” message. The request carries the User Location Info (ULI) field, which provides the information necessary to derive the current global location of the user, including the country, mobile network operator, base station, and Cell ID of the registered user.
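As an added example (not part of the original report, and not code from any vendor or from Mobile Surveillance Monitor), the following Python decodes the two location identifiers discussed above: the 7-octet cellGlobalIdOrServiceAreaIdFixedLength string returned in a MAP PSI response (Figure 6) and the User Location Info IE carried in a GTPv2 Create Session Request (Figure 7). The byte strings are constructed for illustration: MCC 530 is New Zealand and 302/720 is a Canadian PLMN, but the MNC 01, LAC, Cell ID, tracking area and eNodeB values are made up. The lookup-key format at the end is an assumed shape, not the format of any particular cell database.

```python
"""Decode the location identifiers carried in the messages discussed above.

MAP cellGlobalIdOrServiceAreaIdFixedLength (3GPP TS 29.002): 7 octets =
PLMN identity (3 octets, BCD) + LAC (2 octets) + Cell ID or Service Area Code (2 octets).
GTPv2 User Location Information IE value (3GPP TS 29.274, IE type 86):
one flags octet followed by the location fields the flags announce, in fixed order.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def decode_plmn(octets: bytes) -> Tuple[str, str]:
    """Decode a 3-octet BCD PLMN identity into (MCC, MNC).

    Nibble layout (3GPP TS 24.008, 10.5.1.3):
      octet 1: high nibble MCC digit 2, low nibble MCC digit 1
      octet 2: high nibble MNC digit 3 (0xF for 2-digit MNCs), low nibble MCC digit 3
      octet 3: high nibble MNC digit 2, low nibble MNC digit 1
    """
    if len(octets) != 3:
        raise ValueError("PLMN identity is exactly 3 octets")
    o1, o2, o3 = octets
    digits = [o1 & 0x0F, o1 >> 4, o2 & 0x0F, o3 & 0x0F, o3 >> 4]
    mnc3 = o2 >> 4
    if any(d > 9 for d in digits) or (mnc3 != 0x0F and mnc3 > 9):
        raise ValueError("non-decimal digit in MCC/MNC")
    mcc = "".join(str(d) for d in digits[:3])
    mnc = "".join(str(d) for d in digits[3:])
    if mnc3 != 0x0F:          # three-digit MNC
        mnc += str(mnc3)
    return mcc, mnc


@dataclass(frozen=True)
class CellLocation:
    kind: str             # "CGI", "TAI" or "ECGI"
    mcc: str
    mnc: str
    area: Optional[int]   # LAC (CGI) or TAC (TAI); None for ECGI
    cell: Optional[int]   # Cell ID (CGI) or 28-bit E-UTRAN Cell Identity (ECGI); None for TAI

    def lookup_key(self) -> str:
        """Key for a cell-location database (assumed format, constructed for this example)."""
        return f"{self.kind}:{self.mcc}-{self.mnc}-{self.area}-{self.cell}"

    @property
    def enb_id(self) -> Optional[int]:
        """For ECGI, the 20-bit eNodeB ID (upper part of the 28-bit ECI)."""
        return self.cell >> 8 if self.kind == "ECGI" else None


def decode_map_cgi(octets: bytes) -> CellLocation:
    """Decode MAP cellGlobalIdOrServiceAreaIdFixedLength from a PSI / PSL response."""
    if len(octets) != 7:
        raise ValueError(f"expected 7 octets, got {len(octets)}")
    mcc, mnc = decode_plmn(octets[0:3])
    lac = int.from_bytes(octets[3:5], "big")
    ci = int.from_bytes(octets[5:7], "big")
    return CellLocation("CGI", mcc, mnc, lac, ci)


# ULI flag bits and field sizes, in the order the fields appear after the flags octet.
ULI_FIELDS = (
    (0x01, "CGI", 7), (0x02, "SAI", 7), (0x04, "RAI", 7),
    (0x08, "TAI", 5), (0x10, "ECGI", 7), (0x20, "LAI", 5),
)


def decode_gtpv2_uli(value: bytes) -> Dict[str, CellLocation]:
    """Decode the value of a GTPv2 ULI IE (type/length/instance header already stripped).

    CGI, TAI and ECGI are decoded; SAI, RAI and LAI are skipped by length so the parser
    stays aligned when they are present.
    """
    if not value:
        raise ValueError("empty ULI")
    flags, pos, found = value[0], 1, {}
    for bit, name, size in ULI_FIELDS:
        if not flags & bit:
            continue
        field = value[pos:pos + size]
        if len(field) != size:
            raise ValueError(f"truncated {name} field")
        pos += size
        if name in ("SAI", "RAI", "LAI"):
            continue
        mcc, mnc = decode_plmn(field[0:3])
        if name == "CGI":
            found[name] = CellLocation("CGI", mcc, mnc, int.from_bytes(field[3:5], "big"),
                                       int.from_bytes(field[5:7], "big"))
        elif name == "TAI":
            found[name] = CellLocation("TAI", mcc, mnc, int.from_bytes(field[3:5], "big"), None)
        else:  # ECGI: 4 spare bits then the 28-bit E-UTRAN Cell Identity
            eci = int.from_bytes(field[3:7], "big") & 0x0FFFFFFF
            found[name] = CellLocation("ECGI", mcc, mnc, None, eci)
    return found


# Constructed sample inputs (not taken from the report's captures).
# PSI response CGI: MCC 530 (New Zealand), MNC 01, LAC 42, Cell ID 4660.
SAMPLE_MAP_CGI = bytes.fromhex("35f010" "002a" "1234")
# GTPv2 ULI value with TAI + ECGI (flags 0x18): PLMN 302/720, TAC 4660, eNB ID 4660, cell 5.
SAMPLE_GTP_ULI = bytes.fromhex("18" "030227" "1234" "030227" "00123405")

if __name__ == "__main__":
    print(decode_map_cgi(SAMPLE_MAP_CGI).lookup_key())
    for name, loc in decode_gtpv2_uli(SAMPLE_GTP_ULI).items():
        print(name, loc.lookup_key(), "eNB", loc.enb_id)
```

The PLMN decoder is shared by both paths because the MAP and GTP encodings use the same BCD nibble layout; the only difference between the message types is what follows the three PLMN octets. A cell-level identifier such as the CGI or ECGI is only useful to an attacker once it is joined against a cell database, which is exactly the step described for the Saudi case study below.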

3. Case Studies and Statistics

The following case study reveals a tactic used to track the location of targeted users on a mobile network. It shows how a state sponsored surveillance actor can monitor the location of international traveler phones outside of their country.

3.1 Case Study – Saudi Arabia Tracking Travelers in the United States

The Guardian revealed a particularly notable example of likely state-sponsored geolocation tracking when it exposed activities which were likely conducted by the Kingdom of Saudi Arabia. The outlet reported that the country allegedly tracked the movements of individuals who traveled from Saudi Arabia to the United States and who were subscribers to Saudi telecommunications providers by exploiting the SS7 network.17

This surveillance was carried out by sending large volumes of Provide Subscriber Information (PSI) messages targeting mobile devices that were roaming in the United States. These messages were issued by Saudi Arabia's three largest mobile operators: Saudi Telecom Company (STC), Mobily (Etisalat), and Zain KSA. When a network receives a PSI message, it responds with the Cell ID (CID) of the targeted device, and the CID in turn uniquely identifies the base station to which the device is registered at that point in time. In effect, the United States network processed the PSI messages, which exposed the geolocation of the phones in the United States to the surveillance actors in Saudi Arabia. Surveillance actors can resolve the CID against a CID database to obtain the GPS coordinates of the cell. In aggregate, then, any PSI messages allowed into the network acted as a linchpin to identify individuals' geolocation at the time of the surveillance and for the duration of the targeted persons' travels in the United States, revealing the mobility patterns of residents of Saudi Arabia in the United States. This operation is described in the figure below.

Figure 8: Location tracking of Saudi Arabian travelers in the United States.

The article noted that these messages were sent to each targeted Saudi phone many times per hour and that the anomalous activity could not be explained or justified under expected network operating procedures.

The transactions shown in Table 1 were aggregated over October to December 2019. They reveal the number of PSI messages that were sent from the three Saudi Arabia mobile operators to a specific United States mobile network, targeting IMSIs of Saudi phones roaming on that network. The total IMSI count is the number of unique phones from the roaming partner seen on the network during the same timeframe.18

Roaming Partner Name              | MCC, MNC | PSI Transactions | Total IMSIs
Saudi Telecom Company (STC)-SAUAJ | 420, 01  | 4,741,919        | 32,536
Etihad Etisalat Mobily-SAUET      | 420, 03  | 2,821,709        | 11,362
Zain KSA-SAUZN                    | 420, 04  | 417,412          | 3,658
Total                             |          | 7,981,040        | 47,556

Table 1: Saudi Arabia location tracking to United States mobile operator – Oct-Dec 2019.

Data in Table 2 gives the total number of tracking messages received from the Saudi Arabia network operators during a single 24-hour period, broken into hourly segments. The final column divides the PSI transactions in each hour by the number of unique IMSIs seen in that hour; averaged over the day this is roughly five requests per phone per hour, meaning each mobile phone was geolocated approximately every 11 minutes.

Event Date          | PSI Transactions | Total IMSIs | Successful IMSIs | Requests Per Phone
29 Nov, 2019 00 hr  | 1750             | 265         | 262              | 6.60
29 Nov, 2019 01 hr  | 1469             | 242         | 241              | 6.07
29 Nov, 2019 02 hr  | 1491             | 223         | 221              | 6.69
29 Nov, 2019 03 hr  | 1469             | 214         | 212              | 6.86
29 Nov, 2019 04 hr  | 1199             | 209         | 207              | 5.74
29 Nov, 2019 05 hr  | 1441             | 250         | 247              | 5.76
29 Nov, 2019 06 hr  | 1231             | 222         | 222              | 5.55
29 Nov, 2019 07 hr  | 1249             | 270         | 266              | 4.63
29 Nov, 2019 08 hr  | 1125             | 229         | 229              | 4.91
29 Nov, 2019 09 hr  | 1523             | 306         | 303              | 4.98
29 Nov, 2019 10 hr  | 1260             | 290         | 288              | 4.34
29 Nov, 2019 11 hr  | 1358             | 304         | 304              | 4.47
29 Nov, 2019 12 hr  | 1325             | 298         | 297              | 4.45
29 Nov, 2019 13 hr  | 1677             | 368         | 367              | 4.56
29 Nov, 2019 14 hr  | 1567             | 380         | 378              | 4.12
29 Nov, 2019 15 hr  | 1684             | 406         | 403              | 4.15
29 Nov, 2019 16 hr  | 2191             | 443         | 439              | 4.95
29 Nov, 2019 17 hr  | 2560             | 507         | 504              | 5.05
29 Nov, 2019 18 hr  | 2426             | 484         | 484              | 5.01
29 Nov, 2019 19 hr  | 2368             | 467         | 465              | 5.07
29 Nov, 2019 20 hr  | 2363             | 422         | 417              | 5.60
29 Nov, 2019 21 hr  | 2196             | 407         | 402              | 5.40
29 Nov, 2019 22 hr  | 2397             | 409         | 400              | 5.86
29 Nov, 2019 23 hr  | 2387             | 354         | 348              | 6.74

Table 2: Saudi Arabia single day PSI location tracking targeting a United States mobile operator – Nov 29, 2019.

Typically, PSI signaling messages from foreign networks are blocked by a network firewall. This defensive measure is intended to prevent unauthorized geolocation lookups. It did not occur in this case study because the messages came from the targeted phones' own home networks: the Saudi operators were querying the United States network about their own subscribers roaming on it, which is the one situation in which a PSI from a foreign network is expected and is therefore allowed through. In contrast, had the messages been sent from a foreign network to a subscriber who did not belong to that network, such as if a British operator had queried the same Saudi Arabian users while they roamed on United States networks, these messages should have been blocked.
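The two filtering decisions described in this section, and the requests-per-phone metric of Table 2, can be written down as firewall triage logic. The following Python is an added example, not code from the report, from Mobile Surveillance Monitor or from any firewall vendor. It reads constructed PSI log lines, rejects PSIs whose source network is not the targeted IMSI's home network, flags home-network PSIs that exceed a per-subscriber hourly rate (the threshold of two per hour is an assumption), computes the per-hour requests-per-phone figure used in Table 2, and collapses offending source GTs onto their allocated 10,000-number block so that the GT rotation described in Section 2.1.1 still shows up as one source. The log format, GT-prefix table and MNC-length table are made up for the example; a real deployment would derive them from its IR.21/RAEX roaming partner data and the MCC/MNC registry.

```python
"""Signaling-firewall triage of MAP ProvideSubscriberInfo (PSI) seen at a visited network.

Check 1 (source): a PSI about a roaming subscriber is only expected from that subscriber's
own home network, whose HLR legitimately asks the serving VLR. Any other source is rejected.
Check 2 (rate): even home-network PSIs are rare, so a home network polling the same IMSI
many times per hour is flagged rather than silently allowed.
Offending source GTs are then collapsed onto their allocated number block so that an actor
rotating through leased GTs from one block is still seen as one source.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

Plmn = Tuple[str, str]

# Constructed lookup tables for this example. In a deployment they come from the operator's
# roaming partner data (IR.21 exchanged via RAEX) and the MCC/MNC registry.
MNC_DIGITS: Dict[str, int] = {"420": 2, "302": 3, "234": 2}     # MCC -> MNC length
GT_PREFIX_TO_PLMN: Dict[str, Plmn] = {                          # source GT prefix -> owner
    "96650": ("420", "01"),   # constructed prefix for a Saudi operator
    "96654": ("420", "03"),   # constructed prefix for a second Saudi operator
    "44770": ("234", "15"),   # constructed prefix for a UK operator
}
RATE_LIMIT_PER_HOUR = 2       # assumption: more PSIs than this per IMSI per hour is anomalous
BLOCK_DIGITS = 4              # 10,000-number allocation blocks, as in Figure 12


@dataclass(frozen=True)
class PsiEvent:
    ts: str        # ISO-8601 UTC timestamp from the firewall log
    src_gt: str    # E.164 global title of the sender (SCCP calling party)
    imsi: str      # targeted subscriber


def home_plmn(imsi: str) -> Optional[Plmn]:
    """Derive the home network from the IMSI's leading MCC+MNC digits."""
    mcc = imsi[:3]
    n = MNC_DIGITS.get(mcc)
    return (mcc, imsi[3:3 + n]) if n else None


def source_plmn(gt: str) -> Optional[Plmn]:
    """Longest-prefix match of the calling GT against the roaming partner table."""
    for n in range(len(gt), 0, -1):
        owner = GT_PREFIX_TO_PLMN.get(gt[:n])
        if owner:
            return owner
    return None


def parse_line(line: str) -> Optional[PsiEvent]:
    """Parse one constructed log line '<ts> <op> src_gt=<gt> imsi=<imsi>'; non-PSI ops are ignored."""
    ts, op, *kv = line.split()
    if op != "PSI":
        return None
    fields = dict(p.split("=", 1) for p in kv)
    return PsiEvent(ts, fields["src_gt"], fields["imsi"])


def triage(lines: Iterable[str], rate_limit: int = RATE_LIMIT_PER_HOUR) -> dict:
    blocked: List[PsiEvent] = []
    allowed: List[PsiEvent] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        home, src = home_plmn(ev.imsi), source_plmn(ev.src_gt)
        if home is None or src is None or src != home:
            blocked.append(ev)      # check 1: not the subscriber's home network
        else:
            allowed.append(ev)
    # check 2: count per (source network, IMSI, hour) over what check 1 let through
    buckets: Dict[tuple, int] = defaultdict(int)
    for ev in allowed:
        buckets[(source_plmn(ev.src_gt), ev.imsi, ev.ts[:13])] += 1
    flagged = {k: v for k, v in buckets.items() if v > rate_limit}
    return {"blocked": blocked, "allowed": allowed, "flagged": flagged}


def hourly_requests_per_phone(events: Iterable[PsiEvent]) -> Dict[str, Tuple[int, int, float]]:
    """Per hour: (PSI count, unique IMSIs, requests per phone), the metric of Table 2."""
    psi: Dict[str, int] = defaultdict(int)
    imsis: Dict[str, set] = defaultdict(set)
    for ev in events:
        psi[ev.ts[:13]] += 1
        imsis[ev.ts[:13]].add(ev.imsi)
    return {h: (psi[h], len(imsis[h]), round(psi[h] / len(imsis[h]), 2)) for h in psi}


def attribute_blocks(gts: Iterable[str], block_digits: int = BLOCK_DIGITS) -> Dict[str, List[str]]:
    """Collapse GTs onto their allocated number block (trailing digits wildcarded)."""
    blocks: Dict[str, set] = defaultdict(set)
    for gt in gts:
        blocks[gt[:-block_digits] + "X" * block_digits].add(gt)
    return {b: sorted(g) for b, g in blocks.items()}


# Constructed log lines (not real telemetry): one Saudi GT polls a roaming Saudi IMSI six
# times in an hour, a second Saudi GT sends one PSI, a UK GT queries a Saudi IMSI, and two
# GTs from one Swedish number block query a Canadian IMSI. An UpdateLocation line is ignored.
SAMPLE_LOG = """\
2019-11-29T00:01:10Z PSI src_gt=966501000001 imsi=420011234567890
2019-11-29T00:12:40Z PSI src_gt=966501000001 imsi=420011234567890
2019-11-29T00:23:05Z PSI src_gt=966501000001 imsi=420011234567890
2019-11-29T00:34:51Z PSI src_gt=966501000001 imsi=420011234567890
2019-11-29T00:45:22Z PSI src_gt=966501000001 imsi=420011234567890
2019-11-29T00:56:48Z PSI src_gt=966501000001 imsi=420011234567890
2019-11-29T00:30:00Z PSI src_gt=966541000009 imsi=420039876543210
2019-11-29T00:31:00Z PSI src_gt=447701000001 imsi=420011234567890
2019-11-29T00:32:00Z PSI src_gt=46701234001 imsi=302720111222333
2019-11-29T00:33:00Z PSI src_gt=46701234002 imsi=302720111222333
2019-11-29T00:34:00Z UL src_gt=966501000001 imsi=420011234567890
""".splitlines()

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("blocked:", [(e.src_gt, e.imsi) for e in result["blocked"]])
    print("flagged:", result["flagged"])
    print("requests/phone:", hourly_requests_per_phone(result["allowed"]))
    print("blocks:", attribute_blocks(e.src_gt for e in result["blocked"]))
```

The source check is what the paragraph above describes: the British GT is dropped outright, while the Saudi GTs pass because they own the targeted IMSIs. The rate check is what would have surfaced the Saudi case, since a home HLR has no operational reason to ask a visited VLR for the same subscriber's cell every ten minutes. Collapsing GTs onto their allocated block is the defender's counter to the GT rotation described in Section 2.1.1: blocking one leased GT at a time is the whack-a-mole described in Section 4, whereas blocking or escalating at the level of the allocated range addresses the lessor.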

The reason for the blanket surveillance outlined in this case study is not entirely clear. Nevertheless, we can conclude that this was likely state-sponsored activity intended to identify the mobility patterns of Saudi Arabia users who were traveling in the United States.

3.2. Current Statistics – Geolocation Tracking vs Other Threat Types

The failure of effective regulation, accountability, and transparency has been a boon for network-based geolocation surveillance. The figures below provide some context and offer a current view of the global mobile network landscape.

While some industry experts believe that mobile operators use firewalls to block a majority of geolocation tracking, with the effect of limiting the utility of using traditional SS7 surveillance methods, statistics provided by Mobile Surveillance Monitor indicate that geolocation disclosure is the most prevalent network threat type by a wide margin.

Figure 9: Network attack distribution by threat type.

Mobile Surveillance Monitor has also identified that approximately 171 networks from 100 source countries sent targeted geolocation tracking messages to mobile operator networks located in Africa during the first half of 2023, indicating continued widespread attempted SS7 surveillance activity. The top malicious networks from which these messages were sourced in 2023 are shown in Figure 10. The volume disparity between the top two network sources and the rest of the list indicates that GTs from Millicom Chad and Celtel DRC are likely attempting to harvest user location data in bulk. The activities of these GTs stand in contrast to other sources, such as Fink Telecom Services, which was exposed for selling targeted commercial phone surveillance services in the report “Ghost in the network” by the investigative journalism firm Lighthouse Reports.19

Figure 10: SS7 Network geolocation disclosure threats — ranking by source network.

4. Incentives Enabling Geolocation Attacks

From an outsider’s perspective, securing the perimeters of mobile networks would appear to be a straightforward process. Enterprises routinely place rigid security controls and filters at the edges of their networks using a firewall, so why would the same approach not be applied to mobile networks? And why not follow industry standards and widely accepted network security guidelines for mobile networks? In practice, security in mobile telecommunications is not as clear cut as it should be. A deeper look at some of the drivers in this critical infrastructure space can expose some controls which are more easily enforced than others.

Whereas domestic roaming policies can be mandated by the regulatory agencies of each country, such as through the CRTC Telecom Regulatory Policies20 or the UK Telecommunications Security Act,21 international roaming is based on independent bidirectional negotiations and exchanges of addressing information which are not regularly monitored or updated. At the industry level, technical interoperability and commercial aspects are facilitated by the GSMA Wholesale Agreements and Solutions (WAS) Working Group,22 and the interoperability and addressing information exchanged between operators is maintained in documents known as the IR.21,23 which are exchanged electronically using the Roaming Agreement Exchange (RAEX).24 The network information in the IR.21 includes the assignment of GT addresses or ranges to specific equipment in the operator network, with the purpose of informing each roaming partner for routing, interoperability, and security.

In the mobile telecommunications industry, the lack of strict requirements to maintain an inventory of address assignments to core network equipment has resulted in insufficient diligence by mobile operators around the world in updating their roaming address information. The resulting ambivalence about relying on RAEX and the network addresses listed in the IR.21 reduces its reliability as a mobile security resource. The lack of an authorized and validated list of roaming partners with verified network information runs counter to the fundamentals of building a zero trust security posture.25 If strict compliance were properly maintained by each operator around the world, networks could use the resulting inventory to build better perimeter security controls, for example by only accepting messages from the GTs that each partner has declared for the equipment that would legitimately send them.

4.1. Economic Enablers

As mobile operators deployed analytics to monitor traffic exchanged between their roaming partner networks, it quickly became apparent that the trust model was broken. Millions of unauthorized messages from foreign networks were discovered26 and this drove the industry to develop requirements for a signaling network firewall. While security guidelines and specifications have been designed and released by the GSMA’s Fraud and Security Group (FASG)27 there are, as of writing, no universal accountability or enforcement mechanisms. It is up to each respective mobile network operator–and perhaps their domestic telecommunications regulators and cybersecurity authorities–to decide whether, and how, they should protect their networks and subscribers.

Attention to unauthorized signaling messages became more acute following the presentation of the Carmen Sandiego Project at Black Hat 2010,28 and the presentation by Tobias Engel at the 2014 Chaos Communication Congress.29 The former revealed points of security vulnerability and the latter showed how basic software and SS7 network connectivity could enable limitless surveillance operations.

It was those presentations, and the accompanying media attention, that drove vendors to begin developing and selling signaling firewalls. The adoption of these firewalls was often delayed, however, because some mobile network operators had already been leasing their networks to third-party Value Added Service (VAS) providers. This meant they were disincentivized to adopt a security posture which might negatively impact these business relationships and the accompanying revenue. It was only after the GSMA finalized SS7 network security guidelines in 2017 that network operators began to deploy firewalls. By that time, however, surveillance actors had already leased GTs and deployed capabilities in mobile networks around the world, undermining some of the protections that signaling firewalls were meant to provide.

4.2 Industry Enablers

The mutually beneficial revenues associated with the vibrant GT leasing business have provided mobile networks around the world with a significant source of income. As of May 2023, network providers such as the Swedish telecommunications provider Telenabler AB, shown in Figure 11, continued to openly promote SS7 Global Title Leasing as a business offering.

Figure 11: Telenabler Global Title leasing web page.

The risk of GT leasing is made clear by examining the GTs assigned to Telenabler by the Swedish Post and Telecom Authority (PTS), as shown in Figure 12 below. The outlined number range identifies a specific block of 10,000 numbers allocated to Telenabler, a subset of which were seen as the source of location tracking operations.

Figure 12: Swedish number range assigned to Telenabler seen as the source of location tracking operations.

Four of the telephone numbers assigned to Telenabler were detected attempting geolocation surveillance up until June 29, 2023, as seen in Figure 13 below. Consistent with many surveillance actors, the source numbers used as GTs assigned to Telenabler were seen using multiple SS7 signaling message operation types. While different types of signaling messages were used, each had the objective of disclosing the geolocation of a target user's phone.

Figure 13: Location surveillance threat events attributed to Telenabler leased GTs.

GT leasing rates have been removed from most websites due to the perceived negative implications of making networks available for a cost. However, the fees have traditionally been in the $5,000-$15,000 per month range.30 Global Title lessors assert that there are a number of benefits associated with their commercial engagements. First, they assert they can offer SS7 network access to third parties without the resources to obtain number ranges. Second, they claim they can offer access to MVNOs and Global SIM service providers with a core network when they may not otherwise be able to obtain them due to local regulatory requirements. And, third, they assert that by leasing GTs they can offer global connectivity to messaging and value added service providers to mobile networks with low barriers to entry. Regardless of the extent to which these benefits are realized they also open the door to malicious operators to make GTs available to surveillance actors to undertake surreptitious geolocation surveillance.

Information Box 3: The Future of Global Title Leasing

The practice of third-party network leasing by mobile networks remains an unregulated and opaque practice in the mobile industry. Network operators cannot determine which networks and which addresses have been leased to third-parties. Further, they have no ability to check the legitimacy of those third-parties or whether they have additional subleasing arrangements with surveillance actors such as criminal groups or state-sponsored entities. As a result, there is little accountability in the event a foreign network operator knowingly or unknowingly sells network access to a surveillance actor who is targeting mobile users.

The current status quo, however, may be changing. In March 2023, the GSMA released the document entitled “Global Title Leasing Code of Conduct.”31 The document lists a number of issues and concerns related to the commercial practice of GT leasing, which we have detailed in this report, and goes on to state that “GT leasing has evolved through the emergence of commercial relationships that were built up over time without any industry standardization, specifications, or recommendations. As a result, there is no agreed framework governing the relationships between GT Lessors and the networks to which they are interconnected.”32 The document proceeds to state very clearly that, “GSMA strongly advises that GT Leasing should not be used.”33

While this is only a recommendation, it represents a significant shift in the official position of the GSMA and makes clear that the Association is at least willing to alter its policy positions. However, it remains unclear whether this will affect the third-party network reselling business that directly results in millions of yearly location tracking events seen on the world’s mobile networks.

The GSMA Global Title Leasing Code of Conduct, discussed in Information Box 3, assigns legal liability to the GT Lessor in the event of malicious signaling traffic that causes harm to the target operator. By placing legal liability on the GT lessor that enables malicious cyber activities, such as geolocation tracking, it is difficult to conceive that the benefits to the selling operator outweigh the security, operational, and financial risks. However, telecommunications regulation is a state affair and, as such, it can be challenging to develop uniform cross-national industry policies or mandates that restrict such activities. Consequently, each respective operator is required to maintain strict security controls and firewalls to protect their network and subscribers.

Historically speaking, efforts by industry organizations to encourage restrictions on GT leasing have proven insufficient. While industry working groups such as the GSMA FASG have been formed to create guidelines meant to encourage mobile network operators to deploy security controls, they do not provide enforcement, publicly disclose attack statistics, or offer relevant threat intelligence with active operator participation. The GSMA provides the Telecommunication Information Sharing and Analysis Center (T-ISAC) as a threat intelligence sharing hub intended to distribute information about cybersecurity attacks. However, the service is only available to GSMA members, so access to this information requires an annual financial contribution. In 2023, this contribution was between $14,306 and $136,460, effectively serving as a payment gate for information that benefits the security and privacy of civil society.34

Mobile operators can directly engage the offending mobile operator whose network is seen as the source of malicious signaling messages targeting their subscribers. This process traditionally involves the targeted mobile operator contacting the operator that was the source of the malicious signaling messages and giving notice that, if no responsible mitigation is seen, the targeted operator will block subsequent traffic sent from the offending source GT address. However, if the targeted network operator blocks signaling messages from the source operator’s GT, the surveillance actor can simply shift to sending these messages using another GT leased from the same operator, or from other operators with which they have leasing arrangements. This process can continue, with the attacker cycling through the available leased GTs until they are exhausted. Alternatively, attacks may be spread evenly over multiple networks across the world as a detection avoidance technique. The result is an operationally intensive game of whack-a-mole in which the defending operator either gives up or configures the firewall to block the message types used in the attacks.

4.3. Government Enablers

In addition to some network operators being financially motivated to engage in leasing arrangements to surveillance actors, and the industry being largely unable to self-regulate, governments have generally taken a “hands off” approach to mobile network security. This may be linked to a lack of clear authorities conferred on telecommunications regulators, to assumptions that mobile operators are best situated to solve security issues in their networks and, in other situations, to some government agencies benefitting from mobile network vulnerabilities and the state of weak operator security protocols.

In the first case, some domestic regulators are starting to take more active roles in demanding mobile network security standards. Critical infrastructure legislation is being passed and cybersecurity agencies are becoming more active in requiring telecommunications operators to provide details of how they secure their systems.35 It remains to be seen, however, whether the wave of legislation that is being passed will necessarily lead to effective government action or if, instead, it will just provide a range of powers and tools which governments are either ill-prepared to use or which could lead to insufficiently accountable government interference in telecommunications networks.36

In the second case, as states become more assertive in the kinds of security that telecommunications operators must adopt, the telecommunications operators can push back. They might oppose new government activity on the basis that proposed standards and requirements are overly intrusive, generally unneeded, or are simply inappropriate to the contemporary threat environment. In countries such as Canada there have long been voluntary forums wherein mobile operators and the government establish high-level standards that are accompanied by security review processes by government agencies.37 Such measures may be insufficient given the current state of network insecurity.

In the third case, and perhaps more ominously, intelligence and security agencies that rely on mobile networks for surveillance may balk at the idea of heightening domestic telecommunications networks’ security postures. They may also have an upper hand when it comes to determining what kinds of security elements are most appropriate, on the basis that they can effectively veto cybersecurity solutions that would impede their abilities to conduct surveillance domestically and abroad. While intelligence and security agencies may be most likely to understand how to exploit telecommunications networks for geolocation tracking, policymakers should also be mindful of the potential for law enforcement agencies to similarly misuse access to telecommunications networks, particularly in cases where domestic law enforcement agencies have a history of inappropriately exercising their powers absent suitable oversight and judicial authorization.

5. Geolocation Tracking in 5G Networks and Unimplemented Defensive Measures

Surveillance actors have an ongoing interest in mobile networks and so they will adapt their methods according to the capabilities of the target network. While mobile telecommunications technologies and standards continuously evolve, many of the underlying principles and functionalities of the network architecture and surveillance methodologies remain the same.

Information Box 4: Equivalent signaling message types used to query mobile device location

In the case of user location lookups, each of these messages performs a similar action and could be exploited by an adversary; an adversary could even use all of these vectors simultaneously against a single user if telecommunications operators expose these vectors as a result of how they have configured their networks.

Network Type | Sending Node | Example Message
2G/3G SS7    | HLR          | MAP_Provide-Subscriber-Information (PSI)
4G Diameter  | HSS          | Diameter Insert_Subscriber_Data_Request (IDR)
5G           | UDM          | Namf_Location_ProvideLocationInformation (NPLI)

Given the historical exposure of users to location tracking by adversaries, and the emergence of new services in 5G such as connected cars, smart homes, smart grids, and healthcare, it is critical that mobile network operators take a holistic and all-encompassing approach to protecting their networks if they are to limit the vulnerabilities which surveillance actors will otherwise exploit and abuse.
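As an added example (not code from the Citizen Lab report or any operator tooling), the following detection logic applies the equivalence in Information Box 4 and the GT-cycling problem described in the blocking discussion above: it treats SS7 PSI, Diameter IDR, and 5G Namf_Location_ProvideLocationInformation as one "location query" category, flags queries that reach a home subscriber from a network the subscriber is not roaming on, and groups the offending sources by the network that leases them. All records, addresses, and network codes are constructed (MCC 999 is reserved for test use), and the roaming-state lookup is a simplified stand-in for a real HLR/HSS/UDM query.

```python
"""Cross-generation location-query detection over constructed signaling records.

Added example, not code from the Citizen Lab report or any vendor. Every
record, address and network code below is constructed (MCC 999 is reserved
for test use)."""

from collections import defaultdict
from dataclasses import dataclass

# Information Box 4: equivalent messages that return a subscriber's location.
LOCATION_QUERY_TYPES = {
    "MAP_Provide-Subscriber-Information": "2G/3G SS7",
    "Insert_Subscriber_Data_Request": "4G Diameter",
    "Namf_Location_ProvideLocationInformation": "5G",
}


@dataclass(frozen=True)
class SignalingEvent:
    ts: int              # seconds since epoch (constructed)
    source: str          # calling GT (SS7), Origin-Host (Diameter) or SEPP FQDN (5G)
    source_network: str  # MCC+MNC of the network that owns or leases the source address
    msg_type: str
    imsi: str            # queried subscriber; the MCC+MNC prefix identifies its home network


def suspicious_location_queries(events, home_network, roaming_state):
    """Return location queries for home subscribers that came neither from the
    home network nor from the network the subscriber is currently roaming on.

    roaming_state maps IMSI -> MCC+MNC of the visited network registered in the
    HLR/HSS/UDM; a subscriber absent from the map is at home. This is a
    simplified location-plausibility check, a stand-in for a real HLR query."""
    hits = []
    for ev in events:
        if ev.msg_type not in LOCATION_QUERY_TYPES:
            continue                                   # not a location vector
        if not ev.imsi.startswith(home_network):
            continue                                   # not our subscriber
        if ev.source_network == home_network:
            continue                                   # internal core-network traffic
        if roaming_state.get(ev.imsi) == ev.source_network:
            continue                                   # consistent with registered location
        hits.append(ev)
    return hits


def vectors_per_subscriber(hits):
    """Network generations used against each subscriber; an actor may use all
    three vectors at once against a single target."""
    seen = defaultdict(set)
    for ev in hits:
        seen[ev.imsi].add(LOCATION_QUERY_TYPES[ev.msg_type])
    return {imsi: sorted(v) for imsi, v in seen.items()}


def sources_by_lessor(hits):
    """Group offending source addresses by the network they belong to. Several
    addresses under one network is the pattern of an actor cycling through
    leased GTs after a single address is blocked; the durable response is to
    filter the message type (or the whole range) rather than one address."""
    grouped = defaultdict(set)
    for ev in hits:
        grouped[ev.source_network].add(ev.source)
    return {net: sorted(s) for net, s in grouped.items()}


# Constructed sample: home network MCC 999 / MNC 01. Subscriber ...0001 is at
# home; subscriber ...0002 is roaming on network 99904.
HOME_NETWORK = "99901"
ROAMING_STATE = {"999010000000002": "99904"}
SAMPLE_EVENTS = [
    SignalingEvent(0, "GT-99902-A", "99902", "MAP_Provide-Subscriber-Information", "999010000000001"),
    SignalingEvent(60, "GT-99902-B", "99902", "MAP_Provide-Subscriber-Information", "999010000000001"),
    SignalingEvent(120, "hss.99903.example", "99903", "Insert_Subscriber_Data_Request", "999010000000001"),
    SignalingEvent(180, "sepp.99903.example", "99903", "Namf_Location_ProvideLocationInformation", "999010000000001"),
    SignalingEvent(240, "GT-99902-C", "99902", "MAP_Update-Location", "999010000000001"),
    SignalingEvent(300, "GT-99904-A", "99904", "MAP_Provide-Subscriber-Information", "999010000000002"),
    SignalingEvent(360, "GT-99905-A", "99905", "MAP_Provide-Subscriber-Information", "999020000000009"),
]

if __name__ == "__main__":
    hits = suspicious_location_queries(SAMPLE_EVENTS, HOME_NETWORK, ROAMING_STATE)
    for ev in hits:
        print(f"t={ev.ts:>4} {LOCATION_QUERY_TYPES[ev.msg_type]:<11} {ev.source:<20} -> {ev.imsi}")
    print("vectors per subscriber:", vectors_per_subscriber(hits))
    print("sources by lessor:", sources_by_lessor(hits))
```

On the sample, the same subscriber is queried over all three generations, and the SS7 queries arrive from two different GTs of the same lessor network, which is why the grouping is by network rather than by address.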

5.1. Subscriber Identity Privacy Enhancements

New security features which are available in the 5G standards take a significant step towards preventing network-based location surveillance. Whereas 3G and 4G networks use the IMSI as the user network identity, which has been exposed to adversaries and obtained over the years to conduct geolocation tracking attacks, 5G provides privacy enhancements. These enhancements have the ability to obfuscate the network identity of the user and their device, and they come in the form of the following identifiers:

  • Subscription Permanent Identifier (SUPI) – The globally unique identifier that is allocated to each 5G subscription
  • Subscription Concealed Identifier (SUCI) – The encrypted equivalent of the SUPI that includes the Mobile Country Code (MCC) and Mobile Network Code (MNC), and the Mobile Subscription Identity Number (MSIN)
  • Globally Unique Temporary Identifier (5G-GUTI) – The temporary identifier used in 5G networks to identify a mobile device and its associated subscription information

Implementing security features, however, is highly dependent on telecommunications operators adopting correct network configurations and taking advantage of the available 5G security features. There is a risk that some operators may not adopt these features on the premise that doing so increases the costs of deploying 5G infrastructure. Moreover, users have no ability to determine whether available privacy or security measures have been implemented. This customer-harmful business judgment on implementing privacy or security features should be avoided on the basis that, in doing so, businesses may be placing themselves in legal or regulatory jeopardy should individuals seek recompense for a failure to adequately protect their privacy, or should regulators impose fines on companies that have deliberately failed to protect their customers’ personal information.

5.2. International Signaling and Interconnect Security Enhancements

The ability of foreign networks to target international users with signaling messages that reveal geolocation constitutes the most prevalent known attack on mobile networks. Despite this being well known within the telecommunications industry, the question remains whether operators are protecting their customers from these threats.

In fully-compliant, cloud-native 5G deployments,38 international roaming signaling messages are exchanged with foreign networks over a new interface called N32 and pass through a network function called the Security Edge Protection Proxy (SEPP). This function was introduced into the 5G network architecture to add protection to the historically vulnerable communication between foreign network operators. The SEPP provides much needed encryption, integrity, and authentication at the border edge between roaming networks.

However, to provide privacy protection, networks on both ends of the roaming interface must implement the SEPP function. Getting all roaming partners to implement SEPP may be extremely challenging; of the 351 network operators reported to have launched 5G services, only 41 have launched 5G cloud-native architectures according to the Global Mobile Suppliers Association (GSA) as of April 2023.39 The remaining 310 operators are still using the Non-Standalone Architecture (NSA) for 5G, which lets mobile operators bypass the SEPP feature in 5G roaming while still providing the improved speed and reduced latency benefits of the 5G radio access network.

According to interviews with telecommunications security vendors at the Mobile World Congress (MWC) conference in March 2023,40 only a handful of operators have deployed SEPP, let alone are actually using it. The effect is that many operators are not integrating the security and privacy benefits of the 5G standards when they are deploying 5G networks.

Many network vulnerabilities are specific to a given mobile network operator’s implementation of telecommunications standards. However, given that many operators have shown a willingness to sell access to third-parties, there is a serious concern that surveillance actors will have software code in place to probe and test the integrity of foreign 5G networks. This will let surveillance actors adjust their tactics, techniques, and procedures for various network type vulnerabilities across each target network implementation. Historically, surveillance actors have quickly learned to modify their attacks to disguise traces and circumvent firewalls, and the slow pace of operator security deployments reduces the challenge that such actors will have in finding and exploiting obvious vulnerabilities.

The slow pace of operator security deployments over the most vulnerable attack vectors should be a wake-up call to country regulators. To counter attacks quickly, adherence to 5G security guidelines and standards is imperative, in addition to adequate tools for threat detection. Without these measures, the ways in which 5G networks have been deployed may only be marginally better at protecting users from surveillance actors’ attacks than the prior 3G and 4G networks, if at all.

6. Conclusion

Based on historic, current, and forward-looking assessments of mobile network security, geolocation surveillance should continue to be of significant concern to the public and policymakers. Exploitable vulnerabilities exist in 3G, 4G, and 5G network architectures and are expected to remain, absent forced transparency that exposes bad practices, and accountability measures that compel operators to correct such issues. If anything, the availability of all three network types provides multiple options for surveillance actors. If nation states and organized crime entities can actively monitor the location of mobile phones domestically or in foreign countries, then such vulnerabilities will continue to represent a security risk to the safety of not only at-risk groups, but also corporate staff as well as military and government officials.

The past four years reveal that surveillance originates from networks operating within nations with high internet freedom rankings, small remote island countries, and ostensibly neutral countries. Current vulnerabilities of mobile networks are systematically exploited as a source of intelligence gathering or espionage by surveillance actors, law enforcement, and organized crime groups who exploit vulnerabilities for their own purposes. Threat activity emerging from small Caribbean countries, as well as attacks from eastern European and African countries, points to widespread abuse of many telecommunications networks’ Global Title leasing arrangements.

In light of the existent threats, what can be done? While this report does not offer comprehensive policy recommendations or technical suggestions, there are a series of interventions that should be prioritized.

First, attacks which often occur during international travel suggest the likelihood of third-parties sharing private user IMSIs. There should be active efforts by law enforcement and security services to prevent trafficking in such information, such as through the dark web.

Second, network and other third-party service providers, such as those who provide IPX and inter-carrier billing settlement, should be required to encrypt the unique details of a phone’s IMSI and its accompanying mobile data files. Such activities should be accompanied by a strict and regular schedule of compliance audits. These protection and accountability measures would prevent malicious actors within the networks from illicitly monetizing or otherwise leveraging such retained information. Such audits might be undertaken by data protection authorities, privacy commissioners, telecommunications regulators, or consumer rights regulators.

Third, the prospect of inappropriately allowing third-party access to the private IPX network, or brokering information it obtains when exchanging signaling traffic, raises the likelihood for significant malicious surveillance capability.41 Specifically, surveillance operators could connect and monitor traffic from international signaling hubs between foreign networks and play a key role in the ability to execute these attacks. Telecommunications, cybersecurity, data privacy, and consumer rights regulators should all assess whether mobile participants in their jurisdictions are engaged in questionable business practices that endanger individuals’ security, privacy, and consumer rights. Legislators, too, should be attentive to whether they should provide additional powers to regulators to discipline bad actors or mobile industry participants that are prioritizing revenues over protecting their subscribers.

Fourth, the increasing frequency of geolocation attacks using 4G networks indicates an increased level of sophistication amongst surveillance actors and an evolutionary trend that is elevating espionage risks as the world moves into the 5G era. 5G deployments are already fully launched in many developed nations and geolocation surveillance activity is seen from some of these same countries. This calls into question the security of future roaming partnerships with networks of western countries. While a great deal of attention has been spent on whether or not to include Huawei networking equipment in telecommunications networks, comparatively little has been said about ensuring non-Chinese equipment is well secured and not used to facilitate surveillance activities.42 Policy makers, telecommunications regulators, cybersecurity agencies, and legislators alike should move to develop a vendor- and platform-neutral set of mandatory security and privacy standards. They should, also, work to actively enforce these standards and attach significant penalties to companies that are found deliberately not adhering to them.

Consumers might rightfully assume that their telecommunications provider has deployed and configured security firewalls to ensure that signaling messages associated with geolocation attacks, identity attacks, or other malicious activity are not directed towards their phones. Unfortunately this is not often the case. Decades of poor accountability and transparency have contributed to the current environment where extensive geolocation surveillance attacks are not reported. This status quo has effectively created a thriving geolocation surveillance market while also ensuring that some telecommunications providers have benefitted from turning a blind eye to the availability of their network interconnections to the surveillance industry. While it is implausible to expect that all telecommunications networks will adopt security and privacy postures to protect against all threats, the low-hanging geolocation threats detailed in this report should be addressed post-haste.

Operators should be required to: adopt and act to attain and demonstrate compliance with cybersecurity guidelines and frameworks such as zero trust; report when they experience attacks; accept accountability for when their networks are abused by surveillance actors; work towards building security agreements and accreditations; and undertake penetration tests to identify and remediate vulnerabilities. In cases where operators decline to undertake these activities willingly, then regulators should step in to compel corporations to undertake these kinds of activities.

Today, surveillance actors use geolocation to reveal intimate and personal information. It is used to track human rights defenders, senior business leaders, government officials, and members of militaries. In the future, with the blossoming of smart cities, the internet of things, and the growth of internet-connected systems, the capabilities and potentials for attack will only grow. If organizations should fail to act, then advocates in civil society and the broader business community will have to pressure regulators, policy makers, and politicians to actively compel telecommunications providers to adopt appropriate security postures to mitigate the pernicious and silent threats associated with geolocation surveillance.

Acknowledgements

We would like to thank civil society organizations, investigative journalists, and mobile network security experts who graciously agreed to contribute their insights and share forensic artifacts in the course of developing this report.

We want to specifically thank Siena Anstis, Kate Robertson, Jakub Dalek, Celine Bauwens, Levi Meletti, and Mohamed Ahmed for their thoughts and expertise, edits, and peer review of this report.

Additionally, we would like to thank Mari Zhou for her design and publishing assistance and Snigdha Basu for her communications support. This report was undertaken under the supervision of Professor Ronald Deibert.

  1. Joiner, Ballon, & Okeleke. (2023). The Mobile Economy 2023. https://data.gsmaintelligence.com/research/research/research-2023/the-mobile-economy-2023
  2. Mobileum & Mobilesquared. (2021). The State of the Signaling Firewall Landscape, November 2021. https://www.mobilesquared.co.uk/wp-content/uploads/2023/04/Mobileum_Security-Research_Nov21-FINAL-VERSION.pdf
  3. Relevant GSMA international roaming agreements include AA.12, AA.13, and AA.14.
  4. Many commercial and public Cell ID database services are available; see https://en.wikipedia.org/wiki/GSM_Cell_ID
  5. For more about IMSI catchers, see: Parsons & Israel. (2016). Gone Opaque? An Analysis of Hypothetical IMSI Catcher Overuse in Canada. Citizen Lab. https://citizenlab.ca/wp-content/uploads/2016/09/20160818-Report-Gone_Opaque.pdf
  6. GSMA Document IR.34, Guidelines for IPX Provider Networks, Section 3 “IPX Network Architecture”.
  7. GSMA Document IR.34, Section 3.5.
  8. GSMA. (2023, June 12). About the GSMA: Represents the interests of mobile operators worldwide. https://www.gsma.com/aboutus
  9. United Nations. (n.d.). Member States. https://www.un.org/en/about-us/member-states
  10. Crofton Black, Stephanie Kirchgaessner, and Dan Sabbagh. (2020, December 16). Israeli spy firm suspected of accessing global telecoms via Channel Islands. The Guardian. https://www.theguardian.com/world/2020/dec/16/israeli-spy-firm-suspected-accessing-global-telecoms-channel-islands
  11. Listed under Vietnam Enterprises Under the Ministry of Public Security (MPS): https://www.trade.gov/country-commercial-guides/vietnam-defense-and-security-sector
  12. U.S. Department of State. (2022). 2022 Country Reports on Human Rights Practices: Vietnam. https://www.state.gov/reports/2022-country-reports-on-human-rights-practices/vietnam/
  13. Mobile signaling telemetry data was sourced from Cellusys and analyzed by Mobile Surveillance Monitor, a threat intelligence project operated by the author Gary Miller.
  14. Wireshark is a popular network analyzer tool, and is used to read and interpret captured network traffic.
  15. Defined in the mobile standards document 3GPP TS 23.003.
  16. Defined in the mobile standards document 3GPP TS 24.008.
  17. Stephanie Kirchgaessner. (2020). Revealed: Saudis suspected of phone spying campaign in US. The Guardian. https://www.theguardian.com/world/2020/mar/29/revealed-saudis-suspected-of-phone-spying-campaign-in-us
  18. In Table 1, the total unique IMSIs were observed over a three-month timeframe. In Table 2, the total unique IMSIs were observed every hour.
  19. Lighthouse Reports. (2023, May 18). Ghost in the network. https://www.lighthousereports.com/investigation/ghost-in-the-network/. See also: Crofton Black and Omar Benjakob. (2023, May 14). How a secretive Swiss dealer is enabling Israeli spy firms. Haaretz. https://www.haaretz.com/israel-news/security-aviation/2023-05-14/ty-article-magazine/.highlight/global-surveillance-the-secretive-swiss-dealer-enabling-israeli-spy-firms/00000188-0005-dc7e-a3fe-22cdf2900000
  20. Canadian Radio-television and Telecommunications Commission. (2021, April 15). Review of mobile wireless services. https://crtc.gc.ca/eng/archive/2021/2021-130.htm
  21. Telecommunications (Security) Act 2021. https://www.legislation.gov.uk/ukpga/2021/31/enacted
  22. GSMA. (2023, June 15). Wholesale Agreements and Solutions Group, Working Groups. https://www.gsma.com/aboutus/workinggroups/wholesale-agreements-and-solutions-group
  23. GSMA Document IR.21, GSM Association Roaming Database, Structure and Updating Procedures.
  24. RoamSmart. (2019, June 18). RAEX IR.21 Management System. https://roam-smart.com/raex-ir-21-management-system/
  25. According to the US National Security Telecommunications Advisory Committee (NSTAC), Zero Trust is “a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted.”
  26. Many discovered messages provided a phone’s location, active calls, and more to the party that initiated the query.
  27. GSMA. (2023, March 23). Fraud and Security Group, Working Groups. https://www.gsma.com/aboutus/workinggroups/fraud-security-group
  28. The Carmen Sandiego Project. Blackhat. (2010, July 4). https://media.blackhat.com/bh-us-10/whitepapers/Bailey_DePetrillo/BlackHat-USA-2010-Bailey-DePetrillo-The-Carmen-Sandiego-Project-wp.pdf
  29. Chaos Communication Congress. (n.d.). Schedule 31. https://fahrplan.events.ccc.de/congress/2014/Fahrplan/events/6249.html
  30. Freelancer. (n.d.). Global Title leasing (fixed price per month). https://www.freelancer.com/projects/network-administration/global-title-leasing-fixed-price
  31. GSMA Official Document FS.52, Global Title Leasing Code of Conduct.
  32. GSMA Official Document FS.52, Section 2.4 “Issues and Concerns with GT Leasing”.
  33. GSMA Official Document FS.52, Section 3 “Global Title Leasing Use Cases”.
  34. See: GSMA. (2023, March 20). Membership Categories & Contributions. https://www.gsma.com/membership/membership-categories-contributions/
  35. See: UK Telecommunications (Security) Act 2021; UK (DRAFT) Telecommunications Security Code of Practice.
  36. Christopher Parsons. (2022). “Cybersecurity Will Not Thrive in Darkness: A Critical Analysis of Proposed Amendments in Bill C-26 to the Telecommunications Act.” Citizen Lab. https://citizenlab.ca/2022/10/a-critical-analysis-of-proposed-amendments-in-bill-c-26-to-the-telecommunications-act/
  37. Canadian Security Telecommunications Advisory Committee (CSTAC). (2020, June 30). https://ised-isde.canada.ca/site/spectrum-management-telecommunications/en/learn-more/committees-and-stakeholders/committees-and-councils/canadian-security-telecommunications-advisory-committee-cstac
  38. Fully-compliant refers to the 3GPP 5G Standalone (SA) architecture defined in Technical Specification 29.573 (TS 29.573).
  39. GSA. 5G Public-Networks April 2023 Summary Report. https://gsacom.com/paper/public-networks-april-2023-summary-report/
  40. HardenStance Briefing. MWC23: Taking Stock of Telco Security. https://www.hardenstance.com/wp-content/uploads/2023/03/HardenStance-Briefing-MWC23-Taking-Stock-of-Telco-Security-FINAL.pdf
  41. Jon Brodkin. (2021, October 6). Company that routes SMS for all major US carriers was hacked for five years. Ars Technica. https://arstechnica.com/information-technology/2021/10/company-that-routes-sms-for-all-major-us-carriers-was-hacked-for-five-years/
  42. For more, see: Christopher Parsons. (2020). “Huawei & 5G: Clarifying the Canadian Equities and Charting a Strategic Path Forward.” Citizen Lab. https://citizenlab.ca/2020/12/huawei-5g-clarifying-the-canadian-equities-and-charting-a-strategic-path-forward/
You Move, They Follow: Uncovering Iran’s Mobile Legal Intercept System
https://citizenlab.ca/2023/01/uncovering-irans-mobile-legal-intercept-system/
Mon, 16 Jan 2023 12:00:55 +0000

A confidential source sent the online news organization, The Intercept, a series of internal documents and communications providing details on what appear to be plans to develop and launch an Iranian mobile network, including subscriber management operations and services, and integration with a legal intercept solution. Some of this communication included representatives of the Communications Regulatory Authority of Iran (CRA). In October 2022, The Intercept shared this material with Citizen Lab researchers for analysis. The following report provides a summary of our analysis of this material and discusses its wider implications.

Key Findings

  • Iran CRA regulations state that all telecom operators in Iran must provide the CRA with direct access to their system for retrieving user information and changing their services. Justified under its own broadly defined “Legal Intercept” provisions, the CRA aims to use this sophisticated system to store user information, allow or deny a user’s access to mobile services, and view historical voice, SMS, and data usage.
  • The CRA’s Legal Intercept system uses APIs to integrate directly into mobile service providers’ operational systems, including acquiring detailed data on service ordering, service fulfillment, and billing history stored in the service provider data warehouse. Any request to issue, terminate, or change a user’s SIM card must be validated by the CRA: the mobile provider uses the API to request approval from the CRA prior to enacting the change.
  • This type of state-sponsored system used to directly manage the operations of independent mobile networks in a country is extremely rare in the modern mobile communications industry. If implemented fully as envisioned in the documents we reviewed, it would enable state authorities to directly monitor, intercept, redirect, degrade or deny all Iranians’ mobile communications, including those who are presently challenging the regime.
  • Documents indicate that firms based in Russia, the United Kingdom (UK), and Canada engaged in extensive discussions to provide commercial services and technology to support Iran’s Legal Intercept requirements of mobile surveillance, service control, and account management. While the documents we reviewed did not include fully executed agreements, the negotiations among the key stakeholders were advanced and revealed extensive details about Iran’s legal intercept system and the type of services and technologies that would be provisioned from the private sector to support it.
  • A list of all documents we reviewed, and their timeframe, is included in Appendix A.

Background on Iran, Information Controls, and Democratic Protests

Iran’s recent history has been marked by repeated periods of political contestation. These include the student protests of 1999, the 2009 Green Movement, and protests over the country’s socio-economic situation in 2017/2018 and 2021. The September 2022 protests, which erupted after Mahsa Jina Amini, a 22-year-old Kurdish woman, was beaten to death in the custody of the morality police for allegedly violating strict hijab rules, are the latest manifestation in a long struggle for political rights and social justice.

The Iranian regime has responded to such protests with severe crackdowns and countless human rights abuses, including through arbitrary detentions, forced disappearances, gender-based and sexual violence, executions, and denying detainees a fair trial. Women, the LGBTQ+ community, and religious and ethnic minorities suffer systemic discrimination. In November 2022, the estimated death toll during the fall 2022 protests reportedly stood at over 300 people, along with over 14,000 people being arrested and some sentenced to death (in December 2022, another Iranian human rights organization based in the United States reported over 500 dead and over 18,000 arrested). Security forces have used indiscriminate shooting and live bullets against peaceful demonstrators. In short, Iran’s civil society, journalists, activists, and dissidents operate in a precarious and dangerous environment.

One prominent characteristic of the Iranian regime is the persistent violation of the rights to freedom of expression, association and peaceful assembly, freedom of thought, conscience, and religion, and access to information. The Islamic Republic has sought to impose restrictive measures to control information and activities in the digital space in various ways, including online surveillance, censorship, cyber espionage, the adoption of information control legislation, and policing online discourse. Iran ranks 178 out of 180 countries on the 2022 World Press Freedom Index and is considered “not free” in Freedom House’s 2022 Freedom on the Net report, which describes Internet freedom in the country as “highly restricted.”

For example, Iran has institutionalized Internet censorship through various government bodies. The Supreme Council of Cyberspace, established in 2012 by order of the Supreme Leader, centralized decision-making over internet development and control under the direct authority of Ayatollah Khamenei. Other important institutions include the Working Group to Determine Criminal Content, responsible for identifying web content to be filtered, and the Iranian Cyber Police (FATA), established in 2011 to combat cybercrime and threats against national security. Alongside these bodies, the CRA, founded in 2003, regulates the communications sector, including broadcasting and telecommunications.

The regime employs a range of sophisticated information control measures aimed at influencing and restricting information access, shaping online content, and stifling dissent. At the center is the government-controlled intranet, the National Information Network (NIN), which is also known as SHOMA or “halal internet.” Launched in 2012, the NIN project establishes and incentivizes the use of domestic internet infrastructures, purportedly with the aim of improving bandwidth, deepening internet penetration, protecting information security, and impeding international surveillance. In reality, users are subject to systematic monitoring, content blocking, and filtering. Freedom on the Net has reported that Iranian authorities are able to effectively block access to websites within a few hours. The result is Internet fragmentation, as siloed local infrastructures permit government authorities to block access to the global Internet while maintaining local connectivity.

Recent legislation, in particular the so-called User Protection Bill, threatens to complete Iran’s digital isolation. The highly controversial bill aims to give the security forces control over Iran’s Internet gateways, oblige foreign Internet services to follow the laws of the Islamic Republic, and criminalize the use of the VPNs that enable Iranians to bypass censorship. The current administration appears to be quietly implementing these measures even though the bill has never been ratified by parliament. As part of that implementation, the government uses deep packet inspection to detect and disrupt VPN connections in data traffic.

The Iranian authorities strategically use Internet shutdowns and disruptions during elections and protests. For example, a nation-wide shutdown was implemented in response to the November 2019 protests; during the five-day blackout, security forces killed an estimated up to 1,500 people. During and after the September 2022 protests, OONI reported a significant increase in Internet censorship, including the blocking of commonly used applications such as Instagram, LinkedIn, WhatsApp, and Skype, of the Google and Apple app stores, and of encrypted DNS. The authorities also implemented daily shutdowns of Irancell, Rightel, and MCCI, the country’s three largest mobile network providers.

Mobile Services in Iran are Far From Normal

The documents shared by The Intercept were a series of emails sent by representatives of the companies listed below, together with the documents attached to those emails (for a complete list of documents reviewed, see Appendix A). Citizen Lab researchers examined the emails to confirm the authenticity of the sender, recipients, content, body, and document attachments. The companies (and one agency) whose correspondence we reviewed include:

  • Ariantel – An Iranian-based Mobile Virtual Network Operator (MVNO), the primary source of the emails.
  • Telinsol – A UK-based satellite communications consultancy which appears, based on the documents we reviewed, to have conducted international business transactions with vendors on behalf of Ariantel.
  • PROTEI – An international telecommunications systems vendor founded in Russia which was selected, as indicated in the documents reviewed, by Ariantel to provide core network components to the company in support of user authentication, data management and Deep Packet Inspection (DPI), SMS delivery, and mobile network signaling.
  • PortaOne – A Canada-based mobile business and support system vendor, which was selected, as indicated in the documents reviewed, by Ariantel to provide mobile account creation, service provisioning, billing, and customized integration with Iran’s Legal Intercept system.
  • Iran CRA – Iran’s Communication Regulatory Authority, which is tasked with executing governmental powers, supervision, and executive powers of Iran’s Ministry of Information and Communication Technology.

The technical detail included in the documents sheds new light on the level of sophistication Iranian authorities sought to use to conduct surveillance operations and control access to mobile information and communications. The software and services offered by the vendors allow the CRA to integrate with the mobile service provider systems used for billing, service activation, and management functions, including through a web service API called “SIAM”. The email shown below, sent by the CRA’s “Directorate General of Communications Systems Security,” indicates that Ariantel had deployed a fully operational mobile network in Iran integrated with the CRA’s Legal Intercept system, and that this integration had experienced a service interruption. Translated to English, it reads:

Greetings and Regards

The attached file containing Siam system documents was sent.

It should be noted that due to the frequent and long interruption of your service, please take the necessary measures to solve the problem and ensure the durability of the service.

Thanks

Ali Safai

Directorate General of Communication Systems Security

Figure 1. Screenshot of an email from the CRA Directorate General of Communication Security to Ariantel sending the SIAM document

In addition to emails discussing integration requirements and meetings between the vendors regarding Ariantel’s MVNO project, the documents we reviewed provide a detailed overview of Iran’s system including technical specifications, network diagrams, proposals, and scope of work. An acceptance test document from PROTEI was provided to Ariantel confirming a successful test of “Traffic Management” including Internet service bandwidth restrictions, blocking of certain data services, and logging of Internet usage.

There are multiple mobile network operators within Iran, giving users many options in their selection of service provider. These include seven mobile network operators, as well as multiple MVNOs that provide their own branded services over those networks. It is general practice around the world for each mobile service provider to implement systems to provision new users onto its service, bill for the service, offer rate plans, and activate various features, and these operations are performed within the service provider’s own domain of control. However, we discovered that, in Iran, the envisioned domain of control would not belong to the service provider; it would be under the administrative control of the CRA legal intercept system (see Figure 2, below). To what extent this vision has been partially or fully implemented since the timeframe of the documents we reviewed is not clear.

The CRA requires each mobile service provider to comply with a common framework set by the CRA, including by interfacing directly with external systems operated by the regulatory authority so that the CRA can gather information about the services a user has used and disable access to those services.

The Citizen Lab reviewed a document entitled “Legal Intercept”, which was authored by an Ariantel employee describing a new MVNO project with Telinsol. The document details the project with solutions to be supplied by PROTEI and PortaOne.

Figure 2. Screenshot of an email from Ariantel to PortaOne providing a project overview document including the required data for CRA Legal Intercept

This document further describes the Iran Legal Intercept system as based on functional components working in tandem throughout Iran which, as described in documents and communications, include the following:

  1. LI (Legal Intercept) System – The component for conducting usage surveillance and control activity. The LI system gathers information about service usage from individual mobile users and may disable or modify access to the service. The CRA can request detailed usage records to be provided to the LI platform and disable the corresponding services. The LI system uses the SIAM web services API with each mobile service provider in Iran.
  2. CID (Control Illegal Devices) System – The component for alerting the CRA about changes to a user’s service profile of SIM cards provisioned on the network. CID informs the CRA about the current status of active SIM cards currently assigned or which are in the process of being assigned to a user.
  3. SHAHKAR System – A data warehouse which stores information about all mobile subscribers in Iran to check the “validity of users” and prohibit any registration attempt if the CRA determines the attempt to be invalid. The purpose of the SHAHKAR system is to notify the CRA of users attempting to change to a different service provider, update their subscription information or change their phone number. SHAHKAR prevents users from acquiring new mobile accounts with multiple service providers. Specifically, the documents refer to a use case where a new registration is attempted: “SHAHKAR verifies sent information and sees that this user is signed up with other providers. User creation is prohibited.” This description implies that Iran maintains a 1:1 mapping of a user to a SIM profile to simplify its ability to conduct surveillance operations. It provides the CRA with the ability to immediately cancel a user request for a new mobile account or make changes to existing accounts.
  4. SHAMSA – Shown as an interface for collecting bulk voice and SMS Call Detail Records (CDRs) and data IP Detail Records (IPDRs).

The Legal Intercept system described in the documents would constitute a significant departure from the lawful intercept standards developed by 3GPP working groups and ETSI technical committees. Those standards define the processes and interfaces for exchanging legal warrants, activating interception of a target’s communications, and delivering the intercepted content to the legal authority.

Iran’s Legal Intercept system differs from these standards in three respects: it has no facility for legal warrants, it delivers user information in bulk at the time of activation, and it is deeply integrated into mobile business systems for retrieving user content and changing access to services. Working in concert, the LI, CID, SHAHKAR and SHAMSA components would provide the Iranian government with comprehensive information about Iranian subscribers, including the personal information of citizens and non-citizens at the time they purchase SIM cards. The SHAHKAR system, referenced in the email below sent by a CRA staff member to Ariantel, uses a SIM registration API to receive this information from the mobile service provider during the activation process; the system then screens the submission to determine whether the SIM activation is approved. Translated to English, the email reads:

Hi

The document of Shahkar inquiry is sent as an attachment

Thanks

Shirzad

Figure 3. Screenshot of an email from a CRA staff member to Ariantel sending the SHAHKAR system document


Figure 4. Diagram prepared by the Citizen Lab which shows the relationship between Iran’s Legal Intercept System Interfaces and Mobile Service Provider Systems along with examples of Legal Intercept System Commands that query user information and control services

The diagram above, created by the Citizen Lab from the technical specifications in the documents, shows the elements selected by Ariantel that would play key roles in Iran’s legal intercept capabilities. These elements include the business support system, which provides usage CDRs and SIM card updates, and the HLR/HSS (Home Location Register / Home Subscriber Server), which maintains a user’s network location and authorizes voice, SMS, and data services. The LI component uses multiple API commands to query user information and issue control commands to the mobile service provider in real time. It also defines a process to pull historical usage details, such as CDRs, from the mobile service provider’s systems into SHAMSA for storage.

The documents show that products from the Canada-based vendor PortaOne and from PROTEI, including the PortaBilling Converged Business Support System (BSS), were selected by Ariantel to provide information to Iran’s Legal Intercept system components. While we have no evidence that final agreements were executed for this system, the discussions around its implementation appear to have been well advanced. The BSS is the primary mobile system used for storing information about customers, configuring and billing for services, and managing services such as provisioning new user services or changing existing ones. The PortaOne system integrates with systems provided by PROTEI and, if implemented, would supply detailed usage information to the Legal Intercept system while receiving information about requests for new or updated services (all without the user’s knowledge). In addition, commands from the CRA would interact with the Ariantel network to suspend and control voice and data services and to supply the location of users on the network.

The surveillance and censorship capabilities resulting from this level of integration with mobile service providers cannot be overstated. Because Iranian authorities would receive information from all mobile service providers, they would have deep visibility into all services used, who is communicating with whom, for how long, how often, and where. They could also identify the phone numbers currently present in a given geographic area, based on Cell ID or street address. This information could be used to decide whom to restrict, what to restrict, and when, for example on the basis of a user’s social network or the location of a political demonstration. They could also view extensive personally identifiable details when users sign up for mobile services, including:

  1. Name
  2. Family
  3. Father’s name
  4. Number of birth certificate
  5. Birth date
  6. Birthplace
  7. Home Telephone Number
  8. Email Address
  9. Gender
  10. Zip Code
  11. Nationality
  12. Passport Number
  13. Postal Address/Home Addresses

Findings: Iranian Mobile Surveillance and Control Real Time API

The documents show the API commands Iranian authorities would use to query user information and change user services. Citizen Lab researchers extracted the API commands from the SIAM document and grouped them into the tables presented below to show those that could be used for surveillance, those used for modifying services, and the test results for enforcing bandwidth restrictions on data applications.

The following commands allow the CRA to search for users and retrieve personal information and related usage.

The commands span virtually all usage associated with a mobile user, or with a collection of users within a specific location. The CRA can call the SIAM API with a user parameter (Name, Family, Passport, IP Address, Phone Number, MAC Address, IMEI, etc.) to request information. The API documentation also indicates that Iran may have visibility into the type of network available to the user, termed “Connection base” (such as cellular versus WiFi).

API request | Description | Response details
GetIPDR | Request information on a user’s Internet sessions that took place during a specific time period. | Includes the date/time, the ports used (which identify the applications used and websites visited), the duration of the session, the data volume, and the user’s location during that Internet session.
GetCdr | Request the history of a user’s voice calls and SMS messages. | Includes the calling and called numbers, call duration, type of call (including calls made during international travel), messages, and the user’s location during use.
FullSearchByNum | Request details about a user’s mobile service and personal details. | Includes family information, passport details, home address, billing history, and the types of mobile service available to the user.
BillingInfoSearch | Request details about a user’s financial transactions with the mobile service. | Includes invoice dates and amounts, payments made and their amounts, and the type of charge (such as international calling).
ListOfPhoneServices | Request details about the mobile services available to a user. | Includes the services in the user’s rate plan, such as video calling, international roaming, ringback tones, and call forwarding.
DivertInfoSearch | Request a user’s call forwarding status. | Includes the phone number the user has configured for call forwarding.
LocationCustomerList | Request a list of phone numbers at a geographic location by providing the LaCellId (Location Area Code + Cell ID) and an address. | Includes the phone numbers and IMEIs of the users currently attached to the specified cellular base station and address.
ApnOwnerSearch | Request the owner of a particular APN (Access Point Name). | Provides the identity of the owner of a private data connection used by certain mobile phone numbers. This could be used to identify a group of users on a special type of mobile service, such as a data card or a private business connection.

Table 1. Table compiled by the Citizen Lab showing the required SIAM API surveillance query methods used by Iran’s CRA

Figure 5. Screenshot from SIAM documents showing the command used to retrieve mobile phone users at a geographic location
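To make the reach of the GetCdr and LocationCustomerList queries concrete, the following model is an added example written for this edit; it is not code from the SIAM document, the CRA, Ariantel, or any vendor. It serves both queries from the kind of data an operator’s HLR/HSS and billing systems already hold. The record layouts, the 16-bit LAC + 16-bit Cell ID packing assumed for “LaCellId” (the wire format is not shown in the documents), the 30-minute freshness window, and the sample subscribers and records are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class Attach:
    """One location update as an HLR/VLR or MME would record it (assumed layout)."""
    msisdn: str
    imei: str
    lac: int
    cell_id: int
    seen_at: datetime


@dataclass(frozen=True)
class Cdr:
    """One voice or SMS call detail record with the originating cell (assumed layout)."""
    calling: str
    called: str
    kind: str            # "voice" or "sms"
    started: datetime
    seconds: int
    lac: int
    cell_id: int


def la_cell_id(lac: int, cell_id: int) -> int:
    """Pack LAC and Cell ID into one integer. The real SIAM 'LaCellId' format is not
    reproduced in the documents; this 16+16 bit layout (as in a GSM/UMTS CGI) is assumed."""
    if not (0 <= lac < 1 << 16 and 0 <= cell_id < 1 << 16):
        raise ValueError("LAC and Cell ID are 16-bit fields")
    return (lac << 16) | cell_id


def split_la_cell_id(packed: int) -> Tuple[int, int]:
    return packed >> 16, packed & 0xFFFF


T0 = datetime(2022, 9, 20, 17, 0)   # constructed reference time


def minutes_after(n: int) -> datetime:
    return T0 + timedelta(minutes=n)


# Constructed sample data, not real records: three subscribers seen around a
# protest site served by LAC 101 / cell 7; subscriber ...0001 later moves to cell 12.
ATTACHES = [
    Attach("+98911000001", "35412300000001", 101, 7, minutes_after(0)),
    Attach("+98911000002", "35412300000002", 101, 7, minutes_after(5)),
    Attach("+98911000003", "35412300000003", 101, 9, minutes_after(6)),
    Attach("+98911000001", "35412300000001", 101, 12, minutes_after(40)),
]
CDRS = [
    Cdr("+98911000001", "+98911000002", "voice", minutes_after(10), 95, 101, 7),
    Cdr("+98911000002", "+98911000003", "sms", minutes_after(12), 0, 101, 7),
    Cdr("+98911000001", "+4915100000000", "voice", minutes_after(180), 30, 102, 1),
]


def location_customer_list(packed_cell: int, at: datetime,
                           window: timedelta = timedelta(minutes=30)) -> List[Tuple[str, str]]:
    """LocationCustomerList: subscribers whose most recent fix before `at` is on this
    cell and is no older than `window`. Returns (MSISDN, IMEI) pairs."""
    lac, cell = split_la_cell_id(packed_cell)
    latest = {}
    for a in sorted(ATTACHES, key=lambda a: a.seen_at):
        if a.seen_at <= at:
            latest[a.msisdn] = a          # later fixes overwrite earlier ones
    return sorted((a.msisdn, a.imei) for a in latest.values()
                  if a.lac == lac and a.cell_id == cell and at - a.seen_at <= window)


def get_cdr(msisdn: str, start: datetime, end: datetime) -> List[Cdr]:
    """GetCdr: call and SMS records touching one number in [start, end)."""
    return [c for c in CDRS if msisdn in (c.calling, c.called) and start <= c.started < end]


def contact_graph(msisdns, start: datetime, end: datetime) -> List[Tuple[str, str, str]]:
    """Who talked to whom: one edge per record involving any of the queried numbers.
    Feeding LocationCustomerList output into this is how 'everyone at the cell, and
    their contacts' falls out of two queries."""
    edges = set()
    for m in msisdns:
        for c in get_cdr(m, start, end):
            edges.add((c.calling, c.called, c.kind))
    return sorted(edges)


if __name__ == "__main__":
    present = location_customer_list(la_cell_id(101, 7), minutes_after(15))
    print("at cell:", present)
    print("their contacts:", contact_graph([m for m, _ in present], minutes_after(0), minutes_after(60)))
```

The point of the model is the join: neither query is novel on its own (operators answer both for their own engineering and billing), but exposing them to a third party over a real-time API with no warrant object turns them into a standing capability to enumerate everyone at a location and walk outward through their call graph.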


The following commands (Table 2) allow the CRA to apply immediate changes to a user’s service and to remove those changes when they are no longer required.

Media stories suggest that Iran has employed controls to shut down mobile services or block Internet traffic. We can confirm from the documentation shared with the Citizen Lab that, in addition to blocking services, the CRA could change call forwarding rules, force a phone onto the slower 2G network, and block access to services based on location. The API gives Iranian authorities the flexibility to place partial blocks on phone calls or data services and to apply network policies in a highly granular manner, such as blocking only incoming or only outgoing calls or modifying particular call forwarding criteria.

API request | Description | Response details
ApplySusp, ApplySuspIP | Block incoming, outgoing, or all voice calls, or disconnect a call currently in progress. Block all current data sessions permanently. | Calls can be blocked or the block removed. Data sessions can be suspended for a period of time, such as 1 day, 3 days, etc.
ApplyDivert | Remove a user’s call forwarding settings, or forward all incoming calls to another number. | Calls can be forwarded based on multiple criteria, such as all calls, missed calls, and when the line is busy or unavailable.
Force2GNumber | Disable all 3G and 4G data services, forcing a user’s phone to use only 2G data speeds. | The phone can be forced onto 2G and later allowed to register on 3G and 4G service again at any time.
SuspOrder | Block an order for a mobile service, or prevent a user’s request to change a mobile service. | A number of criteria can be used to block or unblock a service request.

Table 2. Table compiled by the Citizen Lab showing the required SIAM API blocking commands used by Iran’s CRA

The screenshot below taken from the SIAM document shows the command used for blocking data services:

Figure 6. Screenshot from SIAM documents showing the command used for blocking data services for a time period
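The control commands in Table 2 need no special interception hardware: the knobs they turn already exist in standard subscriber data. The following added example, written for this edit and not taken from the CRA, Ariantel, PROTEI or PortaOne, models Force2GNumber, ApplySusp and ApplySuspIP as edits to an HSS subscriber profile. The choice of 3GPP S6a subscription fields (Access-Restriction-Data and Operator-Determined-Barring from TS 29.272) is my assumption about one plausible implementation, the bit positions are as I read that specification and should be checked against the version you work with, and the command argument shapes are assumed because the request formats are not reproduced above.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Access-Restriction-Data bit flags, 3GPP TS 29.272 section 7.3.31, as I read the spec
UTRAN_NOT_ALLOWED = 1 << 0
GERAN_NOT_ALLOWED = 1 << 1
EUTRAN_NOT_ALLOWED = 1 << 4
# Operator-Determined-Barring bit flags, TS 29.272 section 7.3.30, as I read the spec
ODB_ALL_PS_SERVICES_BARRED = 1 << 0
ODB_ALL_OUTGOING_CALLS_BARRED = 1 << 3

NOW = datetime(2022, 9, 21, 12, 0)   # constructed reference time


def days_after(n: int) -> datetime:
    return NOW + timedelta(days=n)


@dataclass
class Profile:
    """The subset of HSS subscription data the commands below would touch (assumed)."""
    msisdn: str
    access_restriction: int = 0
    odb: int = 0
    data_suspended_until: Optional[datetime] = None
    incoming_calls_barred: bool = False     # CS-domain barring, modelled as a plain flag
    history: List[tuple] = field(default_factory=list)   # the only trace the operator keeps


def apply_command(p: Profile, cmd: str, arg, now: datetime) -> Profile:
    """Apply one regulator-issued command. Command names are from the SIAM document;
    the argument shapes are assumptions. Nothing here notifies the subscriber."""
    if cmd == "Force2GNumber":              # arg: True to force 2G, False to lift it
        bits = UTRAN_NOT_ALLOWED | EUTRAN_NOT_ALLOWED
        p.access_restriction = (p.access_restriction | bits) if arg else (p.access_restriction & ~bits)
    elif cmd == "ApplySusp":                # arg: (direction, enable)
        direction, enable = arg
        if direction in ("outgoing", "all"):
            if enable:
                p.odb |= ODB_ALL_OUTGOING_CALLS_BARRED
            else:
                p.odb &= ~ODB_ALL_OUTGOING_CALLS_BARRED
        if direction in ("incoming", "all"):
            p.incoming_calls_barred = enable
    elif cmd == "ApplySuspIP":              # arg: days to suspend data, or None to lift
        p.data_suspended_until = None if arg is None else now + timedelta(days=arg)
    else:
        raise ValueError(f"unknown command {cmd}")
    p.history.append((now, cmd, arg))
    return p


def allowed_rats(p: Profile) -> Set[str]:
    """Radio access technologies the HSS would still let this subscriber attach on."""
    rats = {"GERAN": GERAN_NOT_ALLOWED, "UTRAN": UTRAN_NOT_ALLOWED, "E-UTRAN": EUTRAN_NOT_ALLOWED}
    return {name for name, bit in rats.items() if not p.access_restriction & bit}


def data_allowed(p: Profile, now: datetime) -> bool:
    """Timed suspensions lapse on their own; ODB barring stays until explicitly cleared."""
    if p.odb & ODB_ALL_PS_SERVICES_BARRED:
        return False
    return p.data_suspended_until is None or now >= p.data_suspended_until


def voice_allowed(p: Profile) -> Dict[str, bool]:
    return {"outgoing": not (p.odb & ODB_ALL_OUTGOING_CALLS_BARRED),
            "incoming": not p.incoming_calls_barred}


if __name__ == "__main__":
    p = Profile("+98911000001")
    apply_command(p, "Force2GNumber", True, NOW)
    apply_command(p, "ApplySuspIP", 3, NOW)
    print(allowed_rats(p), data_allowed(p, days_after(1)), data_allowed(p, days_after(3)))
```

Two details matter for anyone assessing such an integration. Forcing 2G is a single subscriber-profile write that the radio network enforces at the next attach, so it is cheap to apply at scale. And the operator’s `history` list is the only record that the change was externally ordered, which is why a standards-based lawful intercept design keeps the warrant, not a bare API call, as the unit of authorization.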

IP TRAFFIC MANAGEMENT

While not listed explicitly in the SIAM API document, the Citizen Lab reviewed an acceptance test document from PROTEI, performed on behalf of Ariantel, verifying that data services can be restricted based on multiple criteria, as shown in the screenshot below from the document. The PROTEI DPI can classify user data into service types, such as WhatsApp, Facebook, or Twitter, and restrict the bandwidth/Quality of Service (QoS) of that service type to the point of making the service unusable. It supports the following operations:

  1. Restrict bandwidth for certain websites or apps for a user
  2. Block data traffic for certain websites or apps for a user
  3. Block all data for a user
  4. Block all data for all users
Figure 7. Screenshot from the PROTEI DPI Acceptance Test Protocol document showing a successful test of bandwidth restriction performed for the Iran MVNO Ariantel

These commands and test cases (shown in Figure 16) from PROTEI show the extensive data restriction capabilities available to the CRA through deep mobile network integration, which can be used to restrict user communications both inside and outside of Iran.
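The following added example, written for this edit and not PROTEI code, shows the mechanism behind the four operations above: a DPI engine classifies each flow by the server name in the TLS ClientHello and then applies a per-service, per-subscriber policy (throttle to a given rate, drop, drop for one subscriber, drop for all). The hostname-to-service map, the rate values, the subscriber numbers and the sample ClientHello messages (built by a helper in the block) are all constructed for illustration; a production classifier uses far larger signature sets and falls back to IP and flow features when no SNI is present.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS ClientHello record (one cipher suite, no other extensions),
    optionally carrying a server_name extension. Used here only to make sample traffic."""
    ext = b""
    if sni is not None:
        name = sni.encode("ascii")
        name_list = struct.pack(">BH", 0, len(name)) + name      # name type host_name, length, name
        sni_ext = struct.pack(">H", len(name_list)) + name_list
        ext = struct.pack(">HH", 0, len(sni_ext)) + sni_ext      # extension type 0 = server_name
    body = (b"\x03\x03" + bytes(32)                # client_version, random
            + b"\x00"                              # session_id length
            + struct.pack(">H", 2) + b"\x13\x01"   # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                          # compression_methods: null
            + struct.pack(">H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Pull the server_name out of a ClientHello record; None if absent or not a ClientHello."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 5 + 4 + 2 + 32                                    # record hdr, hs hdr, version, random
        p += 1 + record[p]                                    # session_id
        p += 2 + struct.unpack(">H", record[p:p + 2])[0]      # cipher_suites
        p += 1 + record[p]                                    # compression_methods
        ext_end = p + 2 + struct.unpack(">H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack(">HH", record[p:p + 4])
            p += 4
            if etype == 0:                                    # list len(2), name type(1), name len(2)
                nlen = struct.unpack(">H", record[p + 3:p + 5])[0]
                return record[p + 5:p + 5 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


# Assumed signature set; real DPI engines carry thousands of such rules per service.
SERVICE_BY_SUFFIX = {"whatsapp.net": "whatsapp", "facebook.com": "facebook", "twitter.com": "twitter"}


def classify(sni: Optional[str]) -> str:
    """Map a hostname to a service label; 'unknown' when the flow carries no SNI."""
    if sni is None:
        return "unknown"
    for suffix, service in SERVICE_BY_SUFFIX.items():
        if sni == suffix or sni.endswith("." + suffix):
            return service
    return "other"


@dataclass
class Policy:
    blocked_services: Set[str]
    rate_limit_kbps: Dict[str, int]
    blocked_subscribers: Set[str]
    block_all: bool = False


def decide(policy: Policy, msisdn: str, record: bytes) -> Tuple[str, Optional[int]]:
    """Per-flow verdict: ('drop', None), ('throttle', kbit/s) or ('pass', None).
    Checks run in the order of the four operations: all users, one user, one app, one app's rate."""
    if policy.block_all or msisdn in policy.blocked_subscribers:
        return ("drop", None)
    service = classify(extract_sni(record))
    if service in policy.blocked_services:
        return ("drop", None)
    if service in policy.rate_limit_kbps:
        return ("throttle", policy.rate_limit_kbps[service])
    return ("pass", None)


# Constructed policy: throttle WhatsApp to 32 kbit/s, block Twitter, block one subscriber outright.
POLICY = Policy(blocked_services={"twitter"}, rate_limit_kbps={"whatsapp": 32},
                blocked_subscribers={"+98911000002"})

if __name__ == "__main__":
    for host in ("g.whatsapp.net", "api.twitter.com", "example.org", None):
        print(host, decide(POLICY, "+98911000001", build_client_hello(host)))
```

Note the failure mode the last case exercises: a flow with no server name (or, with Encrypted Client Hello, an encrypted one) classifies as `unknown` and passes under this policy, which is exactly why an operator wanting full coverage pairs SNI matching with IP-range and traffic-shape signatures, and why circumvention tools hide or fake the SNI.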

Foreign Corporate Entities: Telinsol, PROTEI, and PortaOne

Our review of the documents provided by The Intercept suggests that companies based in the UK, Russia, and Canada explored providing commercial services that would support the CRA’s surveillance, control, and account management capabilities.

Prior to publishing this report, on January 4, 2023, we provided a summary of our research findings to Telinsol, PROTEI, and PortaOne and offered them a week to respond, along with an undertaking to publish their responses in full. We received a response from PortaOne on January 11, 2023, and the company made an official statement the same day. We received a response from Telinsol on January 11, 2023, and another on January 13, 2023. All responses and the official statement are included as Appendix C to this report.

Telinsol Ltd.

Telinsol Ltd. is a UK-based telecommunications company that was founded in 2015. It is a private limited company that, according to their website, engages in telecommunications and information technology consulting, support services, equipment supply, and satellite telecommunications. We viewed the company’s LinkedIn page on December 6, 2022, but it has since been removed.

Nima Eskandari, an Iranian national, is one of the company’s two listed directors (the other director is identified as Simon Edward Maddox). Mr. Eskandari describes himself as the company’s founder on LinkedIn and is identified as the company’s Managing Director in email correspondence. Mr. Maddox was listed as an employee of Telinsol on the company’s LinkedIn profile before it was taken down. He has kept a reference to the company in his LinkedIn byline.

We also noted that, on December 6, 2022 when we viewed his LinkedIn profile, an individual called Akbar Ghahri identified himself as “Head of Satellite Services” at Telinsol from January 2021-Present, while also identifying himself as “Managing Director” of SamanTel, which describes itself as the first MVNO license holder in Iran from October 2020-Present. Mr. Ghahri appears to have removed the reference to Telinsol on his LinkedIn profile. In what appears to be his Twitter profile, Mr. Ghahri identifies himself as working for a telecommunications company and being based in Iran, while his LinkedIn profile lists that he is based in the UK. On this webpage, an “Akbar Gh” is identified as a satellite engineer at Telinsol.

There are several other ties between Telinsol and Iran, including evidence suggesting that Telinsol, as a UK-based company, may be working on behalf of Ariantel.

In one document we reviewed, which was sent by an Ariantel software manager as an attachment to individuals at PortaOne, Ariantel, and Telinsol, the following language is included: “Telinsol is [sic] Mobile Virtual Network Operator in Iran”1 and that “[t]o provide services in Iran every MVNO must comply with legal requirements and have Legal Intercept.” The document goes on to describe the Legal Intercept system in Iran.

Documents attached in the emails shared with the Citizen Lab appear to show Telinsol facilitating purchases to support Ariantel’s MVNO launch, including SIM cards, the PortaOne solution, and coordinating meeting logistics for training Ariantel staff on the operation of the PROTEI DPI solution. Direct email communications between Mr. Eskandari, PortaOne, and Ariantel include commercial proposals, equipment purchase orders, training, logistics, and contract details. As evidenced by the screenshots of emails below from June and August 2019, an agreement appears to have been concluded among the parties that Ariantel representatives use Telinsol, Gmail or Yahoo email addresses to communicate. A comparison of the two emails confirms that Ariantel representatives are using both Telinsol and Ariantel email addresses, suggesting an affiliation between the companies.

Figure 8. Screenshot of an email requesting the use of Telinsol Gmail or Yahoo email addresses to communicate and an email of the same users with both Telinsol and Ariantel email addresses

Internal Ariantel emails shown below reference commercial material provided in .zip files, including commercial documents from PortaOne to Mr. Eskandari.

Figure 9. Screenshots of internal Ariantel emails referencing commercial agreement documents with PortaOne


Figure 10. Screenshot of a PortaOne commercial quotation to Telinsol

In addition to the PortaOne quotation, an invoice was sent from Valid, a Brazil-based SIM Card provider, to Ariantel email recipients referencing a Telinsol purchase order, further suggesting that Telinsol may have acted as a procurement partner with Ariantel.

Figure 11. Screenshot of an email sent to Ariantel including attached invoices issued to Telinsol for SIM card purchases
Figure 12. Screenshot of an invoice for SIM Cards ordered by Telinsol and included in the email attachment sent to Ariantel

Mr. Eskandari was also seen facilitating meetings between Iranian-based Ariantel and Russian-based PROTEI personnel as evidenced by the emails below.

Mr. Eskandari and fellow Telinsol Director, Mr. Maddox, are also directors of Emeatra Ltd., another UK-based company that supplies new and used telecommunications and network equipment. They are also directors in another UK-based company called Agtelligence Ltd., which is described on LinkedIn as “[h]elping UK farmers on their journey to sustainability.”

Response from Telinsol

On January 11, 2023, DLA Piper (Canada) LLP sent an email to the Citizen Lab on behalf of Telinsol. In this response, Telinsol stated that it:

…flatly denies the allegation that it has been involved in activities that would in any way help digital espionage against Iranian citizens. In particular, the suggestion in your letter that Telinsol provides commercial services to support Iran’s Legal Intercept requirements of mobile surveillance, service control and account management is entirely false and any publication of such an allegation would cause irreparable harm to Telinsol, as well as to the reputation of its past and present clients.

The company further urged the Citizen Lab to “eliminate any reference to Telinsol in its report” and that it would “not hesitate to avail itself of all available legal remedies in response to a defamatory publication by Citizen Lab.”

In a subsequent letter dated January 13, 2023, DLA Piper (Canada) LLP wrote again on behalf of Telinsol. In this letter, Telinsol stated, via counsel, that the “hacked emails evidence a relationship between Ariantel and PortaOne which pre-dates the involvement of Telinsol.” The emails “further evidence Telinsol entertaining an initial enquiry by Ariantel and PortaOne and thereafter entering a due diligence process – a due diligence process that ended in September, 2019 with Telinsol rejecting involvement in the project.” Telinsol also claims that “any activities that thereafter continued were with a Portugal-based company called Magicalcharacter.”

As noted in this report, the documents we reviewed did not include a signed agreement between Telinsol and Ariantel. However, the correspondence reviewed above, which took place in 2019, did include a number of indications that Telinsol may have been acting as a procurement partner with Ariantel at one point in time, as well as email exchanges involving Telinsol, PortaOne, PROTEI, and Ariantel.

Further, we also reviewed one email chain from 2021 between Telinsol, PROTEI, and Ariantel. In this correspondence the NFV EPC & PS Core Manager at Ariantel writes to Mr. Eskandari (Telinsol’s Director): “[k]indly based on our phone conversation and CEO order, please arrange PROTEI training team to come to Iran.” In this same email chain, Mr. Eskandari (Telinsol’s Director) asks “Vladimir,” an individual who appears to be working at PROTEI Russia, what the current travel policy is in Russia and whether it would be “possible to fly to Iran.”

This email chain was dated 2021, suggesting that Telinsol had some kind of involvement with Ariantel that arose after September 2019. It is not clear based on the documents we reviewed whether this correspondence from 2021 relates to the earlier discussions between PortaOne, Telinsol, and Ariantel that arose in 2019.

Figure 13. Screenshot of an email dialogue between Nima Eskandari, Ariantel and PROTEI regarding training venue logistics between Russia and Iran


PROTEI Ltd.

PROTEI Ltd. is a Russian telecommunications, software and hardware company founded in 2002 and operating in Eastern Europe, Asia, Latin America, North Africa and the Middle East. While PROTEI advertises its headquarters in Estonia and its Middle East and Northern Africa (MENA) branch in Jordan, its Russian origins are not widely advertised. The original PROTEI, called “PROTEI NTC” (Scientific-Technological Center PROTEI), is located in Saint-Petersburg. PROTEI has a dedicated Russian branch, PROTEI ST or “Special Technical Centre,” created to work with government agencies and military departments in the Russian Federation, including the Ministry of Defence and the National Defence Management Centre.

Figure 14. PROTEI Exhibitor Page “Army-2023” Military Technical Forum at Kubinka Air Base, Moscow

PROTEI is involved in developing a wide range of solutions for special communications (videoconferencing, Internet and mobile connectivity for the Russian army), but also DPI solutions. These technologies were exported to Kyrgyzstan, Uzbekistan,2 Tajikistan, Niger, and Bahrain. PROTEI representatives also visited Syria in August 2022 to discuss potential collaboration.

PROTEI has partnered with PortaOne, integrating numerous products between the two companies. In a joint press release in 2017 the companies announced the integration of PortaOne’s PortaBilling Business Support System (BSS) and PROTEI’s Home Location Register HLR/HSS and Policy Controller PCRF products, which enables MVNOs to manage subscribers and services independently of host network operators, and to launch new mobile networks. They had previously integrated PortaBilling BSS with PROTEI’s CAMEL Gateway and DPI Platform in 2016, which functions as a mechanism to enforce broadband usage policies. According to PortaOne documents, there is also interoperability with PROTEI PCRF, PROTEI PGW, PROTEI SMSC, and PROTEI USSD Gateway. In 2020, PROTEI and PortaOne announced completion of interoperability testing between PortaOne’s PortaBilling Business Support System (BSS) and PROTEI’s Home Location Register HLR/HSS and Policy Controller PCRF products.

As noted above, the emails we reviewed include correspondence between Telinsol, PROTEI Russia, and Ariantel in which the parties discuss the possibility of the “PROTEI training team” flying to Iran for a training session at the instruction of Ariantel. As noted, Ariantel asked Telinsol’s director, Mr. Eskandari, to arrange this trip.

Figure 15. Screenshot of an email dialogue between PROTEI and Nima Eskandari regarding training after the completion of PROTEI User Acceptance Testing (UAT) for Ariantel

Figure 16. Screenshot of data Traffic Blocking testing results from the PROTEI DPI Acceptance Testing Protocol (ATP) document for Ariantel

PortaOne Inc.

PortaOne Inc. is a Canadian telecommunications company based in British Columbia and founded in 2001. The company has two listed directors: Andriy Zhylenko, the company’s CEO, who has a listed address in Barcelona, Spain, and Oleksandr Kapitanenko, the company’s President, who has a listed address in Coquitlam, BC, Canada. PortaOne supplies software for telecommunications companies, including billing and charging platforms (PortaBilling) and service management and delivery systems for voice, messaging, IoT/M2M, and data traffic (PortaSwitch), among other software solutions.3

On its customer webpage, PortaOne claims to have served over 500 clients in nearly 100 countries. While it does not name Iranian customers, the PortaOne website included, prior to January 11, 2023, a colour-coded installation map indicating that the company was involved in 2-3 installations in Iran. On January 11, 2023, after we received the response from PortaOne (see Appendix C), that installation map was updated to remove the Iran installations (see Figure 17). In a subsequent statement (also included in Appendix C), PortaOne explains that the map on its website mistakenly combined Iraq (where it has customers) with Iran (where it states it has no customers) and that the map was subsequently corrected.

Figure 17. Screenshots of the customer installation map on the PortaOne website taken on January 10, 2023 (left) and on January 11, 2023, at 12pm Eastern (right). Circle was added to highlight Iran.

Responses from PortaOne

PortaOne provided the Citizen Lab with two responses prior to the publication of this report. On January 10, 2023, in the first response sent by their counsel, PortaOne stated that the company “does not provide any products or services to or for use in Iran, it has never done business with Iran, Telinsol or Ariantel” (see Appendix C).

On January 11, 2023, PortaOne issued an official statement contradicting the first response. In this statement, PortaOne stated that, in 2018 and 2019, a PortaOne sales manager engaged in business discussions with Ariantel, acting through Telinsol, regarding PortaOne’s products. The license deal submitted by the sales manager for approval by PortaOne’s management was not with Ariantel but with a Portuguese company. PortaOne explained that it did receive a single payment under the contract between PortaOne and a Portuguese company. The payment they received under this contract came from an unrelated entity, which prompted an investigation by senior management and led to the discovery that the Portuguese company was a front for Ariantel. PortaOne claims that it subsequently canceled the contract with the Portuguese company and returned the payment received.

It is hard to understand how PortaOne’s senior management was not aware of the connection between the Portuguese company (which Telinsol claimed in its January 13, 2023 response to us is named “Magicalcharacter”) and Ariantel and why such an investigation was not conducted by the company prior to entering into negotiations with the Portuguese company, let alone finalizing an agreement and receiving a payment. According to the email correspondence we reviewed, it was the Business Development Director at the time at PortaOne–which suggests a relatively senior position at the company–who was primarily involved in correspondence between PortaOne, Telinsol, and Ariantel. This Business Development Director was the one to request Telinsol to provide a Telinsol email to an individual who appeared to be using an Ariantel email address, and noted in that same email that, “[a]s agreed, all correspondence must be use [sic] ‘Telinsol’ or generic (Gmail or yahoo) email addresses” (See Figure 8).

It is also concerning that a PortaOne employee (and, in particular, a senior employee) would not have considered the adverse human rights impacts of this potential business relationship. This same Business Development Director, as well as the email address “sales@portaone.com,” was copied on an email in which a software manager at Ariantel appears to have specifically asked someone in sales at PortaOne (a certain “Alex,” which likely refers to Alexander Zalugovskiy, Project Manager, who is also identified in the documents reviewed) about “the list of APIs offering required data for LI,” noting that in their “last session talks as you said it seems that it’s possible for us to implement legal requirements.”

The email includes an attached document where it is specifically spelled out that “Telinsol is a Mobile Virtual Network Operator in Iran,” “Telinsol is going to use Protei and PortaOne solutions to run their MVNO services,” and that to provide services in Iran every MVNO “must comply with legal requirements and have Legal Intercept” which is composed of “three components. LI platforms…CID – Control Illegal devices…SHAHKAR – control validity of signed users.” This summary was then followed by an extensive description of each of these Legal Intercept components (See Figures 18 and 19).

Figure 18. Excerpt of document ‘Legal Intercept for Telinsol_without_Protei_ones.docx’, sent by an Ariantel “software manager” to PortaOne’s Business Development Director and sales@portaone.com

Figure 19. Excerpt of document ‘Legal Intercept for Telinsol_without_Protei_ones.docx’, sent by an Ariantel “software manager” to PortaOne’s Business Development Director and sales@portaone.com

Our review of the documents has not identified any exchanges with a Portuguese company or a company called Magicalcharacter acting on behalf of Ariantel. PortaOne’s public statement claims that a sales manager “on his own initiative, engaged in business discussions with Ariantel, acting through Telesol [sic]”. However, according to the email correspondence we have reviewed, PortaOne’s Business Development Director at the time was involved in direct correspondence with at least one individual using an Ariantel email address. As noted above, a document sent to two PortaOne email addresses included direct references to the proposed project involving an MVNO operating in Iran.

A set of documents that appear to have been prepared or edited by a project manager at PortaOne show that the Iranian nature of the project was visible inside the company. In a document describing various features of the services PortaOne would provide to Telinsol, comments attributed to an ‘Alex Zalugovskiy’ at PortaOne make multiple references to components of the project requiring CRA approval. A set of documents from August 2019, described as having been prepared by ‘Alexander Zalugovskiy’, a ‘project manager’ at PortaOne, indicate that the proposed project with Telinsol required Farsi language support, as well as support for the Jalali calendar used in Iran. Together, the documents indicate that at least two employees of PortaOne were aware, or had reason to be aware, that the proposed project with Telinsol involved providing services to an Iran-based MVNO.

In sum, PortaOne’s communications to us have evolved from a blanket denial to an admission that some business was conducted and then subsequently investigated and closed down. However, the information contained in the documents we reviewed does not fully align with their explanation, nor does it demonstrate the type of due diligence they claim to follow.

Conclusion

The documents reviewed in this report provide a glimpse into the Iranian government’s attempt to build a comprehensive surveillance regime and the role of foreign entities in potentially facilitating that system. While we cannot say whether the surveillance system in question was fully or partially implemented, as we only have insight into a moment in time, these documents clearly do reflect an aspiration for an unprecedented surveillance architecture that would have–based on the Iranian regime’s history of suppressing dissent and human rights–led to further human rights violations. Further research is required to understand whether, and to what extent, this system was fully developed and if so, by whom.

In addition, the documents clearly show that several foreign firms were actively negotiating4 to provide services and technology that our analysis suggests would have helped facilitate the Iranian regime’s legal intercept capabilities. In addition to respecting domestic law (such as sanctions regimes), under the framework of the United Nations Guiding Principles on Business and Human Rights (UNGPs), corporate actors have a responsibility to respect human rights and seek to prevent or mitigate adverse human rights impacts that are directly linked to their operations, products or services by their business relationships, even if they have not contributed to those impacts. While businesses may argue that their services are innocuous and not specifically designed for legal interception, this does not absolve them of the responsibility to undertake a human rights due diligence process to identify, prevent, mitigate, and account for how they will address adverse human rights impacts in the context of a potential client.

Further, in this case, the correspondence exchanged by the parties should have put the foreign companies on notice that their products could be integrated into a broad legal intercept architecture operated by a government with a notoriously poor human rights record. As one example, in email discussions regarding the project exchanged between Ariantel and PortaOne in June 2019, Ariantel provided CRA Legal Intercept requirements outlining the extent to which Iranian authorities required visibility into, and control of, user mobile services. Citizen Lab’s research into the email communications and documentation shared with vendors provides unmistakable clarity about the intentions of the Iranian regime with regard to regulation of mobile operator services.

UN Special Rapporteurs, governments, multi-stakeholder platforms, and telecommunications industry leaders have all recognized the significant impact of telecommunications products and services on freedom of expression and privacy, and have emphasized the need to implement such human rights assessment procedures. None of the companies who provided a response to this report have offered concrete information regarding having such a human rights due diligence process in place prior to engaging in business with new clients. In particular, PortaOne’s second response to the Citizen Lab raises serious questions regarding how the company vets clients for risks of adverse human rights impacts (as well as potential sanctions violations), what oversight is exercised by senior management, and what measures exist to ensure that similar situations do not arise in the future.

Acknowledgements. We are grateful to Siena Anstis, Jakub Dalek and Bill Marczak for internal review, Mari Zhou for graphics, and Snigdha Basu for copy editing.

Appendix A. Documents Reviewed

The following table lists the documents included as attachments in email communications shared with the Citizen Lab for analysis by The Intercept.

Each entry gives the date and subject of the email, the email recipient domains, and the titles of the attached documents.

August 7, 2021 – Siam Document
  Recipient domains: cra.ir, ariantel.ir
  Attachments:
  • Siam Web Service Information Manual_V302_Operator Type All_971025.pdf

May 2, 2020 – Shahkar-Estelam-Document
  Recipient domains: cra.ir, ariantel.ir
  Attachments:
  • Shahkar Estelaam API V8.6.pdf

September 21, 2019 – FW. Purchase Order PO-1151/ PO-0030 from Telinsol Ltd for VALID Middle East FZE
  Recipient domains: ariantel.ir
  Note: includes forwarded email from valid.com
  Attachments:
  • Delivery Note 2019-0017 TEL UK.pdf
  • IM-2019-0017 TEL UK.pdf
  • Delivery Note 2019-0018 TEL UK.pdf
  • IU-2019-0018 TEL UK.pdf

September 1, 2019 – مستندات درخواستی (English translation: “Requested documents”)
  Recipient domains: ariantel.ir, bahar.network (name servers operated by baharnet.ir)
  Attachments:
  • shahkar.docx
  • Protei_DPI.cdr_2019.pdf
  • sample_MVNO_Voice.txt

August 18, 2019 – Contract material with Porta One
  Recipient domains: ariantel.ir
  Attachments:
  • 4.7.zip
  • A- 20190306 Telinsol EULA Concerns – MC6.xlsx
  • B- BSS_Scope_Feature_List_Telinsol_v7 AZ.xlsx
  • C – Comments to the PortaOne documents 09-08-2019 AlexZ.xlsx
  • D- Scope of Work 15-08-2019 AlexZ.pdf
  • E – Professional Services Scope 15-08-2019 AlexZ.pdf
  • G- UAT Procedures 15-08-2019 AlexZ.pdf
  • H- 20190708 PortaOne Quotation BSS-OSS with MySQL for Telinsol MC21.pdf
  • I- 20190708 PortaOne Quotation PortaSIP for Telinsol MC22.pdf
  • J- 20190116 PortaOne Quotation for Telinsol UK.pdf
  • PortaOne EULA for Telinsol 2019 v7.doc
  • Telinsol Project Timeline AlexZ.pdf

August 28, 2019 – Final Agreement between Telinsol and Porta One
  Recipient domains: telinsol.co.uk, ariantel.ir
  Attachments:
  • 0- PortaOne EULA for Telinsol 2019 v9.pdf
  • A-20190306 Telinsol EULA Concerns – MC6.xlsx
  • B- BSS_Scope_Feature_List_Telinsol_v7 AZ.xlsx
  • C- Comments to the PortaOne documents 09-08-2019 AlexZ.xlsx
  • D- Scope of Work 15-08-2019 AlexZ.pdf
  • E- Professional Services Scope 15-08-2019 AlexZ.pdf
  • F- Telinsol Project Timeline AlexZ 12-08-2019.pdf
  • G- UAT Procedures 15-08-2019 AlexZ.pdf
  • H- 20190708 PortaOne Quotation BSS-OSS with MySQL for Telinsol MC21.pdf
  • I- 20190708 PortaOne Quotation PortaSIP for Telinsol MC22.pdf
  • J- 20190116 PortaOne Quotation for Telinsol UK.pdf

June 21, 2019 – PortaOne Converged BSS-OSS and Billing for Telinsol in UK
  Recipient domains: portaone.com, ariantel.ir, telinsol.co.uk, gmail.com, yahoo.com
  Attachments: no documents attached

June 11, 2019 – RE. APIs supporting Legal Intercept
  Recipient domains: ariantel.ir, portaone.com
  Attachments:
  • Legal Intercept for Telinsol_without_Protei_ones.docx

April 28, 2019 – Li& shahkar& CID
  Recipient domains: ariantel.ir
  Attachments:
  • shahkar.docx
  • MNO_Backend_Integration_En_ver1.4.pdf
  • CID API.pdf
  • Payment Processor integration_26.03.2019_ES_v.01.pdf

July 12, 2021 – Re: Protei Training
  Recipient domains: telinsol.co.uk, protei.ru, ariantel.ir
  Attachments: no documents attached

Appendix B. Glossary

The following glossary includes a contextual list of specialized terms and acronyms used in this report.

  • Access Point Name (APN): A name configured in the device and network that specifies the type of network data connection assigned to a user, such as an MVNO or other private mobile network.
  • Business Support System (BSS): A software function responsible for storing information about mobile service provider products, rates, customers, customer information, or phone lines. It enables customer billing and controls service configuration and activation.
  • Credit-Control-Answer (CCA): A command response from a PCRF used to provision the rules and triggers that control a user data session, such as bandwidth limiting or data blocking.
  • Credit-Control-Request (CCR): A command sent to a PCRF to request the rules that control a user data session, such as bandwidth limiting or data blocking.
  • Call Detail Record (CDR): Provides detailed information about user voice calls or SMS messages, including time, duration, location, source, and destination number.
  • Deep Packet Inspection (DPI): An in-line software network function used by mobile service providers that receives and processes user data, detects and classifies it into service types, and enables controls such as blocking, bandwidth restriction, and deep analysis.
  • Home Location Register/Home Subscriber Server (HLR/HSS): A software network function that supports user mobile services, including authentication, authorization, status, and communication with other network functions to enable voice, data, and messaging services.
  • Internet Protocol Detail Record (IPDR): Provides detailed information about user data sessions, including time, location, server IP address, data volume, service identification, protocol, and subscriber identifier.
  • Mobile Virtual Network Operator (MVNO): A mobile service provider that sells services under its own brand name but uses the radio network of another licensed mobile operator.
  • Policy and Charging Rules Function (PCRF): A software function used for receiving and activating rules that control a user data session.
  • Packet Data Network Gateway (PGW): A software network function that routes and filters user data from the mobile network to external networks such as the Internet.
  • Quality of Service (QoS): A description commonly associated with the amount of network bandwidth available to a user’s mobile data services.
  • Short Message Service Center (SMSC): A software network function that stores and forwards SMS messages.
  • Unstructured Supplementary Service Data (USSD): An interactive legacy mobile messaging protocol commonly used in mobile networks for basic applications such as order confirmation, mobile account payments, and short surveys.

Appendix C. Correspondence with Companies5

PortaOne

January 4 2023 – Letter sent from Citizen Lab to PortaOne


January 11 2023 – Email sent from PortaOne (via Fraser Litigation Group) to Citizen Lab

Dear Mr. Deibert,

We represent PortaOne, Inc.

Earlier today, PortaOne received a request for comment from CBC on a report that is apparently being published this Thursday by Citizen Labs, which “suggests PortaOne’s products and services are being used in the Communications Regulatory Authority of Iran’s mobile network interception system.” In response to a request for clarification from PortaOne, CBC provided a copy of your letter dated January 4, 2023, addressed to PortaOne (attached).

PortaOne had not seen your January 4, 2023, letter until being provided with same by CBC. The letter does not indicate how it was sent, but it was not received by PortaOne by email or at its mailing address. Accordingly, CBC’s inquiry has come as a complete surprise.

Later today, PortaOne received an inquiry from The Guardian, which indicated that it had received a copy of your report and the emails that it is based on.

PortaOne is a business founded by Ukrainian immigrants, with a significant base of operations in Ukraine and hundreds of employees who have greatly suffered as a result of Putin’s criminal attack on Ukraine, including Russia’s use of Iranian drones. PortaOne is proud to have a well-established pre and post-sales due diligence process for ensuring that it does not violate international sanctions or assist authoritarian regimes. PortaOne does not provide any products or services to or for use in Iran, it has never done business with Iran, Telinsol or Ariantel.

To enable PortaOne to provide a meaningful response on the specific assertions in your report by the January 11, 2023 deadlines arbitrarily set in your letter, and by CBC and The Guardian, please immediately provide a copy of Report (or at least the portion dealing with PortaOne) and copies of the emails involving or referring to PortaOne upon which you rely.

We look forward to your immediate response.

If you have any questions, I can be reached at 604-343-3102.

Thanks,

Seva

Seva Batkin, LL.B., B.Eng. / Fraser Litigation Group
Partner – Commercial and Estate Litigation*
T 604.343.3102 / F 604.343.3119
1100 – 570 Granville Street, Vancouver, BC V6C 3P1
www.fraserlitigation.com / Profile / LinkedIn
FRASER / BATKIN / TRIBE LLP

January 11 2023 – Public statement from PortaOne

January 11, 2023, 2.30 PM PST

PortaOne Provides Comments on the Upcoming Report by Citizen Lab

On January 10, 2023, PortaOne was contacted by CBC for comment on a report being released on January 12, 2023, by Professor Deibert of Citizen Lab of the University of Toronto. CBC did not provide PortaOne with a copy of the report but advised it asserts our products and/or services are being used by the Iranian authorities to intercept calls. CBC provided PortaOne with a letter dated January 4, 2023, to PortaOne from Professor Deibert requesting comments on his report.

PortaOne had not received the letter from Prof. Deibert, and was not aware of his report prior to being contacted by CBC. So that we could provide a meaningful response, we asked Prof. Deibert to provide a copy of the report and the documents relied on therein concerning PortaOne. We did not receive a response from Prof. Deibert despite the fact the report was provided to CBC and other media organizations.

We are a business founded by Ukrainian immigrants, with a significant base of operations in Ukraine and hundreds of employees who have greatly suffered as a result of Putin’s criminal attack on Ukraine, including Russia’s use of Iranian drones. We have not, and will not provide any products or services to or for use in or by Iran, including Iran’s telephone company, Ariantel.

We are proud to have a well-established due diligence process for ensuring that PortaOne does not violate international sanctions or assist authoritarian regimes. For example, immediately upon Putin’s invasion of Ukraine in February, 2022, we terminated provision of products and services to Russian companies and cooperation with Russian technology companies.

PortaOne develops and provides two products and professional services therefor.

(1) PortaBilling, which is a telecom billing system. It manages customer information, calculates charges, and produces invoices. It does not process or interfere in any way with actual calls or other communications by customers. Customer profiles in the PortaBilling system do include a “Legal Intercept” flag, which may be set to indicate that a user is subject to legal surveillance. This flag was implemented in about 2005 to comply with United States Communications Assistance for Law Enforcement Act (CALEA). This is a purely informative flag. It does not enable or implement actual call interception or surveillance.

(2) PortaSIP, a Voice over IP (VoIP) system. It allows calls to be made between VoIP users and interface with a traditional phone system. It does not have any legal intercept / surveillance functionality, and cannot be used to process cellular network calls.

As we have not been provided with a copy of Professor Deibert’s report or the emails said to have been relied on by him, we cannot comment on any specific assertions in the report. With respect to the assertion that PortaOne supplied or supplies products or services to Iran used to intercept calls, this is categorically false. In fact, as a result of its vigilance, PortaOne prevented the sale of its software to an Iranian entity.

In 2018 and 2019, a sales manager, on his own initiative, engaged in business discussions with Ariantel, acting through Telesol, regarding PortaOne’s products. However, the license agreement for this deal submitted by the sales manager for approval by PortaOne’s management in September, 2019, was not with Ariantel, but with a Portuguese company.

On October 23, 2019, PortaOne received the first and only payment under this contract, which did not come from the Portuguese company, but from an unrelated entity. An immediate investigation by senior management revealed that the Portuguese company was a front for Ariantel. On October 28, 2019, PortaOne returned the payment and, on November 8, 2019, formally cancelled the contract with the Portuguese company, de-activated software license keys, and demanded that the company immediately uninstall, remove and/or delete any and all software downloaded from PortaOne.

PortaOne had not completed any integration services for the software supplied to the Portuguese company. We have since had no involvement whatsoever with or supplied products or services to this Portuguese company, Ariantel, Telsinol, or any other Iranian company or entity. Consequently, any suggestion that PortaOne has supplied software to Ariantel or to any other Iranian entity which is used to intercept or surveil calls in Iran is false.

A map on our website illustrating the geographic span of our customer base formerly mistakenly combined Iraq, where we have customers, and Iran, where we do not have any customers. That map has since been corrected.

PortaOne fully supports all efforts to prevent human rights abuses by authoritarian regimes, and we appreciate the work being done by Citizen Lab. We look forward to receiving Prof. Deibert’s report.

January 12 2023 – Letter sent from Citizen Lab (via Paliare Roland) to PortaOne (via Fraser Litigation Group)

Dear Mr. Batkin:

Re: Citizen Lab

We are litigation counsel to the Citizen Lab, and we are in receipt of your email dated January 10, 2023, directed to Dr. Ron Deibert, Director of the Citizen Lab at the University of Toronto. Please direct further correspondence on this matter to my attention.

Your email raises a number of issues that I would like to clarify.

First, you say that Prof. Deibert’s January 4, 2023 letter (the “January 4 Letter”) was not received by PortaOne, and that there is no indication of how it was sent. I note that the January 4 Letter includes PortaOne’s public “contact” email address. Attached to this letter is the email used by Prof. Deibert to send your client the January 4 Letter.

Second, your email states that PortaOne denies having done business in Iran. However, PortaOne’s publicly available website did, up until yesterday, identify 2-3 installations of its software in Iran. We observe that the current version of the PortaOne website no longer includes Iran as a country with such installations. Please ensure that all communications related to this change are preserved.

Third, we attach one of the emails involving PortaOne, which was reviewed by the Citizen Lab in preparing its report. In order to verify the authenticity of the emails from The Intercept, the Citizen Lab conducted a scan intended to assess the validity and integrity of the email evidence by verifying the following:

  1. The message domain key (DKIM) was valid, thus ensuring the cryptographic authentication of the message sender address and subject fields were not manipulated during transit;
  2. There is no malicious content in the email;
  3. The hops from sender and receiver servers are valid and registered; and
  4. Header values are valid and consistent (no anomalies).

We would be grateful if you could confirm that the PortaOne email address in the attached email is valid, and that you are retaining all correspondence related to that address.

In any event, we see now that PortaOne’s public statement from yesterday has evolved from the position set out in your email to Prof. Deibert. That statement will be included in the published version of Citizen Lab’s report.

Yours very truly,

PALIARE ROLAND ROSENBERG ROTHSTEIN LLP
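The four-point scan described in the letter above can be partly reproduced offline. The following Python is an added illustration, not Citizen Lab's or The Intercept's tooling: it parses a constructed sample message, checks the DKIM-Signature structure and body hash (bh=), the From/d= alignment, and the consistency of the Received hop chain. All function names are hypothetical, and the b= signature itself is not verified, since that requires fetching the selector's public key from DNS.

```python
# Added example (not Citizen Lab's tooling): offline integrity pre-checks on a raw email.
import base64
import hashlib
import re
from email import message_from_string

# Relaxed canonicalization of an empty body is "", so its bh= is base64(SHA-256("")).
EMPTY_BODY_BH_SHA256 = "47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU="
REQUIRED_TAGS = ("v", "a", "d", "s", "h", "bh", "b")


def parse_dkim_tags(value: str) -> dict:
    """Split 'k=v; k=v' into a dict, ignoring folding whitespace (RFC 6376 3.2)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip()] = re.sub(r"\s+", "", val)
    return tags


def canonicalize_body(body: str, mode: str) -> str:
    """'simple' or 'relaxed' body canonicalization (RFC 6376 3.4.3 / 3.4.4)."""
    if mode == "relaxed":  # collapse WSP runs and strip trailing WSP on each line
        body = "\r\n".join(re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in body.split("\r\n"))
    while body.endswith("\r\n\r\n"):  # ignore empty lines at the end of the body
        body = body[:-2]
    if body == "\r\n":  # body consisted only of empty lines
        body = ""
    if body and not body.endswith("\r\n"):
        body += "\r\n"
    return body if body or mode == "relaxed" else "\r\n"  # simple: empty body is one CRLF


def body_hash(body: str, mode: str, algo: str) -> str:
    """base64 digest of the canonicalized body, as carried in the bh= tag."""
    digest_fn = hashlib.sha1 if algo == "sha1" else hashlib.sha256
    return base64.b64encode(digest_fn(canonicalize_body(body, mode).encode()).digest()).decode()


def check_received_chain(received: list) -> list:
    """Received headers are prepended (newest first): the host a hop received
    'from' must be the host the next-older hop was received 'by'."""
    findings, hops = [], []
    for value in received:
        text = re.sub(r"\s+", " ", value)
        frm = re.search(r"\bfrom\s+([^\s(;]+)", text)
        by = re.search(r"\bby\s+([^\s(;]+)", text)
        if frm and by:
            hops.append((frm.group(1).lower(), by.group(1).lower()))
        else:
            findings.append("unparseable Received header: " + text[:60])
    for (newer_from, _), (_, older_by) in zip(hops, hops[1:]):
        if newer_from != older_by:
            findings.append(f"hop mismatch: received from {newer_from}, older hop was by {older_by}")
    return findings


def assess_email(raw: str) -> dict:
    """Return the body-hash verdict plus a list of findings (empty means clean)."""
    msg = message_from_string(raw)
    _, _, body = raw.partition("\r\n\r\n")
    findings, body_hash_ok = [], False
    sig = msg.get("DKIM-Signature")
    tags = parse_dkim_tags(sig) if sig else {}
    missing = [t for t in REQUIRED_TAGS if t not in tags]
    if missing:
        findings.append("DKIM-Signature absent or missing tags: " + ",".join(missing))
    else:
        if "from" not in tags["h"].lower().split(":"):
            findings.append("From header not covered by h= (RFC 6376 requires it)")
        canon = tags.get("c", "simple/simple").split("/")
        body_mode = canon[1] if len(canon) == 2 else "simple"
        body_hash_ok = body_hash(body, body_mode, tags["a"].rsplit("-", 1)[-1]) == tags["bh"]
        if not body_hash_ok:
            findings.append("bh= does not match the body: content altered after signing")
        m = re.search(r"@([\w.-]+)", msg.get("From", ""))
        dom, d = (m.group(1).lower() if m else ""), tags["d"].lower()
        if dom != d and not dom.endswith("." + d):  # DMARC-style alignment check
            findings.append(f"From domain {dom} not aligned with d={d}")
    findings += check_received_chain(msg.get_all("Received") or [])
    return {"body_hash_ok": body_hash_ok, "findings": findings}


SAMPLE_BODY = "Hello,\r\n\r\nThe training team can travel next month.\r\n"


def build_sample(body: str, tamper: bool = False) -> str:
    """Constructed message: bh= is computed for `body`, then the body is edited
    when tamper=True, as a doctored forward would be. b= is a placeholder since
    checking it needs the selector's public key from DNS, not done offline."""
    bh = body_hash(body, "relaxed", "sha256")
    if tamper:
        body = body.replace("training", "payment")
    return (
        "Received: from mx.example.net (mx.example.net [192.0.2.20]) by inbox.example.org"
        " with ESMTPS; Mon, 12 Jul 2021 09:01:00 +0000\r\n"
        "Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.net"
        " with ESMTPS; Mon, 12 Jul 2021 09:00:58 +0000\r\n"
        "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=sel1;\r\n"
        "\th=from:to:subject:date; bh=" + bh + "; b=PLACEHOLDER\r\n"
        "From: Vendor Support <support@example.com>\r\nTo: ops@example.org\r\n"
        "Subject: Re: training schedule\r\nDate: Mon, 12 Jul 2021 08:59:00 +0000\r\n"
        "\r\n" + body
    )
```

For the full check, including b= against the `<selector>._domainkey.<domain>` TXT record, a library such as dkimpy (`dkim.verify()`) is the usual tool.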

January 13 2023 – Letter from PortaOne (via Fraser Litigation Group) to Citizen Lab 6

We are in receipt of your letter of January 12, 2023.

As you are aware from the statement issued by PortaOne on January 11, 2023 (the “PortaOne Statement”), PortaOne appreciates the work being done by Citizen Lab and Prof. Deibert. We were thus surprised that, instead of responding to our request for a copy of the Report to enable PortaOne to provide a meaningful response, Prof. Deibert engaged litigation counsel. Your letter does not explain his surprising unwillingness to engage with PortaOne directly and provide the Report, which he had already provided to the media (along with our request). We appreciate your confirmation that the PortaOne Statement will be included in the Report, and look forward to receiving a copy of same.

In response to the three points in your letter:

  1. Prof. Deibert’s January 4, 2023 letter included PortaOne’s mailing and email address, but, as we noted in our email, did not indicate a manner in which it was sent. In contrast, your letter included this information: “VIA EMAIL (sbatkin@fraserlitigation.com)”. PortaOne had not received and seen the letter until it was provided with a copy of same by CBC. Subsequently, it was discovered that Prof. Deibert’s email was caught in PortaOne’s spam filter.
  2. PortaOne only found out about the assertion regarding its website on January 11, 2023, from a reporter’s question, and addressed it in the PortaOne Statement, the receipt of which you have confirmed. This assertion was not mentioned in Prof. Deibert’s letter.
  3. The email attached to your letter has already been addressed in the PortaOne Statement.

The assertion in the concluding paragraph of your letter that PortaOne’s statement had “evolved” from its position in our email to Prof. Deibert is inaccurate and inflammatory.

Yours truly,

Fraser / Batkin / Tribe LLP

Telinsol

January 4 2023 – Letter sent from Citizen Lab to Telinsol


January 11 2023 – Letter from Telinsol (via DLA Piper) to Citizen Lab

Dear Professor Deibert,

Re. Telinsol Ltd.

We have been contacted by Telinsol Ltd. (“Telinsol”) in connection with your letter of January 4, 2023.

We are in the process of finalizing our retainer but, given the deadline set in your letter, we thought it best to write to you forthwith to set out Telinsol’s position.

Telinsol Ltd. is a UK-based company established in 2015, and is globally active in various areas of IT and audio visual and technology-related services. Due to the nature of Telinsol’s business working with reputable global players, its legal and compliance team always makes sure that Telinsol fully abides by applicable laws and regulations.

Telinsol fully supports Iranians’ aspirations for democracy, freedom, and human rights — and particularly the rights of the Iranian people to freedom of expression and digital privacy. Telinsol also strongly condemns the brutal crackdown of the murderous Islamic regime against Iranian protestors.

In response to your letter, Telinsol flatly denies the allegation that it has been involved in activities that would in any way help digital espionage against Iranian citizens. In particular, the suggestion in your letter that Telinsol provides commercial services to support Iran’s Legal Intercept requirements of mobile surveillance, service control and account management is entirely false and any publication of such an allegation would cause irreparable harm to Telinsol, as well as to the reputation of its past and present clients.

In the result, Telinsol strongly urges Citizen Lab to eliminate any reference to Telinsol in its report. While Telinsol greatly appreciates the impactful work done at the Citizen Lab and fully supports your goal of preventing digital espionage against civil society, Telinsol will not hesitate to avail itself of all available legal remedies in response to a defamatory publication by Citizen Lab.

Sincerely,

DLA Piper (Canada) LLP

January 13 2023 – Letter from Telinsol (via DLA Piper) to Citizen Lab

Dear Professor Deibert,

Re: Telinsol Ltd.

I write to follow up on my letter to you of January 11, 2023.

While Telinsol continues to review the hacked e-mails at issue, I have been asked to convey to you the fact that those hacked e-mails evidence a relationship between Ariantel and PortaOne which pre-dates the involvement of Telinsol. The hacked e-mails further evidence Telinsol entertaining an initial enquiry by Ariantel and PortaOne and thereafter entering a due diligence process — a due diligence process that ended in September, 2019 with Telinsol rejecting involvement in the project.

It is Telinsol’s understanding that any activities that thereafter continued were with a Portugal-based company named Magicalcharacter.

I again reiterate the irreparable harm that will be suffered by Telinsol if Citizen Lab publishes inaccurate information about Telinsol in its report.

Sincerely,

DLA Piper (Canada) LLP

January 14 2023 – Letter from Citizen Lab to Telinsol

Dear Tudor Carsten:

Re: Citizen Lab

We are counsel to the Citizen Lab, and we write in response to your letters of January 11 and 13, 2023. Please direct future correspondence on this matter to my attention.

We appreciate that you have just been retained, and that you may not have had an opportunity to be fully briefed by your client on this matter. To assist, we enclose an example email showing direct communications between Telinsol Ltd. and an Iranian telecommunications provider, in which they discuss the technical requirements of the Iranian regime’s surveillance infrastructure, and how your client might assist in same.

The authenticity of these emails—which are dated in 2021, two years after you say that Telinsol Ltd. stopped communicating with its Iranian counterparty—has been verified by the Citizen Lab in the following manner:

  1. The message domain key (DKIM) was valid, thus ensuring the cryptographic authentication of the message sender address and subject fields were not manipulated during transit;
  2. There is no malicious content in the email;
  3. The hops from sender and receiver servers are valid and registered; and
  4. Header values are valid and consistent (no anomalies).

We also note that Telinsol Ltd., and its senior employees, appear to be in the process of scrubbing their public Internet profiles to remove references linking their work to Iran.

In light of your allegations of defamation and reference to considering “all available legal remedies”, we trust that your client is preserving all communications, internal and external, related to its work in Iran. Please also confirm that Telinsol Ltd. and their employees have saved copies of any online content that they changed after learning of Citizen Lab’s work.

Yours very truly,

PALIARE ROLAND ROSENBERG ROTHSTEIN LLP
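
The four checks listed in the letter above are the routine ones an analyst runs on a disputed message. What follows is an added example written for this page, not code from the Citizen Lab report or its counsel. It implements two of those checks offline: the DKIM body hash (bh=) comparison under the RFC 6376 "simple" and "relaxed" body canonicalizations, and a continuity check over the Received hop chain. The message, hostnames, addresses and queue ids are constructed for the example; the DKIM-Signature b= value is a placeholder, because verifying the signature itself requires the signer's public key from DNS (<s>._domainkey.<d>), which this example deliberately does not fetch.

```python
"""Offline checks on a raw RFC 5322 message: does the DKIM bh= tag match the
canonicalized body, and is the Received hop chain continuous? Added example,
not code from the Citizen Lab report. Full DKIM verification also requires
fetching the signer's public key from DNS (<s>._domainkey.<d>) and checking
the b= signature over the listed headers; that step needs network access and
is deliberately left out here."""
import base64
import email
import hashlib
import re
from email import policy


def canonical_body(body: str, mode: str = "relaxed") -> bytes:
    """RFC 6376 s3.4.3 'simple' / s3.4.4 'relaxed' body canonicalization."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        # Collapse runs of SP/HTAB to one SP and strip trailing whitespace.
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" ") for ln in lines]
    while lines and lines[-1] == "":  # drop trailing empty lines
        lines.pop()
    if not lines:
        # Empty body: relaxed hashes nothing, simple hashes a single CRLF.
        return b"" if mode == "relaxed" else b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash(body: str, algo: str = "sha256", mode: str = "relaxed") -> str:
    digest = hashlib.new(algo, canonical_body(body, mode)).digest()
    return base64.b64encode(digest).decode()


def dkim_tags(header_value: str) -> dict:
    """Split 'k=v; k=v' into a dict, discarding folding whitespace."""
    tags = {}
    for part in header_value.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip()] = re.sub(r"\s+", "", v)
    return tags


def split_message(raw: str):
    """Return (parsed headers, raw body text). DKIM hashes the body as it was
    transmitted, so the body is taken from the raw text, not decoded."""
    raw = raw.replace("\r\n", "\n")
    _, _, body = raw.partition("\n\n")
    return email.message_from_string(raw, policy=policy.default), body


def verify_body_hash(raw: str) -> bool:
    """True when bh= in the DKIM-Signature header matches the body hash."""
    msg, body = split_message(raw)
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return False
    tags = dkim_tags(str(sig))
    algo = "sha1" if tags.get("a", "").endswith("sha1") else "sha256"
    # c=header/body; a missing body algorithm means 'simple' (RFC 6376 s3.5).
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return tags.get("bh") == body_hash(body, algo, body_mode)


HOP_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.S)


def received_hops(raw: str) -> list:
    """(from, by) host pairs, topmost Received header first."""
    msg, _ = split_message(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(str(value))
        if m:
            hops.append((m["frm"].lower(), m["by"].lower()))
    return hops


def chain_is_continuous(hops) -> bool:
    """Received headers are prepended, so each header's 'from' host should be
    the 'by' host of the header directly below it."""
    return all(upper[0] == lower[1] for upper, lower in zip(hops, hops[1:]))


# Constructed sample message (hosts, ids and text are invented); b= is a
# placeholder since the signature cannot be checked without the DNS key.
BODY = "Dear colleague,\n\nRevised requirements for the 2021 rollout are attached.\n\nRegards\n"
SAMPLE = (
    "Received: from mail.example.net (mail.example.net [192.0.2.10]) "
    "by mx.example.org with ESMTPS id k8Fq2; Tue, 2 Mar 2021 10:02:11 +0000\n"
    "Received: from [10.0.0.5] by mail.example.net with ESMTPA id 7Jx1p; "
    "Tue, 2 Mar 2021 10:02:09 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.net; "
    "s=sel1; h=from:to:subject:date; bh=" + body_hash(BODY) + "; b=PLACEHOLDER\n"
    "From: Sender <sender@example.net>\n"
    "To: Recipient <recipient@example.org>\n"
    "Subject: Requirements\n"
    "Date: Tue, 2 Mar 2021 10:02:08 +0000\n"
    "\n" + BODY
)

if __name__ == "__main__":
    print("body hash matches:", verify_body_hash(SAMPLE))
    tampered = SAMPLE.replace("2021 rollout", "2019 rollout")
    print("tampered body passes:", verify_body_hash(tampered))
    print("hop chain continuous:", chain_is_continuous(received_hops(SAMPLE)))
```

Two caveats a practitioner should keep in mind when reading a result like this. A matching bh= shows only that the body was not altered after the signing domain (d=) signed it; it says nothing about who controls that domain, and the b= signature still has to be checked against the published selector key for the header fields in h= to be trusted. Received headers below the first hop operated by a party you trust were written by the sending side and can be forged, so hop continuity is a consistency check, not proof of origin.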

PROTEI

January 4 2023 – Letter from Citizen Lab to PROTEI


  1. The document also notes that “[t]his is a totally new project and there are no running services at the moment.”
  2. Infrastructure search engines Censys and Shodan showed fingerprints of PROTEI equipment in Kazakhstan, Uzbekistan, and Russia when searched on 2022-11-30, and RAEX IR.21 reporting data lists PROTEI as an equipment vendor in Jordan, Kyrgyzstan, Uzbekistan, and Tajikistan.
  3. PortaOne maintains a public wiki that includes discussions of compliance with lawful intercept requirements worldwide, including a 2017 discussion of compliance with Russia’s SORM (System for Operative Investigative Activities).
  4. Note that in PortaOne’s second response to the Citizen Lab (see Appendix C), the company explains that it did contract with a Portuguese company and, under this contract, received a single payment from an unrelated entity. This payment prompted an investigation by senior management and led to the discovery that the Portuguese company was a front for Ariantel.
  5. Formatting for this section was updated on January 18th, 2023.
  6. This letter was added after publication on January 16th, 2023.
Mass Iris Scan Collection in Qinghai: 2019–2022
https://citizenlab.ca/2022/12/mass-iris-scan-collection-in-qinghai/
Wed, 14 Dec 2022

Key Findings
  • According to a February 2020 report in the publication Bitter Winter, police in Qinghai Province in China have conducted a program of compulsory iris scan collection targeting residents of the city Tsoshar (Haidong). Building on Bitter Winter’s work, this report finds further evidence of police-led mass iris scan collection in Qinghai, a region with a population that is 49.4% non-Han, including Tibetans and Hui Muslims. The evidence in this report includes details of iris scan collection in three regions of Qinghai, the history of the program, how police collect data, the involvement of Chinese surveillance company Super Red, and how many iris scans police have collected.
  • Of the 189 publicly available sources we uncovered, 53 contained figures for the number of iris scans police had collected. Based on our analysis of these 53 reports, we estimate that between March 2019 and July 2022, police may have collected between roughly 1,248,075 and 1,452,035 iris scans, representing between one fifth (21.1%) and one quarter (25.6%) of Qinghai’s total population (5.9 million). The number of irises scanned would make mass iris scan collection in Qinghai the largest known program conducted in China relative to population, with the possible exception of an earlier program in the Xinjiang Uyghur Autonomous Region.
  • Police have given a number of justifications for mass iris scan collection, including fighting crime, finding missing people, and upgrading national ID cards. Based on our analysis, the lack of a single justification for mass iris scan collection may reflect the fact that police could use the program for multiple purposes. Iris scan collection is part of long-standing police intelligence gathering programs. Through mass iris scan collection, Qinghai’s police are effectively treating entire communities as populated by potential threats to social stability.

Background on Iris Scan Collection Globally

Biometrics is the measurement or calculation of human characteristics like fingerprints, DNA, faces, voices, and gait. These measurements and calculations can in turn be used to verify a person’s identity. One form of biometric identification is iris recognition, or the analysis of the coloured part of the eye surrounding the pupil. To identify a person’s iris, infra-red spectrum cameras are used to map more than 200 features of the iris, with this image then converted into a code that can be algorithmically read. These images can then be compared against the images of other iris scans for the purpose of identifying a person or verifying their identity.

Iris recognition tools are increasingly accurate. The presence of some ocular diseases or the wearing of contact lenses can reduce the accuracy of iris recognition tools. However, a 2018 evaluation found that the most accurate iris recognition algorithms examined had a false negative identification rate of one out of every 150 matches, and a false positive identification rate of one out of every 1,000 matches.

For this reason, border authorities, services run by the United Nations High Commissioner for Refugees, and the Indian government’s biometric ID system Aadhaar have all used iris recognition as part of programs requiring the fast and accurate identification of individuals. Using handheld or surface-mounted infrared cameras, iris patterns can be scanned and then digitized and stored. These scans can be used to verify a person’s identity by matching iris scans against previously captured images, or to identify a person by comparing their irises against a larger database of other people’s scans. How useful iris scans are in identifying people is dependent on the number of iris scans already recorded. The greater the number of individual iris scans in a database, the greater the likelihood that iris recognition technologies can positively identify someone based on an iris scan.

Among the most enthusiastic adopters of these technologies are militaries and police forces. Some of the most well documented cases come from the United States. The US military operating overseas has used biometric recognition tools to identify local national hires since Kosovo in 2001. As part of the war in Afghanistan, the US military collected iris scans and other biometric markers from millions of Afghans, while during the occupation in Iraq the US military collected iris scans for the purpose of screening people entering or leaving particular areas. In both cases, iris scans were collected using mobile iris recognition devices as part of broader counter-insurgency operations.

Figure 1: A US marine in Iraq takes a photograph of a man’s eyes. Source: “050610-M-0502E-010”, Marines, January 20, 2005.

In the 2010s, domestic law enforcement in the United States began adopting these technologies. In 2013, the FBI began a pilot program to work with local police departments to collect and store iris scans from arrestees. By 2020, the database – part of the FBI’s Next Generation Identification biometric data system – reportedly contained 1.8 million iris scans.

Civil society groups, constitutional rights experts, and researchers have raised privacy concerns about the increasing use of iris recognition technologies, including how iris scans are stored, who has access to them and for what purposes, and how secure iris databases are from unauthorized access. In 2017, sheriffs in counties along the United States-Mexico border voted to participate in a trial of tools used to scan, collect, and analyze irises in order to identify migrants, leading the American Civil Liberties Union to warn that these tools could encourage racial profiling or erode the privacy rights of those subjected to iris scan collection by the police. The potential ability to scan irises at a distance has also led researchers and US constitutional rights experts to warn that police could use iris recognition devices on people unaware police are monitoring them.

Other concerns have focused on data security and privacy. With the end of military conflict, biometric data collected by one military may end up in the hands of another. Following the withdrawal of the US military from Afghanistan in 2021, reports emerged of the Taliban’s potential capture of US military biometric devices containing iris scans, fingerprints, and other identifying information on Afghans who had worked with coalition forces.

Background on Iris Scan Collection in China

In China, iris scan collection dates back at least to the mid-2010s. Some of the earliest iris scan programs focused on the problem of missing children. In 2016, iris recognition technology company EyeSmart (释码大华) proposed building 100 stations across Wuhan, Hubei to collect iris scans from children. In November 2017, the Chinese government launched a national children’s iris database containing 40,000 iris scans. By September 2018, authorities were working with another company, IrisKing (中科虹霸), to set up 400 collection stations across China. Participation in these or similar database projects appears to be voluntary, with some schools charging parents of kindergarten students a fee for storing iris scans from their children.

China’s Ministry of Public Security is also interested in iris recognition technologies. Chinese researchers writing in 2021 in Forensic Science and Technology note that, compared with other biometric identifiers like DNA or facial scans, iris scans are a more stable, reliable, and fast way for the police to accurately identify a person.

In 2016, the Beijing Public Security Bureau began building an iris scan database focused on target people. However, one of the earliest known programs of police-led mass iris scan collection in China dates back to at least 2017 in the Xinjiang Uyghur Autonomous Region. As part of a wider campaign of state repression against Uyghurs and others in Xinjiang, police collected biometric data from residents of the region, including iris scans, DNA samples, fingerprints, and facial scans. It is not clear how many iris scans police collected in Xinjiang. In 2017, police in the regional capital Urumqi began building a local iris identity information database (虹膜身份信息数据库), which by January 2018 reportedly contained iris scans of 300,000 people, or roughly 13% of the city’s then-population of 2.2 million. Other reports indicate that coverage could have included everyone aged 12 to 65 years of age in areas targeted by police for data collection.

Outside Xinjiang, police in other areas of China have also conducted iris scan collection programs. Police in Zhengzhou, Henan introduced a program in 2018 to scan the irises of people applying for e-bike drivers licenses, while in 2022 anti-narcotics police in Jinzhong, Shanxi began collecting iris scans and other biometric data like DNA samples and voice samples from registered users of drugs. Yet as late as 2018, China’s Ministry of Public Security did not have a unified national platform for collecting and storing iris scans, according to an article in the Journal of People’s Public Security University of China (Science and Technology).

It was not until 2019 that the Ministry of Public Security began exploring a national program of iris scan collection. Unlike earlier iris scan collection efforts, this program extended beyond any one region of China or any particular group of Chinese citizens. In April 2019, the Ministry of Public Security released the “Notice on Implementing Iris Information Collection and Application Work” (关于开展虹膜信息采集应用工作的通知). Academic writing and industry publications suggest that the Notice called on Public Security Bureaus across China to support the application of the Ministry of Public Security’s “iris system” (部级虹膜系统) and that provincial-level Criminal Investigation Branches should begin building “province-level iris systems” (省级虹膜系统).

While an original copy of the Notice is not available, another national-level document is: the “Construction Plan for National Criminal Investigation Information Specialized Application System’s Iris Identity Inspection Subsystem” (全国刑侦信息专业应用系统虹膜身份核查子系统建设方案). Released by the Ministry of Public Security in February 2019, the Construction Plan calls for strengthening iris scan database construction for the purpose of “attacking crime and social management and control” (打击犯罪和社会管控) and clarifies the roles that national, provincial, municipal, and county-level public security organs have in constructing the database system.

The Construction Plan also specifies from whom iris scans are to be collected: “target people, crackdown targets, and people who have broken the law” (重点人员、打击处理人员和违法犯罪人员) and “target people from Xinjiang” (新疆重点人员). “Target people” are Chinese citizens who police view as threatening social stability, like users of drugs, practitioners of banned faiths, petitioners, and people with mental health issues. “Crackdown targets” may refer to targets of police campaigns against particular categories of offenses, like gambling or telemarketing fraud. “People who have broken the law” refers to people accused of both criminal offenses like sexual assault and non-criminal administrative offenses like using drugs. “Target people from Xinjiang” includes Uyghurs and others from Xinjiang accused of fomenting separatism, terrorism, or extremism, or otherwise seen by police as threatening social stability.

According to the Construction Plan, public security organs at all administrative levels are to set up “leading small groups” (领导小组) to direct the construction and operation of the national iris identity inspection subsystem according to a specific timeline. By the end of March 2019, a national ministry-level iris database containing scans from Xinjiang target people was to be completed. By the end of April, checkpoints surrounding Beijing and other target areas (重点区) were to install iris recognition equipment connected to the ministry-level database to scan for target people from Xinjiang and “suspicious people” (可疑人员) in order to support a secure celebration of the 70th anniversary of the founding of the People’s Republic.

By the end of August, police across China were to establish provincial and local-level iris scan databases. Police were to verify the identities of and collect iris scans from target people, crackdown targets, and criminal offenders. And by the end of 2019, personal information and iris scans from these groups were to be added to national and provincial-level information resource service platforms (信息资源服务平台) to facilitate iris scan comparisons between national and provincial databases and “provide effective and mutually shared iris comparison services for all branches of the police” (为各警种提供高效、共享的虹膜比对服务).

The Construction Plan makes clear that the Iris Identity Inspection Subsystem is also connected to other “public security data resource systems” (公安数据资源体系) and to “big data centres at the national, provincial, and municipal level” (部省市三级大数据中心). Public security data resource systems are used by the Ministry of Public Security for a variety of purposes, including population management. “Big data centres” refers to a project begun in 2020 and spearheaded by the National Development and Reform Commission to build 10 computing centres across China to promote digital innovation, economic development, and the use of green energy, and to transfer data from eastern to western regions for processing and storage.

It is not clear if the Ministry of Public Security or Public Security Bureaus across China were able to stick to the timeline laid out in the Construction Plan. However, since the release of the Construction Plan, police in places like Hubei Province have attempted to implement the tasks laid out in the Plan.

There are also indications that municipal public security bureaus have invested in building iris databases large enough to cover entire local populations. In 2019 the Beijing Municipal Public Security Bureau and IrisKing announced the building of a database capable of containing up to 20 million iris scans, roughly equivalent to the city’s population of 21.89 million, “to facilitate public security management” and “as [a] crime-fighting tool.” According to the 2021 article in Forensic Science and Technology, the capital of Henan, Zhengzhou, has an iris scan database capable of storing 10 million scans, nearly equal to the city’s population of 10.52 million. However, there are no public reports indicating that either the Beijing or the Zhengzhou databases have been operationalized or actually contain iris scans from every permanent resident of the two cities.

Background on Iris Scan Collection in Qinghai

Since the release of the “Notice on Implementing Iris Information Collection and Application Work” and the “Construction Plan for National Criminal Investigation Information Specialized Application System’s Iris Identity Inspection Subsystem” in 2019, reports of police across China building large-scale iris scan databases have emerged. Among these reports is one published in February 2020 by Bitter Winter, which details a program of mass iris scan collection by the Public Security Bureau of Qinghai Province (pop. 5.9 million).

According to Bitter Winter, police collected iris scans at police stations and at the homes of residents of Tsoshar (Haidong) (pop. 1.35 million), warning that refusal to cooperate would make it “difficult for them in the future to buy tickets for traveling and even withdraw money.” Bitter Winter’s report also noted the collection of iris scans from children in the provincial capital Xining, ostensibly aimed at addressing the problem of missing or trafficked children. According to reports from Chinese media, some locals expressed concern about the security of the data their children were providing authorities, as well as a 200 RMB fee for inclusion in the database. Later reports clarified that participation was voluntary, suggesting that this program was distinct from the police-led program of mass iris scan collection described by Bitter Winter.

Bitter Winter’s report is not the first publicly available report documenting mass iris scan collection in Qinghai. In 2010, Chinese media reported that in Yulshul (Yushu) the Provincial Department of Science and Technology and the Chinese Academy of Sciences partnered to implement a trial program to collect iris scans from 3,598 herders in the wake of the April 2010 Yulshul earthquake.

However, Bitter Winter’s report is the first to discuss police engaging in mass iris scan collection outside any ongoing criminal investigation. Bitter Winter’s report is also part of a well-documented record of state surveillance and repression in Qinghai. Much of this surveillance and repression has focused on the province’s Tibetans and other non-Han people who make up 49.4% of the province’s population. Tibetans have been detained and prosecuted for political activism, and Tibetan monks have immolated themselves in protest against party-state rule.

Police have also used anti-crime measures to arrest and jail Tibetan activists. A nationwide “sweep the black” campaign against organized crime, run from 2018 to 2021, has been used in Tibetan areas of Qinghai to punish people protesting corruption, demanding compensation for property damage by state developers, or complaining about land expropriation by local governments.

Controls in Qinghai have also extended to land usage and population resettlement. In Yulshul in 2021, local authorities rescinded the right of Tibetan nomads to use grasslands for raising livestock and community settlement, a right authorities originally granted to nomads for up to 50 years beginning in 1985. Authorities justified mass population resettlement in Qinghai, which dates back to the early 2000s, in terms of ecological protection and raising living standards. However, critics have claimed that the designation of former grazing areas as protected areas will further cultural loss among nomads and that population resettlement in areas of Qinghai, Tibet, Xinjiang, and Inner Mongolia is a form of population control.

Language rights are also under threat in Qinghai, where since the mid-2010s authorities have promoted Mandarin Chinese as the primary language of instruction at schools in Tibetan areas. Authorities have closed Tibetan language schools and police have detained people who have criticized state language policies.

In addition to controls on Tibetans and Tibetan Buddhists, authorities in the provincial capital Xining have also “sinicized” Hui Muslim mosques through the removal of minarets and domes, as part of nationwide efforts to sinicize Islamic practices. Other religious minorities have also been targeted for repression, including the decision of police in 2012 to detain 400 members of the banned spiritual movement Church of Almighty God.

Mass iris scan collection in Tsoshar, as reported by Bitter Winter, appears to be one part of much larger and long-standing instances of state repression and surveillance in Qinghai. Yet while Bitter Winter was the first English language publication to discuss mass iris scan collection in Qinghai, the report left a number of questions unanswered, including whether iris scan collection was confined to Tsoshar, how long the program had been in operation, the specific measures police used to collect data, what companies have sold iris scan collection or iris recognition equipment to the police, or how many iris scans police had collected.

Understanding Qinghai’s iris scan collection program requires answering these questions. What’s more, an accurate assessment of police iris scan collection in Qinghai can provide insight into police biometric surveillance across China, and the legality of mass biometric surveillance under the country’s legal system. By analyzing publicly available sources from Qinghai, and examining these sources in light of existing research on policing and biometric surveillance in China, our report builds on Bitter Winter’s work to detail the scope and character of mass iris scan collection in Qinghai.

Methodology

To explore the character and scale of the police-led mass iris scan collection program in Qinghai, we searched online for publicly available reports concerning this campaign. Data collection for this report began January 8, 2022 and ended September 26, 2022.

All sources were publicly available and found online through Chinese language keyword searches on the social media platform WeChat and on the search engines Google and Baidu. In total, we used 7 keywords arranged into 6 combinations (Table 1).

Keywords (Chinese) Keywords (English)
采集 + 虹膜 Collection + iris
青海 + 虹膜 Qinghai + iris
公安 + 虹膜 Public security + iris
派出所 + 虹膜 Police station + iris
信息 + 虹膜 Information + iris
数据 + 虹膜 Data + iris

Table 1: Keywords

When identifying which sources to collect, we only selected those sources which referred to police iris scan collection, iris database construction, or the importance of iris scan collection as a feature of police work in Qinghai. To ensure greater trustworthiness, we only collected sources from official government or public security WeChat accounts, official government or public security social media accounts published through the news website The Paper, or Chinese domestic news websites. In total, we collected and collated 189 sources (Table 2).

Source Number of Reports
The Paper 111
WeChat 77
News Websites 2
TOTAL 189

Table 2: Primary Sources by Origin

Sources were saved as PDFs and archived using Archive Today, then collated in a spreadsheet according to date and location for further analysis.

We also took steps to ensure that sources referred specifically to mass police-led iris scan collection, rather than other instances of iris scan collection. For example, reports of a voluntary iris scan collection program in Xining focused on preventing elderly people from going missing were not collected or analyzed. Similar programs occur elsewhere in China and cannot be definitively linked to police-led mass iris scan collection in Qinghai.

To contextualize mass iris scan collection in Qinghai, we also drew on other publicly available sources. These sources included government websites which discussed public security programs and police data collection efforts, and Chinese academic literature on police information and iris scan database systems.

There are limits to the 189 sources we collected. These sources alone do not provide a fully comprehensive account of police-led mass iris scan collection in Qinghai. Nor was any single document found which articulates the purpose and scope of mass iris scan collection in Qinghai. However, by collecting 189 publicly available sources discussing mass iris scan collection in Qinghai, we were able to create a composite (albeit incomplete) picture of this program.

Findings

The 189 sources we collected provide insight into the scope of police-led mass iris scan collection in Qinghai and expand upon Bitter Winter’s February 2020 report. Through examination of these sources, we were able to identify: the timeline and geographical scope of police-led mass iris scan collection in Qinghai; the measures police used to collect iris scans; the name of one company involved in the program; and the number of people from whom police collected iris scans. Our research indicates that the Qinghai Public Security Bureau’s mass iris scan collection program is part of broader domestic intelligence gathering programs which target men, women, and children outside any ongoing criminal investigation.

Implementation of the mass iris scan collection program in Qinghai began in March 2019 and continued as late as July 2022 (Table 3).

Year Number of Reports
2019 62
2020 101
2021 19
2022 (to July) 8
TOTAL 189

Table 3: Primary Sources by Year

These 189 sources referred to police-led mass collection of iris scans in three of Qinghai’s nine administrative regions (Table 4). These sources do not refer to iris scan collection in the remaining six administrative regions of Qinghai.

Location Number of Reports
Tsoshar (Haidong) 129
Tsojang (Haibei) 56
Yulshul (Yushu) 4
TOTAL 189

Table 4: Primary Sources by Location

Mass iris scan collection in Qinghai does not appear to be connected to any ongoing criminal investigation. In keeping with the Ministry of Public Security’s 2019 Iris Identity Inspection Subsystem Construction Plan, mass iris scan collection in Qinghai appears to be part of larger police-led data collection programs aimed at strengthening police surveillance capabilities.

A report on a March 2019 public security meeting in Tsoshar, conducted at the start of Qinghai’s mass iris scan collection program, gives insight into the role of iris recognition technologies in policing. The report describes an increasingly precarious domestic security situation necessitating new forms of biometric surveillance:

“Accompanying rapid economic and technological development have been an increasing number of domestic terrorism, public security, and criminal cases. Criminals use cosmetic surgery, forgery, and false documents to hide their identities, seriously threatening national stability and people’s lives and property. Traditional ways of verifying identity, like ID cards and passports, are facing a crisis. Although biometric recognition technologies used to assess fingerprints, voice prints, faces, and DNA play important roles in their respective fields, they cannot accurately determine a person’s true identity in mere seconds.”

According to this report, iris recognition technologies are possible solutions to these problems:

“Iris recognition is currently the fastest and most accurate biometric recognition technology, and benefits from uniqueness, stability, and non-contact recognition, and can connect personal identity documents with iris biometrics. By describing, matching, and classifying the human eyes’ iris through pattern recognition, image processing, and other methods, automatic personal identity authentication can be achieved. Rapid iris identification can accurately determine the true identity of a person and issue a timely alarm for a suspicious person, effectively solving problems caused by forgery, false documents, and cosmetic surgery.”

Who qualifies as a “suspicious person” is not specified. The 189 sources we examined, however, do not suggest that mass iris scan collection is focused on people that the police view as threats to social stability, such as the target people mentioned in the 2019 Construction Plan.

Instead, Qinghai’s police have targeted entire communities for mass iris scan collection. An April 2019 news report from Tsoshar states that police planned to collect iris scans from all long-term residents, people involved in legal cases or civil disputes, passport applicants, and migrant workers. A later report from April 2020 from Haiyan County in Tsojang referred to police collection of iris scans from both permanent residents and migrants. By expanding iris scan collection to all long-term and migrant residents, police in Qinghai are treating entire communities as potential threats to social stability.

Figure 2: Public Security meeting to discuss the iris scan collection program. Source: “Ping’an District’s Public Security Bureau holds training on security technology prevention and iris systems,” March 28, 2019, The Paper.

Planning for iris scan collection in Qinghai dates back at least to November 2018 in Tsoshar, prior to the release of the February 2019 Construction Plan. Beginning in March 2019, police across Tsoshar began receiving training in how to use iris scanners and organizing iris scan collection efforts.

Figure 3: Police officers practice using iris recognition software and hardware. Source: “Wufeng police station uses multiple measures to carry out iris collection,” March 29, 2019, The Paper.

Small groups of police officers were responsible for collecting data from local homes. In some cases, police adopted a “police + village police + volunteer method” (民警+村警+志愿者模式) of collecting iris scans, though who volunteers were is left unstated. In other cases, police, auxiliary police, and village police participated in iris scan collection.

Figure 4: Police gather iris scans in a public area. Source: “Police stations in Danma and Songduo carry out legal education activities in their jurisdictions,” June 24, 2020, The Paper.

Early reports indicate that police focused on areas with high concentrations of people, such as public squares and schools. In Huzhu Tu Autonomous County in Tsoshar, police collected iris scans from people at work units, schools, and commercial enterprises, while in Gangcha County in Tsojang, police collected iris scans at village committees, work units, and temples, and from migrant workers at construction sites. In these well-trafficked public areas, police routinely used desk-mounted iris scanners or operated iris scan machines out of police cars.

Figure 5: Police collect iris scans next to a police vehicle. Source: “[Minhe Public Security] Three ways of strengthening the implementation of iris scan collection,” January 5, 2020, WeChat.
Based on photographs contained in these public reports, it is clear that police have collected iris scans from members of ethnic minority communities, including Tibetans and Hui Muslims. In some cases, police provided bilingual explanations of iris scan collection to non-Mandarin Chinese speaking locals. It is not clear if police are targeting individuals based on their ethnicity alone. However, as discussed in a previous section of this report, police repression of Tibetan activists and state restrictions on the cultural life of the region’s ethnic and religious minorities are well-documented.

Figure 6: Police collect iris scans from an elderly woman. Source: “[Mole Township Police Station] Implementing the “Fengqiao Experience” and doing foundational work,” April 22, 2020, WeChat.
Along with collecting iris scans from adults, police also targeted school children. In both Minhe Hui and Tu Autonomous County and Huzhu Tu Autonomous County, police set up iris scan stations in classrooms and collected scans from students, some of whom appear to have been elementary school students.

Figure 7: Iris scan collection from students. “[Minhe Public Security] Three ways of strengthening the implementation of iris scan collection,” January 5, 2020, WeChat.
Police reportedly worked overtime to collect iris scans. In Ping’an District in Tsoshar, police adopted the method of “the masses rest, I get to work” (群众休息,我上班), visiting schools and village committees during breaks, while in Minhe Hui and Tu Autonomous County in Tsoshar, police collected iris scans after the end of the business day or in farming fields.

Figure 8: Iris scan collection from students. “[Minhe Public Security] Three ways of strengthening the implementation of iris scan collection,” January 5, 2020, WeChat.
Iris scan collection also involved police visits to the homes of local residents. Prior to data collection, police in Hualong in Tsoshar went home-to-home informing locals about the program. In Qilian County and Menyuan Hui Autonomous County in Tsojang, police visited herders during evening hours, while in Haiyan County in Tsojang police made in-home visits at night. During home visits, police would chat with residents about their personal problems, assess interpersonal disputes, and discuss fire, gas, and electricity safety. In other cases, police collected iris scans from the elderly or provided “door-to-door service” (上门服务) to collect scans from people with disabilities.

Figure 9: Police collect iris scans from elderly people. “[Work Dynamics] Service at home, providing greater convenience at no distance” April 16, 2020, The Paper.
Police posted notices online calling on local residents to come to police stations for iris scan collection. In some cases, notices provided contact telephone numbers for local police stations. In one case in June 2019, police mobilized 3,000 people to come to one station in the Hualong Hui Autonomous Prefecture. Notices reminded people to bring their ID card or hukou booklet. Other notices reminded people not to wear contact lenses, or indicated that those who had had cataract surgery or who were blind in both eyes would not have their irises scanned.

Figure 10: Police collect iris scans from Buddhist nuns. “Base level developments at the Gangcha County Public Security Bureau,” April 8, 2020, WeChat.

Iris scan collection could be combined with other police work, such as surveillance of target people or conducting urine drug tests of registered users of drugs. In other cases, public security meetings discussed iris scan collection alongside local implementation of a nationwide surveillance camera program translated alternately as “Dazzling Snow” or “Sharp Eyes” (雪亮工程). Iris scan collection was part of stability maintenance work in the lead up to the May 1 holiday. And in Tsojang, police collected iris scans alongside the confiscation of fake 100 yuan bills and illegal firearms.

Figure 11: Police collect iris scans at a police station. “[Don’t forget your original intention, stay true to your mission] Zhaba police station: muster energy, aim for the top, and steadily promote all work projects,” November 21, 2019, WeChat.
Following the outbreak of the COVID-19 pandemic, iris scan collection continued. Public security meetings in February and March 2020 discussed iris scan collection alongside monitoring people returning from outside the province. Police visits to the homes of recent returnees doubled as opportunities to collect iris scans. In other cases police collected iris scans from returnees in public squares or alongside the promotion of the “epidemic notification apps” (疫情通APP).

Figure 12: Police collect iris scans next to a sign describing the purpose of iris scan collection. “[Policing on the front line] Sanhe police station successfully completes public security work for the rural tourism season’s ‘Welcome to beautiful Sanhegou’,” August 28, 2020, The Paper.
Alongside iris scans police routinely collected “one proper, three reals” (一标三实), or the “proper” address of homes and businesses and the “real” tenants, physical layout, and ownership of local buildings. The “one proper, three reals” data collection program is not unique to Qinghai and has been implemented alongside the police-led mass DNA collection program in the Tibet Autonomous Region. Police collection of both “one proper, three reals” and iris scans in Tsoshar’s Ping’an District was described as “improving district population information” and “ensuring the timeliness and accuracy of base-level personal data” (完善辖区人口信息,确保人员基础数据更新及时准确).

Police also integrated iris scan collection into the broader program of “1 million police entering 10 million homes” (百万警进千万家), a national program of police-led home and business inspections and data collection that was also associated with mass DNA collection in the Tibet Autonomous Region. During home visits as part of the “1 million officers entering 10 million homes” program, police would “chew the fat” (拉家常) with locals about their lives and problems while also collecting iris scans.

Figure 13: Police collect iris scans at a family home. “[Xunhua Public Security Bureau] Baizhuang police station use ‘one million policemen entering ten million families’ activities to assist epidemic prevention and control,” February 23, 2020, The Paper.
Iris scan collection also occurred alongside police-led propaganda campaigns. In May and June 2019, police in Tsoshar’s Ledu District collected iris scans while informing the public about an ongoing “sweep the black” (扫黑除恶) campaign. An outdoor police lecture held in Huzhu Tu Autonomous County in November 2019, which highlighted the dangers of telephone fraud, banned religious practices, drugs, and gambling, also discussed iris scan collection. Other propaganda events focused on traffic safety, banning gambling and confiscating guns and explosives, the International Day Against Drug Abuse and Illicit Trafficking, and National Security Education Day also gave police opportunities to collect iris scans.

Iris scan collection seems to have slowed over the last two years. From 2021 to July 2022, this report found only 27 reports of mass iris scan collection: 15 from Tsojang and 12 from Tsoshar. The drop in the number of reports may indicate that police in Tsoshar, Tsojang, and Yulshul had largely completed iris scan collection by late 2020. However, police surveillance programs piloted in one region can grow, as happened with a male DNA collection project first implemented in Henan in 2014-2016 that later expanded nationwide in 2017. It is possible that police in the future may conduct mass iris scan collection in other regions beyond Qinghai.

Company Involvement: Super Red

Mass iris scan collection in Qinghai is led by municipal Public Security Bureaus. In addition to the police, public records also reveal that at least one company, Super Red (北京万里红科技有限公司), is involved in this biometric surveillance program.

In November 2018, Tsoshar’s Public Security Bureau decided on the model of iris scan collection devices and by the following March had spent 5.21 million RMB on an iris identification system and iris database. At least a portion of the equipment was provided by Super Red, a company in which the Chinese Academy of Sciences holds a majority share. According to the company’s website, Super Red’s iris identification inspection system can associate iris scans with an individual’s ID card or passport, and can be used to identify target people and issue an alert in order to take “preemptive control measures” (提前处置进行部控,防止危险的发生).

In March 2019, technicians from Super Red installed iris scan recognition and inspection systems (虹膜采集识别核查系统) in 19 municipal public security divisions in Tsoshar. At police meetings, technicians from Super Red provided training not only for the iris recognition system, but also the company’s computer secrets technology prevention system (计算机保密技术防范系统), both of which were associated with improving public security organs’ anti-terror and population management capacities.

Super Red’s involvement in biometric surveillance extends beyond Qinghai. In 2019, Super Red reportedly finished building a national-level iris database and more than 20 provincial-level iris databases, as well as connecting provincial-level databases with the national-level database. That same year, Super Red finished building China’s largest iris database, which some reports describe as a national target population iris database (国家重点人口虹膜库).

Details on Super Red’s involvement in these iris database projects outside Qinghai are not publicly available. However, we do know that for years the Ministry of Public Security has partnered with numerous Chinese firms to develop police-run iris recognition systems. In April 2019, the Ministry of Public Security convened the National New Criminal Technology and Equipment Promotional Fair (全国刑事技术新技术新装备推广会) in Zhuhai, Guangdong, a platform attended by officers in the national and provincial Criminal Investigation Bureaus and more than 20 select technology enterprises to discuss police application of iris and vocal print recognition systems. Police interest in biometric technologies has also played a role in the growth of China’s iris recognition market from 2.17 billion RMB in 2017 to 4.8 billion RMB in 2020.

Government Justifications for Iris Scan Collection

As part of the iris scan collection program, police in Qinghai have “increased propaganda efforts” (加大宣传力度) and “won the cooperation and support of local masses” (赢得了辖区群众的配合和支持). However, public outreach has not included a clear justification for mass iris scan collection.

Police requests for cooperation have been made both through public notices and WeChat posts. In some cases, police have highlighted the role of iris scans as a crime fighting tool. In Xunhua Salazu Autonomous County in Tsoshar, iris collection was described as a way to “promote informatization construction” (推进信息化建设), a term referring to the Chinese government’s use of information technologies to collect, store, and use data. Similar justifications were found elsewhere, such as in Minhe Hui and Tu Autonomous County, where iris scan collection was tied to catching criminals and ensuring social stability. In Huzhu Tu Autonomous County, iris scan collection was tied to improving public security information and counter-terrorism.

Some public messaging about the program does not even mention crime or social instability. Public notices from Xunhua Salazu Autonomous County and Hualong Hui Autonomous County discussed iris scan recognition systems helping people identify themselves when boarding mass transit, setting up bank cards or passports, or passing security checks. Other notices stated that iris scans will be used to upgrade national ID cards or find missing children. And in Tsoshar’s Ledu District, iris scan collection terminals at household registration offices were described as a way to improve public security informatization and stability maintenance work, and to provide convenient, fast, and effective service to the public.

Police have justified other biometric surveillance programs, like mass DNA collection in the Tibet Autonomous Region, in similarly broad terms. It’s possible that the lack of a single justification for mass iris scan collection in Qinghai may reflect the fact that an iris scan database could, in fact, be put to multiple uses. Police could use iris recognition technologies and iris scan databases to identify missing people or people with criminal records. Or these programs could be used to tighten state surveillance over ethnic minorities already subject to intense state repression, as has been the case in Xinjiang.

And while police have reportedly asked for public cooperation with iris scan collection, there is no evidence to suggest that people have the right to not cooperate. During other mass biometric data collection programs in China, police have threatened that people who refused data requests would be denied the right to travel or visit a hospital. It is possible that police in Qinghai have also used threats or intimidation to compel some locals to submit to having their irises scanned.

Connection to Mass DNA Collection

Iris scan collection is not the only police-led biometric data collection program in Qinghai. As reported by Human Rights Watch, police in some areas of the province have also engaged in mass DNA collection. However, mass DNA collection in Qinghai appears to occur independent of iris scan collection. Out of the 189 sources we examined for this report, only 11 referred to police collecting DNA, all of which came from Tsojang.

Figure 14: Police collect DNA samples in Qilian County. “[Basic level dynamics] Assume one’s responsibility and fulfill one’s mission – Babao police station strives to build a safe model district,” March 12, 2021, The Paper.
Furthermore, out of the 11 reports of DNA collection, five referred to police collecting DNA specifically from men. Referred to as “male blood collection” (男性血样采集) or “male DNA information” (男性DNA信息), police DNA collection in Tsojang appears to be connected to a national police program to collect extensive genealogical records and DNA samples to create a “male ancestry investigation system” (男性家族排查系统). It is estimated that when completed, this system will contain DNA information from between 5% and 10% of China’s male population, or between 35 and 70 million people.

Unlike mass DNA collection in neighbouring Tibet Autonomous Region, which targeted women and men, police in Tsojang did not seem to collect DNA from women. However, two reports referring to or depicting male DNA collection in Tsojang also included photographs of police collecting iris scans from women. This suggests that even in those areas where male DNA collection occurred, police iris scan collection continued to focus on both men and women.

We therefore conclude that police are conducting a mass iris scan collection program in Qinghai independent of both mass DNA collection in Tibet and the national program of male DNA collection. However, the purpose of all three of these programs is broadly similar: to expand police surveillance over wider segments of the Chinese public.

Estimating the Scale of Iris Scan Collection

Our analysis shows that mass iris collection has occurred in at least three of Qinghai’s administrative regions: Tsoshar, Tsojang, and Yulshul. In order to estimate the scale of iris scan collection in these areas, we examined the 189 sources listed in Table 2. Out of these sources, 53 provided specific figures for the number of iris scans police collected in two of these regions: Tsoshar and Tsojang. These figures ran from as low as 20 iris scans to as many as 130,461.

The clearest picture of the scale of mass iris scan collection comes from Tsoshar. A November 2019 post from Hualong Hui Autonomous County notes that the county’s total population of 306,824 included 150,000 people living in the county and 150,000 living or working outside Hualong. For those living within Hualong, police aimed to collect iris scans from everyone (采集量必须达到100%). For those not currently living in Hualong, police were to innovate new working methods and adopt various measures to increase data collection (要创新工作方式方法,采取多种措施提高信息采集量). A subsequent report from March 2020 states that police in Hualong had collected 130,805 iris scans, equivalent to 87% of the county’s 150,000 long-term residents.

Hualong is not the only area of Tsoshar from which we have data collection figures. In Tsoshar’s Minhe Hui and Tu Autonomous County, police had collected 308,000 iris scans by December 2019, or 70% of their intended total. This suggests that police aimed to collect scans from around 440,000 people, slightly more than Minhe’s total population of 430,000.

These reports from Hualong and Minhe suggest that police in different regions of Tsoshar attempted to collect iris scans from a majority of local residents, and in some cases entire local populations. The scale of iris collection in Tsoshar is captured in a March 2022 report which states that police had collected 1.04 million iris scans across the city. Given Tsoshar’s long-term resident population of 1.35 million, this indicates police had collected iris scans from 77% of the city’s residents.

From Tsojang, only incomplete totals from three of the city’s four administrative regions are available. By April 2020, police in Haiyan County had collected iris scans from 10,995 people, or roughly 30.5% of the county’s population of 36,000. In Menyuan Hui Autonomous County, a June 2020 report states that police had collected 50,000 iris scans, or roughly 32% of the county’s total population of 155,800. And in March 2021, it was reported that police in Qilian County had collected iris scans from 11,505 people, or roughly 23% of the county’s population of 50,000. If we assume that these three figures reflect the final collection figures for each of these regions, we can then estimate the scale of iris scan collection in Tsojang. Adding these three figures together gives us a total of 72,500 iris scans, equivalent to 27.3% of Tsojang’s total population of 265,000 (Tsojang Estimate One in Table 5).

In addition to Haiyan, Menyuan, and Qilian, there is a fourth administrative region in Tsojang, Gangcha County. We have found multiple reports of iris scan collection in Gangcha, including one which states that police at a single police station collected 1,700 iris scans from locals. Assuming that the proportion of iris scans relative to population in Gangcha were similar to those of Tsojang’s other three counties, this would suggest that police in Gangcha collected iris scans from 27.3% of the county’s population of 45,000, or 12,285 people. This in turn would suggest that police in Tsojang have collected roughly 84,785 iris scans, representing 31.9% of Tsojang’s total population (Tsojang Estimate Two in Table 5).

Estimate                 Iris Scans as % of Tsojang’s Population    Estimated Total Number of Iris Scans Collected in Tsojang
Tsojang Estimate One     27.3%                                      72,500
Tsojang Estimate Two     31.9%                                      84,785

Table 5: Estimated Total Number of Iris Scans Collected in Tsojang

The final area of Qinghai where police are known to have collected iris scans is Yulshul (population 425,000). Our research found only four reports of iris scan collection in Yulshul, none of which included precise figures. It is therefore difficult to ascertain the scale of police data collection in Yulshul. If iris scan collection in Yulshul has been as extensive as in Tsojang, then police have collected iris scans from 27.3% of the local population, or 116,025 people (Yulshul Estimate One in Table 6). If iris scan collection in Yulshul instead matched the scope of collection in Tsoshar, then police would have collected iris scans from 77% of local residents, or 327,250 people (Yulshul Estimate Two in Table 6).

Estimate                 Iris Scans as % of Yulshul’s Population    Estimated Total Number of Iris Scans Collected in Yulshul
Yulshul Estimate One     27.3%                                      116,025
Yulshul Estimate Two     77.0%                                      327,250

Table 6: Estimated Total Number of Iris Scans Collected in Yulshul

Based on our estimates of data collection in Tsoshar, Tsojang, and Yulshul, we were able to calculate two estimates for the scale of iris scan collection in Qinghai. To arrive at a low estimate, we only considered the known total of iris scan collection in Tsoshar (1.04 million iris scans), the lowest estimate for iris scan collection in Tsojang (72,500 iris scans, Tsojang Estimate One in Table 5), and the lowest estimate for iris scan collection in Yulshul (116,025 iris scans, Yulshul Estimate One in Table 6). This gave us a combined estimate of 1,248,075 iris scans, representing 21.1% of Qinghai’s total population (Qinghai Estimate One in Table 7).

To arrive at the highest estimate, we added the known total of iris scan collection in Tsoshar (1.04 million iris scans) to the highest estimate for iris scan collection in Tsojang (84,785 iris scans, Tsojang Estimate Two in Table 5), and the highest estimate for iris scan collection in Yulshul (327,250 iris scans, Yulshul Estimate Two in Table 6). This gave us a combined estimate of 1,452,035 iris scans, representing 24.6% of Qinghai’s total population (Qinghai Estimate Two in Table 7).

Estimate                 Iris Scans as % of Qinghai’s Population    Estimated Total Number of Iris Scans Collected in Qinghai
Qinghai Estimate One     21.1%                                      1,248,075
Qinghai Estimate Two     24.6%                                      1,452,035

Table 7: Estimated Total Number of Iris Scans Collected in Qinghai

If we are correct in concluding that police have collected iris scans from roughly one fifth to one quarter of Qinghai’s population, then the mass iris scan collection campaign in Qinghai is the largest known campaign (relative to population) conducted anywhere in China, with the possible exception of Xinjiang.

China has laws and regulations which cover how biometric or personal data can be collected and stored, by whom, and for what purpose. However, these laws and regulations have not constrained the Qinghai police’s program of mass iris scan collection.

According to Article 2 of the Police Law, China’s police are responsible for maintaining national security and social order, and preventing and punishing illegal activity. In line with these responsibilities, police have the right to collect biometric data under certain conditions. Article 132 of China’s Criminal Procedure Law states that police may collect “biological samples” (生物样本) from victims or suspects in criminal proceedings, while Article 50 of the Anti-Terrorism Law states that public security organs can collect iris scans when investigating suspected terrorist activity. Article 3 of the Resident Identity Card Law states that citizens obtaining resident identity cards must register their “fingerprint information” (指纹信息).

Police collection of iris scans in Qinghai takes place outside the scope of the Criminal Procedure Law and the Anti-Terrorism Law. Those targeted by police are not criminal suspects, victims, or suspected terrorists. And despite references to the use of iris scan collection to help upgrade national ID cards, the Resident Identity Card Law specifies that the only biometric data identity card applicants need to register is their fingerprints. And because mass iris scan collection lacks a legal basis, it is also arguably in conflict with Article 37 of the Constitution of the People’s Republic of China, which prohibits “[u]nlawful detention or deprivation or restriction of citizens’ freedom” and “unlawful search of the person of citizens.”

Public security officials have in the past publicly expressed awareness of the legal limits on their authority to collect biometric data, specifically from children. In a 2016 article in China Daily, the then-head of the Ministry of Public Security’s Office of Combatting Against Human Trafficking Chen Jianfeng stated that “[b]iometric data, such as DNA or iris scans, are people’s private information and by law, the police have no right to forcefully collect children’s biometric data.” Yet as our analysis demonstrates, police in Qinghai have forcefully collected biometric data from children, as they have in mass DNA collection campaigns in the Tibet Autonomous Region and across China.

Legal concerns about compulsory biometric data collection by police are not unique to Qinghai. Police outside the province have conducted other mass biometric data collection programs – notably mass DNA collection in the Tibet Autonomous Region and a national program of mass male DNA collection – in ways that find no basis in the Criminal Procedure Law or the Anti-Terrorism Law. Despite the limits on the collection of genetic data stated under the 2019 Regulations on Human Genetic Resources Management and the draft 2022 Detailed Rules for the Implementation of the Regulations on the Management of Human Genetic Resources, police across China have collected DNA samples from millions of people outside of any criminal investigation.

Chinese legal scholars have highlighted the risks to privacy and personal liberty posed by state biometric data collection. In a 2019 online essay, Lao Dongyang, a professor of law at Tsinghua University, warned that state and private biometric surveillance programs in China have challenged the presumption that people are innocent until proven guilty: “[T]he current security measures, no matter how you look at them, are based on the presumption of guilt. Everyone is presumed to be a danger to public safety and all are required, without exception, to pass through increasingly stringent security checks.”

In this same essay, Lao further argued that state biometric data collection programs needed “explicit legal authorization” in order to operate. “Without the authorization, they cannot do it; the government has no right to collect the biometric data of ordinary citizens in the name of security.”

Biometric data collection by private actors has also elicited pushback from legal scholars. In 2019, Guo Bing, a professor of law at Zhejiang Science and Technology University, sued a zoo in Hangzhou for violating China’s Consumer Protection Law by demanding that all visitors submit to facial recognition registration in order to enter the zoo. Under Article 29 of the Consumer Protection Law, operators can only collect and use personal data in ways that are necessary, legitimate, and legal, and with the consent of the consumer. The following year in 2020, a court in Hangzhou ruled in favour of Guo and ordered that the zoo delete any facial recognition data it had collected from him, a decision which was upheld in 2021 on appeal. However, the Consumer Protection Law does not impose limits on the power of China’s police to collect biometric data from Chinese citizens.

Discussion

Since March 2019, police in Qinghai Province have conducted a program of mass iris scan collection. Based on our analysis of 189 publicly available sources, we believe that between March 2019 and July 2022 police in three regions of Qinghai – Tsoshar, Tsojang, and Yulshul – collected iris scans from a total of between 1.2 million and 1.4 million people, or between one fifth and one quarter of Qinghai’s total population. These people do not appear to be accused of any criminal offense nor victims of any crime. Instead, police have effectively treated entire communities as potential threats to social stability.

Police surveillance programs – including networks of informants and the “grid management” of urban neighbourhoods – are not unique to the Xi administration, nor is police collection of biometric data from criminal suspects. What is unique to the Xi era is police-led mass biometric surveillance of entire populations. Alongside the Xi administration’s concern with achieving “comprehensive national security” (总体国家安全), police across China have launched coordinated biometric data collection programs. These programs have collected millions of DNA samples in the Tibet Autonomous Region and Xinjiang, as well as from men across China.

In Qinghai, police biometric surveillance has focused on iris scans. Like other mass biometric data collection programs in China, police collection of iris scans in Qinghai has occurred outside any ongoing criminal investigation. Qinghai’s police have targeted everyone from elementary school students to the elderly. And like mass DNA collection in the Tibet Autonomous Region and Xinjiang, many of those police have targeted are ethnic minorities, including Tibetans and Hui Muslims.

By collecting iris scans from entire communities, and associating these images with personal files, police in Qinghai possess a powerful tool of biometric surveillance. What purpose this tool will play is unclear. Sources examined for this report indicate that police have provided the public with vague justifications for iris scan collection, including fighting crime, finding missing people, and upgrading national ID cards.

This lack of clarity may reflect the lack of a singular motivation for the program. Police could use iris recognition tools to identify missing people. Or police could use these same tools as part of broader programs of surveillance and “ethnic sorting” directed against ethnic minority communities. Iris scan collection has been a key part of state repression and mass detainment in Xinjiang, where police have created “multi-modal” biometric profiles of Uyghurs and other non-Han residents authorities view as potential threats to social stability.

Police could also use the collection of iris scans or other biometric data as a way to deepen control over critics of the Chinese state. This deepening of control already appears to be happening. Following protests in late 2022 across China against harsh pandemic control measures, police collected the “retina patterns” of demonstrators held in police custody, while in other cases police used surveillance cameras equipped with facial recognition capabilities to identify protesters and warn them against participating in future demonstrations.

However police decide to use population-wide iris scan databases or iris recognition technologies, it is clear that these tools will strengthen existing forms of police surveillance. Police already maintain population databases of target people. By associating iris records with personal files in these population databases, police can potentially identify anyone they have on record simply by scanning their eyes. These population databases are in some cases also linked to computer systems at hotels, railways, and airlines. Chinese airports and some municipal transit systems are already using facial recognition cameras for the purpose of passenger screening and payment. If these institutions increasingly use iris recognition terminals to verify customer or passenger identity, Chinese citizens viewed by the police as threats to the party-state may find it even more difficult to travel without alerting the police.

Further contributing to the potential human rights impact of this program is the character of policing in China. China’s police are required to be loyal to the ruling Communist Party. To that end, domestic security work in China involves both policing crime and repressing political opponents. However, the line separating crime control and political repression is often fuzzy. Authorities have charged feminists, labour activists, and human rights lawyers with “picking quarrels and provoking troubles,” “disturbing public order,” and “subversion of state power.” And as part of anti-crime campaigns, police in China have also used their extensive authority to detain people with or without charge to punish both political critics and ethnic minorities. Without opposition political parties, independent courts, a free press, or civil society organizations capable of checking police powers, police in China will be free to collect and use iris scans from whomever they choose and for whatever purpose they wish.

The threat that unrestricted police iris scan collection poses to human rights and privacy is not unique to China. During the United States’ occupations of Afghanistan and Iraq, US military collection of iris scans from local residents was a key surveillance tool. The FBI is also interested in the potential applications of iris recognition technologies and iris scan databases.

Compulsory collection of iris scans by state actors may be in violation of key human rights documents. Article 17(1) of the International Covenant on Civil and Political Rights states that “[n]o one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation,” while Article 12 of the Universal Declaration of Human Rights states that “[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation.”

Police iris scan collection can also have a chilling effect on civil society. People who have their irises scanned may have no further encounters with the police. However, as the United Nations Special Rapporteur on freedom of opinion and expression David Kaye warned in his 2019 report on surveillance and human rights:

“In environments subject to rampant illicit surveillance, the targeted communities know of or suspect such attempts at surveillance, which in turn shapes and restricts their capacity to exercise the rights to freedom of expression, association, religious belief, culture and so forth. In short, interference with privacy through targeted surveillance is designed to repress the exercise of the right to freedom of expression.”

It is also possible that even properly functioning iris recognition tools or iris scan databases will play only a modest role in crime control, despite the claims of proponents. As the United Kingdom’s then-Biometrics Commissioner Paul Wiles noted in a 2017 report, “[i]t does not follow that where crimes are detected or ‘solved’ by the police, all those detections where biometrics were available occurred because of a biometric match: the offender may have been identified for other reasons and the biometric holdings may have played no role or were merely confirmatory.”

Presently, there is a lack of international norms concerning police collection, storage, and use of biometric data like iris scans. At the global level, states, civil society groups, researchers, and international organizations should work together to establish relevant norms and support mechanisms that monitor adherence to these norms and identify possible violations. At the national level, states – including China – must enact and enforce strict limits on police collection, analysis, and storage of iris scans and other sensitive biometric data, in order to minimize the potential harm to those from whom data were collected, their kin, and their wider community.

Acknowledgements

Research for this project was supervised by Professor Ron Deibert.

We would like to thank Donald Clarke, Ron Deibert, Jeff Knockel, Michael Kovrig, Yves Moreau, Tenzin Norgay, Maya Wang, and one anonymous reviewer for valuable feedback.

Sources

Primary sources collected for this project are available here.

  1. Corrected February 22, 2023.
  2. Corrected February 22, 2023.
  3. Corrected February 22, 2023.
Mobility Data and Canadian Privacy Law Explained

https://citizenlab.ca/2022/11/mobility-data-and-canadian-privacy-law-explained/ Tue, 22 Nov 2022 10:00:38 +0000

On November 22, 2022, Citizen Lab published an analysis and recommendations pertaining to the collection of de-identified mobility data and its use under the socially beneficial and legitimate interest exemptions in Canadian privacy law. In this explainer, we discuss the report and accompanying recommendations with Amanda Cutinha and Christopher Parsons, the report’s authors.

What are the key findings of this report?

In the report, we investigate the collection of mobility data by the federal government, its legality under the existing and proposed commercial privacy regime, and proposed recommendations for the reform of draft Bill C-27 which would address many of the issues in the governance of mobility data.

The federal government obtained de-identified and aggregated mobility data from Telus and BlueDot, beginning as early as March 2020, but this only came to the public’s attention in December 2021. The Standing Committee on Access to Information, Ethics, and Privacy (ETHI) investigated this data collection and ultimately raised concerns about the federal government’s inadequate consultation with the Office of the Privacy Commissioner, the failure of the government to verify consent had been provided to collect or disclose the mobility information, the broad purposes for data collection, and the unclear timeline for the government’s retention of data.

When we assessed the lawfulness of the collection of mobility data, we found that BlueDot and Telus likely complied with current private sector privacy legislation, PIPEDA. Specifically, the de-identified information likely did not constitute personal information within the meaning of PIPEDA. This, however, led us to spotlight deficiencies in current privacy legislation. These included:

  • inadequate governance of de-identified data
  • an absence of appropriate transparency and accountability principles
  • a failure to adequately account for harmful impacts of data sharing
  • a neglect of commitments to Indigenous data sovereignty principles
  • insufficient enforcement mechanisms

We found that these deficiencies remain in the Consumer Privacy Protection Act (CPPA). Most pertinently, the proposed legislation contains significant exceptions to knowledge and consent where the purposes of data sharing are deemed either socially beneficial or within a corporation’s legitimate interests. The result is that individuals’ mobility information may be collected or used without knowledge or consent in the service of legitimate business interests, or disclosed to parties, including the federal government, for socially beneficial purposes.

We make 19 corrective recommendations to the CPPA that would alleviate many of the thematic issues facing PIPEDA and, by extension, the CPPA. However, even were these amendments adopted, the legislation should be significantly re-thought to protect individual and collective privacy rights.

What are the key privacy issues with regards to collection of mobility data during the COVID-19 pandemic?

We outline a number of privacy issues surrounding the collection of data during the COVID-19 pandemic.

First, there has been a lack of transparency concerning the collection, use, or disclosure of de-identified mobility data between private sector organizations and the federal government. Though the pandemic required timely and urgent responses, communications from the government were often muddled and did not clearly address whether the government was collecting mobility data. This lack of transparency can fuel distrust amongst members of the Canadian public who already doubt that the federal government respects their privacy rights.

Second, the federal privacy commissioner was not adequately involved in assessing the government’s collection of mobility information. In the case of the disclosure between Telus, BlueDot, and the federal government, the Privacy Commissioner was not engaged. Consequently, the Commissioner could not review the privacy practices linked to the activity in order to confirm the adequacy of de-identification or to ensure consent was obtained where necessary under law.

Third, while the government asserted it established requirements to protect Canadians’ privacy when entering into contracts with Telus and BlueDot, these requirements were not made public or discussed in greater detail.

Fourth, the stated purposes for the collection of data were very broad. They would allow for, in theory, the provision of information or policy advice to relevant provincial and municipal governments to target enforcement actions towards communities with higher-than-average mobility scores. This could have led to enforcement activities being applied to racialized neighborhoods where residents more regularly traveled significant distances for work. The prospect of disproportionate enforcement actions raises equity concerns.

Fifth, the absence of transparency was not limited to the purposes for data collection but continued through to retention timelines. The collection of data was to continue until the end of the pandemic, raising questions as to who decides when the pandemic is ‘over’.

Overall, these issues highlight deficiencies in the existing framework governing private-public data sharing: an absence of governance for de-identified data; a lack of transparency requirements in the sharing of data; inadequate protections to prevent function creep and long retention timelines; and the absence of requirements to consider the equity implications of information sharing with government agencies.

What are the potential negative consequences of collecting and sharing COVID-19 pandemic mobility data with the intention of being ‘socially beneficial’?

Individual privacy rights are at risk when data sharing can occur for socially beneficial purposes, where individuals whose data is being shared are neither aware of the sharing nor consent to it. Socially beneficial purposes can mean different things to differently-situated people: what may be perceived as being socially beneficial to one group may not be to another.

To give one example, consider the context of abortion-care services. One government might analyze de-identified data to assess how far people must travel to obtain abortion-care services and, subsequently, recognize that more services are required. Other governments could use the same de-identified mobility data and come to the opposite conclusion and selectively adopt policies to impair access to such services.

Moreover, the sharing of data for socially beneficial purposes without knowledge or consent may be interpreted as inherently paternalistic. Though the federal government is tasked with making policy that benefits the lives of its citizens, sharing data without knowledge and consent can undermine the data sovereignty of individuals in society. This problem is further pronounced for Indigenous people whose sovereignty has been historically undermined.

Is current privacy legislation adequate in protecting individuals’ privacy interests?

No. We argue that current commercial privacy legislation fails to adequately protect individuals’ privacy interests for the following reasons:

  1. PIPEDA fails to adequately protect the privacy interests at stake with de-identified and aggregated data despite risks that are associated with re-identification.
  2. PIPEDA lacks requirements that individuals be informed of how their data is de-identified or used for secondary purposes.
  3. PIPEDA does not enable individuals or communities to substantively prevent harmful impacts of data sharing with the government.
  4. PIPEDA lacks sufficient checks and balances to ensure that meaningful consent is obtained to collect, use, or disclose de-identified data.
  5. PIPEDA does not account for Indigenous data sovereignty nor does it account for Indigenous sovereignty principles in the United Nations Declaration on the Rights of Indigenous Peoples, which has been adopted by Canada.
  6. PIPEDA generally lacks sufficient enforcement mechanisms.

Why does the collection of de-identified data matter?

De-identified data runs the risk of being re-identified, especially with the rapid evolution of machine learning technologies, breadth of publicly and commercially available datasets, and regularly evolving statistical methods for analyzing data. Where information which is sensitive is de-identified and not subject to the same privacy protections as identifiable, personal information, re-identification risks are magnified.

Would implementing your recommendations solve issues with privacy law?

We wrote this report, in part, to provide practical solutions to gaps in draft privacy legislation. Our recommendations were drafted in light of this practical aim.

However, as we ultimately conclude, our recommendations are not a panacea – even if all of the changes were implemented, they would not ameliorate all of the issues with the CPPA. In order to adequately protect individual privacy rights, the correct approach would be to take a human rights centric approach to privacy protections.

Which recommendations are the most important?

In drafting recommendations, we sought to ameliorate existing deficiencies in current privacy law. The recommendations of the most concern relate to the exemptions to knowledge and consent for “socially beneficial” purposes and “legitimate interests” of organizations.

The sharing of de-identified mobility data between the private and public sector would be authorized under the socially beneficial purpose exemption to knowledge and consent under the draft CPPA. While socially beneficial activities can have positive characteristics, determining what constitutes a beneficial activity can be political. There is a risk that what is socially beneficial for some is not for others. The failure to narrow this exception may allow for information sharing that disproportionately intrudes on the privacy or equity rights of some individuals. We offer numerous recommendations intended to reduce the risks associated with potentially socially beneficial uses of data while, at the same time, not asserting that such sharing should be barred in its entirety.

While the socially beneficial purposes clause opens the door to sharing de-identified information with third parties, such as government agencies, the legitimate interest exception enables private organizations to determine whether the collection or use of personal information outweighs the adverse effects of doing so. While the information cannot be used to influence an individual’s behavior or decisions, it could be used to create datasets that facilitate business or policy developments. While the Privacy Commissioner could investigate organizations that use the exception, they would first need to know that organizations were collecting or using information under this exception; only then could the Commissioner request the organization’s records. The effect is that unless the Privacy Commissioner is zealously engaged in asking private organizations about whether they are collecting or using personal information under the legitimate interest exception, it will be private organizations that will principally be the judges and juries of whether their collection falls under the legitimate interest exception. We argue that organizations should need to be up front with the Commissioner about the use of this exception while, also, aiming to better empower individuals to control how private organizations collect and use their personal information.
