In response to the most recent debate over the role of internet service providers as potential agents of law enforcement in Canada (see Bell warns customers about privacy loss with lawful access, et seq), OnlineRights.ca and CIPPIC are calling for all internet service providers to take the ISP Privacy Pledge:

ISP Privacy Pledge

As an Internet Service Provider, we pledge to:

1. Not respond to government/law enforcement requests for personal information about users unless the request is supported by a warrant or court order, or unless the request is being made explicitly under ss.184.4 or 487.11 of the Criminal Code.

2. Not collect personally identifying information about users or monitor user content for law enforcement, national security, or other state purposes except where required by law to do so. If we see evidence of illegal activity, we may notify law enforcement authorities for further action.

3. Notify the subscriber as soon as possible after we receive a legal request or court order for that subscriber's personal information, unless the order does not permit such notification.

Michael Geist writes about it on his blog and points to a debate between him and Marc Goldberg, responded to by Alec Saunders.

This issue has more recently come to the fore in an Ontario application for a search warrant (Canadian Privacy Law Blog: Ontario court considers "lawful authority" under PIPEDA) and I've blogged on a similar topic in Canadian Privacy Law Blog: It's not your job to police your customers.

Simply put, commercial entities such as internet service providers should not arrange their service offerings to act as agents or adjuncts to law enforcement. This does not mean that ISPs should turn a blind eye to criminal activity. If clearly illegal conduct comes to their attention, they can and should report it. I say "clearly" because most commercial entities do not have the nuanced understanding of the law to be able to identify many kinds of allegedly unlawful conduct. Many think that downloading copyright material, such as songs, is illegal but the debate about it rages on in Canada. Whether any content is obscene depends upon a very sophisticated legal analysis, which most ISPs probably don't know, don't understand and aren't trained to apply. Other conduct is more clearly illegal, such as a death threat or sexual depictions of pre-pubescent children. If we expect private companies to make these nuanced judgements, we are opening the door to many "false positives" that may have a chilling effect on the use of the Internet by individual Canadians. If I thought that my ISP was acting as a deputy of the law enforcement apparatus, I may hesitate to post academic debates on religious fundamentalism for fear I may be reported for inciting hatred.

There really isn't anything specifically "anti-law enforcement" in the privacy pledge. It only demarcates the boundary between law enforcement and commercial service providers, who have privileged access to personal information. This boundary already exists in our laws, which provide a balance between the interests of the individual and those of the state. Our Charter and privacy laws provide for specific procedures that must be followed and thresholds that must be met before law enforcement are given access to these troves of data. These are in place to allow individuals to be free from unwarranted intrusions except in specific circumstances. If law enforcement can meet these thresholds, the intrusion is warranted. Deputizing private service providers interferes with that critical balance.

Labels: breach notification, law enforcement, lawful access, lawful authority, privacy, warrants