On January 2, 2004, the first post for the Canadian Privacy Law Blog went live (though it was called "PIPEDA and Canadian Privacy Law" at the time.

Looking back to 2004, I had become an avid reader of legal blogs that were already being put out there and wanted to join the conversation. Many were such fantastic resources for a practitioner who needed to keep on top of developments in the law. At the time, privacy law was the most rapidly developing and it seemed a natural fit.

When I first clicked "Publish Post", I really hoped that I'd be able to keep at it. My greatest fear was, aside from not making a positive contribution, was joining the thousands of others who had abandoned blogs after a brief flurry of activity. My expectations have been greatly surpassed. Blogger tells me this will be the 3052nd posting to the Canadian Privacy Law Blog.

I'd like to thank the many people who read this blog regularly and subscribe to the RSS feed. I hope that it has proven to be of value to lawyers and others who have an interest in what I feel is one of the most interesting areas of the law. The tempo of developments in privacy law has varied and so has my posting frequency, but I plan to keep at it.

I thought it may be interesting to look at the top ten most read posts of 2009. Two topics that got a lot of attention in 2009, lawful access and social networking, weren't really on the radar in 2004.

1. European court rules that photo without consent is breach of privacy and human rights
2. Police get warrantless access to Sympatico customer's data
3. Privacy Commissioner to accept Fracebook's friend request
4. Lawful access to ISP subscriber information reintroduced
5. Cheating husband caught on Google Street View
6. New decision on warrantless access to ISP customer data
7. Mind your trash
8. 10 Privacy Settings Every Facebook User Should Know
9. Quebec movie theatre ordered to pay $10K in damages for bag search
10. Commissioner taking Air Canada to court over customer access to info

There's a lot going on in the arena of privacy law and I hope this blog has been of assistance in keeping on top of it.

(Birthday cake graphic used under a creative commons license from K. Pierce.)

Labels: lawful access, privacy, social networking, vanity

It's official, the Prime Minister is proroguing parliament until the beginning of March: CBC News - Politics - PM seeks Parliament shutdown until March. (Never mind that they've been on vacation since November.)

This means that a number of privacy-affecting bills are being forced into a coma. The list includes:

• Bill C-27 - Electronic Commerce Protection Act (Second Reading in the Senate and Referred to Committee on December 15, 2009) (aka Anti-spam Act);
• Bill C-46 - Investigative Powers for the 21st Century Act (Referred to Committee on October 27, 2009);
• Bill C-47 - Technical Assistance for Law Enforcement in the 21st Century Act (Referred to Committee on October 29, 2009);

The media is also reporting that, in the meantime, Harper plans to fill five vacant senate seats, which will give the Conservatives the majority they need to ensure safe passage of their legislation.

Labels: lawful access, pipeda review, privacy, spam

The 'net and twitter have been all abuzz this past week with revelations about telco and ISP cooperation with law enforcement. We've seen Wikileaks post the internal policies of MySpace and Cryptome's posting of Yahoo!'s internal policies.

Blame for this appears to be laid at the feet of the service providers.

I'm all in favour of privacy and completely in favour of government restraint. I'm even more keen on court oversight and requirements that warrants be produced in order for cops and national security types to get access to customer information. I'm also in favour of transparently and accountability. But I haven't seen much nuance in any of the online discussion of this topic. Perhaps that's just the analytical limitations of twitter and the general tone of much of the blogosphere.

Two important issues are being missed. First: just about any time you interact with any business these days, a data trail of some sort is left. If you buy a book using any credit or debit card, there's a record that can connect that purchase to you. If you check out a book from the library, there's a record. If you use a transponder-based tolling system, there's a record of where you were, when and maybe where you are going. If you use any loyalty program to collect points on your purchases, there's an even denser data trail. Your mobile phone provider knows where you phone is at all times and who you have called. This is not unique to online companies. It's simply the reality of our digital lives. Some information collection or retention may be gratuitous, but more often than not it is essential to provide the service that users are asking for. It is not unreasonable, however, to question how much information is collected and how long it is retained. Fair information practices demand that service providers only collect the amount of information necessary to provide the service and that they keep it for only as long as they need to in order to provide the service.

The second, and more important, issue: love it or loathe it, it is the law. If a third party has information about you, the government can get access to it with a court order, a warrant or a subpoena. The third party can sometimes go to court to challenge the legality of the request, but it seldom has enough information to do so. And in many cases, it really has no ability to do so. The fact is, if there is a lawful demand for information, the service provider has to comply or face criminal sanctions itself.

And that's not just unique to the US and the USA Patriot Act. In Canada, take a look at the Anti-Terrorism Act, the Criminal Code, the Canadian Security Intelligence Service Act or the National Defence Act. European democracies have similar rules, too. These companies are generally following their legal obligations. If you have a problem with that, energies and outrage might be more usefully channelled to changing those laws.

ISPs and telcos may influence the laws, but they generally don't make they rules they have to abide by. In short: don't hate the player, hate the game.

Labels: criminal law, law enforcement, lawful access, warrants

Over the last little while, there has been much discussion about cooperation between telcos and ISPs, on one hand, and law enforcement, on the other hand. We've certainly seen a lot of talk about "lawful access" in Canada.

If you're curious about some of the goings on behind the scenes at American telcos and ISPs in this regard, Cryptome and Wikileaks both have some interesting leaked documentation about policies and procedures for companies like MySpace, Sprint, Yahoo! and others. Just go to Cryptome.org and WikiLeaks.org and do a little digging around.

Labels: law enforcement, lawful access, surveillance

The Privacy Commissioner of Canada has recently provided parliamentarians with her opinion on the new lawful access bills that are winding their way through the Commons. I have to say I was nodding my head while I read it:

Letter to the Standing Committee on Public Safety and National Security regarding the Commissioner's initial analysis on the privacy implications on Bills C-46 and C-47 - October 27, 2009

The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Standing Committee on Public Safety and National Security, regarding her initial analysis on the privacy implications on Bills C-46, the Investigative Powers for the 21st Century Act (IP21C), and C-47, the Technical Assistance for Law Enforcement in the 21st Century Act (TALEA)

October 27, 2009

Mr. Garry Breitkreuz, MP Chair of the Standing Committee on Public Safety and National Security 131 Queen Street – 6th floor House of Commons Ottawa, Ontario K1A 0A6

Dear Mr. Breitkreuz:

I am writing to provide the members of the Standing Committee on Public Safety and National Security with some preliminary views on the privacy implications stemming from Bills C-46 and C-47. As you are aware, I am often called upon to comment on legislation that will result in new or expanded forms of personal information being collected by federal government institutions. Those views, and analysis conducted by my Office, are specifically undertaken to support the deliberations of Parliament.

It must be stated at the outset that we recognize the concerns of law enforcement and national security authorities with the speed of developments in information technology and the anonymity they afford. Bills C-46 and C-47 seek to address the consequent public safety challenges and that objective is valid. That said, whenever new surveillance powers or programs are proposed, it is my view that there must be demonstrated necessity, proportionality and effectiveness. They should also be the least-invasive alternative available. These tests are all the more important in the area of public safety, as the use of surveillance powers by authorities can have deep and lasting impact on peoples’ lives.

The consequences for individuals as their personal information is collected and shared among authorities in various countries can escalate far beyond the initial objectives of public safety. Recent international reports, Canadian court rulings and federal commissions of inquiry have shown this clearly. Proper protections for privacy in this area reside in the strict limitation of invasive powers to what is demonstrably necessary to ensure public safety and in strong measures for accountability, commensurate with the powers vested. It is a matter of protecting human rights and assuring public trust.

Taking into account the real challenges of law enforcement and national security agencies in the Internet age and the fundamental right to privacy that underpins our democratic society, and after careful study and extensive consultation this past summer, I have concluded that elements of the proposed legislation raise significant privacy concerns. These must be addressed by proponents of the bills.

I would draw to the attention of this Committee, and all Parliamentarians, that the proposed legislation contains many provisions that would increase the level of access by law enforcement and national security authorities to personal information. In that regard, it is important that Parliament be satisfied that:

The need for these provisions has been clearly demonstrated,

The lowered legal requirements for use of invasive powers is justified,

The lessons of similar initiatives in other countries are considered, and

The oversight, reporting and accountability mechanisms are carefully calibrated, to ensure they mirror the breadth and scope of new powers

Analytical approach and consultations

It is important to note that our Office approached the examination of both pieces of legislation with fresh eyes and an open mind. While previous iterations or initiatives – like the 1999 Justice Canada initiative, the 2005 public consultation or the 2007 Public Safety request for submissions on Customer Name and Address access – may have served as background, they did not colour our analysis. Instead, since the legislation was tabled this past summer, our Office carefully read and analysed the two bills anew.

We also wanted to hear from informed experts, therefore between June and September of this year, my staff met with representatives of Justice Canada and Public Safety Canada, provincial privacy commissioners, the telecommunications industry (manufacturers, service providers and associations), law enforcement (RCMP and the Canadian Association of Chiefs of Police), civil society groups, academic specialists, as well as subject experts in the fields of information policy, network security, criminal law and intelligence operations. These conversations helped our Office identify the privacy issues raised by the two bills, which relate to the following areas:

Necessity: Though isolated anecdotes abound, and extreme incidents are generally referred to, no systematic case has yet been made that demonstrates a need to circumvent the current legal regime for judicial authorization to obtain personal information. Before all else, law enforcement and national security authorities need to explain how the current provisions on judicial warrants do not meet their needs.

Necessity given international obligations: A principal rationale cited for the need to update Canada’s interception and surveillance regime – as proposed in C-46 and C-47 – is ratification of the Council of Europe Convention on Cybercrime. However, many of the powers introduced in the proposed legislation go far beyond the legal requirements of the Convention. Our analysis would suggest that Canada has already met most of the substantive legal changes required. Certainly some caution should be exercised, given the fact that similar legal initiatives in the US and UK led to significant concerns in relation to privacy.

Proportionality of thresholds: Canadian law imposes rigorous thresholds of evidence for authorities to obtain access to personal information. They form the heart of protections that Parliament put in place to protect privacy in Canada. The downward movement from reasonable grounds to believe to reasonable grounds to suspect in some cases (for some production orders) - or to no threshold of evidence at all (for subscriber data access) - must be shown to be a proportionate response to safety and security imperatives. As it stands, the new powers envisaged are not limited to a specific range or seriousness of criminality, or to a specific level of urgency. In the case of Bill C-47, there is not even a requirement for the commission of a crime to justify access to personal information without a warrant. The onus lies with proponents of the legislation to demonstrate the need for lowered thresholds to obtain personal information.

Proportionality of oversight and review mechanisms: Only prior court authorization serves as rigorous privacy protection. Should Parliament allow law enforcement and national security authorities to circumvent the courts to obtain personal information, the corresponding oversight mechanisms must be established. My Office is clearly implicated at several points in Bill C-47, wherein my staff may review the records created by officers at the RCMP or Competition Bureau as they exercise new powers. Given the scale envisaged, with upwards of thousands of individuals in the RCMP alone potentially empowered to access subscriber data, it would be difficult for us, within our current resources, to offer any assurance to

Parliamentarians or Canadians of proper auditing. Still, review after the fact arrives too late. Privacy has already been breached, it is difficult to properly assess the circumstances, and there is no remedy for the ultimate outcome of the breach.

Demonstrated effectiveness through clear public reporting and accountability: In Bill C-47, audits are conducted internally and not required annually, while follow-up reporting to the responsible Minister and my Office are discretionary, as opposed to regular requirements. This will not afford objective, timely assessment of privacy risks or breaches. It is my view that, should the powers envisaged be granted, copies of those reports from the RCMP and Competition Bureau should be provided to the Minister and my Office on an annual basis. My audit and review staff can then proceed accordingly.

Flowing from these concerns, we would look forward to a constructive dialogue with the Committee on the following points or alternatives:

Examine warrant provisions in the Criminal Code. Rather than creating blanket, open access for authorities to search subscriber data, as in Bill C-47, there are other investigative options or legal changes to consider. Emergency provisions to conduct search, seizure or interception without a warrant in exigent circumstances are already in the Criminal Code. A similar provision for production and assistance orders should be considered to address the issue police have described in obtaining data.

Review the process for court authorization in Canada. If the underlying problem resides in Canada’s current warrant system, this is where the government’s attention should be directed, as opposed to limiting court oversight. Law enforcement and national security authorities should state the shortcomings they identify in the court warrant system so they can be addressed to adapt the system to the new challenges of the Internet age rather than sacrifice the principles that underpin the very society we seek to protect.

Tailor the scope of new powers. Any regime that circumvents court authorization raises significant privacy issues. If Parliament chooses to grant the proposed powers, they must be restricted in their application to the investigation of crimes or threats where such an invasion of privacy is justified. That is the Canadian legal tradition.

Revisit oversight regime. Internal audit, reporting with self-discretion and the role of external review bodies need to be strengthened with provisions for specific reporting requirements, regular review, dedicated resources for oversight and transparent mechanisms for accountability to assure the Canadian public.

Parliament should consider a five-year review for Bill C-46. While Bill C-47 has such a provision, Bill C-46 would also merit close review by Parliament, given how the two pieces of legislation interact. These reviews should be conducted with an eye to demonstrated evidence of effectiveness, minimal invasion of privacy and clear operation within bounds of the law.

Require annual public reporting. Yearly statistics on the use, results and effectiveness of new powers (subscriber data requests, preservation demands, tracking warrants, etc.) should be required by statute. Besides bolstering accountability, these reports would usefully support Parliament’s five-year review of the powers.

Review the regulations flowing from both bills. Given the important administrative, procedural and technical details involved, Parliament should conduct full committee reviews and hear from all interested stakeholders on both legislation and regulations. This should occur before either bill comes into force.

In summary, we urge Parliament to review Bills C-46 and C-47 in light of the following questions:

In specific terms, how is the current regime of judicial authorization not meeting the needs of law enforcement and national security authorities in relation to the Internet? What law enforcement or national security duty justifies access without a warrant by authorities to personal information or preservation of private communication?

Why are some of these powers unrestricted, when the spirit of Canadian law clearly reflects the view that access or seizure without court authorization should be exceptional?

And finally, are the mechanisms for accountability commensurate to the unprecedented powers envisaged?

Based on this initial analysis, my Office will be preparing a full submission for your consideration, in anticipation of your Committee’s study of the legislation. Given the public interest in this issue, we anticipate posting this letter on our website in the near future. I would like to thank you for your attention to this critical issue and look forward to discussing the initiative further when meetings on the bills commence.

Sincerely,

Original signed by

Jennifer Stoddart

Privacy Commissioner of Canada

Well said.

Labels: lawful access, lawful authority, warrants

Check out Michael Geist's post: Michael Geist - Reacting To Lawful Access: Comparing the Conservatives, Liberals, and NDP. The title says it all.

Labels: lawful access, lawful authority, warrants

I was honoured to be one of the speakers at the Halifax Internet Town Hall hosted at Dalhousie University this evening, sponsored by the Chebucto Community Net and Dalhousie Student Union. My portion of the proceedings -- surprise -- was about privacy. I only had ten minutes, so needed to be short and sweet.

I decided to focus my presentation on the abomination that is Bill C-47, in particular the provision that allows law enforcement to have wholesale access to customer information without a warrant. It is frankly appalling and should not be allowed to pass.

Look at this provision:

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

You can disagree on the finer aspects of whether an ISP should be permitted to match an IP address provided by the cops with the customer name and address information in their files. That's a reasonable debate. But I do not see any limitation in Section 16. There's no oversight. There's no real accountability. There's no nuance. All ISPs will be required to provide any (or all) of the following:

• name,
• address,
• telephone number,
• electronic mail address,
• Internet protocol address,
• mobile identification number,
• electronic serial number,
• local service provider identifier,
• international mobile equipment identity number,
• international mobile subscriber identity number and
• subscriber identity module card number

It doesn't have to be connected to a child exploitation investigation. Or a parking ticket. In fact, there's no requirement that there be an underlying lawful investigation. The police will be able to hand a list of names to the ISP and require all of the above information, for an unlimited number of targets.

This is appalling legislation and should not stand.

For other postings on this topic, check out my previous postings tagged Lawful Access.

Labels: lawful access, lawful authority, privacy, warrants

The Ottawa Citizen has an interesting article on the debate surrounding "lawful access". Check it out: Security vs. privacy. Via Michael Geist.

Labels: criminal law, lawful access, lawful authority, privacy, warrants

Just posted on slaw: The debate about warrantless access to ISP customer information >> Slaw

In the privacy community, there has been a debate over whether it is lawful, under PIPEDA, for a custodian of personal information to provide customer information when then police come knocking. The debate has been most heated in the arena of internet service providers customer names and addresses to the police when presented with an IP address. PIPEDA allows a number of disclosures of personal information without consent pursuant to Section 7(3) of the statute. One exception to the general rule relates directly to law enforcement requests:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

The debate has raged over differing interpretations of “lawful authority”, and there are conflicting decisions from the Courts over whether internet service providers can disclose customer name and address information to the police in response to a request.

For example, in Re S.C., 2006 ONCJ 343, the court set aside a search warrant that was based on information obtained from an ISP in response to a law enforcement request. In R. v. Kwok, the court found that the customer had a reasonable expectation of privacy in his name and address information and that the police should have obtained a warrant to get this information from the internet service provider. From paragraph 35 of that decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

More recently, in R. v. Ward, 2008 ONCJ 355 (CanLII), the court determined that the customer did not have a reasonable expectation of privacy with respect to this information because the service agreement imposed upon him by Bell’s Sympatico service reduced, if not destroyed, whatever expectation of privacy he might otherwise have had. Similarly, in R. v. Wilson, the court also found no reasonable expectation of privacy.

The pendulum may be swinging the other way. Last week, the Ontario Court of Justice released its decision in R. v. Cuttell. The Court concluded there is a reasonable expectation of privacy in customer account records, but this expectation can be destroyed by an ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepted that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy but there was no proof brought by the police that the Bell contract applied to this customer. What is perhaps most interesting is that the Judge lamendted the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

All of this may become moot (and then some!) thanks to currently pending legislation. Bill C-47, entitled Technical Assistance for Law Enforcement in the 21st Century Act, is about to come up for committee review in parliament. Introduced along with Bill C-46, Investigative Powers for the 21st Century Act, both bills represent a significant shift in the powers of law enforcement. Though marketed as updating current police powers to keep pace with technology, C-47 would give law enforcement virtually unfettered access to customer information from internet and telecommunications service providers without any judicial oversight. The particular provision is at Section 16:

Provision of subscriber information

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

I am of the view that there should be appropriate judicial oversight of any regime in which service providers are required to identify their users to law enforcement officials. (Subject to exceptions in exigent circumstances.) It is only with judicial oversight that society can be assured that the appropriate balance between privacy and public safety is maintained. The government’s proposal provides no oversight and the powers of law enforcement are completely unfettered. If the concern is that search warrants are too time consuming, then appropriate resources should be put in place to provide for rapid review by independent judicial officers. Removing all the stops from law enforcement powers it not appropriate in this case.

Currently there is a disparity of practices among telecommunication service providers and internet service providers across Canada when dealing with a request from a law enforcement agent to provide a customer name and address connected with a specific IP address. This is due to at least a measure of uncertainty in interpreting the service provider’s obligations under the Personal Information Protection and Electronic Documents Act. Most ISPs will provide customer name and address information if law enforcement officers make a written request in the course of investigation related to child exploitation. In other sorts of investigations, a search warrant is required. Other internet service providers require a search warrant in all circumstances to disclose this information.

For example, Clause 16 as drafted does much more than impose the obligation for service providers to carry out a “reverse look-up” to match one piece of information (such as an IP address) with customer billing information. Instead, it would require the service provider to give law enforcement a laundry list of information in response to any request. This sort of information would be IP address, mobile identification number, electronic serial number, phone number, equipment identifiers and others. This, on its face, goes beyond what law enforcement has been asking for, at least in public.

This power is not subject to meaningful review and is completely unfettered. There is no restriction on the circumstances under which these powers can be used. Currently, requests of this nature generally relate to child exploitation investigations or compelling national security/public safety matters. As drafted, law enforcement would be able to use these powers in connection with parking violations and very minor concerns. In fact, these powers could be used in the complete absence of a lawful investigation. In addition, there is no limitation whatsoever on the volume of these sorts of requests. It would be possible for a law enforcement agency to require the name, address, e-mail address and IP address of every single one of their customers. I think most would say this goes over the line.

It has been said before that a customer’s name and address is not “personal information” or if it is, it is not sensitive information. That misses the point. A customer’s name and address, when connected with an IP address or a mobile phone serial number, is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their “offline” life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that individual’s IP address. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. These provisions do not maintain the traditional balance as has developed in Canada under the Charter and in fact go dramatically and unreasonably in favour of law enforcement.

I've been surprised that discussion of this topic has mostly been contained within the privacy community and hope that the upcoming parliamentary hearings on C-46/C-47 will bring the debate into the wider community, where it belongs.

Labels: criminal law, law enforcement, lawful access, lawful authority, warrants

A friend just provided me with a copy of a recent decision of the Ontario Court of Justice considering the admissibility of information obtained without a warrant from the suspect's internet service provider, Bell. R. v. Cuttell is not on CanLii yet, but I've put a copy here.

The Court concluded there is a reasonable expectation of privacy in your account records, but this expectation can be destroyed by your ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepts that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy. (I would also question whether a form contract that the customer likey has not read would be enough to mean that subjectively there is no reasonable expectation of privacy.)

In this case, there was no proof brought by the police that the Bell contract applied to this customer so a Charter breach was found.

The Court importantly notes that PIPEDA does not give the police the right to seek information and rejects every crown argument that the police may have had "lawful authority" in the circumstances.

But, in the end, the records were admissible as the police acted in good faith.

What is perhaps most interesting is that the Judge laments the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

Labels: criminal law, law enforcement, lawful access, lawful authority, warrants

The federal, provincial and territorial Privacy Commissioners meeting together in St. John's have issued a statement calling for "caution" on the expansion of investigative powers proposed by the conservative government.

They issued the following media release, referring to resolutions available on the federal Commissioner's website:

Privacy commissioners urge caution on expanded surveillance plan

ST. JOHN'S, Sept. 10 /CNW Telbec/ - Parliament should take a cautious approach to legislative proposals to create an expanded surveillance regime that would have serious repercussions for privacy rights, say Canada's privacy guardians.

Privacy commissioners and ombudspersons from across the country issued a joint resolution today urging Parliamentarians to ensure there is a clear and demonstrable need to expand the investigative powers available to law enforcement and national security agencies to acquire digital evidence.

The federal government has introduced two bills aimed at ensuring that all wireless, Internet and other telecommunications companies allow for surveillance of communications, and comply with government agency demands for subscriber data - even without judicial authorization.

"Canadians put a high value on the privacy, confidentiality and security of their personal communications and our courts have also accorded a high expectation of privacy to such communications," says Jennifer Stoddart, the Privacy Commissioner of Canada.

"The current proposal will give police authorities unprecedented access to Canadians' personal information," the Commissioner says.

The resolution is the product of the semi-annual meeting of Canada's privacy commissioners and ombudspersons from federal, provincial and territorial jurisdictions across Canada, being held in St. John's.

The commissioners unanimously expressed concern about the privacy implications related to Bill C-46, the Investigative Powers for the 21st Century Act and Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act. Both bills were introduced in June.

"We feel that the existing legal regime governing interception of communications - set out in the Criminal Code and carefully constructed by government and Parliament over the decades - does protect the rights of Canadians very well," says Ed Ring, the Information and Privacy Commissioner for Newfoundland and Labrador and host of the meeting.

"The government has not yet provided compelling evidence to demonstrate the need for new powers that would threaten that careful balance between individual privacy and the legitimate needs of law enforcement and national security agencies."

The resolution states that, should Parliament determine that an expanded surveillance regime is essential, it must ensure any legislative proposals:

• Are minimally intrusive;
• Impose limits on the use of new powers;
• Require that draft regulations be reviewed publicly before coming into force;
• Include effective oversight;
• Provide for regular public reporting on the use of powers; and
• Include a five-year Parliamentary review.

At the meeting in St. John's, the commissioners and ombudspersons also passed a resolution about the need to protect personal information contained in online personal health records.

The resolution emphasizes the importance of empowering patients to control how their own health information is used and shared. For example, it calls for developers of personal health records to allow patients to gain access to their own health information, set rules about who else has access, and to receive alerts in the event of a breach.

"Personal health records have the potential to deliver significant benefits for patients and their health care providers. However, given the highly sensitive personal information involved, developers need to ensure they build in the highest privacy standards," says Commissioner Ring.

Both resolutions are available on the Privacy Commissioner of Canada's website, http://www.priv.gc.ca/.

The resolutions are here:

• “Protecting Privacy for Canadians in the 21st Century” – Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials on Bills C-46 and C-47
• “The Promise of Personal Health Records” – Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials

Labels: criminal law, health information, law enforcement, lawful access, lawful authority, police, privacy, surveillance

C-46 An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act. First Reading

SUMMARY

The enactment amends the Criminal Code to add new investigative powers in relation to computer crime and the use of new technologies in the commission of crimes. It provides, among other things, for

(a) the power to make preservation demands and orders to compel the preservation of electronic evidence;

(b) new production orders to compel the production of data relating to the transmission of communications and the location of transactions, individuals or things;

(c) a warrant to obtain transmission data that will extend to all means of telecommunication the investigative powers that are currently restricted to data associated with telephones; and

(d) warrants that will enable the tracking of transactions, individuals and things and that are subject to legal thresholds appropriate to the interests at stake.

The enactment amends offences in the Criminal Code relating to hate propaganda and its communication over the Internet, false information, indecent communications, harassing communications, devices used to obtain telecommunication services without payment and devices used to obtain the unauthorized use of computer systems or to commit mischief. It also creates an offence of agreeing or arranging with another person by a means of telecommunication to commit a sexual offence against a child.

The enactment amends the Competition Act to make applicable, for the purpose of enforcing certain provisions of that Act, the new provisions being added to the Criminal Code respecting demands and orders for the preservation of computer data and orders for the production of documents relating to the transmission of communications or financial data. It also modernizes the provisions of the Act relating to electronic evidence and provides for more effective enforcement in a technologically advanced environment.

The enactment also amends the Mutual Legal Assistance in Criminal Matters Act to make some of the new investigative powers being added to the Criminal Code available to Canadian authorities executing incoming requests for assistance and to allow the Commissioner of Competition to execute search warrants under the Mutual Legal Assistance in Criminal Matters Act.

C-47 An Act regulating telecommunications facilities to support investigations aka Technical Assistance for Law Enforcement in the 21st Century Act. First Reading

SUMMARY

This enactment requires telecommunications service providers to put in place and maintain certain capabilities that facilitate the lawful interception of information transmitted by telecommunications and to provide basic information about their subscribers to the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, the Commissioner of Competition and any police service constituted under the laws of a province.

Labels: criminal law, lawful access, lawful authority, privacy

The Minister of Justice is having a press conference as I type this, unveiling among other things, "lawful access" to telecommunications customers' idenfitying information without a warrant. Stay tuned for more details.

Update: Here's the media release from the government:

Government Of Canada Introduces Legislation To Fight Crime In The 21st Century

OTTAWA, June 18, 2009 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, together with the Honourable Peter Van Loan, P.C., Q.C., M.P. for York-Simcoe, Minister of Public Safety, and Mr. Daniel Petit, M.P. for Charlesbourg-Haute-Saint-Charles, Parliamentary Secretary to the Minister of Justice today introduced in the House of Commons two separate pieces of legislation that will ensure law enforcement and national security agencies have the tools they need to fight crime and terrorism in today’s high-tech environment.

“Evolving communications technologies like the Internet, cell phones, and PDAs (personal digital assistants) clearly benefit Canadians in their day-to-day lives,” said Minister Nicholson. “Unfortunately, these technologies have also provided new ways of committing crimes such as distributing child pornography. We must ensure investigators have the necessary powers to trace and ultimately stop crimes.” While technology has advanced rapidly in the past two decades, law enforcement and national security agencies have faced increased difficulty in protecting the safety and security of Canadians. The Investigative Powers for the 21st Century (IP21C) Act will ensure that law enforcement officials have the tools they need to fight crime in today’s modern environment by updating certain existing offences as well as creating new investigative powers to effectively deal with crime in today’s computer and telecommunications environment.

“We must provide our law enforcement with the tools they need to keep our communities safe,” said Minister Van Loan. “High tech criminals will be met by high tech police. This is a great day for the victims and their families who have been long calling for these legislative changes, and those who work tirelessly every day to ensure that when there is a threat to safety police can intervene quickly.”

The Technical Assistance for Law Enforcement in the 21st Century Act will require service providers to include interception capability in their networks. Requirements to obtain court orders to intercept communications will not be changed by this Act, which will require service providers to supply basic subscriber information to law enforcement agencies and the Canadian Security Intelligence Service on request. Other countries, such as the United Kingdom, the United States, Australia, New Zealand, Germany and Sweden, already have similar legislation in place.

“The safety of our citizens, both in our communities and in cyberspace, is a responsibility that this Government takes very seriously,” said Mr. Petit. “The proposed legislation strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard privacy and the rights and freedoms of Canadians.”

The Government carefully considered input provided by a broad range of stakeholders in developing these two pieces of legislation, including the telecommunications industry, civil liberties groups, victims’ advocates, police associations and provincial/territorial justice officials. As a result, the Government has ensured that the Investigative Powers for the 21st Century (IP21C) Act and theTechnical Assistance for Law Enforcement in the 21st Century Act strike an appropriate balance between the need to protect the safety and security of Canada, the competitiveness of the telecommunications industry, and the privacy rights of Canadians.

An online version of the legislation will be available at http://www.parl.gc.ca/.

See also:

Technical Assistance for Law Enforcement in the 21st Century Act

Investigative Powers for the 21st Century (IP21C) Act -->

Information:

Darren Eke Press Secretary Office of the Minister of Justice 613-992-4621

Media Relations Department of Justice 613-957-4207

Media Relations Public Safety Canada 613-991-0657

Here is the government's summary of the warrantless access to customer information provisions:

Technical Assistance for Law Enforcement in the 21st Century Act

Subscriber Information Component

Police forces and CSIS also require timely access to basic subscriber information as it is an essential tool for fighting crime and terrorism. Subscriber information refers to basic identifiers such as name, address, telephone number and Internet Protocol (IP) address, e-mail address, service provider identification and certain cell phone identifiers. These basic identifiers are often crucial in the early stages of an investigation, and without this basic information, police forces and CSIS often reach a dead-end as they are unable to obtain sufficient information to pursue an investigative lead or obtain a warrant.

Currently, there is no legislation specifically designed to require the provision of this information to police forces and CSIS in a timely fashion. As a result, the practices of releasing this information to police forces and CSIS vary across the country: some service providers release this information to law enforcement immediately upon request; others provide it at their convenience, often following considerable delays; while others insist on law enforcement obtaining search warrants before the information is disclosed. This lack of national consistency and clarity can delay or block investigations.

A consistent, balanced, well-regulated and accountable solution is needed for law enforcement and CSIS to obtain basic subscriber information in order to protect the public’s safety and security, while safeguarding individual privacy interests. The Act will accomplish this by compelling all service providers to release this information and creating an administrative model that provides for a reporting regime which ensures accountability by including consisting of a number of new, privacy-related safeguards. Safeguards include such things as the designation of a limited number of law enforcement and CSIS officials who can request information, record keeping, and both internal audits and external oversight.

This legislation provides law enforcement and CSIS with the updated tools needed in the face of rapidly changing technology, while providing maximum flexibility for industry, and creating rigorous safeguards to protect privacy. In doing so, this legislation strikes an appropriate balance between the needs of law enforcement and CSIS, the competitiveness of industry, and the privacy rights of Canadians.

Labels: criminal law, lawful access, lawful authority, privacy

I blogged earlier this week about a decision from the Ontario Superior Court of Justice that held that Bell Sympatico customers do not have a reasonable expectation of privacy when the police come knocking for the name and address behind an IP address. (See: Canadian Privacy Law Blog: Police get warrantless access to Sympatico customer's data.) I managed to get a copy of the decision in R. v. Wilson (6MB PDF file).

Labels: bell, law enforcement, lawful access, lawful authority, privacy, surveillance

Here we go again .... the government is preparing a new "lawful access" law. The media coverage seems to suggest that it covers both eavesdropping of internet based communications (with a warrant) and obtaining subscriber data (without a warrant).

globeandmail.com: New law to give police access to online exchanges

BILL CURRY

From Thursday's Globe and Mail

February 12, 2009 at 3:39 AM EST

OTTAWA — The Conservative government is preparing sweeping new eavesdropping legislation that will force Internet service providers to let police tap exchanges on their systems - but will likely reignite fear that Big Brother will be monitoring the private conversations of Canadians.

The goal of the move, which would require police to obtain court approval, is to close what has been described as digital "safe havens" for criminals, pedophiles and terrorists because current eavesdropping laws were written in a time before text messages, Facebook and voice-over-Internet phone lines.

The change is certain to please the RCMP and other police forces, who have sought it for some time. But it is expected to face resistance from industry players concerned about the cost and civil libertarians who warn the powers will effectively place Canadians under constant surveillance.

Public Safety Minister Peter Van Loan confirmed the plan yesterday during an appearance before a House of Commons committee and offered further explanation afterward.

Public Safety Minister Peter Van Loan confirmed the plan. (Sean Kilpatrick/The Canadian Press)

"We have legislation covering wiretap and surveillance that was designed for the era of the rotary phone," Mr. Van Loan said.

"If somebody's engaging in illegal activities on the Internet, whether it be exploitation of children, distributing illegal child pornography, conducting some kind of fraud, simple things like getting username and address should be fairly standard, simple practice. We need to provide police with tools to be able to get that information so that they can carry out these investigations."

Mr. Van Loan said there have been situations where the police want to act quickly to stop a crime, but can't because of the current laws.

"In some of these cases, time is of the essence," he said. "If you find a situation where a child is being exploited live online at that time - and that situation has arisen before - police services have had good co-operation with a lot of Internet service providers, but there are some that aren't so co-operative."

Although police agencies have been calling for such a law since at least the mid-1990s, this would be the first legislative effort in this direction by the Conservatives.

The reaction can be predicted, however, because Paul Martin's Liberal government faced stiff resistance when his public safety minister, Anne McLellan, introduced a "lawful-access" bill in November, 2005, shortly before that government was defeated.

The Conservative justice critic at the time, Peter MacKay, who is now in the Conservative cabinet, expressed concern with the bill, and Privacy Commissioner Jennifer Stoddart went further, saying there was no justification for such a law.

The concern of critics is that unlike a traditional wiretap that cannot commence without judicial approval, lawful-access legislation in other countries has forced Internet providers to routinely gather and store the electronic traffic of their clients. Those stored data can then be obtained by police via search warrant.

"That means we're under surveillance, in some sense, all the time," said Richard Rosenberg, president of the B.C. Freedom of Information and Privacy Association. "I think that changes the whole nature of how we view innocence in a democratic society."

RCMP Commissioner William Elliott said yesterday the lack of such legislation is causing problems for police.

"We're speaking generally about the development of technology that is difficult or impossible to wiretap," Mr. Elliott said after appearing alongside Mr. Van Loan at the House of Commons Public Safety and National Security Committee.

"In the old days, for a wiretap it was pretty simple. You sort of clicked onto the physical wires. So we have some instances where the court authorizes us and other police forces, for example, to intercept communications, but we don't have the technical ability to do that. So certainly the RCMP is supportive of changes of legislation that would allow those kind of intercepts."

Labels: facebook, law enforcement, lawful access, lawful authority, privacy, social networking, surveillance

Another case from Ontario about police getting warrantless access to personal information from an internet service provider, in this case Bell Sympatico. For previous cases, see this link.

The justification is based on a particular reading of Section 7 of PIPEDA, and Bell Canada deciding it should hand over the information. I don't agree with this interpretation of s. 7 and I also don't think the Bell should have handed customer information over without a warrant, even if it legally could do so.

Police may have access to your online history

TORONTO - An Ontario Superior Court ruling could open the door to police routinely using Internet Protocol addresses to find out the names of people online, without any need for a search warrant.

Justice Lynne Leitch found there is "no reasonable expectation of privacy" in subscriber information kept by Internet Service Providers, in a decision issued earlier this week.

The decision is binding on lower courts in Ontario and it is the first time a Superior Court level judge in Canada has ruled on whether there are privacy rights in this information that are protected by the charter. The ruling is a significant victory for police investigating crimes such as possession of child pornography, while privacy advocates warn there are broad implications even for law-abiding users of the Internet.

"There is no confidentiality left on the Internet if this ruling stands," said James Stribopoulos, a professor at Osgoode Hall Law School in Toronto.

Canada's privacy commissioner also warned Thursday the Conservative government's plans to revive legislation that would force Internet Service Providers to allow police to intercept Internet-based conversations "is a serious step forward toward mass surveillance" that violates the privacy rights of Canadians.

"My concerns are a huge increase in surveillance powers," Jennifer Stoddart told a news conference Thursday. "I understand there are technological challenges for the forces of law and order . . . but is this the only way this can be done?"

Police and the Canadian Security Intelligence Service already have the power to wiretap private communications, but the laws were written before the era of the Internet and wireless technologies such as mobile phones.

A "modernization" bill was first introduced by the former Liberal government and the Conservatives have promised for years to revive the legislation, which privacy advocates oppose because they say it could broaden the power of authorities because they could reach back for months of communications.

Public Safety Minister Peter Van Loan, who assumed the portfolio in November, told a House of Commons committee this week that he will move forward with a bill, which his predecessor, Stockwell Day, relegated to a back burner.

The court ruling by Leitch was made in a possession of child pornography case in southwestern Ontario.

A police officer in St. Thomas, Ont. faxed a letter to Bell Canada in 2007 seeking subscriber information for an IP address of an Internet user allegedly accessing child pornography. The court heard it was a "standard letter" that had been previously drafted by Bell and the officer "filled in the blanks" with a request that stated it was part of a child sexual exploitation investigation.

Bell provided the information without asking for a search warrant. The name of the subscriber was the wife of the man who was eventually charged with "possession of child pornography" and "making available child pornography."

Most ISPs in the country require search warrants to turn over subscriber information unless it is a child pornography investigation.

Ron Ellis, the lawyer for the defendant, stressed to the judge there was no allegation of attempted luring or of a child in immediate danger. The "making available" charge stems from peer-to-peer websites that permit the downloading of images from other users.

Ellis argued police should have been required to seek a search warrant to obtain the subscriber information.

Leitch accepted the arguments of Crown attorney Elizabeth Maguire the information is similar to what is in a phone book.

"One's name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state," said Leitch.

The reasoning of the judge misses the context of what police are seeking, suggested Stribopoulos.

"It is not just your name. It is your whole Internet surfing history. Up until now, there was privacy. An IP address is not your name it is a 10-digit number. A lot more people would be apprehensive if they knew their name was being left everywhere they went," he said.

This information should require a search warrant by police if there is suspected criminal activity, said Stribopoulos. Judges are accepting the argument that this is "just your name" because "everyone wants to get at the child abusers," he said.

The federal Personal Information Protection Electronics Documents Act permits ISPs to provide this information to someone with "lawful authority," which Leitch interpreted as meaning a police officer and not requiring a court ordered warrant.

There is an irony that exemptions in federal privacy legislation have been used to increase police powers and potentially reduce privacy rights, said Stribopoulos.

The trial of the defendant in St. Thomas will resume this spring.

With a file from Janice Tibbetts, Canwest News Service

Labels: bell, law enforcement, lawful access, lawful authority, privacy

Five years ago, on January 2, 2004, a new age of privacy was creeping across Canada and this blog was born. The day before, at the stroke of midnight, the Personal Information Protection and Electronic Documents Act (Canada) had come fully into force. The Alberta and British Columbia Personal Information Protection Acts also became effective on the first day of 2004.

Since then, we have seen dramatic changes in privacy throughout the world: Identity theft is on the rise; there have been literally thousands of data breaches exposing the personal information of millions of people; governments are looking for easier access to personal information; video surveillance is more widespread; more personal information is generated digitally and aggregated in private hands.

And in the past year specifically, things have remained interesting on the privacy front. We've seen debate over changes to PIPEDA without anything definitive coming from the mandatory five year review. We've also seen arguments put forward to reform the public sector Privacy Act. Focus has also been drawn to the increasing practice of examining laptops at US border crossings. Litigation between Viacom and Google has raised awareness of log information that's often retained by internet companies. And Google has also been sued by a couple claiming their privacy has been violated by presenting pictures of their house in Google Street View. But in the last year, the one big privacy story that was supposed to have the largest impact on Canadians was the implementation of the National Do Not Call List. Whether it has, in fact, had an impact is the subject of debate.

I'd like to thank the many thousands of readers of the blog for visiting this site and thanks to those who have contacted me with comments, compliments, suggestions and links to interesting news. It's been a pleasure to write and I plan to keep it going as long as there's interesting privacy news to report.

Birthday cake graphic used under a creative commons license from K. Pierce.

Labels: border, dncl, google, google street view, identity theft, incident, laptop, lawful access, pipeda review, privacy, privacy act, telemarketing, video surveillance

The Independent is reporting that the British government is planning to announce a 1 BILLION POUND project that would involve the creation of a database to log every e-mail, telephone call and website click and retain the information for one year.

The project seems to be universally panned: the independent reviewer of UK anti-terrorism laws says "as a raw idea it is awful". The Information Commissioner calls it a "step too far".

If anyone had asked me (which they didn't, but I have constitutional rights here in Canada and get to say what I want), I would have said the idea is not surprising given the way things are going in England, but it is a clear step into the abyss of giving up any sense of private life in the country. See: Exclusive: Storm over Big Brother database - Home News, UK - The Independent. Big thanks to DP thinker: Proposed Database for pointing to the story.

Labels: europe, law enforcement, lawful access, privacy, surveillance, uk

This recent case was brought to my attention today: R. v. Ward, 2008 ONCJ 355 (CanLII). The decision is a ruling on a charter motion on whether evidence in a child pornography investigation should be admissible after the police obtained the identity of an internet user from an ISP without a warrant. Acting on a pretty solid tip from Germany, police identified three IP addresses that were associated with dealing with child pornography. Instead of getting a warrant, the police when to the ISP, Bell Sympatico, and got the name and address of the subscriber associated with the IP address. (I have no doubt that the tip would be enough to get a warrant.)

Justice Lalande distinguished this case from R. v. Kwok, by pointing out that the user agreement with Bell Sympatico reduces if not destroys any reasonable expecation of privacy that the user may have. In order for a warrantless search to be reasonable, there has to be no reasonable expecation of privacy.

Some may recall the hubbub in 2006 when Bell Sympatico changed its terms of use, which many thought was a harbinger of the revival of lawful access. The ISP denied it and Bell media relations types said they’d only hand over customer information with “court ordered warrants” though the terms of use purport to permit disclosure “upon request” from a government.

In this case, the conclusion seems to be that the customer has an expectation of privacy in their name and address unless the ISP has actively taken steps to remove it. Interesting.

For a flashback to 2006, check out

• Bell warns customers about privacy loss with lawful access
• CTV.ca Sympatico's customers warned of privacy loss.
• More fallout from Sympatico privacy upset
• globeandmail.com : Jack Kapica on who's watching your surfing

Labels: ip address, law enforcement, lawful access, lawful authority, privacy, warrants

For over a year now, the United States and the European Union have been negotiating an arrangement so that US law enforcement and national security organizations can have easier access to data in Europe and about Europeans. The New York Times is reporting that that the two parties are closer to an arrangement that would permit trolling through personal information for suspicious activities, such as the review of SWIFT data that the American government undertook as the data was resident in the United States. One of the remaining issues is whether European citizens will have an ability to sue the Americans for misuse of their data.

The fact that Europe and the Bush administration are engaged in this process is a good thing. The alternatives are to shut off the tap entirely, which may not be a good idea, or to allow American authorities to freely troll through European data as easily as information about Americans, which would be worse. In Canada, Maher Arar learned the hard way about what can happen if an unstructured, unregulated information sharing "system" results in the transfer of unreliable information to the Bush administration.

Recently, the Canadian Bar Association presented its recommendations to Parliament, demanding that all information sharing arrangements be in writing with safeguards and oversight to make sure that information is accurate and does not unreasonably invade personal privacy.

The NYTimes article is here: U.S. and Europe Near Accord on Privacy - NYTimes.com.

Thanks to Rob Hyndman for the link.

Labels: europe, law enforcement, lawful access, national security, patriot act, privacy

It appears that "lawful access" is in the news again, at least with respect to the debate over who is to pay for forcing telcos to build intercept capabilities into their systems:

Dispute over costs holds up plan to reintroduce Internet policing legislation

The Harper government's plans to reintroduce legislation that would make it easier for law-enforcement agencies to monitor Internet and wireless communications have been held up by a dispute with industry over who should cover the costs, according to documents obtained by Canwest News Service.

The former Liberal government introduced a law, called the Modernization of Investigative Techniques Act, that would have compelled telecommunications service providers such as Bell Canada and Rogers Communications to disclose personal subscriber information to authorities upon request. The Conservative government has been working on a new version of the law, which was introduced just days before the Liberal government fell in November 2005.

Police and the Canadian Security Intelligence Service can already seek the authority to wiretap private communications through the Criminal Code, CSIS Act and other laws. But the laws were written before the emergence of the Internet, mobile phones and handheld computers, and in many cases the industry hasn't developed the technology to intercept such communications.

The "lawful access" law, as it is better known, would have effectively forced companies to build intercept capabilities into their networks....

Labels: lawful access, privacy

Earlier this week, the RCMP organized a conference of police, internet service providers and other "stakeholders" on internet safety. I wrangled an invite, but had to go out of town at the last minute. One of the topics under discussion was whether ISPs should disclose subscriber information without a warrant.

My opinion on the topic is well known to readers of this blog (see tag: lawful authority).

Today's Hailifax Daily News has an article on the fact that the two leading ISPs in Atlantic Canada, Eastlink and Aliant, have a policy of requiring a warrant. Interestingly, the article focuses on the word "may" and not "lawful authority" in PIPEDA:

Halifax, The Daily News: Local News Police want local ISPs to loosen up to nab suspected online predators

Police want local ISPs to loosen up to nab suspected online predators

Crime

PAUL MCLEOD

Police in Nova Scotia are at a disadvantage compared to the rest of Canada when it comes to tracking down online sexual predators. Partly it's because of a single word in a piece of legislation.

When someone posts child pornography online, police have to go through Internet service providers - or ISPs - to get the person's name and address.

Most ISPs - over 70 per cent across the country - give police basic information without making them get a warrant. But Cpl. Dave Fox of the RCMP Internet Child Exploitation Unit said the majority of those that require warrants are in Atlantic Canada.

Both of Nova Scotia's two main providers, Aliant and EastLink, make police get warrants before handing over information. It's a process that takes a week on average, police say, and eats up desperately needed resources.

"We're not looking for shortcuts. If we took a shortcut and we were breaching someone's charter rights ... We would risk all the evidence we obtained by this warrantless searches being ruled inadmissible at trial," Fox said.

When contacted by The Daily News, Aliant said it would share information with police in emergency situations, but otherwise ask for a warrant.

"This is how we approach it. We work with them. This is what's in place in terms of our practice," said Aliant communications director Kelly Gallant.

For EastLink, the reluctance comes from the wording of the Personal Information Protection and Electronic Documents Act.

The act states ISPs "may disclose personal information" to police without a warrant.

At issue is the word "may," which some ISPs see as being too vague.

Though the federal government has endorsed pre-warrant requests as complying with the legislation, a minority of companies say handing over personal information without a warrant could expose them to lawsuits.

"The way the law is dictated today it is not clear, so we're erring on the side of the law," said Paula Sibley, communications specialist for EastLink.

"If the legislation was to be clarified, we would fully work within that."

No company has been successfully sued for handing information over to police, though there are two suits in early stages - one in Ontario and one in British Columbia.

Labels: bc, law enforcement, lawful access, lawful authority, privacy

Today I had the privilege of speaking at the annual professional development event of the Nova Scotia Criminal Lawyers Association, in association with the Nova Scotia Barristers' Society. The theme of the conference was very privacy-centric: Listening, Snooping and Searching: What's Right, What's Wrong.

I was also privileged to speak alongside S/Sgt Al Langille of the RCMP's integrated technology crime unit. He is a thirty-year veteran of law enforcement, including fifteen in technology crimes and computer forensics. A great guy and very privacy conscious.

My presentation, for those who may be interested, is here: http://docs.google.com/Presentation?id=ddpx56cg_48hcdnqv.

Labels: google, law enforcement, lawful access, lawful authority, media-mention, presentations, privacy, vanity, warrants

In case you haven't been consulted enough ...

The Government of Canada issued its response to the PIPEDA review report from the Standing Commitee on Access to Information, Privacy and Ethics, agreeing in parts and disagreeing in others with the committee's recommendations. So the government is now seeking public input on the topics that were relatively well canvassed before the parliaentary commitee.

If you have additional thoughts, you have until January 15 to make them known to Industry Canada.

Canada Gazette

DEPARTMENT OF INDUSTRY

IMPLEMENTATION OF THE GOVERNMENT RESPONSE TO THE FOURTH REPORT OF THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY AND ETHICS ON THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Deadline for submission of views: January 15, 2008

On October 17, 2007, the Government of Canada tabled in Parliament its response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). In support of the Minister of Industry's responsibility for PIPEDA, Industry Canada is seeking the views of Canadians on a number of issues related to the response, including proposals for legislative amendments to PIPEDA.

PIPEDA, which came into force on January 1, 2001, sets rules for the collection, use and disclosure of personal information in the course of commercial activity in Canada. In a modern, information-based economy, an effective and efficient model for the protection of personal information is vitally important to ensure that the privacy of Canadian consumers remains protected. The ETHI Report contains 25 recommendations for how PIPEDA could be fine-tuned to ensure that the Act continues to achieve this objective. The government response expresses agreement with a majority of the Committee's recommendations and reflects the view held by a number of stakeholders that PIPEDA is working well and is not in need of dramatic change at this time. However, a small number of specific amendments may be warranted, and this consultation process provides Canadians with the opportunity to present further information, advice and views regarding the implementation of key proposals for legislative change.

In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.

Industry Canada is also seeking further views on the issue of "work product" information (ETHI recommendation 2). The question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information has been a matter of significant debate. Industry Canada would therefore appreciate a wider range of views on whether an amendment to PIPEDA is needed, and, if so, how this should be implemented.

Furthermore, in order to ensure that PIPEDA is consistent with the needs of Canadian law enforcement agencies, the Government intends to clarify the meaning of lawful authority in PIPEDA as recommended by the Committee (ETHI recommendation 12). Industry Canada is seeking views and specific advice on how the concept of lawful authority could be better defined.

The Committee also recommended a number of issues for further consideration and/or consultation, including witness statements (ETHI recommendation 10), consent by minors (ETHI recommendation 15), and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form (ETHI recommendation 17). Industry Canada welcomes submissions on these matters.

Finally, Industry Canada is considering alternatives to the current process for the designation of investigative bodies (ETHI recommendation 6) and would appreciate any further views on this issue.

Submissions on the above, or on any other issues related to the government response that you may wish to raise, can be sent by email to PIPEDAconsultation@ic.gc.ca, by fax to 613-941-1164, or by mail to Richard Simpson, Director General, Industry Canada, Electronic Commerce Branch, 300 Slater Street, Ottawa, Ontario K1A 0C8.

The Government's response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics is available electronically on the World Wide Web at the following address: http://ic.gc.ca/specialreports.

For printed copies, please contact Publishing and Depository Services, Public Works and Government Services Canada, Ottawa, Ontario K1A 0S5; 1-800-635-7943 (Canada and U.S. toll-free telephone), 613-941-5995 (telephone), 1-800-465-7735 (TTY), 1-800-565-7757 (Canada and U.S. toll-free fax), 613-954-5779 (fax), publications@pwgsc.gc.ca (email), www. publications.gc.ca.

Labels: breach notification, identity theft, lawful access, lawful authority, pipeda review, privacy

I was invited to be the keynote speaker at a half-day session put on today by the Canadian Bar Association - New Brunswick. I spoke about the current law related to the law enforcement access to personal information and a an update on what's happing with "lawful access". Here's the presentation: click here (google Docs) or here (pdf).

I tried embedding it but it only worked if you are logged into a google account, which wasn't my intention.

Labels: google, law enforcement, lawful access, lawful authority, presentations, privacy, warrants

Michael Geist has posted a summary of interviews with him and Public Safety Minister on the CBC yesterday. He writes:

Michael Geist - Stockwell Speaks

Search Engine, CBC's excellent new show on the Internet and technology, focused this week [MP3 podcast] on recent lawful access controversy. I appear in the first part of the show, but more important is the response from Public Safety Minister Stockwell Day. Leaving aside the Minister's inaccurate claims that the consultation was been "wide open" and the suggestion that perhaps the consultation was old Liberal wording, it is good to hear him again confirm that the government will not introduce legislation compelling the disclosure of CNA information without a court order. According to the Public Safety Minister:

"We are not, in any way, shape or form, wanting extra powers to police to pursue items without a warrant. That is not what our purported legislation is going to be doing. That is previous Liberal legislation and that's not the path we're walking down at all."

This is both a clear confirmation of the government's position and a good indicator that it smartly intends to use this to score political points by emphasizing the Liberals' support for disclosure without court oversight.

Labels: lawful access, privacy, surveillance, warrants

Over the last week, there's been a huge fuss in the media and among bloggers about the consultation that was initiated by the Department of Public Safety over an apparent revival of "lawful access" in Canada. Two things really seemed to catch the attention of commentators: first, the suggestion that the government is again contemplating a system of warrantless access to personal information and, second, that the consultation was taking place in secret. I first heard about it from Michael Geist, who deserves a lot of credit for making it well-known (Public Safety Canada Quietly Launches Lawful Access Consultation). Since then it has been widely reported on in the media and among bloggers.

So what is the fuss about? I hope I can provide some background and context for some of the discussion that is taking place.

Canadian law enforcement and national security agencies are looking for a quick and easy way to obtain access to the names, phone numbers, IP addresses, etc of customers of Canadian telecommunications service providers. (Quick and easy, in this context, means without the delay and paperwork involved in applying to a judge for a search warrant.) This information is sought in a number of contexts, including in the very beginning of investigations or as part of "intelligence gathering." It is also sought, at times, when there is insufficient evidence to connect an individual to a crime so that a judge would not issue a warrant. (Which raises the question: Why should the police be able to require the information without oversight in circumstances where a judge says that the Charter of Rights and Freedoms doesn't permit them to require the information?)

So why shouldn't telecommunications service providers, being good citizens, hand over this information when asked by the police or by national security agents? Simply put, because it is illegal for them to do so. Since 2001, Canadian telecommunications service providers have been subject to the Personal Information Protection and Electronic Documents Act (aka "PIPEDA"). PIPEDA requires the consent of the individual for all collection, use and disclosure of personal information, subject to a number of exceptions. "Personal information" includes any information about an identifiable individual. If it is information and it's about an identifiable individual (either alone or in combination with information that it accompanies), it's "personal information". This would include my name, my address, my phone number, the IP address of my computer, etc.

Some might say that's public information, because my name and phone number may be in a phone book. Interesting point, but that doesn't remove the protections to the information if it is in the hands of my TSP. If the police get it from the phone book, then they can do what they want with it. But if they want to get it from my TSP, then it is personal information and the TSP can't disclose it unless a "consent exception" applies. (See s. 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA and, very importantly, the Regulations Specifying Publicly Available Information (SOR/2001-7)).

The police (who are not bound by PIPEDA) may be within their rights to ask for the information, but TSPs (who are bound by PIPEDA are not able to hand it over without consent unless a PIPEDA consent exception applies. Section 7 contains many consent exceptions, some of which might apply in the circumstances described in the consultation document put out by Public Safety Canada:

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

Under PIPEDA, TSPs can likely disclose information about a customer in an emergency. Section 7(3)(e) permits a disclosure without consent if the disclosure is:

(e) made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;

What it doesn't permit is disclosures to law enforcement unless they have a warrant. In this context, s. 7(3)(c.1) is the subject of a bit of debate. This reads:

7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

It must be noted that these provisions are permissive, meaning that they allow the TSP to disclose the information in these circumstances without offending PIPEDA. Nothing in the above requires a TSP to disclose the information. Any compulsion has to come from another statute or rule of law. Section 7(3)(c) says if they have a warrant, the TSP can hand it over. (The obligation comes from the warrant, not PIPEDA.) There is authority from the Ontario Courts that an investigation does not create the "lawful authority" to obtain the information. "Lawful access" is an effort to change the law to have an investigation constitute "lawful authority". Or just remove the "lawful authority" requirement altogether.

What is also very interesting from the consultation document is that many TSPs currently hand over the information when asked by law enforcement (worth quoting again):

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

I have it on reliable authority from within the industry that most internet service providers will provide a customer's full name and billing address when given an IP address. It doesn't seem to be because they think they legally can, but because they have succumbed to pressure from law enforcement who take a position that not providing the information puts them in league with child molesters and terrorists.

The fact remains, and must be borne in mind, that if a person's life or safety is in jeopardy, the TSP can disclose information without consent. This would include the ticking bomb scenario, a child being abused, etc. In exigent circumstances, the police always have access to the expedited telewarrant procedures in the Criminal Code. There isn't an exception in PIPEDA, the Criminal Code or the Charter for compelled disclosures of personal information absent lawful authority.

Labels: health information, ip address, law enforcement, lawful access, lawful authority, national security, privacy, warrants

This is interesting and weird ... Stockwell Day appears to say that he agrees that law enforcement access to customer names and numbers requires a warrant today and should always. [Insert head scratch here.]

Check it out yourself:

Warrant needed to pull data on Internet users: Day Safety minister opens closed consultations

Carly Weeks

The Ottawa Citizen

Friday, September 14, 2007

Public Safety Minister Stockwell Day announced late yesterday that the federal government will not force Internet service providers to hand over customers' personal information to police without a warrant -- a move that will surprise critics who have been expressing alarm this week that the Harper government appeared poised to intrude on the civil liberties of Canadians.

"We have not and we will not be proposing legislation to grant police the power to get information from Internet companies without a warrant. That's never been a proposal," Mr. Day said. "It may make some investigations more difficult, but our expectation is rights to our privacy are such that we do not plan, nor will we have in place, something that would allow the police to get that information."

...

Mr. Day said the consultation document was circulated without his knowledge or consent and emphasized that all groups, regardless of their perspective, should have a chance to voice their opinions on the contentious issue.

"That document never would have gone out if I had seen it," Mr. Day said. "This particular document just somehow went out without my approval."

...

But, Mr. Day added, the purpose of the consultation is not to look for ways to make it easier for police to obtain customers' personal information without a warrant. Instead, the federal consultation is seeking to ensure Internet companies are aware of their need to comply when presented with court orders, Mr. Day said. ...

Labels: law enforcement, lawful access, privacy, surveillance, warrants