The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Friday, October 30, 2009

Privacy Commissioner speaks out on lawful access 

The Privacy Commissioner of Canada has recently provided parliamentarians with her opinion on the new lawful access bills that are winding their way through the Commons. I have to say I was nodding my head while I read it:

Letter to the Standing Committee on Public Safety and National Security regarding the Commissioner's initial analysis on the privacy implications on Bills C-46 and C-47 - October 27, 2009

The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Standing Committee on Public Safety and National Security, regarding her initial analysis on the privacy implications on Bills C-46, the Investigative Powers for the 21st Century Act (IP21C), and C-47, the Technical Assistance for Law Enforcement in the 21st Century Act (TALEA).

October 27, 2009

Mr. Garry Breitkreuz, MP
Chair of the Standing Committee on Public Safety and National Security
131 Queen Street – 6th floor
House of Commons
Ottawa, Ontario K1A 0A6

Dear Mr. Breitkreuz:

I am writing to provide the members of the Standing Committee on Public Safety and National Security with some preliminary views on the privacy implications stemming from Bills C-46 and C-47. As you are aware, I am often called upon to comment on legislation that will result in new or expanded forms of personal information being collected by federal government institutions. Those views, and analysis conducted by my Office, are specifically undertaken to support the deliberations of Parliament.

It must be stated at the outset that we recognize the concerns of law enforcement and national security authorities with the speed of developments in information technology and the anonymity they afford. Bills C-46 and C-47 seek to address the consequent public safety challenges and that objective is valid. That said, whenever new surveillance powers or programs are proposed, it is my view that there must be demonstrated necessity, proportionality and effectiveness. They should also be the least-invasive alternative available. These tests are all the more important in the area of public safety, as the use of surveillance powers by authorities can have deep and lasting impact on people’s lives.

The consequences for individuals as their personal information is collected and shared among authorities in various countries can escalate far beyond the initial objectives of public safety. Recent international reports, Canadian court rulings and federal commissions of inquiry have shown this clearly. Proper protections for privacy in this area reside in the strict limitation of invasive powers to what is demonstrably necessary to ensure public safety and in strong measures for accountability, commensurate with the powers vested. It is a matter of protecting human rights and assuring public trust.

Taking into account the real challenges of law enforcement and national security agencies in the Internet age and the fundamental right to privacy that underpins our democratic society, and after careful study and extensive consultation this past summer, I have concluded that elements of the proposed legislation raise significant privacy concerns. These must be addressed by proponents of the bills.

I would draw to the attention of this Committee, and all Parliamentarians, that the proposed legislation contains many provisions that would increase the level of access by law enforcement and national security authorities to personal information. In that regard, it is important that Parliament be satisfied that:

  • The need for these provisions has been clearly demonstrated,
  • The lowered legal requirements for use of invasive powers is justified,
  • The lessons of similar initiatives in other countries are considered, and
  • The oversight, reporting and accountability mechanisms are carefully calibrated, to ensure they mirror the breadth and scope of new powers

Analytical approach and consultations

It is important to note that our Office approached the examination of both pieces of legislation with fresh eyes and an open mind. While previous iterations or initiatives – like the 1999 Justice Canada initiative, the 2005 public consultation or the 2007 Public Safety request for submissions on Customer Name and Address access – may have served as background, they did not colour our analysis. Instead, since the legislation was tabled this past summer, our Office carefully read and analysed the two bills anew.

We also wanted to hear from informed experts, therefore between June and September of this year, my staff met with representatives of Justice Canada and Public Safety Canada, provincial privacy commissioners, the telecommunications industry (manufacturers, service providers and associations), law enforcement (RCMP and the Canadian Association of Chiefs of Police), civil society groups, academic specialists, as well as subject experts in the fields of information policy, network security, criminal law and intelligence operations. These conversations helped our Office identify the privacy issues raised by the two bills, which relate to the following areas:

Necessity: Though isolated anecdotes abound, and extreme incidents are generally referred to, no systematic case has yet been made that demonstrates a need to circumvent the current legal regime for judicial authorization to obtain personal information. Before all else, law enforcement and national security authorities need to explain how the current provisions on judicial warrants do not meet their needs.

Necessity given international obligations: A principal rationale cited for the need to update Canada’s interception and surveillance regime – as proposed in C-46 and C-47 – is ratification of the Council of Europe Convention on Cybercrime. However, many of the powers introduced in the proposed legislation go far beyond the legal requirements of the Convention. Our analysis would suggest that Canada has already met most of the substantive legal changes required. Certainly some caution should be exercised, given the fact that similar legal initiatives in the US and UK led to significant concerns in relation to privacy.

Proportionality of thresholds: Canadian law imposes rigorous thresholds of evidence for authorities to obtain access to personal information. They form the heart of protections that Parliament put in place to protect privacy in Canada. The downward movement from reasonable grounds to believe to reasonable grounds to suspect in some cases (for some production orders) - or to no threshold of evidence at all (for subscriber data access) - must be shown to be a proportionate response to safety and security imperatives. As it stands, the new powers envisaged are not limited to a specific range or seriousness of criminality, or to a specific level of urgency. In the case of Bill C-47, there is not even a requirement for the commission of a crime to justify access to personal information without a warrant. The onus lies with proponents of the legislation to demonstrate the need for lowered thresholds to obtain personal information.

Proportionality of oversight and review mechanisms: Only prior court authorization serves as rigorous privacy protection. Should Parliament allow law enforcement and national security authorities to circumvent the courts to obtain personal information, the corresponding oversight mechanisms must be established. My Office is clearly implicated at several points in Bill C-47, wherein my staff may review the records created by officers at the RCMP or Competition Bureau as they exercise new powers. Given the scale envisaged, with upwards of thousands of individuals in the RCMP alone potentially empowered to access subscriber data, it would be difficult for us, within our current resources, to offer any assurance to Parliamentarians or Canadians of proper auditing. Still, review after the fact arrives too late. Privacy has already been breached, it is difficult to properly assess the circumstances, and there is no remedy for the ultimate outcome of the breach.

Demonstrated effectiveness through clear public reporting and accountability: In Bill C-47, audits are conducted internally and not required annually, while follow-up reporting to the responsible Minister and my Office are discretionary, as opposed to regular requirements. This will not afford objective, timely assessment of privacy risks or breaches. It is my view that, should the powers envisaged be granted, copies of those reports from the RCMP and Competition Bureau should be provided to the Minister and my Office on an annual basis. My audit and review staff can then proceed accordingly.

Flowing from these concerns, we would look forward to a constructive dialogue with the Committee on the following points or alternatives:

Examine warrant provisions in the Criminal Code. Rather than creating blanket, open access for authorities to search subscriber data, as in Bill C-47, there are other investigative options or legal changes to consider. Emergency provisions to conduct search, seizure or interception without a warrant in exigent circumstances are already in the Criminal Code. A similar provision for production and assistance orders should be considered to address the issue police have described in obtaining data.

Review the process for court authorization in Canada. If the underlying problem resides in Canada’s current warrant system, this is where the government’s attention should be directed, as opposed to limiting court oversight. Law enforcement and national security authorities should state the shortcomings they identify in the court warrant system so they can be addressed to adapt the system to the new challenges of the Internet age rather than sacrifice the principles that underpin the very society we seek to protect.

Tailor the scope of new powers. Any regime that circumvents court authorization raises significant privacy issues. If Parliament chooses to grant the proposed powers, they must be restricted in their application to the investigation of crimes or threats where such an invasion of privacy is justified. That is the Canadian legal tradition.

Revisit oversight regime. Internal audit, reporting with self-discretion and the role of external review bodies need to be strengthened with provisions for specific reporting requirements, regular review, dedicated resources for oversight and transparent mechanisms for accountability to assure the Canadian public.

Parliament should consider a five-year review for Bill C-46. While Bill C-47 has such a provision, Bill C-46 would also merit close review by Parliament, given how the two pieces of legislation interact. These reviews should be conducted with an eye to demonstrated evidence of effectiveness, minimal invasion of privacy and clear operation within bounds of the law.

Require annual public reporting. Yearly statistics on the use, results and effectiveness of new powers (subscriber data requests, preservation demands, tracking warrants, etc.) should be required by statute. Besides bolstering accountability, these reports would usefully support Parliament’s five-year review of the powers.

Review the regulations flowing from both bills. Given the important administrative, procedural and technical details involved, Parliament should conduct full committee reviews and hear from all interested stakeholders on both legislation and regulations. This should occur before either bill comes into force.

In summary, we urge Parliament to review Bills C-46 and C-47 in light of the following questions:

In specific terms, how is the current regime of judicial authorization not meeting the needs of law enforcement and national security authorities in relation to the Internet? What law enforcement or national security duty justifies access without a warrant by authorities to personal information or preservation of private communication?

Why are some of these powers unrestricted, when the spirit of Canadian law clearly reflects the view that access or seizure without court authorization should be exceptional?

And finally, are the mechanisms for accountability commensurate to the unprecedented powers envisaged?

Based on this initial analysis, my Office will be preparing a full submission for your consideration, in anticipation of your Committee’s study of the legislation. Given the public interest in this issue, we anticipate posting this letter on our website in the near future. I would like to thank you for your attention to this critical issue and look forward to discussing the initiative further when meetings on the bills commence.

Sincerely,

Original signed by

Jennifer Stoddart

Privacy Commissioner of Canada

Well said.


Thursday, October 29, 2009

Reacting To Lawful Access: Comparing the Conservatives, Liberals, and NDP 

Monday, October 26, 2009

The future of privacy on the internet 

I was honoured to be one of the speakers at the Halifax Internet Town Hall hosted at Dalhousie University this evening, sponsored by the Chebucto Community Net and Dalhousie Student Union. My portion of the proceedings -- surprise -- was about privacy. I only had ten minutes, so needed to be short and sweet.

I decided to focus my presentation on the abomination that is Bill C-47, in particular the provision that allows law enforcement to have wholesale access to customer information without a warrant. It is frankly appalling and should not be allowed to pass.

Look at this provision:

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

You can disagree on the finer aspects of whether an ISP should be permitted to match an IP address provided by the cops with the customer name and address information in their files. That's a reasonable debate. But I do not see any limitation in Section 16. There's no oversight. There's no real accountability. There's no nuance. All ISPs will be required to provide any (or all) of the following:

  • name,
  • address,
  • telephone number,
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number

It doesn't have to be connected to a child exploitation investigation. Or a parking ticket. In fact, there's no requirement that there be an underlying lawful investigation. The police will be able to hand a list of names to the ISP and require all of the above information, for an unlimited number of targets.

This is appalling legislation and should not stand.

For other postings on this topic, check out my previous postings tagged Lawful Access.


Wednesday, October 14, 2009

The lawful access debate 

The Ottawa Citizen has an interesting article on the debate surrounding "lawful access". Check it out: Security vs. privacy. Via Michael Geist.


Friday, October 09, 2009

The debate about warrantless access to ISP customer information 

Just posted on slaw: The debate about warrantless access to ISP customer information >> Slaw

In the privacy community, there has been a debate over whether it is lawful, under PIPEDA, for a custodian of personal information to provide customer information when the police come knocking. The debate has been most heated in the arena of internet service providers providing customer names and addresses to the police when presented with an IP address. PIPEDA allows a number of disclosures of personal information without consent pursuant to Section 7(3) of the statute. One exception to the general rule relates directly to law enforcement requests:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

The debate has raged over differing interpretations of “lawful authority”, and there are conflicting decisions from the Courts over whether internet service providers can disclose customer name and address information to the police in response to a request.

For example, in Re S.C., 2006 ONCJ 343, the court set aside a search warrant that was based on information obtained from an ISP in response to a law enforcement request. In R. v. Kwok, the court found that the customer had a reasonable expectation of privacy in his name and address information and that the police should have obtained a warrant to get this information from the internet service provider. From paragraph 35 of that decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

More recently, in R. v. Ward, 2008 ONCJ 355 (CanLII), the court determined that the customer did not have a reasonable expectation of privacy with respect to this information because the service agreement imposed upon him by Bell’s Sympatico service reduced, if not destroyed, whatever expectation of privacy he might otherwise have had. Similarly, in R. v. Wilson, the court also found no reasonable expectation of privacy.

The pendulum may be swinging the other way. Last week, the Ontario Court of Justice released its decision in R. v. Cuttell. The Court concluded there is a reasonable expectation of privacy in customer account records, but this expectation can be destroyed by an ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepted that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy but there was no proof brought by the police that the Bell contract applied to this customer. What is perhaps most interesting is that the Judge lamented the fact that the increasing use of "we will disclose" language in ISP contracts tilts the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

All of this may become moot (and then some!) thanks to currently pending legislation. Bill C-47, entitled Technical Assistance for Law Enforcement in the 21st Century Act, is about to come up for committee review in parliament. Introduced along with Bill C-46, Investigative Powers for the 21st Century Act, both bills represent a significant shift in the powers of law enforcement. Though marketed as updating current police powers to keep pace with technology, C-47 would give law enforcement virtually unfettered access to customer information from internet and telecommunications service providers without any judicial oversight. The particular provision is at Section 16:

Provision of subscriber information

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

I am of the view that there should be appropriate judicial oversight of any regime in which service providers are required to identify their users to law enforcement officials. (Subject to exceptions in exigent circumstances.) It is only with judicial oversight that society can be assured that the appropriate balance between privacy and public safety is maintained. The government’s proposal provides no oversight and the powers of law enforcement are completely unfettered. If the concern is that search warrants are too time consuming, then appropriate resources should be put in place to provide for rapid review by independent judicial officers. Removing all the stops from law enforcement powers is not appropriate in this case.

Currently there is a disparity of practices among telecommunication service providers and internet service providers across Canada when dealing with a request from a law enforcement agent to provide a customer name and address connected with a specific IP address. This is due to at least a measure of uncertainty in interpreting the service provider’s obligations under the Personal Information Protection and Electronic Documents Act. Most ISPs will provide customer name and address information if law enforcement officers make a written request in the course of investigation related to child exploitation. In other sorts of investigations, a search warrant is required. Other internet service providers require a search warrant in all circumstances to disclose this information.

For example, Clause 16 as drafted does much more than impose the obligation for service providers to carry out a “reverse look-up” to match one piece of information (such as an IP address) with customer billing information. Instead, it would require the service provider to give law enforcement a laundry list of information in response to any request. This sort of information would be IP address, mobile identification number, electronic serial number, phone number, equipment identifiers and others. This, on its face, goes beyond what law enforcement has been asking for, at least in public.

This power is not subject to meaningful review and is completely unfettered. There is no restriction on the circumstances under which these powers can be used. Currently, requests of this nature generally relate to child exploitation investigations or compelling national security/public safety matters. As drafted, law enforcement would be able to use these powers in connection with parking violations and very minor concerns. In fact, these powers could be used in the complete absence of a lawful investigation. In addition, there is no limitation whatsoever on the volume of these sorts of requests. It would be possible for a law enforcement agency to require the name, address, e-mail address and IP address of every single one of their customers. I think most would say this goes over the line.

It has been said before that a customer’s name and address is not “personal information” or if it is, it is not sensitive information. That misses the point. A customer’s name and address, when connected with an IP address or a mobile phone serial number, is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their “offline” life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that individual’s IP address. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. These provisions do not maintain the traditional balance as has developed in Canada under the Charter and in fact go dramatically and unreasonably in favour of law enforcement.

I've been surprised that discussion of this topic has mostly been contained within the privacy community and hope that the upcoming parliamentary hearings on C-46/C-47 will bring the debate into the wider community, where it belongs.


Thursday, October 08, 2009

New decision on warrantless access to ISP customer data 

A friend just provided me with a copy of a recent decision of the Ontario Court of Justice considering the admissibility of information obtained without a warrant from the suspect's internet service provider, Bell. R. v. Cuttell is not on CanLII yet, but I've put a copy here.

The Court concluded there is a reasonable expectation of privacy in your account records, but this expectation can be destroyed by your ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepts that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy. (I would also question whether a form contract that the customer likely has not read would be enough to mean that subjectively there is no reasonable expectation of privacy.)

In this case, there was no proof brought by the police that the Bell contract applied to this customer so a Charter breach was found.

The Court importantly notes that PIPEDA does not give the police the right to seek information and rejects every crown argument that the police may have had "lawful authority" in the circumstances.

But, in the end, the records were admissible as the police acted in good faith.

What is perhaps most interesting is that the Judge laments the fact that the increasing use of "we will disclose" language in ISP contracts tilts the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.


Thursday, September 10, 2009

Privacy Commissioners call for reconsideration of expanded surveillance powers 

The federal, provincial and territorial Privacy Commissioners meeting together in St. John's have issued a statement calling for "caution" on the expansion of investigative powers proposed by the Conservative government.

They issued the following media release, referring to resolutions available on the federal Commissioner's website:

Privacy commissioners urge caution on expanded surveillance plan

ST. JOHN'S, Sept. 10 /CNW Telbec/ - Parliament should take a cautious approach to legislative proposals to create an expanded surveillance regime that would have serious repercussions for privacy rights, say Canada's privacy guardians.

Privacy commissioners and ombudspersons from across the country issued a joint resolution today urging Parliamentarians to ensure there is a clear and demonstrable need to expand the investigative powers available to law enforcement and national security agencies to acquire digital evidence.

The federal government has introduced two bills aimed at ensuring that all wireless, Internet and other telecommunications companies allow for surveillance of communications, and comply with government agency demands for subscriber data - even without judicial authorization.

"Canadians put a high value on the privacy, confidentiality and security of their personal communications and our courts have also accorded a high expectation of privacy to such communications," says Jennifer Stoddart, the Privacy Commissioner of Canada.

"The current proposal will give police authorities unprecedented access to Canadians' personal information," the Commissioner says.

The resolution is the product of the semi-annual meeting of Canada's privacy commissioners and ombudspersons from federal, provincial and territorial jurisdictions across Canada, being held in St. John's.

The commissioners unanimously expressed concern about the privacy implications related to Bill C-46, the Investigative Powers for the 21st Century Act and Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act. Both bills were introduced in June.

"We feel that the existing legal regime governing interception of communications - set out in the Criminal Code and carefully constructed by government and Parliament over the decades - does protect the rights of Canadians very well," says Ed Ring, the Information and Privacy Commissioner for Newfoundland and Labrador and host of the meeting.

"The government has not yet provided compelling evidence to demonstrate the need for new powers that would threaten that careful balance between individual privacy and the legitimate needs of law enforcement and national security agencies."

The resolution states that, should Parliament determine that an expanded surveillance regime is essential, it must ensure any legislative proposals:

  • Are minimally intrusive;
  • Impose limits on the use of new powers;
  • Require that draft regulations be reviewed publicly before coming into force;
  • Include effective oversight;
  • Provide for regular public reporting on the use of powers; and
  • Include a five-year Parliamentary review.

At the meeting in St. John's, the commissioners and ombudspersons also passed a resolution about the need to protect personal information contained in online personal health records.

The resolution emphasizes the importance of empowering patients to control how their own health information is used and shared. For example, it calls for developers of personal health records to allow patients to gain access to their own health information, set rules about who else has access, and to receive alerts in the event of a breach.

"Personal health records have the potential to deliver significant benefits for patients and their health care providers. However, given the highly sensitive personal information involved, developers need to ensure they build in the highest privacy standards," says Commissioner Ring.

Both resolutions are available on the Privacy Commissioner of Canada's website, http://www.priv.gc.ca/.

The resolutions are here:


Friday, June 19, 2009

Text of digital wiretap Bills now online 

Further to yesterday's post, Canadian Privacy Law Blog: Lawful access to ISP subscriber information reintroduced, the texts of Bills C-46 and C-47 are now online at the Parliament website:
C-46 An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act. First Reading
SUMMARY

The enactment amends the Criminal Code to add new investigative powers in relation to computer crime and the use of new technologies in the commission of crimes. It provides, among other things, for

(a) the power to make preservation demands and orders to compel the preservation of electronic evidence;

(b) new production orders to compel the production of data relating to the transmission of communications and the location of transactions, individuals or things;

(c) a warrant to obtain transmission data that will extend to all means of telecommunication the investigative powers that are currently restricted to data associated with telephones; and

(d) warrants that will enable the tracking of transactions, individuals and things and that are subject to legal thresholds appropriate to the interests at stake.

The enactment amends offences in the Criminal Code relating to hate propaganda and its communication over the Internet, false information, indecent communications, harassing communications, devices used to obtain telecommunication services without payment and devices used to obtain the unauthorized use of computer systems or to commit mischief. It also creates an offence of agreeing or arranging with another person by a means of telecommunication to commit a sexual offence against a child.

The enactment amends the Competition Act to make applicable, for the purpose of enforcing certain provisions of that Act, the new provisions being added to the Criminal Code respecting demands and orders for the preservation of computer data and orders for the production of documents relating to the transmission of communications or financial data. It also modernizes the provisions of the Act relating to electronic evidence and provides for more effective enforcement in a technologically advanced environment.

The enactment also amends the Mutual Legal Assistance in Criminal Matters Act to make some of the new investigative powers being added to the Criminal Code available to Canadian authorities executing incoming requests for assistance and to allow the Commissioner of Competition to execute search warrants under the Mutual Legal Assistance in Criminal Matters Act.

C-47 An Act regulating telecommunications facilities to support investigations aka Technical Assistance for Law Enforcement in the 21st Century Act. First Reading
SUMMARY

This enactment requires telecommunications service providers to put in place and maintain certain capabilities that facilitate the lawful interception of information transmitted by telecommunications and to provide basic information about their subscribers to the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, the Commissioner of Competition and any police service constituted under the laws of a province.


Thursday, June 18, 2009

Lawful access to ISP subscriber information reintroduced 

The Minister of Justice is having a press conference as I type this, unveiling among other things, "lawful access" to telecommunications customers' identifying information without a warrant. Stay tuned for more details.


Update: Here's the media release from the government:

Government Of Canada Introduces Legislation To Fight Crime In The 21st Century

OTTAWA, June 18, 2009 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, together with the Honourable Peter Van Loan, P.C., Q.C., M.P. for York-Simcoe, Minister of Public Safety, and Mr. Daniel Petit, M.P. for Charlesbourg-Haute-Saint-Charles, Parliamentary Secretary to the Minister of Justice today introduced in the House of Commons two separate pieces of legislation that will ensure law enforcement and national security agencies have the tools they need to fight crime and terrorism in today’s high-tech environment.

“Evolving communications technologies like the Internet, cell phones, and PDAs (personal digital assistants) clearly benefit Canadians in their day-to-day lives,” said Minister Nicholson. “Unfortunately, these technologies have also provided new ways of committing crimes such as distributing child pornography. We must ensure investigators have the necessary powers to trace and ultimately stop crimes.” While technology has advanced rapidly in the past two decades, law enforcement and national security agencies have faced increased difficulty in protecting the safety and security of Canadians. The Investigative Powers for the 21st Century (IP21C) Act will ensure that law enforcement officials have the tools they need to fight crime in today’s modern environment by updating certain existing offences as well as creating new investigative powers to effectively deal with crime in today’s computer and telecommunications environment.

“We must provide our law enforcement with the tools they need to keep our communities safe,” said Minister Van Loan. “High tech criminals will be met by high tech police. This is a great day for the victims and their families who have been long calling for these legislative changes, and those who work tirelessly every day to ensure that when there is a threat to safety police can intervene quickly.”

The Technical Assistance for Law Enforcement in the 21st Century Act will require service providers to include interception capability in their networks. Requirements to obtain court orders to intercept communications will not be changed by this Act, which will require service providers to supply basic subscriber information to law enforcement agencies and the Canadian Security Intelligence Service on request. Other countries, such as the United Kingdom, the United States, Australia, New Zealand, Germany and Sweden, already have similar legislation in place.

“The safety of our citizens, both in our communities and in cyberspace, is a responsibility that this Government takes very seriously,” said Mr. Petit. “The proposed legislation strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard privacy and the rights and freedoms of Canadians.”

The Government carefully considered input provided by a broad range of stakeholders in developing these two pieces of legislation, including the telecommunications industry, civil liberties groups, victims’ advocates, police associations and provincial/territorial justice officials. As a result, the Government has ensured that the Investigative Powers for the 21st Century (IP21C) Act and the Technical Assistance for Law Enforcement in the 21st Century Act strike an appropriate balance between the need to protect the safety and security of Canada, the competitiveness of the telecommunications industry, and the privacy rights of Canadians.

An online version of the legislation will be available at http://www.parl.gc.ca/.

See also:

Technical Assistance for Law Enforcement in the 21st Century Act

Investigative Powers for the 21st Century (IP21C) Act

Information:

Darren Eke Press Secretary Office of the Minister of Justice 613-992-4621

Media Relations Department of Justice 613-957-4207

Media Relations Public Safety Canada 613-991-0657

Here is the government's summary of the warrantless access to customer information provisions:

Technical Assistance for Law Enforcement in the 21st Century Act

Subscriber Information Component

Police forces and CSIS also require timely access to basic subscriber information as it is an essential tool for fighting crime and terrorism. Subscriber information refers to basic identifiers such as name, address, telephone number and Internet Protocol (IP) address, e-mail address, service provider identification and certain cell phone identifiers. These basic identifiers are often crucial in the early stages of an investigation, and without this basic information, police forces and CSIS often reach a dead-end as they are unable to obtain sufficient information to pursue an investigative lead or obtain a warrant.

Currently, there is no legislation specifically designed to require the provision of this information to police forces and CSIS in a timely fashion. As a result, the practices of releasing this information to police forces and CSIS vary across the country: some service providers release this information to law enforcement immediately upon request; others provide it at their convenience, often following considerable delays; while others insist on law enforcement obtaining search warrants before the information is disclosed. This lack of national consistency and clarity can delay or block investigations.

A consistent, balanced, well-regulated and accountable solution is needed for law enforcement and CSIS to obtain basic subscriber information in order to protect the public’s safety and security, while safeguarding individual privacy interests. The Act will accomplish this by compelling all service providers to release this information and creating an administrative model that provides for a reporting regime which ensures accountability by including a number of new, privacy-related safeguards. Safeguards include such things as the designation of a limited number of law enforcement and CSIS officials who can request information, record keeping, and both internal audits and external oversight.

This legislation provides law enforcement and CSIS with the updated tools needed in the face of rapidly changing technology, while providing maximum flexibility for industry, and creating rigorous safeguards to protect privacy. In doing so, this legislation strikes an appropriate balance between the needs of law enforcement and CSIS, the competitiveness of industry, and the privacy rights of Canadians.


Wednesday, February 18, 2009

R. v. Wilson: Police get warrantless access to Sympatico customer's data 

I blogged earlier this week about a decision from the Ontario Superior Court of Justice that held that Bell Sympatico customers do not have a reasonable expectation of privacy when the police come knocking for the name and address behind an IP address. (See: Canadian Privacy Law Blog: Police get warrantless access to Sympatico customer's data.) I managed to get a copy of the decision in R. v. Wilson (6MB PDF file).

While I disagree with the judge's determination that there is no "reasonable expectation of privacy" in this information, what must be remembered is that Bell voluntarily handed the information over.


Saturday, February 14, 2009

Lawful access rears its head again 

Here we go again .... the government is preparing a new "lawful access" law. The media coverage seems to suggest that it covers both eavesdropping of internet based communications (with a warrant) and obtaining subscriber data (without a warrant).

globeandmail.com: New law to give police access to online exchanges

BILL CURRY

From Thursday's Globe and Mail

February 12, 2009 at 3:39 AM EST

OTTAWA — The Conservative government is preparing sweeping new eavesdropping legislation that will force Internet service providers to let police tap exchanges on their systems - but will likely reignite fear that Big Brother will be monitoring the private conversations of Canadians.

The goal of the move, which would require police to obtain court approval, is to close what has been described as digital "safe havens" for criminals, pedophiles and terrorists because current eavesdropping laws were written in a time before text messages, Facebook and voice-over-Internet phone lines.

The change is certain to please the RCMP and other police forces, who have sought it for some time. But it is expected to face resistance from industry players concerned about the cost and civil libertarians who warn the powers will effectively place Canadians under constant surveillance.

Public Safety Minister Peter Van Loan confirmed the plan yesterday during an appearance before a House of Commons committee and offered further explanation afterward.

"We have legislation covering wiretap and surveillance that was designed for the era of the rotary phone," Mr. Van Loan said.

"If somebody's engaging in illegal activities on the Internet, whether it be exploitation of children, distributing illegal child pornography, conducting some kind of fraud, simple things like getting username and address should be fairly standard, simple practice. We need to provide police with tools to be able to get that information so that they can carry out these investigations."

Mr. Van Loan said there have been situations where the police want to act quickly to stop a crime, but can't because of the current laws.

"In some of these cases, time is of the essence," he said. "If you find a situation where a child is being exploited live online at that time - and that situation has arisen before - police services have had good co-operation with a lot of Internet service providers, but there are some that aren't so co-operative."

Although police agencies have been calling for such a law since at least the mid-1990s, this would be the first legislative effort in this direction by the Conservatives.

The reaction can be predicted, however, because Paul Martin's Liberal government faced stiff resistance when his public safety minister, Anne McLellan, introduced a "lawful-access" bill in November, 2005, shortly before that government was defeated.

The Conservative justice critic at the time, Peter MacKay, who is now in the Conservative cabinet, expressed concern with the bill, and Privacy Commissioner Jennifer Stoddart went further, saying there was no justification for such a law.

The concern of critics is that unlike a traditional wiretap that cannot commence without judicial approval, lawful-access legislation in other countries has forced Internet providers to routinely gather and store the electronic traffic of their clients. Those stored data can then be obtained by police via search warrant.

"That means we're under surveillance, in some sense, all the time," said Richard Rosenberg, president of the B.C. Freedom of Information and Privacy Association. "I think that changes the whole nature of how we view innocence in a democratic society."

RCMP Commissioner William Elliott said yesterday the lack of such legislation is causing problems for police.

"We're speaking generally about the development of technology that is difficult or impossible to wiretap," Mr. Elliott said after appearing alongside Mr. Van Loan at the House of Commons Public Safety and National Security Committee.

"In the old days, for a wiretap it was pretty simple. You sort of clicked onto the physical wires. So we have some instances where the court authorizes us and other police forces, for example, to intercept communications, but we don't have the technical ability to do that. So certainly the RCMP is supportive of changes of legislation that would allow those kind of intercepts."


Friday, February 13, 2009

Police get warrantless access to Sympatico customer's data 

Another case from Ontario about police getting warrantless access to personal information from an internet service provider, in this case Bell Sympatico. For previous cases, see this link.

The justification is based on a particular reading of Section 7 of PIPEDA, and Bell Canada deciding it should hand over the information. I don't agree with this interpretation of s. 7 and I also don't think Bell should have handed customer information over without a warrant, even if it legally could do so.

Police may have access to your online history

TORONTO - An Ontario Superior Court ruling could open the door to police routinely using Internet Protocol addresses to find out the names of people online, without any need for a search warrant.

Justice Lynne Leitch found there is "no reasonable expectation of privacy" in subscriber information kept by Internet Service Providers, in a decision issued earlier this week.

The decision is binding on lower courts in Ontario and it is the first time a Superior Court level judge in Canada has ruled on whether there are privacy rights in this information that are protected by the charter. The ruling is a significant victory for police investigating crimes such as possession of child pornography, while privacy advocates warn there are broad implications even for law-abiding users of the Internet.

"There is no confidentiality left on the Internet if this ruling stands," said James Stribopoulos, a professor at Osgoode Hall Law School in Toronto.

Canada's privacy commissioner also warned Thursday the Conservative government's plans to revive legislation that would force Internet Service Providers to allow police to intercept Internet-based conversations "is a serious step forward toward mass surveillance" that violates the privacy rights of Canadians.

"My concerns are a huge increase in surveillance powers," Jennifer Stoddart told a news conference Thursday. "I understand there are technological challenges for the forces of law and order . . . but is this the only way this can be done?"

Police and the Canadian Security Intelligence Service already have the power to wiretap private communications, but the laws were written before the era of the Internet and wireless technologies such as mobile phones.

A "modernization" bill was first introduced by the former Liberal government and the Conservatives have promised for years to revive the legislation, which privacy advocates oppose because they say it could broaden the power of authorities because they could reach back for months of communications.

Public Safety Minister Peter Van Loan, who assumed the portfolio in November, told a House of Commons committee this week that he will move forward with a bill, which his predecessor, Stockwell Day, relegated to a back burner.

The court ruling by Leitch was made in a possession of child pornography case in southwestern Ontario.

A police officer in St. Thomas, Ont. faxed a letter to Bell Canada in 2007 seeking subscriber information for an IP address of an Internet user allegedly accessing child pornography. The court heard it was a "standard letter" that had been previously drafted by Bell and the officer "filled in the blanks" with a request that stated it was part of a child sexual exploitation investigation.

Bell provided the information without asking for a search warrant. The name of the subscriber was the wife of the man who was eventually charged with "possession of child pornography" and "making available child pornography."

Most ISPs in the country require search warrants to turn over subscriber information unless it is a child pornography investigation.

Ron Ellis, the lawyer for the defendant, stressed to the judge there was no allegation of attempted luring or of a child in immediate danger. The "making available" charge stems from peer-to-peer websites that permit the downloading of images from other users.

Ellis argued police should have been required to seek a search warrant to obtain the subscriber information.

Leitch accepted the arguments of Crown attorney Elizabeth Maguire that the information is similar to what is in a phone book.

"One's name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state," said Leitch.

The reasoning of the judge misses the context of what police are seeking, suggested Stribopoulos.

"It is not just your name. It is your whole Internet surfing history. Up until now, there was privacy. An IP address is not your name it is a 10-digit number. A lot more people would be apprehensive if they knew their name was being left everywhere they went," he said.

This information should require a search warrant by police if there is suspected criminal activity, said Stribopoulos. Judges are accepting the argument that this is "just your name" because "everyone wants to get at the child abusers," he said.

The federal Personal Information Protection Electronics Documents Act permits ISPs to provide this information to someone with "lawful authority," which Leitch interpreted as meaning a police officer and not requiring a court ordered warrant.

There is an irony that exemptions in federal privacy legislation have been used to increase police powers and potentially reduce privacy rights, said Stribopoulos.

The trial of the defendant in St. Thomas will resume this spring.

With a file from Janice Tibbetts, Canwest News Service


Wednesday, September 24, 2008

More from Ontario courts on warrantless ISP disclosures 

This recent case was brought to my attention today: R. v. Ward, 2008 ONCJ 355 (CanLII). The decision is a ruling on a charter motion on whether evidence in a child pornography investigation should be admissible after the police obtained the identity of an internet user from an ISP without a warrant. Acting on a pretty solid tip from Germany, police identified three IP addresses that were associated with dealing with child pornography. Instead of getting a warrant, the police went to the ISP, Bell Sympatico, and got the name and address of the subscriber associated with the IP address. (I have no doubt that the tip would be enough to get a warrant.)

Justice Lalande distinguished this case from R. v. Kwok, by pointing out that the user agreement with Bell Sympatico reduces if not destroys any reasonable expectation of privacy that the user may have. In order for a warrantless search to be reasonable, there has to be no reasonable expectation of privacy.

Some may recall the hubbub in 2006 when Bell Sympatico changed its terms of use, which many thought was a harbinger of the revival of lawful access. The ISP denied it and Bell media relations types said they’d only hand over customer information with “court ordered warrants” though the terms of use purport to permit disclosure “upon request” from a government.

In this case, the conclusion seems to be that the customer has an expectation of privacy in their name and address unless the ISP has actively taken steps to remove it. Interesting.

For a flashback to 2006, check out


Wednesday, April 09, 2008

Warrantless disclosure in the news 

The trial of an accused trader in child pornography has brought the question of warrantless disclosure of ISP subscriber information to the national media's attention. It is understood to be the first time a superior court will consider whether basic subscriber information disclosed by an ISP without a warrant violates the Charter. The decision on this question is expected tomorrow. Stay tuned ...

The National Post, the Globe & Mail and the Toronto Sun discuss the issue:

The Globe & Mail - Wednesday, April 09

A precedent on Internet privacy in the making

Christie Blatchford

An Ontario Superior Court judge may rule as early as tomorrow in a precedent-setting Internet privacy case that could significantly set back how police conduct probes into online child pornography.

At issue is basic "subscriber information" from an Internet service provider, or ISP, which in this particular case was obtained under search warrant by Toronto police in an investigation that ultimately saw Robert Norman Smith, a Toronto actor once featured in popular Alexander Keith's beer commercials, charged with two counts of possessing child pornography and one of making it available.

Mr. Smith, 41, has pleaded not guilty.

But because the decision will be a first for superior courts in Canada, and because such decisions are binding upon the lower courts, the ruling will have broad impact.

Usually, police are able to obtain subscriber information - this is the customer's name and address - from Internet providers with what's called a simple "law enforcement request" made under the federal Personal Information Protection and Electronic Documents Act, commonly called PIPEDA.

While this legislation, which was phased in over several years beginning in 2000, sharply restricts the use and dissemination of personal information in commercial contexts, it also explicitly allows for the disclosure of customer name-and-address information to police.

But in this case, the provider, Bell Canada, refused to hand over the subscriber information, so the police resorted to getting it with a judicially approved search warrant.

On the first full day of trial yesterday before Superior Court Justice Robert Clark, Mr. Smith's lawyer, Cindy Wasser, argued that "people must have the expectation of privacy in their Internet use and they must have the right to challenge" search warrants that force ISPs to hand over their names and addresses to police.

"You can't just say this case is about child pornography," Ms. Wasser told the judge. "It's about the Internet and how we all use it and our expectation of privacy."

She is seeking legal standing for Mr. Smith to challenge the warrant; only if successful will she actually be able to challenge the validity of the warrant itself.

But if Judge Clark agrees that Mr. Smith had a reasonable expectation of privacy and grants him standing, it would mean police forces across the country, who daily obtain subscriber information under PIPEDA requests, would have to revert to the old, labour-intensive system of seeking search warrants every time they want customer information from ISPs.

Additionally, search warrants are problematic for police probing Internet crimes simply because they are more time-consuming.

Crown prosecutor Allison Dellandrea argued that because every Internet user automatically "broadcasts his IP [Internet protocol] address to potentially millions of people" every time he signs on, and because ISPs typically warn users in service agreements that their identities may be disclosed, there can be no expectation of privacy.

Furthermore, Ms. Dellandrea said that just because a commercial enterprise, such as Bell or another ISP, or even the drafters of PIPEDA, deem a block of information to be "private" doesn't mean it is private in a Charter-protected sense.

"That's quite different from what the Constitution says is privacy deserving of protection," she said.

Section 8 of the Canadian Charter of Rights and Freedoms protects people from unreasonable search and seizure, but defines privacy as "a biographical core of personal information" that tends to reveal "intimate details of the lifestyle and personal choices of the individual." Only then is the Charter protection engaged.

What was disclosed by Bell Canada to police in Mr. Smith's case was simply his name and address, information that is often readily available online or from phone books.

But Ms. Wasser argued that in combination with what the police already had learned from their investigation about his alleged use of child pornography, that minimal information was neither as benign nor innocuous as it seemed.

She urged the judge to consider not only what information the police received, but how they used it.

The Toronto investigation began in the fall of 2005, with police developing a system of searching that allowed them to view IP addresses of people sharing or making available certain child-pornography files.

Using a publicly available database, investigators were then able to determine which providers owned the IP addresses.

On Nov. 22, under one search warrant, they got the name and address information from Bell that led them to Mr. Smith, and in February the next year, under another warrant, they conducted a search of his north Toronto home.

At the time of his arrest that day, police alleged they found on his computer more than 1,000 electronic files, including movies and pictures, of children as young as 1 engaged in sexual activity.

Judge Clark said he may have a decision by tomorrow, but that the case will go ahead regardless.

From the National Post:

Television beer pitchman at centre of pornography, privacy battle

Shannon Kari, National Post

Published: Wednesday, April 09, 2008

The trial of a former television pitchman could be a precedent-setting case in deciding the privacy rights of Internet subscribers who are the subject of a criminal investigation.

Robert Smith is on trial in Ontario Superior Court on one charge of possession of child pornography and one charge of making child pornography available.

The actor was featured in commercials for Alexander Keith's beer as a character with a thick Scottish accent, until his arrest in February 2006.

Toronto police arrested Mr. Smith after an investigation into distribution of child pornography on Internet-based file sharing networks.

After discovering a specific Internet protocol address and learning it belonged to a Bell Canada customer, police executed a search warrant to obtain the subscriber information from the Internet Service Provider (ISP).

Mr. Smith is arguing there were not reasonable grounds for the first warrant to be issued or for a second one to be executed at his home.

The Crown responded that Mr. Smith has no right to challenge the warrant executed against Bell because there are no privacy rights in Internet subscriber information.

In a 2005 civil case about the downloading of music from file-sharing networks, the Federal Court of Appeal found there were privacy rights in this data and they could not be disclosed without a court order.

The prosecution of Mr. Smith is believed to be the first time a Superior Court in Canada has been asked to decide whether police are required to obtain a search warrant to get subscriber information in a criminal case and whether a defendant can challenge the warrant.

Some Internet providers voluntarily disclose this information to police in child pornography cases, but not in other criminal investigations.

A provincial court judge in Ontario ruled earlier this year that there are privacy rights in subscriber information, which includes the name, address, account and e-mail address of a customer (the Crown has appealed this ruling).

Crown attorney Allison Dellandrea argued yesterday it is simply "customer information" that police are seeking. "It doesn't matter what police do with it," said Ms. Dellandrea.

When police have subscriber information and an IP address, they can find "deeply personal" data related to an individual's Internet use and it should be possible to challenge whether the warrant was obtained lawfully, argued defence lawyer Cindy Wasser.

"You can't just say this case is about child pornography. This case is about the Internet, how we use it and the expectation of privacy," said Ms. Wasser.

From the Toronto Sun:

TorontoSun.com - Toronto And GTA- Actor disputes warrant in porn case

The Toronto comic actor who once portrayed the fanatical Scot in the Alexander Keith's beer commercials has launched an unprecedented constitutional challenge of the search warrant that led to his child porn charges.

Lawyer Cindy Wasser, who represents actor Robert Norman Smith, argued yesterday that her client's privacy rights were violated when his Internet service provider, Bell Canada, gave his name and address to Toronto Police when they presented a search warrant.

Internet users have an expectation of privacy and they don't have to list their names or addresses, Wasser said.

It is believed to be the first Ontario Superior Court challenge of a warrant in which a service provider gave a subscriber's name and address.

Justice Robert Clark may give a ruling as early as tomorrow in the judge-alone trial.

The judge appeared to disagree with Wasser, saying, "The nature of the information is pivotal here. You're not discovering biographical information. You're getting the most minimal information, the person's identity and address."

Clark said he was balancing the accused's privacy rights versus "effective law enforcement."

Crown attorney Allison Dellandrea said the information provided "isn't deserving of constitutional protection."

Smith, 42, was charged with two counts of possession of child pornography and one count of making available child pornography after police searched his home computer two years ago.

He lost his job as soon as he was charged and the popular ads were pulled off the air.


Wednesday, April 02, 2008

Atlantic Canadian RCMP say search warrants are a time consuming hurdle 

The Royal Canadian Mounted Police in Atlantic Canada are complaining that the two major internet service providers in the region are requiring that police get a warrant before handing over customer information. The ISPs are of the view (correctly in my opinion) that the Personal Information Protection and Electronic Documents Act prevents them from disclosing subscriber information without a warrant.

CBC: Search warrants for child porn too slow, say RCMP

Child pornography investigations in Atlantic Canada are being held up by internet service providers who require search warrants before providing customer information, say RCMP.

In some parts of Canada, internet service providers will hand over information such as the name, address and phone number of a customer being investigated by police.

Const. Blair Ross, who works on child pornography cases on P.E.I., told CBC News Tuesday RCMP are short-staffed already, and getting a search warrant can take days or even weeks.

"As it stands here now in Atlantic Canada, the internet providers will not provide that unless we obtain judicial authorization, in other words, a warrant," said Ross.

"So before we even begin to investigate we have that hurdle to jump over, which is time consuming."

Protecting customer privacy

But the region's two main internet companies say they are concerned about customer privacy, and particularly legislation they are required to operate under. Both Aliant and Eastlink say if someone is in imminent danger the company will provide its customers' information right away, but most of the time police must have a warrant. Eastlink spokeswoman Paula Sibley said her company is aware some other Canadian ISPs require only a letter of request from police.

"We're not necessarily opposed to seeing things move in that direction," said Sibley.

"However, with the existing legislation that's in place, and also privacy legislation that we have to operate under, we've chosen to continue to ask for a warrant." Ross said RCMP could spend more time finding people involved with child pornography if ISPs provided information more quickly.

Then there's also the issue of the Canadian Charter of Rights and Freedoms, which, at least in a recent case from Ontario, prevents law enforcement from using the information if it was obtained without a warrant. (See yesterday's post: Canadian Privacy Law Blog: Ontario Court considers warrantless requests for subscriber information.)

From my understanding of how child exploitation and child pornography investigations are usually carried out, the first contact with a suspected offender yields more than enough information to get a warrant. In R. v. Kwok (referred to in Ontario Court considers warrantless requests for subscriber information), the defendant sent the police officer photos that were clearly child pornography. There was no suggestion that the defendant was currently abusing a child, so no exigent circumstances existed. Had a warrant been sought, I have no doubt it would have been issued in that case. That information would probably have been enough to secure the ultimate conviction of the offender.

I have a serious concern with the following statement:

"So before we even begin to investigate we have that hurdle to jump over, which is time consuming."

To begin with, the Charter is not a "hurdle". It's there for a reason and that reason isn't to make life more convenient for agents of the state to get into people's personal information. And secondly, this suggests the police are looking for personal information before they begin an investigation. I appreciate the importance of investigations of this type, but it seems they should always have reasonable grounds to believe an offence has taken place and that the information they are seeking will lead to the identity of the offender before seeking personal information. The alternative is an unacceptable fishing expedition.

Note: The above are my own opinions and not those of any organization I may be associated with or represent.


Tuesday, April 01, 2008

Ontario Court considers warrantless requests for subscriber information 

There's been a lot of debate over whether PIPEDA permits a commercial entity, such as an ISP, to provide certain identifying information to law enforcement without a warrant. Most of the debate centers around section 7(3)(c.1) of PIPEDA, which reads:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

Some are of the view that "lawful authority" means a lawful investigation and that an organization is able to disclose certain information without consent under PIPEDA. Some take the erroneous view that PIPEDA actually authorizes the disclosure, which is not the case at all. This error is compounded by law enforcement who refer to "PIPEDA letters" demanding information from internet service providers in connection with child exploitation investigations.

The Ontario Court of Justice, in an unpublished decision that I understand is under appeal, recently considered the impact of a request by law enforcement for ISP subscriber information. In R. v. Kwok, police officers went online and convinced an unidentified person to provide child pornography to the undercover officer. Using usual techniques, the cops determined the IP address of the suspect and sent a letter to the ISP requesting the billing information associated with the account. The officer testified that he had not read PIPEDA, but understood from an e-mail from the RCMP Commissioner that PIPEDA authorizes such disclosures and these letters should be used to facilitate access to information. Prior to PIPEDA, the officer testified, they routinely sought warrants for this sort of information. The letter used in this case, not surprisingly, cited PIPEDA. The ISP provided the information and an arrest was subsequently made.

The defendant made an application to have the evidence thrown out as it was unlawfully obtained and the Court agreed. The Court held that even if PIPEDA permits access to this information by law enforcement, it is contrary to the Charter for the police to obtain it in this manner.

From Paragraph 35 of the decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

The copy of the decision that I've obtained (R. v. Kwok) is marked "draft" and I haven't been able to find it online. I understand it is under appeal and hopefully the Court of Appeal can clarify what s. 7(3)(c) actually means and whether companies can provide the police with customer information without a warrant. I also hope that the Court will clarify that PIPEDA does not give anyone -- agents of the state in particular -- increased access to personal information, but the reverse.

Note: I've blogged about this topic on a number of occasions. For some background, see http://www.privacylawyer.ca/blog/labels/warrants.html.


Thursday, January 31, 2008

Atlantic Canadian police want local ISPs to loosen up to nab suspected online predators 

Earlier this week, the RCMP organized a conference of police, internet service providers and other "stakeholders" on internet safety. I wrangled an invite, but had to go out of town at the last minute. One of the topics under discussion was whether ISPs should disclose subscriber information without a warrant.

My opinion on the topic is well known to readers of this blog (see tag: lawful authority).

Today's Halifax Daily News has an article on the fact that the two leading ISPs in Atlantic Canada, Eastlink and Aliant, have a policy of requiring a warrant. Interestingly, the article focuses on the word "may" and not "lawful authority" in PIPEDA:

Halifax, The Daily News: Local News Police want local ISPs to loosen up to nab suspected online predators

Police want local ISPs to loosen up to nab suspected online predators

Crime

PAUL MCLEOD

Police in Nova Scotia are at a disadvantage compared to the rest of Canada when it comes to tracking down online sexual predators. Partly it's because of a single word in a piece of legislation.

When someone posts child pornography online, police have to go through Internet service providers - or ISPs - to get the person's name and address.

Most ISPs - over 70 per cent across the country - give police basic information without making them get a warrant. But Cpl. Dave Fox of the RCMP Internet Child Exploitation Unit said the majority of those that require warrants are in Atlantic Canada.

Both of Nova Scotia's two main providers, Aliant and EastLink, make police get warrants before handing over information. It's a process that takes a week on average, police say, and eats up desperately needed resources.

"We're not looking for shortcuts. If we took a shortcut and we were breaching someone's charter rights ... We would risk all the evidence we obtained by this warrantless searches being ruled inadmissible at trial," Fox said.

When contacted by The Daily News, Aliant said it would share information with police in emergency situations, but otherwise ask for a warrant.

"This is how we approach it. We work with them. This is what's in place in terms of our practice," said Aliant communications director Kelly Gallant.

For EastLink, the reluctance comes from the wording of the Personal Information Protection and Electronic Documents Act.

The act states ISPs "may disclose personal information" to police without a warrant.

At issue is the word "may," which some ISPs see as being too vague.

Though the federal government has endorsed pre-warrant requests as complying with the legislation, a minority of companies say handing over personal information without a warrant could expose them to lawsuits.

"The way the law is dictated today it is not clear, so we're erring on the side of the law," said Paula Sibley, communications specialist for EastLink.

"If the legislation was to be clarified, we would fully work within that."

No company has been successfully sued for handing information over to police, though there are two suits in early stages - one in Ontario and one in British Columbia.


Friday, November 30, 2007

Law enforcement access to personal information 

Today I had the privilege of speaking at the annual professional development event of the Nova Scotia Criminal Lawyers Association, in association with the Nova Scotia Barristers' Society. The theme of the conference was very privacy-centric: Listening, Snooping and Searching: What's Right, What's Wrong.

I was also privileged to speak alongside S/Sgt Al Langille of the RCMP's integrated technology crime unit. He is a thirty-year veteran of law enforcement, including fifteen in technology crimes and computer forensics. A great guy and very privacy conscious.

My presentation, for those who may be interested, is here: http://docs.google.com/Presentation?id=ddpx56cg_48hcdnqv.


Saturday, November 10, 2007

PIPEDA consultation marches onward 

In case you haven't been consulted enough ...

The Government of Canada issued its response to the PIPEDA review report from the Standing Committee on Access to Information, Privacy and Ethics, agreeing in parts and disagreeing in others with the committee's recommendations. So the government is now seeking public input on the topics that were relatively well canvassed before the parliamentary committee.

If you have additional thoughts, you have until January 15 to make them known to Industry Canada.

Canada Gazette

DEPARTMENT OF INDUSTRY

IMPLEMENTATION OF THE GOVERNMENT RESPONSE TO THE FOURTH REPORT OF THE STANDING COMMITTEE ON ACCESS TO INFORMATION, PRIVACY AND ETHICS ON THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Deadline for submission of views: January 15, 2008

On October 17, 2007, the Government of Canada tabled in Parliament its response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics (ETHI) on the statutory review of the Personal Information Protection and Electronic Documents Act (PIPEDA). In support of the Minister of Industry's responsibility for PIPEDA, Industry Canada is seeking the views of Canadians on a number of issues related to the response, including proposals for legislative amendments to PIPEDA.

PIPEDA, which came into force on January 1, 2001, sets rules for the collection, use and disclosure of personal information in the course of commercial activity in Canada. In a modern, information-based economy, an effective and efficient model for the protection of personal information is vitally important to ensure that the privacy of Canadian consumers remains protected. The ETHI Report contains 25 recommendations for how PIPEDA could be fine-tuned to ensure that the Act continues to achieve this objective. The government response expresses agreement with a majority of the Committee's recommendations and reflects the view held by a number of stakeholders that PIPEDA is working well and is not in need of dramatic change at this time. However, a small number of specific amendments may be warranted, and this consultation process provides Canadians with the opportunity to present further information, advice and views regarding the implementation of key proposals for legislative change.

In particular, Industry Canada is seeking views on the implementation of a data breach notification provision in PIPEDA (ETHI recommendations 23, 24 and 25). Such a provision is an important component of a comprehensive strategy to address the growing problem of identity theft. The Government proposes that the Privacy Commissioner be notified of any major breach of personal information, and that affected individuals and organizations be notified when there is a high risk of significant harm resulting from the breach. Ultimately, a requirement for data breach notification should encourage organizations to implement more effective security measures for the protection of personal information, while enabling consumers to better protect themselves from identity theft when a breach does occur. Industry Canada is seeking input in developing the parameters of a data breach notification provision, including, but not limited to, questions of timing, manner of notification, penalties for failure to notify, the need for a "without consent" power to notify credit bureaus, and appropriate "thresholds" for when organizations should be required to notify.

Industry Canada is also seeking further views on the issue of "work product" information (ETHI recommendation 2). The question of whether information created by individuals in their employment or professional capacity should be explicitly excluded from the definition of personal information has been a matter of significant debate. Industry Canada would therefore appreciate a wider range of views on whether an amendment to PIPEDA is needed, and, if so, how this should be implemented.

Furthermore, in order to ensure that PIPEDA is consistent with the needs of Canadian law enforcement agencies, the Government intends to clarify the meaning of lawful authority in PIPEDA as recommended by the Committee (ETHI recommendation 12). Industry Canada is seeking views and specific advice on how the concept of lawful authority could be better defined.

The Committee also recommended a number of issues for further consideration and/or consultation, including witness statements (ETHI recommendation 10), consent by minors (ETHI recommendation 15), and an assessment of the extent to which elements contained in the PIPEDA Awareness Raising Tools (PARTS) document may be set out in legislative form (ETHI recommendation 17). Industry Canada welcomes submissions on these matters.

Finally, Industry Canada is considering alternatives to the current process for the designation of investigative bodies (ETHI recommendation 6) and would appreciate any further views on this issue.

Submissions on the above, or on any other issues related to the government response that you may wish to raise, can be sent by email to PIPEDAconsultation@ic.gc.ca, by fax to 613-941-1164, or by mail to Richard Simpson, Director General, Industry Canada, Electronic Commerce Branch, 300 Slater Street, Ottawa, Ontario K1A 0C8.

The Government's response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics is available electronically on the World Wide Web at the following address: http://ic.gc.ca/specialreports.

For printed copies, please contact Publishing and Depository Services, Public Works and Government Services Canada, Ottawa, Ontario K1A 0S5; 1-800-635-7943 (Canada and U.S. toll-free telephone), 613-941-5995 (telephone), 1-800-465-7735 (TTY), 1-800-565-7757 (Canada and U.S. toll-free fax), 613-954-5779 (fax), publications@pwgsc.gc.ca (email), www.publications.gc.ca.


Thursday, October 25, 2007

Privacy and Law Enforcement 

I was invited to be the keynote speaker at a half-day session put on today by the Canadian Bar Association - New Brunswick. I spoke about the current law related to law enforcement access to personal information and an update on what's happening with "lawful access". Here's the presentation: click here (Google Docs) or here (pdf).

I tried embedding it but it only worked if you are logged into a Google account, which wasn't my intention.


Saturday, September 15, 2007

Some necessary background to the fuss over warrantless access to Canadian personal information 

Over the last week, there's been a huge fuss in the media and among bloggers about the consultation that was initiated by the Department of Public Safety over an apparent revival of "lawful access" in Canada. Two things really seemed to catch the attention of commentators: first, the suggestion that the government is again contemplating a system of warrantless access to personal information and, second, that the consultation was taking place in secret. I first heard about it from Michael Geist, who deserves a lot of credit for making it well-known (Public Safety Canada Quietly Launches Lawful Access Consultation). Since then it has been widely reported on in the media and among bloggers.

So what is the fuss about? I hope I can provide some background and context for some of the discussion that is taking place.

Canadian law enforcement and national security agencies are looking for a quick and easy way to obtain access to the names, phone numbers, IP addresses, etc. of customers of Canadian telecommunications service providers. (Quick and easy, in this context, means without the delay and paperwork involved in applying to a judge for a search warrant.) This information is sought in a number of contexts, including in the very beginning of investigations or as part of "intelligence gathering." It is also sought, at times, when there is insufficient evidence to connect an individual to a crime so that a judge would not issue a warrant. (Which raises the question: Why should the police be able to require the information without oversight in circumstances where a judge says that the Charter of Rights and Freedoms doesn't permit them to require the information?)

So why shouldn't telecommunications service providers, being good citizens, hand over this information when asked by the police or by national security agents? Simply put, because it is illegal for them to do so. Since 2001, Canadian telecommunications service providers have been subject to the Personal Information Protection and Electronic Documents Act (aka "PIPEDA"). PIPEDA requires the consent of the individual for all collection, use and disclosure of personal information, subject to a number of exceptions. "Personal information" includes any information about an identifiable individual. If it is information and it's about an identifiable individual (either alone or in combination with information that it accompanies), it's "personal information". This would include my name, my address, my phone number, the IP address of my computer, etc.

Some might say that's public information, because my name and phone number may be in a phone book. Interesting point, but that doesn't remove the protections to the information if it is in the hands of my TSP. If the police get it from the phone book, then they can do what they want with it. But if they want to get it from my TSP, then it is personal information and the TSP can't disclose it unless a "consent exception" applies. (See s. 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA and, very importantly, the Regulations Specifying Publicly Available Information (SOR/2001-7)).

The police (who are not bound by PIPEDA) may be within their rights to ask for the information, but TSPs (who are bound by PIPEDA) are not able to hand it over without consent unless a PIPEDA consent exception applies. Section 7 contains many consent exceptions, some of which might apply in the circumstances described in the consultation document put out by Public Safety Canada:

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

Under PIPEDA, TSPs can likely disclose information about a customer in an emergency. Section 7(3)(e) permits a disclosure without consent if the disclosure is:

(e) made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;

What it doesn't permit is disclosures to law enforcement unless they have a warrant. In this context, s. 7(3)(c.1) is the subject of a bit of debate. This reads:

7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

It must be noted that these provisions are permissive, meaning that they allow the TSP to disclose the information in these circumstances without offending PIPEDA. Nothing in the above requires a TSP to disclose the information. Any compulsion has to come from another statute or rule of law. Section 7(3)(c) says if they have a warrant, the TSP can hand it over. (The obligation comes from the warrant, not PIPEDA.) There is authority from the Ontario Courts that an investigation does not create the "lawful authority" to obtain the information. "Lawful access" is an effort to change the law to have an investigation constitute "lawful authority". Or just remove the "lawful authority" requirement altogether.

What is also very interesting from the consultation document is that many TSPs currently hand over the information when asked by law enforcement (worth quoting again):

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

I have it on reliable authority from within the industry that most internet service providers will provide a customer's full name and billing address when given an IP address. It doesn't seem to be because they think they legally can, but because they have succumbed to pressure from law enforcement who take a position that not providing the information puts them in league with child molesters and terrorists.

The fact remains, and must be borne in mind, that if a person's life or safety is in jeopardy, the TSP can disclose information without consent. This would include the ticking bomb scenario, a child being abused, etc. In exigent circumstances, the police always have access to the expedited telewarrant procedures in the Criminal Code. There isn't an exception in PIPEDA, the Criminal Code or the Charter for compelled disclosures of personal information absent lawful authority.


The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.