Canada Border Services Agency (Re), 2024 OIC 43

Date: 2024-07-17
OIC file number: 5822-03587
Access request number: A-2022-17066

Summary

The complainant alleged that the Canada Border Services Agency (CBSA) had improperly withheld information under subsection 16(2) (facilitating the commission of an offence) of the Access to Information Act in response to an access request. The request was for the complete source code for the ArriveCAN application. The allegation falls under paragraph 30(1)(a) of the Act.

CBSA provided evidence to demonstrate that disclosure of the source code could be used by malicious actors to either hack the application, pose as the ArriveCAN application in the App Store/Google Play Store or to expose a security vulnerability which would place the personal information of individuals at risk.

CBSA also provided evidence that it considered relevant factors such as the public interest in disclosure, the sensitive nature of the information collected by the application and the purpose of the Act when exercising its discretion pursuant to subsection 16(2).

The complaint is not well founded.

Complaint

[1]      The complainant alleged that the Canada Border Services Agency (CBSA) had improperly withheld information under subsection 16(2) (facilitating the commission of an offence) of the Access to Information Act in response to an access request. The request was for the complete source code for the ArriveCAN application. The allegation falls under paragraph 30(1)(a) of the Act.

Investigation

[2]      When an institution withholds information under an exemption, it bears the burden of showing that refusing to grant access is justified.

Subsection 16(2): facilitating the commission of an offence

[3]      Subsection 16(2) allows institutions to refuse to disclose information that, if disclosed, could reasonably be expected to facilitate the commission of an offence.

To claim this exemption, institutions must show the following:

  • Disclosing the information (for example, information on criminal methods or techniques, or technical details of weapons, as set out in paragraphs 16(2)(a) to (c)) could facilitate the commission of an offence.
  • There is a reasonable expectation that this harm could occur—that is, the expectation is well beyond a mere possibility.

[4]      When these requirements are met, institutions must then reasonably exercise their discretion to decide whether to disclose the information.

Does the information meet the requirements of the exemption?

[5]      CBSA withheld the entirety of the ArriveCAN application source code pursuant to subsection 16(2). CBSA provided evidence to demonstrate that disclosure of the source code could be used by malicious actors to either hack the application, pose as the ArriveCAN application in the App Store/Google Play Store or to expose a security vulnerability which would place the personal information of individuals at risk.

[6]      During the course of the investigation, the complainant confirmed that they are not seeking updated source code for the ArriveCAN application, rather they are seeking the code as it existed at the time of the request, in August 2022. They also note that the use of the ArriveCAN application is no longer mandatory.

[7]      When investigating a complaint from someone who was refused access to a record under the Access to Information Act, the Office of the Information Commissioner (OIC) reviews the institution’s decision to apply any exemptions to withhold information at the time the decision is made. That is usually when an institution responds to the access request, but it could be during the complaint investigation. In the present instance, CBSA made the decision to withhold the information under subsection 16(2) at the time they responded to the request.

[8]      CBSA responded to the request on September 6, 2022. At that time, the source code requested was the most updated version, and use of the ArriveCAN application was mandatory for any travelers entering Canada. The application collected the highly sensitive personal information of millions of individuals.

[9]      Based on this, I conclude that the information withheld by CBSA in September 2022 under subsection 16(2) met the requirements of this exemption in that disclosure could reasonably be expected to facilitate the commission of an offence. Namely, it would have allowed malicious actors to tamper with, hack or modify the application.

Did the institution reasonably exercise its discretion to decide whether to disclose the information?

[10]    Since the information meets the requirements of subsection 16(2), CBSA was required to reasonably exercise its discretion to decide whether to disclose the information. In doing so, CBSA had to consider all the relevant factors for and against disclosure. CBSA does not have to provide a detailed analysis of each factor it considered and explain how it weighed one against the other. However, a blanket declaration that it had exercised its discretion and considered all relevant factors is not sufficient.

[11]    The complainant argues that any risk in disclosure must be weighed against the benefits of transparency and accountability. They further note that the benefits of open-source development, such as improved security, innovation and trust, outweigh the potential risk.

[12]    In this case, CBSA provided evidence that it considered relevant factors such as the public interest in disclosure, the sensitive nature of the information collected by the application and the purpose of the Act when exercising its discretion pursuant to subsection 16(2). Ultimately CBSA did not believe that the benefits of disclosure outweighed the risks and chose not to disclose the information.

[13]    I conclude that the exercise of discretion by CBSA was reasonable.

Section 25: severance

[14]    Section 25 applies notwithstanding any other provision in the Act. It requires institutions to disclose any part of a record that does not contain exempt information under the Act, and which can reasonably be severed from exempt information on the record. This is an extension of the principle that necessary exceptions to access should be limited and specific.

[15]    CBSA provided evidence to demonstrate that severance of the source code was considered but is not reasonable in this case as it is not known where any vulnerabilities in the source code exist.

[16]    I accept CBSA’s representations and conclude that the decision not to sever the record was reasonable in this case.

Outcome

[17]    The complaint is not well founded.

Review by Federal Court

When an allegation in a complaint falls under paragraph 30(1)(a), (b), (c), (d), (d.1) or (e) of the Act, the complainant has the right to apply to the Federal Court for a review. The complainant must apply for this review within 35 business days after the date of this report and must serve a copy of the application for review to the relevant parties, as per section 43.
