The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

About this page and the author

The author of this blog, David T.S. Fraser, is a Canadian privacy lawyer who practices with the firm of McInnes Cooper. He is the author of the Physicians' Privacy Manual. He has a national and international practice advising corporations and individuals on matters related to Canadian privacy laws.

For full contact information and a brief bio, please see David's profile.

Please note that I am only able to provide legal advice to clients. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser cannot be considered to be solicitor-client privileged.

Small Print

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.

Thursday, April 01, 2010

US Federal judge declares warrantless wiretapping program unlawful 

A US Federal Court has declared that the Bush-era "warrantless wiretap" program was unlawful. The administration, up to and including the Obama administration, argued that in a time of war, it was lawful to eavesdrop on communications without a warrant, particularly international communications. The decision is here: http://cryptome.org/alharamain-v-nsa.pdf and the New York Times has an article on the decision here: Federal Judge Finds N.S.A. Wiretaps Were Illegal - NYTimes.com.

Thursday, December 10, 2009

Telco and ISP snooping? Don't hate the player, hate the game 

The 'net and twitter have been all abuzz this past week with revelations about telco and ISP cooperation with law enforcement. We've seen Wikileaks post the internal policies of MySpace and Cryptome's posting of Yahoo!'s internal policies.

Blame for this appears to be laid at the feet of the service providers.

I'm all in favour of privacy and completely in favour of government restraint. I'm even more keen on court oversight and requirements that warrants be produced in order for cops and national security types to get access to customer information. I'm also in favour of transparency and accountability. But I haven't seen much nuance in any of the online discussion of this topic. Perhaps that's just the analytical limitations of twitter and the general tone of much of the blogosphere.

Two important issues are being missed. First: just about any time you interact with any business these days, a data trail of some sort is left. If you buy a book using any credit or debit card, there's a record that can connect that purchase to you. If you check out a book from the library, there's a record. If you use a transponder-based tolling system, there's a record of where you were, when and maybe where you are going. If you use any loyalty program to collect points on your purchases, there's an even denser data trail. Your mobile phone provider knows where your phone is at all times and who you have called. This is not unique to online companies. It's simply the reality of our digital lives. Some information collection or retention may be gratuitous, but more often than not it is essential to provide the service that users are asking for. It is not unreasonable, however, to question how much information is collected and how long it is retained. Fair information practices demand that service providers only collect the amount of information necessary to provide the service and that they keep it for only as long as they need to in order to provide the service.

The second, and more important, issue: love it or loathe it, it is the law. If a third party has information about you, the government can get access to it with a court order, a warrant or a subpoena. The third party can sometimes go to court to challenge the legality of the request, but it seldom has enough information to do so. And in many cases, it really has no ability to do so. The fact is, if there is a lawful demand for information, the service provider has to comply or face criminal sanctions itself.

And that's not just unique to the US and the USA Patriot Act. In Canada, take a look at the Anti-Terrorism Act, the Criminal Code, the Canadian Security Intelligence Service Act or the National Defence Act. European democracies have similar rules, too. These companies are generally following their legal obligations. If you have a problem with that, energies and outrage might be more usefully channelled to changing those laws.

ISPs and telcos may influence the laws, but they generally don't make the rules they have to abide by. In short: don't hate the player, hate the game.

Friday, October 30, 2009

Privacy Commissioner speaks out on lawful access 

The Privacy Commissioner of Canada has recently provided parliamentarians with her opinion on the new lawful access bills that are winding their way through the Commons. I have to say I was nodding my head while I read it:

Letter to the Standing Committee on Public Safety and National Security regarding the Commissioner's initial analysis on the privacy implications on Bills C-46 and C-47 - October 27, 2009

The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Standing Committee on Public Safety and National Security, regarding her initial analysis on the privacy implications on Bills C-46, the Investigative Powers for the 21st Century Act (IP21C), and C-47, the Technical Assistance for Law Enforcement in the 21st Century Act (TALEA)

October 27, 2009

Mr. Garry Breitkreuz, MP Chair of the Standing Committee on Public Safety and National Security 131 Queen Street – 6th floor House of Commons Ottawa, Ontario K1A 0A6

Dear Mr. Breitkreuz:

I am writing to provide the members of the Standing Committee on Public Safety and National Security with some preliminary views on the privacy implications stemming from Bills C-46 and C-47. As you are aware, I am often called upon to comment on legislation that will result in new or expanded forms of personal information being collected by federal government institutions. Those views, and analysis conducted by my Office, are specifically undertaken to support the deliberations of Parliament.

It must be stated at the outset that we recognize the concerns of law enforcement and national security authorities with the speed of developments in information technology and the anonymity they afford. Bills C-46 and C-47 seek to address the consequent public safety challenges and that objective is valid. That said, whenever new surveillance powers or programs are proposed, it is my view that there must be demonstrated necessity, proportionality and effectiveness. They should also be the least-invasive alternative available. These tests are all the more important in the area of public safety, as the use of surveillance powers by authorities can have deep and lasting impact on peoples’ lives.

The consequences for individuals as their personal information is collected and shared among authorities in various countries can escalate far beyond the initial objectives of public safety. Recent international reports, Canadian court rulings and federal commissions of inquiry have shown this clearly. Proper protections for privacy in this area reside in the strict limitation of invasive powers to what is demonstrably necessary to ensure public safety and in strong measures for accountability, commensurate with the powers vested. It is a matter of protecting human rights and assuring public trust.

Taking into account the real challenges of law enforcement and national security agencies in the Internet age and the fundamental right to privacy that underpins our democratic society, and after careful study and extensive consultation this past summer, I have concluded that elements of the proposed legislation raise significant privacy concerns. These must be addressed by proponents of the bills.

I would draw to the attention of this Committee, and all Parliamentarians, that the proposed legislation contains many provisions that would increase the level of access by law enforcement and national security authorities to personal information. In that regard, it is important that Parliament be satisfied that:

  • The need for these provisions has been clearly demonstrated,
  • The lowered legal requirements for use of invasive powers is justified,
  • The lessons of similar initiatives in other countries are considered, and
  • The oversight, reporting and accountability mechanisms are carefully calibrated, to ensure they mirror the breadth and scope of new powers

Analytical approach and consultations

It is important to note that our Office approached the examination of both pieces of legislation with fresh eyes and an open mind. While previous iterations or initiatives – like the 1999 Justice Canada initiative, the 2005 public consultation or the 2007 Public Safety request for submissions on Customer Name and Address access – may have served as background, they did not colour our analysis. Instead, since the legislation was tabled this past summer, our Office carefully read and analysed the two bills anew.

We also wanted to hear from informed experts, therefore between June and September of this year, my staff met with representatives of Justice Canada and Public Safety Canada, provincial privacy commissioners, the telecommunications industry (manufacturers, service providers and associations), law enforcement (RCMP and the Canadian Association of Chiefs of Police), civil society groups, academic specialists, as well as subject experts in the fields of information policy, network security, criminal law and intelligence operations. These conversations helped our Office identify the privacy issues raised by the two bills, which relate to the following areas:

Necessity: Though isolated anecdotes abound, and extreme incidents are generally referred to, no systematic case has yet been made that demonstrates a need to circumvent the current legal regime for judicial authorization to obtain personal information. Before all else, law enforcement and national security authorities need to explain how the current provisions on judicial warrants do not meet their needs.

Necessity given international obligations: A principal rationale cited for the need to update Canada’s interception and surveillance regime – as proposed in C-46 and C-47 – is ratification of the Council of Europe Convention on Cybercrime. However, many of the powers introduced in the proposed legislation go far beyond the legal requirements of the Convention. Our analysis would suggest that Canada has already met most of the substantive legal changes required. Certainly some caution should be exercised, given the fact that similar legal initiatives in the US and UK led to significant concerns in relation to privacy.

Proportionality of thresholds: Canadian law imposes rigorous thresholds of evidence for authorities to obtain access to personal information. They form the heart of protections that Parliament put in place to protect privacy in Canada. The downward movement from reasonable grounds to believe to reasonable grounds to suspect in some cases (for some production orders) - or to no threshold of evidence at all (for subscriber data access) - must be shown to be a proportionate response to safety and security imperatives. As it stands, the new powers envisaged are not limited to a specific range or seriousness of criminality, or to a specific level of urgency. In the case of Bill C-47, there is not even a requirement for the commission of a crime to justify access to personal information without a warrant. The onus lies with proponents of the legislation to demonstrate the need for lowered thresholds to obtain personal information.

Proportionality of oversight and review mechanisms: Only prior court authorization serves as rigorous privacy protection. Should Parliament allow law enforcement and national security authorities to circumvent the courts to obtain personal information, the corresponding oversight mechanisms must be established. My Office is clearly implicated at several points in Bill C-47, wherein my staff may review the records created by officers at the RCMP or Competition Bureau as they exercise new powers. Given the scale envisaged, with upwards of thousands of individuals in the RCMP alone potentially empowered to access subscriber data, it would be difficult for us, within our current resources, to offer any assurance to Parliamentarians or Canadians of proper auditing. Still, review after the fact arrives too late. Privacy has already been breached, it is difficult to properly assess the circumstances, and there is no remedy for the ultimate outcome of the breach.

Demonstrated effectiveness through clear public reporting and accountability: In Bill C-47, audits are conducted internally and not required annually, while follow-up reporting to the responsible Minister and my Office are discretionary, as opposed to regular requirements. This will not afford objective, timely assessment of privacy risks or breaches. It is my view that, should the powers envisaged be granted, copies of those reports from the RCMP and Competition Bureau should be provided to the Minister and my Office on an annual basis. My audit and review staff can then proceed accordingly.

Flowing from these concerns, we would look forward to a constructive dialogue with the Committee on the following points or alternatives:

Examine warrant provisions in the Criminal Code. Rather than creating blanket, open access for authorities to search subscriber data, as in Bill C-47, there are other investigative options or legal changes to consider. Emergency provisions to conduct search, seizure or interception without a warrant in exigent circumstances are already in the Criminal Code. A similar provision for production and assistance orders should be considered to address the issue police have described in obtaining data.

Review the process for court authorization in Canada. If the underlying problem resides in Canada’s current warrant system, this is where the government’s attention should be directed, as opposed to limiting court oversight. Law enforcement and national security authorities should state the shortcomings they identify in the court warrant system so they can be addressed to adapt the system to the new challenges of the Internet age rather than sacrifice the principles that underpin the very society we seek to protect.

Tailor the scope of new powers. Any regime that circumvents court authorization raises significant privacy issues. If Parliament chooses to grant the proposed powers, they must be restricted in their application to the investigation of crimes or threats where such an invasion of privacy is justified. That is the Canadian legal tradition.

Revisit oversight regime. Internal audit, reporting with self-discretion and the role of external review bodies need to be strengthened with provisions for specific reporting requirements, regular review, dedicated resources for oversight and transparent mechanisms for accountability to assure the Canadian public.

Parliament should consider a five-year review for Bill C-46. While Bill C-47 has such a provision, Bill C-46 would also merit close review by Parliament, given how the two pieces of legislation interact. These reviews should be conducted with an eye to demonstrated evidence of effectiveness, minimal invasion of privacy and clear operation within bounds of the law.

Require annual public reporting. Yearly statistics on the use, results and effectiveness of new powers (subscriber data requests, preservation demands, tracking warrants, etc.) should be required by statute. Besides bolstering accountability, these reports would usefully support Parliament’s five-year review of the powers.

Review the regulations flowing from both bills. Given the important administrative, procedural and technical details involved, Parliament should conduct full committee reviews and hear from all interested stakeholders on both legislation and regulations. This should occur before either bill comes into force.

In summary, we urge Parliament to review Bills C-46 and C-47 in light of the following questions:

In specific terms, how is the current regime of judicial authorization not meeting the needs of law enforcement and national security authorities in relation to the Internet? What law enforcement or national security duty justifies access without a warrant by authorities to personal information or preservation of private communication?

Why are some of these powers unrestricted, when the spirit of Canadian law clearly reflects the view that access or seizure without court authorization should be exceptional?

And finally, are the mechanisms for accountability commensurate to the unprecedented powers envisaged?

Based on this initial analysis, my Office will be preparing a full submission for your consideration, in anticipation of your Committee’s study of the legislation. Given the public interest in this issue, we anticipate posting this letter on our website in the near future. I would like to thank you for your attention to this critical issue and look forward to discussing the initiative further when meetings on the bills commence.

Sincerely,

Original signed by

Jennifer Stoddart

Privacy Commissioner of Canada

Well said.

Thursday, October 29, 2009

Reacting To Lawful Access: Comparing the Conservatives, Liberals, and NDP 

Monday, October 26, 2009

The future of privacy on the internet 

I was honoured to be one of the speakers at the Halifax Internet Town Hall hosted at Dalhousie University this evening, sponsored by the Chebucto Community Net and Dalhousie Student Union. My portion of the proceedings -- surprise -- was about privacy. I only had ten minutes, so needed to be short and sweet.

I decided to focus my presentation on the abomination that is Bill C-47, in particular the provision that allows law enforcement to have wholesale access to customer information without a warrant. It is frankly appalling and should not be allowed to pass.

Look at this provision:

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

You can disagree on the finer aspects of whether an ISP should be permitted to match an IP address provided by the cops with the customer name and address information in their files. That's a reasonable debate. But I do not see any limitation in Section 16. There's no oversight. There's no real accountability. There's no nuance. All ISPs will be required to provide any (or all) of the following:

  • name,
  • address,
  • telephone number,
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number

It doesn't have to be connected to a child exploitation investigation. Or a parking ticket. In fact, there's no requirement that there be an underlying lawful investigation. The police will be able to hand a list of names to the ISP and require all of the above information, for an unlimited number of targets.

This is appalling legislation and should not stand.

For other postings on this topic, check out my previous postings tagged Lawful Access.

Wednesday, October 14, 2009

The lawful access debate 

The Ottawa Citizen has an interesting article on the debate surrounding "lawful access". Check it out: Security vs. privacy. Via Michael Geist.

Friday, October 09, 2009

The debate about warrantless access to ISP customer information 

Just posted on slaw: The debate about warrantless access to ISP customer information >> Slaw

In the privacy community, there has been a debate over whether it is lawful, under PIPEDA, for a custodian of personal information to provide customer information when the police come knocking. The debate has been most heated in the arena of internet service providers providing customer names and addresses to the police when presented with an IP address. PIPEDA allows a number of disclosures of personal information without consent pursuant to Section 7(3) of the statute. One exception to the general rule relates directly to law enforcement requests:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

The debate has raged over differing interpretations of “lawful authority”, and there are conflicting decisions from the Courts over whether internet service providers can disclose customer name and address information to the police in response to a request.

For example, in Re S.C., 2006 ONCJ 343, the court set aside a search warrant that was based on information obtained from an ISP in response to a law enforcement request. In R. v. Kwok, the court found that the customer had a reasonable expectation of privacy in his name and address information and that the police should have obtained a warrant to get this information from the internet service provider. From paragraph 35 of that decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

More recently, in R. v. Ward, 2008 ONCJ 355 (CanLII), the court determined that the customer did not have a reasonable expectation of privacy with respect to this information because the service agreement imposed upon him by Bell’s Sympatico service reduced, if not destroyed, whatever expectation of privacy he might otherwise have had. Similarly, in R. v. Wilson, the court also found no reasonable expectation of privacy.

The pendulum may be swinging the other way. Last week, the Ontario Court of Justice released its decision in R. v. Cuttell. The Court concluded there is a reasonable expectation of privacy in customer account records, but this expectation can be destroyed by an ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepted that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy but there was no proof brought by the police that the Bell contract applied to this customer. What is perhaps most interesting is that the Judge lamented the fact that the increasing use of "we will disclose" language in ISP contracts tilts the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

All of this may become moot (and then some!) thanks to currently pending legislation. Bill C-47, entitled Technical Assistance for Law Enforcement in the 21st Century Act, is about to come up for committee review in parliament. Introduced along with Bill C-46, Investigative Powers for the 21st Century Act, both bills represent a significant shift in the powers of law enforcement. Though marketed as updating current police powers to keep pace with technology, C-47 would give law enforcement virtually unfettered access to customer information from internet and telecommunications service providers without any judicial oversight. The particular provision is at Section 16:

Provision of subscriber information

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

I am of the view that there should be appropriate judicial oversight of any regime in which service providers are required to identify their users to law enforcement officials. (Subject to exceptions in exigent circumstances.) It is only with judicial oversight that society can be assured that the appropriate balance between privacy and public safety is maintained. The government’s proposal provides no oversight and the powers of law enforcement are completely unfettered. If the concern is that search warrants are too time consuming, then appropriate resources should be put in place to provide for rapid review by independent judicial officers. Removing all the stops from law enforcement powers is not appropriate in this case.

Currently there is a disparity of practices among telecommunication service providers and internet service providers across Canada when dealing with a request from a law enforcement agent to provide a customer name and address connected with a specific IP address. This is due to at least a measure of uncertainty in interpreting the service provider’s obligations under the Personal Information Protection and Electronic Documents Act. Most ISPs will provide customer name and address information if law enforcement officers make a written request in the course of investigation related to child exploitation. In other sorts of investigations, a search warrant is required. Other internet service providers require a search warrant in all circumstances to disclose this information.

For example, Clause 16 as drafted does much more than impose the obligation for service providers to carry out a “reverse look-up” to match one piece of information (such as an IP address) with customer billing information. Instead, it would require the service provider to give law enforcement a laundry list of information in response to any request. This sort of information would be IP address, mobile identification number, electronic serial number, phone number, equipment identifiers and others. This, on its face, goes beyond what law enforcement has been asking for, at least in public.

This power is not subject to meaningful review and is completely unfettered. There is no restriction on the circumstances under which these powers can be used. Currently, requests of this nature generally relate to child exploitation investigations or compelling national security/public safety matters. As drafted, law enforcement would be able to use these powers in connection with parking violations and very minor concerns. In fact, these powers could be used in the complete absence of a lawful investigation. In addition, there is no limitation whatsoever on the volume of these sorts of requests. It would be possible for a law enforcement agency to require the name, address, e-mail address and IP address of every single one of their customers. I think most would say this goes over the line.

It has been said before that a customer’s name and address is not “personal information” or if it is, it is not sensitive information. That misses the point. A customer’s name and address, when connected with an IP address or a mobile phone serial number, is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their “offline” life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that individual’s IP address. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. These provisions do not maintain the traditional balance as has developed in Canada under the Charter and in fact go dramatically and unreasonably in favour of law enforcement.

I've been surprised that discussion of this topic has mostly been contained within the privacy community and hope that the upcoming parliamentary hearings on C-46/C-47 will bring the debate into the wider community, where it belongs.

Thursday, October 08, 2009

New decision on warrantless access to ISP customer data 

A friend just provided me with a copy of a recent decision of the Ontario Court of Justice considering the admissibility of information obtained without a warrant from the suspect's internet service provider, Bell. R. v. Cuttell is not on CanLII yet, but I've put a copy here.

The Court concluded there is a reasonable expectation of privacy in your account records, but this expectation can be destroyed by your ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepts that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy. (I would also question whether a form contract that the customer likely has not read would be enough to mean that subjectively there is no reasonable expectation of privacy.)

In this case, there was no proof brought by the police that the Bell contract applied to this customer so a Charter breach was found.

The Court importantly notes that PIPEDA does not give the police the right to seek information and rejects every crown argument that the police may have had "lawful authority" in the circumstances.

But, in the end, the records were admissible as the police acted in good faith.

What is perhaps most interesting is that the Judge laments the fact that the increasing use of "we will disclose" language in ISP contracts tilts the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

Wednesday, September 24, 2008

More from Ontario courts on warrantless ISP disclosures 

This recent case was brought to my attention today: R. v. Ward, 2008 ONCJ 355 (CanLII). The decision is a ruling on a Charter motion on whether evidence in a child pornography investigation should be admissible after the police obtained the identity of an internet user from an ISP without a warrant. Acting on a pretty solid tip from Germany, police identified three IP addresses that were associated with dealing with child pornography. Instead of getting a warrant, the police went to the ISP, Bell Sympatico, and got the name and address of the subscriber associated with the IP address. (I have no doubt that the tip would be enough to get a warrant.)

Justice Lalande distinguished this case from R. v. Kwok, by pointing out that the user agreement with Bell Sympatico reduces if not destroys any reasonable expectation of privacy that the user may have. In order for a warrantless search to be reasonable, there has to be no reasonable expectation of privacy.

Some may recall the hubbub in 2006 when Bell Sympatico changed its terms of use, which many thought was a harbinger of the revival of lawful access. The ISP denied it and Bell media relations types said they’d only hand over customer information with “court ordered warrants” though the terms of use purport to permit disclosure “upon request” from a government.

In this case, the conclusion seems to be that the customer has an expectation of privacy in their name and address unless the ISP has actively taken steps to remove it. Interesting.

For a flashback to 2006, check out

Sunday, July 20, 2008

Privacy dilemma illustrated in Vermont library 

The local Halifax paper is running an AP story about the tough choices that custodians of personal information are sometimes called upon to make. After a young girl went missing, the police showed up at the public library demanding to take the public access computers that the girl had apparently used to communicate on MySpace. The librarian stood her ground and demanded that the police get a warrant. They did. Here's the full story:

Nova Scotia News - TheChronicleHerald.ca

Police raid on library offers privacy dilemma

By JOHN CURRAN The Associated Press

Sun. Jul 20 - 5:19 AM

RANDOLPH, Vt. — Children’s librarian Judith Flint was getting ready for the monthly book discussion group for eight and nine-year-olds on Love That Dog when police showed up.

They weren’t kidding around: Five state police detectives wanted to seize Kimball Public Library’s public access computers as they frantically searched for a 12-year-old girl, acting on a tip that she sometimes used the terminals.

Flint demanded a search warrant, touching off a confrontation that pitted the privacy rights of library patrons against the rights of police on official business.

"It’s one of the most difficult situations a library can face," said Deborah Caldwell-Stone, deputy director of intellectual freedom issues for the American Library Association.

Investigators obtained a warrant about eight hours later, but the June 26 standoff in the 105-year-old, red brick library on Main Street frustrated police and had fellow librarians cheering Flint.

"What I observed when I came in were a bunch of very tall men encircling a very small woman," said the library’s director, Amy Grasmick, who held fast to the need for a warrant after coming to the rescue of the 4-foot-10 Flint.

Library records and patron privacy have been hot topics since the passage of the U.S. Patriot Act after the Sept. 11, 2001, terror attacks.

Library advocates have accused the government of using the anti-terrorism law to find out, without proper judicial oversight or after-the-fact reviews, what people research in libraries.

But the investigation of Brooke Bennett’s disappearance wasn’t a Patriot Act case.

"We had to balance out the fact that we had information that we thought was true that Brooke Bennett used those computers to communicate on her MySpace account," said Col. James Baker, director of the Vermont State Police.

"We had to balance that out with protecting the civil liberties of everybody else, and this was not an easy decision to make."

Brooke, from Braintree, vanished the day before the June 26 confrontation in the children’s section of the tiny library.

Investigators went to the library chasing a lead that she had used the computers there to arrange a rendezvous.

Brooke was found dead July 2.

An uncle, convicted sex offender Michael Jacques, has since been charged with kidnapping her.

Authorities say Jacques had gotten into her MySpace account and altered postings to make investigators believe she had run off with someone she met online.

Flint was firm in her confrontation with the police.

"The lead detective said to me that they need to take the public computers and I said ‘OK, show me your warrant and that will be that,’ " said Flint, 56. "He did say he didn’t need any paper.

"I said ‘You do.’ He said ‘I’m just trying to save a 12-year-old girl,’ and I told him ‘Show me the paper.’"

Cybersecurity expert Fred H. Cate, a law professor at Indiana University, said the librarians acted appropriately.

"If you’ve told all your patrons ‘We won’t hand over your records unless we’re ordered to by a court,’ and then you turn them over voluntarily, you’re liable for anything that goes wrong," he said.

Tuesday, April 22, 2008

NJ court says law enforcement needs a warrant for subscriber information 

Some interesting news from the courts of New Jersey. The New Jersey Supreme Court has ruled that law enforcement needs a warrant or subpoena to get information about internet users. This goes against jurisprudence from the US Supreme Court, but may be the beginning of a trend (fingers crossed). The court based the decision on a user's expectation of privacy, which is probably a realistic statement of internet users' expectations.

N.J. justices call e-privacy surfers' right- NJ.com

... The unanimous seven-member court held that police do have the right to seek a user's private information when investigating a crime involving a computer, but must follow legal procedures. The court said authorities do not have to warn a suspect that they have a grand jury subpoena to obtain the information.

Writing for the court, Chief Justice Stuart Rabner said: "We now hold that citizens have a reasonable expectation of privacy protected by Article I ... of the New Jersey Constitution, in the subscriber information they provide to Internet service providers -- just as New Jersey citizens have a privacy interest in their bank records stored by banks and telephone billing records kept by phone companies."

Barber said most people use the internet like a phone, making personal -- sometimes sensitive -- transactions that they don't believe the police will be able to access.

"This decision reflects the reality of how ordinary people normally use the internet," he said. "It's very nice to have the court recognize that expectation is reasonable."

The court ruled in the case of Shirley Reid of Lower Township, Cape May County, who was charged with second-degree computer theft for hacking into her employer's computer system from her home computer. Township police obtained her identity from Comcast by using a municipal court subpoena. The Supreme Court held that law enforcement had the right to investigate her but should have used a grand jury subpoena.

A state Superior Court in Cape May Court House suppressed the evidence based on the use of the wrong subpoena, and a state appeals court upheld the action when the Cape May County Prosecutor's Office appealed.

Reid was investigated after her employer, Jersey Diesel of Lower Township, was notified by a business supplier in 2004 that someone had accessed and changed both the multi-digit numbers that make up the company's IP address and password and had created a non-existent shipping address. When the owner, Timothy Wilson, asked Comcast for the IP address of the person who made the changes, the internet provider declined to comply without a subpoena.

Wilson suspected that Reid, an employee who had been on disability leave, could have made the changes. On the day the changes were made, Reid had returned to work, argued with Wilson and left.

When the police obtained a municipal court subpoena and served it on Comcast, the internet provider identified Reid, her address and telephone number, type of service provided, e-mail address, IP numbers, account number and method of payment. In 2005, a Cape May grand jury returned an indictment charging Reid with computer theft.

Lee Tien, an attorney for the Electronic Frontier Foundation, said the decision is an important ruling on the state constitution. ...

Wednesday, April 09, 2008

Warrantless disclosure in the news 

The trial of an accused trader in child pornography has brought the question of warrantless disclosure of ISP subscriber information to the national media's attention. It is understood to be the first time a superior court will consider whether basic subscriber information disclosed by an ISP without a warrant violates the Charter. The decision on this question is expected tomorrow. Stay tuned ...

The National Post, the Globe & Mail and the Toronto Sun discuss the issue:

The Globe & Mail - Wednesday, April 09

A precedent on Internet privacy in the making

Christie Blatchford

An Ontario Superior Court judge may rule as early as tomorrow in a precedent-setting Internet privacy case that could significantly set back how police conduct probes into online child pornography.

At issue is basic "subscriber information" from an Internet service provider, or ISP, which in this particular case was obtained under search warrant by Toronto police in an investigation that ultimately saw Robert Norman Smith, a Toronto actor once featured in popular Alexander Keith's beer commercials, charged with two counts of possessing child pornography and one of making it available.

Mr. Smith, 41, has pleaded not guilty.

But because the decision will be a first for superior courts in Canada, and because such decisions are binding upon the lower courts, the ruling will have broad impact.

Usually, police are able to obtain subscriber information - this is the customer's name and address - from Internet providers with what's called a simple "law enforcement request" made under the federal Personal Information Protection and Electronic Documents Act, commonly called PIPEDA.

While this legislation, which was phased in over several years beginning in 2000, sharply restricts the use and dissemination of personal information in commercial contexts, it also explicitly allows for the disclosure of customer name-and-address information to police.

But in this case, the provider, Bell Canada, refused to hand over the subscriber information, so the police resorted to getting it with a judicially approved search warrant.

On the first full day of trial yesterday before Superior Court Justice Robert Clark, Mr. Smith's lawyer, Cindy Wasser, argued that "people must have the expectation of privacy in their Internet use and they must have the right to challenge" search warrants that force ISPs to hand over their names and addresses to police.

"You can't just say this case is about child pornography," Ms. Wasser told the judge. "It's about the Internet and how we all use it and our expectation of privacy."

She is seeking legal standing for Mr. Smith to challenge the warrant; only if successful will she actually be able to challenge the validity of the warrant itself.

But if Judge Clark agrees that Mr. Smith had a reasonable expectation of privacy and grants him standing, it would mean police forces across the country, who daily obtain subscriber information under PIPEDA requests, would have to revert to the old, labour-intensive system of seeking search warrants every time they want customer information from ISPs.

Additionally, search warrants are problematic for police probing Internet crimes simply because they are more time-consuming.

Crown prosecutor Allison Dellandrea argued that because every Internet user automatically "broadcasts his IP [Internet protocol] address to potentially millions of people" every time he signs on, and because ISPs typically warn users in service agreements that their identities may be disclosed, there can be no expectation of privacy.

Furthermore, Ms. Dellandrea said that just because a commercial enterprise, such as Bell or another ISP, or even the drafters of PIPEDA, deem a block of information to be "private" doesn't mean it is private in a Charter-protected sense.

"That's quite different from what the Constitution says is privacy deserving of protection," she said.

Section 8 of the Canadian Charter of Rights and Freedoms protects people from unreasonable search and seizure, but defines privacy as "a biographical core of personal information" that tends to reveal "intimate details of the lifestyle and personal choices of the individual." Only then is the Charter protection engaged.

What was disclosed by Bell Canada to police in Mr. Smith's case was simply his name and address, information that is often readily available online or from phone books.

But Ms. Wasser argued that in combination with what the police already had learned from their investigation about his alleged use of child pornography, that minimal information was neither as benign nor innocuous as it seemed.

She urged the judge to consider not only what information the police received, but how they used it.

The Toronto investigation began in the fall of 2005, with police developing a system of searching that allowed them to view IP addresses of people sharing or making available certain child-pornography files.

Using a publicly available database, investigators were then able to determine which providers owned the IP addresses.

On Nov. 22, under one search warrant, they got the name and address information from Bell that led them to Mr. Smith, and in February the next year, under another warrant, they conducted a search of his north Toronto home.

At the time of his arrest that day, police alleged they found on his computer more than 1,000 electronic files, including movies and pictures, of children as young as 1 engaged in sexual activity.

Judge Clark said he may have a decision by tomorrow, but that the case will go ahead regardless.

From the National Post:

Television beer pitchman at centre of pornography, privacy battle

Shannon Kari, National Post

Published: Wednesday, April 09, 2008

The trial of a former television pitchman could be a precedent-setting case in deciding the privacy rights of Internet subscribers who are the subject of a criminal investigation.

Robert Smith is on trial in Ontario Superior Court on one charge of possession of child pornography and one charge of making child pornography available.

The actor was featured in commercials for Alexander Keith's beer as a character with a thick Scottish accent, until his arrest in February 2006.

Toronto police arrested Mr. Smith after an investigation into distribution of child pornography on Internet-based file sharing networks.

After discovering a specific Internet protocol address and learning it belonged to a Bell Canada customer, police executed a search warrant to obtain the subscriber information from the Internet Service Provider (ISP).

Mr. Smith is arguing there were not reasonable grounds for the first warrant to be issued or for a second one to be executed at his home.

The Crown responded that Mr. Smith has no right to challenge the warrant executed against Bell because there are no privacy rights in Internet subscriber information.

In a 2005 civil case about the downloading of music from file-sharing networks, the Federal Court of Appeal found there were privacy rights in this data and they could not be disclosed without a court order.

The prosecution of Mr. Smith is believed to be the first time a Superior Court in Canada has been asked to decide whether police are required to obtain a search warrant to get subscriber information in a criminal case and whether a defendant can challenge the warrant.

Some Internet providers voluntarily disclose this information to police in child pornography cases, but not in other criminal investigations.

A provincial court judge in Ontario ruled earlier this year that there are privacy rights in subscriber information, which includes the name, address, account and e-mail address of a customer (the Crown has appealed this ruling).

Crown attorney Allison Dellandrea argued yesterday it is simply "customer information" that police are seeking. "It doesn't matter what police do with it," said Ms. Dellandrea.

When police have subscriber information and an IP address, they can find "deeply personal" data related to an individual's Internet use and it should be possible to challenge whether the warrant was obtained lawfully, argued defence lawyer Cindy Wasser.

"You can't just say this case is about child pornography. This case is about the Internet, how we use it and the expectation of privacy," said Ms. Wasser.

From the Toronto Sun:

TorontoSun.com - Toronto And GTA- Actor disputes warrant in porn case

The Toronto comic actor who once portrayed the fanatical Scot in the Alexander Keith's beer commercials has launched an unprecedented constitutional challenge of the search warrant that led to his child porn charges.

Lawyer Cindy Wasser, who represents actor Robert Norman Smith, argued yesterday that her client's privacy rights were violated when his Internet service provider, Bell Canada, gave his name and address to Toronto Police when they presented a search warrant.

Internet users have an expectation of privacy and they don't have to list their names or addresses, Wasser said.

It is believed to be the first Ontario Superior Court challenge of a warrant in which a service provider gave a subscriber's name and address.

Justice Robert Clark may give a ruling as early as tomorrow in the judge-alone trial.

The judge appeared to disagree with Wasser, saying, "The nature of the information is pivotal here. You're not discovering biographical information. You're getting the most minimal information, the person's identity and address."

Clark said he was balancing the accused's privacy rights versus "effective law enforcement."

Crown attorney Allison Dellandrea said the information provided "isn't deserving of constitutional protection."

Smith, 42, was charged with two counts of possession of child pornography and one count of making available child pornography after police searched his home computer two years ago.

He lost his job as soon as he was charged and the popular ads were pulled off the air.

Wednesday, April 02, 2008

Atlantic Canadian RCMP say search warrants are a time consuming hurdle 

The Royal Canadian Mounted Police in Atlantic Canada are complaining that the two major internet service providers in the region are requiring that police get a warrant before handing over customer information. The ISPs are of the view (correctly in my opinion) that the Personal Information Protection and Electronic Documents Act prevents them from disclosing subscriber information without a warrant.

CBC: Search warrants for child porn too slow, say RCMP

Child pornography investigations in Atlantic Canada are being held up by internet service providers who require search warrants before providing customer information, say RCMP.

In some parts of Canada, internet service providers will hand over information such as the name, address and phone number of a customer being investigated by police.

Const. Blair Ross, who works on child pornography cases on P.E.I., told CBC News Tuesday RCMP are short-staffed already, and getting a search warrant can take days or even weeks.

"As it stands here now in Atlantic Canada, the internet providers will not provide that unless we obtain judicial authorization, in other words, a warrant," said Ross.

"So before we even begin to investigate we have that hurdle to jump over, which is time consuming."

Protecting customer privacy

But the region's two main internet companies say they are concerned about customer privacy, and particularly legislation they are required to operate under. Both Aliant and Eastlink say if someone is in imminent danger the company will provide its customers' information right away, but most of the time police must have a warrant. Eastlink spokeswoman Paula Sibley said her company is aware some other Canadian ISPs require only a letter of request from police.

"We're not necessarily opposed to seeing things move in that direction," said Sibley.

"However, with the existing legislation that's in place, and also privacy legislation that we have to operate under, we've chosen to continue to ask for a warrant." Ross said RCMP could spend more time finding people involved with child pornography if ISPs provided information more quickly.

Then there's also the issue of the Canadian Charter of Rights and Freedoms, which at least in a recent case from Ontario, prevents law enforcement from using the information if it was obtained without a warrant. (See yesterday's post: Canadian Privacy Law Blog: Ontario Court considers warrantless requests for subscriber information.)

From my understanding of how child exploitation and child pornography investigations are usually carried out, the first contact with a suspected offender yields more than enough information to get a warrant. In R. v. Kwok (referred to in Ontario Court considers warrantless requests for subscriber information), the defendant sent the police officer photos that were clearly child pornography. There was no suggestion that the defendant was currently abusing a child, so no exigent circumstances existed. Had a warrant been sought, I have no doubt it would have been issued in that case. That information would probably have been enough to secure the ultimate conviction of the offender.

I have a serious concern with the following statement:

"So before we even begin to investigate we have that hurdle to jump over, which is time consuming."

To begin with, the Charter is not a "hurdle". It's there for a reason and that reason isn't to make life more convenient for agents of the state to get into people's personal information. And secondly, this suggests the police are looking for personal information before they begin an investigation. I appreciate the importance of investigations of this type, but it seems they should always have reasonable grounds to believe an offence has taken place and that the information they are seeking will lead to the identity of the offender before seeking personal information. The alternative is an unacceptable fishing expedition.

Note: The above are my own opinions and not those of any organization I may be associated with or represent.

Tuesday, April 01, 2008

Ontario Court considers warrantless requests for subscriber information 

There's been a lot of debate over whether PIPEDA permits a commercial entity, such as an ISP, to provide certain identifying information to law enforcement without a warrant. Most of the debate centers around section 7(3)(c.1) of PIPEDA, which reads:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

Some are of the view that "lawful authority" means a lawful investigation and that an organization is able to disclose certain information without consent under PIPEDA. Some take the erroneous view that PIPEDA actually authorizes the disclosure, which is not the case at all. This error is compounded by law enforcement who refer to "PIPEDA letters" demanding information from internet service providers in connection with child exploitation investigations.

The Ontario Court of Justice, in an unpublished decision that I understand is under appeal, recently considered the impact of a request by law enforcement for ISP subscriber information. In R. v. Kwok, police officers went online and convinced an unidentified person to provide child pornography to the undercover officer. Using usual techniques, the cops determined the IP address of the suspect and sent a letter to the ISP requesting the billing information associated with the account. The officer testified that he had not read PIPEDA, but understood from an e-mail from the RCMP Commissioner that PIPEDA authorizes such disclosures and these letters should be used to facilitate access to information. Prior to PIPEDA, the officer testified, they routinely sought warrants for this sort of information. The letter used in this case, not surprisingly, cited PIPEDA. The ISP provided the information and an arrest was subsequently made.

The defendant made an application to have the evidence thrown out as it was unlawfully obtained and the Court agreed. The Court held that even if PIPEDA permits access to this information by law enforcement, it is contrary to the Charter for the police to obtain it in this manner.

From Paragraph 35 of the decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

The copy of the decision that I've obtained (R. v. Kwok) is marked "draft" and I haven't been able to find it online. I understand it is under appeal and hopefully the Court of Appeal can clarify what s. 7(3)(c) actually means and whether companies can provide the police with customer information without a warrant. I also hope that the Court will clarify that PIPEDA does not give anyone -- agents of the state in particular -- increased access to personal information, but the reverse.

Note: I've blogged about this topic on a number of occasions. For some background, see http://www.privacylawyer.ca/blog/labels/warrants.html.

Friday, November 30, 2007

Law enforcement access to personal information 

Today I had the privilege of speaking at the annual professional development event of the Nova Scotia Criminal Lawyers Association, in association with the Nova Scotia Barristers' Society. The theme of the conference was very privacy-centric: Listening, Snooping and Searching: What's Right, What's Wrong.

I was also privileged to speak alongside S/Sgt Al Langille of the RCMP's integrated technology crime unit. He is a thirty-year veteran of law enforcement, including fifteen in technology crimes and computer forensics. A great guy and very privacy conscious.

My presentation, for those who may be interested, is here: http://docs.google.com/Presentation?id=ddpx56cg_48hcdnqv.

Thursday, October 25, 2007

Privacy and Law Enforcement 

I was invited to be the keynote speaker at a half-day session put on today by the Canadian Bar Association - New Brunswick. I spoke about the current law related to law enforcement access to personal information and an update on what's happening with "lawful access". Here's the presentation: click here (Google Docs) or here (pdf).

I tried embedding it but it only worked if you are logged into a Google account, which wasn't my intention.

Friday, October 12, 2007

SWIFT to move data centre to Switzerland to avoid long arm of the US law 

It appears that SWIFT is going to move its global data centre from the United States to Switzerland, to avoid having to deal with US fishing expeditions. See:

heise online - SWIFT puts EU data beyond the immediate reach of the US

SWIFT puts EU data beyond the immediate reach of the US

The supervisory board of SWIFT has approved the plans for the restructuring of the systems architecture of the financial messaging network the outlines of which had been known for some time. The core of the realignment is the creation of a global data processing center in Switzerland. To this will be added a command-and-control center in Hong Kong. The first step toward the realization of the project that has now been approved by the supervisory board will involve the expansion of the central news platform of SWIFT, in an attempt to aid the setting up of several processing zones.

By engaging in the restructuring effort that is scheduled to be completed by the end of 2009 the financial messaging network based in Belgium is trying to accomplish a score of targets aimed at satisfying the desires of customers. Thus by preventing immediate access by US authorities to international transfer data -- as is currently the case via the network's computing center in the United States -- data privacy concerns are to be dispelled. In addition SWIFT hopes that the new message architecture will boost the processing capacity of the system, improve reliability, lower information transfer costs and, into the bargain, open up new business opportunities in general.

The financial messaging service intends to create two message processing zones: Europe and Transatlantic. The new global computing center would as a partner of the extant European data processing center, among other things, take on the mirror function of the current US facility, the organization declared. Transfer information belonging to the European zone would be processed and, if need be, stored there. The Swiss location would also process and store data emanating from the US center, it was said. "Messages within a zone will in future remain in their region of origin," SWIFT CEO Lázaro Campos said by way of explaining the new principle, which takes account to a greater degree of concerns voiced by data privacy watchdogs and members of the European Parliament and which will define the future modus operandi for the European Economic Area at least.

According to statements made by SWIFT the choice of Switzerland as the seat of its global data processing center was the result of a comprehensive survey of possible European locations. The decisive factors determining the choice of location had been the suitability of existing infrastructure, the availability of skilled staff and the presence of an appropriate framework of data privacy legislation, SWIFT noted. Switzerland had fulfilled these criteria to an outstanding degree, the organization observed. The financial messaging network has put the costs of the approved initiative at the one-off sum of 150 million euros. In addition some 50 jobs would be created in the European and Asian branches of SWIFT, it was said.

The network has managed to secure a safe harbor agreement for the existing data center in the United States that will stay in effect until the new Swiss computing center commences operations. The company has thus volunteered to abide in the US by data protection provisions that accord with European standards, allowing it thereby to benefit from the transatlantic safe harbor concept. A breach of the data protection provisions agreed to could in theory cause the Federal Trade Commission (FTC) to intervene. However, as the United States can on its territory order data to be handed over the seizure order of the US government remains in force for the time being. SWIFT has, however, assured its customers that it has implemented "unique protective measures" and has received "security guarantees" from the US government for the remaining period of time. These fulfilled the obligation to protect the privacy of customer data and the requirements of EU and US law, the organization stated. One of the most important data access restrictions was the one according to which the US Treasury Department was only given access to data that met specific search criteria in the context of a terror investigation, SWIFT explained. There was moreover a supervision regime in place when data requested by a US authority was made available to the authority in question, the organization added.

SWIFT processes international bank transfers with a volume of about 4.8 trillion euros every day. About 8,100 banks from 208 countries and regions are connected to the network. On its busiest day to date 13,663,975 bank transfer messages shot through SWIFT's data lines. Last year it emerged that US security authorities have access to SWIFT servers and are in a position to analyze the information that is being collected. Following the safe harbor assurances given by SWIFT the European Commission has given its blessing to the current financial-data access regime in the United States. In the US two customers of US banks have filed lawsuits alleging that bank transfer data of theirs was illegally passed on to security authorities by the network; the government for its part is trying to block these lawsuits. (Stefan Krempl)

For previous posts on this topic, see SWIFT.


Friday, September 21, 2007

Public Safety minister speaks on lawful access consultation 

Michael Geist has posted a summary of interviews with him and the Public Safety Minister on the CBC yesterday. He writes:

Michael Geist - Stockwell Speaks

Search Engine, CBC's excellent new show on the Internet and technology, focused this week [MP3 podcast] on recent lawful access controversy. I appear in the first part of the show, but more important is the response from Public Safety Minister Stockwell Day. Leaving aside the Minister's inaccurate claims that the consultation has been "wide open" and the suggestion that perhaps the consultation was old Liberal wording, it is good to hear him again confirm that the government will not introduce legislation compelling the disclosure of CNA information without a court order. According to the Public Safety Minister:

"We are not, in any way, shape or form, wanting extra powers to police to pursue items without a warrant. That is not what our purported legislation is going to be doing. That is previous Liberal legislation and that's not the path we're walking down at all."

This is both a clear confirmation of the government's position and a good indicator that it smartly intends to use this to score political points by emphasizing the Liberals' support for disclosure without court oversight.


Sunday, September 16, 2007

New video on National Security Letters and the US Constitution 

The US Bill of Rights Defence Committee has produced a two-part video on National Security Letters under the USA Patriot Act. There are additional materials on their website: FBI Unbound: How National Security Letters Violate Our Privacy


Saturday, September 15, 2007

Some necessary background to the fuss over warrantless access to Canadian personal information 

Over the last week, there's been a huge fuss in the media and among bloggers about the consultation that was initiated by the Department of Public Safety over an apparent revival of "lawful access" in Canada. Two things really seemed to catch the attention of commentators: first, the suggestion that the government is again contemplating a system of warrantless access to personal information and, second, that the consultation was taking place in secret. I first heard about it from Michael Geist, who deserves a lot of credit for making it well-known (Public Safety Canada Quietly Launches Lawful Access Consultation). Since then it has been widely reported on in the media and among bloggers.

So what is the fuss about? I hope I can provide some background and context for some of the discussion that is taking place.

Canadian law enforcement and national security agencies are looking for a quick and easy way to obtain access to the names, phone numbers, IP addresses, etc. of customers of Canadian telecommunications service providers. (Quick and easy, in this context, means without the delay and paperwork involved in applying to a judge for a search warrant.) This information is sought in a number of contexts, including in the very beginning of investigations or as part of "intelligence gathering." It is also sought, at times, when there is insufficient evidence to connect an individual to a crime so that a judge would not issue a warrant. (Which raises the question: Why should the police be able to require the information without oversight in circumstances where a judge says that the Charter of Rights and Freedoms doesn't permit them to require the information?)

So why shouldn't telecommunications service providers, being good citizens, hand over this information when asked by the police or by national security agents? Simply put, because it is illegal for them to do so. Since 2001, Canadian telecommunications service providers have been subject to the Personal Information Protection and Electronic Documents Act (aka "PIPEDA"). PIPEDA requires the consent of the individual for all collection, use and disclosure of personal information, subject to a number of exceptions. "Personal information" includes any information about an identifiable individual. If it is information and it's about an identifiable individual (either alone or in combination with information that it accompanies), it's "personal information". This would include my name, my address, my phone number, the IP address of my computer, etc.

Some might say that's public information, because my name and phone number may be in a phone book. Interesting point, but that doesn't remove the protections to the information if it is in the hands of my TSP. If the police get it from the phone book, then they can do what they want with it. But if they want to get it from my TSP, then it is personal information and the TSP can't disclose it unless a "consent exception" applies. (See s. 7(1)(d), 7(2)(c.1) and 7(3)(h.1) of PIPEDA and, very importantly, the Regulations Specifying Publicly Available Information (SOR/2001-7)).

The police (who are not bound by PIPEDA) may be within their rights to ask for the information, but TSPs (who are bound by PIPEDA) are not able to hand it over without consent unless a PIPEDA consent exception applies. Section 7 contains many consent exceptions, some of which might apply in the circumstances described in the consultation document put out by Public Safety Canada:

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

Under PIPEDA, TSPs can likely disclose information about a customer in an emergency. Section 7(3)(e) permits a disclosure without consent if the disclosure is:

(e) made to a person who needs the information because of an emergency that threatens the life, health or security of an individual and, if the individual whom the information is about is alive, the organization informs that individual in writing without delay of the disclosure;

What it doesn't permit is disclosures to law enforcement unless they have a warrant. In this context, s. 7(3)(c.1) is the subject of a bit of debate. This reads:

7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

It must be noted that these provisions are permissive, meaning that they allow the TSP to disclose the information in these circumstances without offending PIPEDA. Nothing in the above requires a TSP to disclose the information. Any compulsion has to come from another statute or rule of law. Section 7(3)(c) says if they have a warrant, the TSP can hand it over. (The obligation comes from the warrant, not PIPEDA.) There is authority from the Ontario Courts that an investigation does not create the "lawful authority" to obtain the information. "Lawful access" is an effort to change the law to have an investigation constitute "lawful authority". Or just remove the "lawful authority" requirement altogether.

What is also very interesting from the consultation document is that many TSPs currently hand over the information when asked by law enforcement (worth quoting again):

"Some [telecommunications] companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation."

I have it on reliable authority from within the industry that most internet service providers will provide a customer's full name and billing address when given an IP address. It doesn't seem to be because they think they legally can, but because they have succumbed to pressure from law enforcement who take a position that not providing the information puts them in league with child molesters and terrorists.

The fact remains, and must be borne in mind, that if a person's life or safety is in jeopardy, the TSP can disclose information without consent. This would include the ticking bomb scenario, a child being abused, etc. In exigent circumstances, the police always have access to the expedited telewarrant procedures in the Criminal Code. There isn't an exception in PIPEDA, the Criminal Code or the Charter for compelled disclosures of personal information absent lawful authority.


Friday, September 14, 2007

Public Safety minister says warrants required for customer names and numbers 

This is interesting and weird ... Stockwell Day appears to say that he agrees that law enforcement access to customer names and numbers requires a warrant today and should always. [Insert head scratch here.]

Check it out yourself:

Warrant needed to pull data on Internet users: Day

Safety minister opens closed consultations

Carly Weeks

The Ottawa Citizen

Friday, September 14, 2007

Public Safety Minister Stockwell Day announced late yesterday that the federal government will not force Internet service providers to hand over customers' personal information to police without a warrant -- a move that will surprise critics who have been expressing alarm this week that the Harper government appeared poised to intrude on the civil liberties of Canadians.

"We have not and we will not be proposing legislation to grant police the power to get information from Internet companies without a warrant. That's never been a proposal," Mr. Day said. "It may make some investigations more difficult, but our expectation is rights to our privacy are such that we do not plan, nor will we have in place, something that would allow the police to get that information."

...

Mr. Day said the consultation document was circulated without his knowledge or consent and emphasized that all groups, regardless of their perspective, should have a chance to voice their opinions on the contentious issue.

"That document never would have gone out if I had seen it," Mr. Day said. "This particular document just somehow went out without my approval."

...

But, Mr. Day added, the purpose of the consultation is not to look for ways to make it easier for police to obtain customers' personal information without a warrant. Instead, the federal consultation is seeking to ensure Internet companies are aware of their need to comply when presented with court orders, Mr. Day said. ...


Public Safety Canada lawful access consultation now public 

The lawful access consultation information is now online on the Public Safety Canada website.

(It refers to telecommunications service providers who are "not cooperative", which should read who "choose not to violate the law respecting the privacy of subscriber information".)

Public Safety Canada :: Home :: Programs :: National security :: Policy advice and support

Customer Name and Address Information Consultation

Public Safety Canada and Industry Canada are seeking current views and/or new issues associated with the question of accessing customer name and address in the modern telecommunications world. We are consulting with a range of stakeholders, such as the police, industry representatives, civil liberties groups as well as other groups interested in privacy and victims of crime issues. If you and/or your organization would like to provide input on any or all of the issues identified in the posted consultation document, please submit written comments, by October 12th, 2007 to:

Customer Name and Address Consultation

Public Safety Canada

16C, 269 Laurier Avenue West

Ottawa, ON, Canada K1A 0P8

Email: cna-consultations@ps-sp.gc.ca

Modern telecommunications and computer networks such as the Internet are a great source of economic and social benefits, but they can also be used in the planning, coordination, financing and perpetration of crimes and threats to public safety and the national security of Canada. By extension, the rapidly evolving nature of these technologies can pose a significant challenge to law enforcement and national security officials who are entrusted with combating these threats, and who employ lawful access to communications and information to do so.

The principles and powers of lawful access must be exercised in a manner consistent with the rights and freedoms guaranteed in the Canadian Charter of Rights and Freedoms and while adapting to the rapid pace of technological change.

The consultation process

Public Safety Canada, in collaboration with Industry Canada, is presently examining how to address the challenges faced by police, the Canadian Security Intelligence Service (CSIS) and the Competition Bureau when seeking timely access to basic CNA information in a modern telecommunications milieu. This question was previously considered by stakeholders in broader consultation processes on lawful access issues held in 2002 and 2005.

The purpose of this consultation is to provide a range of stakeholders - including police and industry representatives and groups interested in privacy and victims of crime issues - with an opportunity to identify their current views on possible approaches to updating Canada’s lawful access provisions as they relate to law enforcement and national security officials’ need to gain access to CNA information in the course of their duties. The possible scope of CNA information to be obtained is later identified, but it should be noted from the outset that it would not, in any formulation, include the content of communications or the Web sites an individual visited while online.

The objectives of this process are to maintain lawful access for law enforcement and national security agencies in the face of new technologies while preserving and protecting the privacy and other rights and freedoms of all people in Canada. In striving to attain these goals, it is essential to ensure that the competitiveness of Canadian industry is taken into account and that the solutions adopted do not place an unreasonable burden on the Canadian public.

Current context

Timely access to CNA information is an important tool used by law enforcement and national security agencies to fulfil their public safety mandates. This type of information can be vital in the context of investigations of online criminal activity, such as child exploitation.

Law enforcement agencies have been experiencing difficulties in consistently obtaining basic CNA information from telecommunications service providers (TSPs). In the absence of explicit legislation, a variety of practices exists among TSPs with respect to the release of basic customer information, e.g., name, address, telephone number, or their Internet equivalents. Some companies provide this information voluntarily, while others require a warrant before providing any information, regardless of its nature or the nature of the situation. If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer. This poses a problem in some contexts. For example, law enforcement agencies may require the information for non-investigatory purposes (e.g., to locate next-of-kin in emergency situations) or because they are at the early stages of an investigation. The availability of such building-block information is often the difference between the start and finish of an investigation.

CNA information

In the context of options under consideration by Public Safety Canada and its partner departments and agencies, CNA information refers to basic identifiers that would assist law enforcement and national security agencies to determine the identity of a telecommunications service subscriber, if this information was necessary to the performance of their duties.

The scope of CNA information obtained could include the following basic identifiers associated with a particular subscriber:

  • name;
  • address(es);
  • ten-digit telephone numbers (wireline and wireless);
  • Cell phone identifiers, e.g., one or more of several unique identifiers associated with a subscriber to a particular telecommunications service (mobile identification number or MIN; electronic serial number or ESN; international mobile equipment or IMEI number; international mobile subscriber identity or IMSI number; subscriber identity module card number or SIM Card Number);
  • e-mail address(es);
  • IP address; and/or,
  • Local Service Provider Identifier, i.e., identification of the TSP that owns the telephone number or IP address used by a specific customer.

Possible model

Options based on an administrative model are being considered closely by officials.

Possible safeguards

Further to input received during 2002 and 2005 consultations, a number of safeguards could be included under a possible administrative model requiring the release of limited basic CNA information to law enforcement and national security agencies upon request. These could include:

  • clear limitations on what customer information could be obtained upon request;
  • limiting the number of employees who would have access to CNA;
  • requiring that individuals with access be designated by senior officials within their organizations;
  • limiting requests to those made for the purpose of performing an official duty or function;
  • requiring that requests be made in writing, except in exceptional circumstances;
  • requiring that designated officials provide associated information with their request, e.g., identification of a specific date and time for a request relating to an IP address;
  • requiring designated officials to record their status as such when making a request, as well as the duty or function for which a particular request is made;
  • limiting the use of any information obtained to the agency that obtained it for the purpose for which the information was obtained, or for a use consistent with that purpose, unless permission is granted by the individual to whom it relates;
  • requiring regular internal audits by agency heads to ensure that any requests for CNA information are being made in accordance with the protocols and safeguards in place;
  • reporting to responsible ministers on the result of any internal audits;
  • provision of any audit results to the Privacy Commissioner of Canada, the Security Intelligence Review Committee, or provincial privacy commissioners, as appropriate; or
  • provision for the Privacy Commissioner and SIRC to conduct audits related to the release of CNA information.

Under no option being examined would TSPs be compelled to track the actions of customers or to collect information about them in the absence of necessary court authorizations governing such activity in Canada, nor would law enforcement or national security agencies be permitted to obtain the content of a customer’s communications without such authorizations.

Conclusion

Officials plan to meet with a range of interested parties in September, 2007 to discuss the issues raised in this paper.

    Thursday, September 13, 2007

    Government moving to access personal info, sparking privacy fears 

    The CBC has a lengthy piece on the quiet consultation I referred to the other day (Canadian Privacy Law Blog: Public Safety Canada Quietly Launches Lawful Access Consultation):

    Government moving to access personal info, sparking privacy fears

    Government agencies are moving to gain access to telephone and internet customers' personal information without first getting a court order, according to a document obtained by CBCNews.ca that is raising privacy issues.

    Public Safety Canada and Industry Canada have begun a consultation on how law enforcement and national security agencies can gain lawful access to customers' information. The information would include names, addresses, land and cellphone numbers, as well as additional mobile phone identification, such as a device serial number and a subscriber identity module (SIM) card number.

    The consultation also seeks input on access to e-mail addresses and IP addresses. An IP address is a number that can be used to identify a computer's location.

    The document says the objective of the consultation is to provide law enforcement and national security agencies with the ability to obtain the information while protecting the privacy of Canadians.

    The document says that under current processes, enforcement agencies have been experiencing difficulties in gaining the information from telecommunications service providers, some of which have been demanding a court-issued warrant before turning over the data.

    "If the custodian of the information is not co-operative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer," the document says. "This poses a problem in some contexts."

    It says enforcement agencies may need the information for matters other than probes, such as informing next-of-kin of emergency situations, or because they are at the early stages of an investigation.

    "The availability of such building-block information is often the difference between the start and finish of an investigation," according to the document.

    Privacy advocates, however, expressed displeasure over both the content and the process of the consultation.

    Criticizes short consultation time

    Michael Geist, chair of internet and e-commerce law at the University of Ottawa, said the process is not being conducted publicly as two previous consultations have been, in 2002 and in 2005.

    The consultation has not been published in the Canada Gazette, where such documents are normally publicized, or on the agencies' websites.

    Interested parties have been given until Sept. 27 to submit their comments, which is a short consultation time, Geist said. Several organizations and individuals contacted by CBCNews.ca only received their documents this week.

    More pointedly, a number of parties that took part in the previous consultations, including privacy and civil liberty advocates — and even some telecommunication service providers — have not been made aware of the discussion, he said.

    "It's really disturbing particularly in light of the fact that they've had two prior consultations on lawful access in the past, so it's not as if they don't know the parties that are engaged on this issue," Geist said.

    Officials with the Canadian Civil Liberties Association were not aware of the consultation.

    All about appearances?

    Jacqueline Michelis, an Ottawa-based spokeswoman at Bell Canada Inc., the country's largest telecommunications provider, said the company was aware of the consultation but would not comment further. Rogers Communications Inc. and Telus Corp., the country's next biggest providers, did not have immediate comment.

    Geist said the other problem with the consultation is that it appears as if the government agencies have already made up their minds on how to proceed and are simply conducting it for appearances' sake.

    "The fear is that law enforcement knows what it would like to do — it would like to be able to obtain this information without court oversight — and so it has pulled together this consultation in the hope that they can use that to say they have consulted, and here are the safeguards that the consultation thought was appropriate."

    Denies document secrecy

    Mélisa Leclerc, a spokeswoman for Public Safety Minister Stockwell Day, said the government was not trying to keep the consultation secret and would post the document on the internet on Thursday. The deadline for submissions would also be extended, although no decision on a date has been made yet.

    Colin McKay, a spokesman for the privacy commissioner of Canada, said the government agencies have not yet proven that accessing information without a court order is necessary. The commissioner will be making a submission to the consultation on that matter.

    "We'd like to see some proof that this is a necessary step because at the moment there is provision in privacy law if necessary and if presented with a legal authority to do it, in most cases that's a court order," McKay said. "That gives Canadians some level of protection."

    The Information Technology Association of Canada, which will also be making a submission, agreed and said it would like to see details on instances where telecommunication providers have refused to co-operate with authorities.

    "This is about transposing to new technology the same kind of law enforcement we used to have on wire-line phone networks," said Bernard Courtois, president and chief executive officer of ITAC. "Conversely, just because you're going to do law enforcement on new technology people should not lose any of their privacy protection or rights in terms of the nature of investigation."

    Canada's move is in contrast to one by the United States, where last week a federal judge overturned a part of the Patriot Act that allowed the Federal Bureau of Investigation to secretly obtain personal records about customers from internet providers, phone companies, banks, libraries and other businesses without a court's permission.

    Speaking on the phone from Paris, Peter Fleischer, global privacy counsel for internet search giant Google Inc., told CBCNews.ca that even in the security-conscious United States, courts have moved to curtail excessive attempts by the government at extracting personal information.

    A year and a half ago, the Department of Justice obtained a warrant demanding Google turn over users' personal information as part of an investigation into the effectiveness of anti-pornography software that was being tested. Google refused and a judge ended up siding with the company.

    "The order we had from the U.S. Department of Justice was a valid legal order under the U.S. legal system, but even then it was excessive and infringed privacy, and was curtailed by a U.S. court when we challenged it," Fleischer said.

    Companies operating in Canada, and their customers, should have the same rights here, he said.

    "There should be judicial authorization and a valid legal process before a government should be able to compel companies to hand over information about their users."

    Ironically, Google on Wednesday came under fire from Privacy Commissioner Jennifer Stoddart for its Street View web photo application. The commissioner said many of the images used by the application could break Canada's privacy laws.

    Fleischer would not comment on the matter, but said he would address it when he visits Canada later this month.


    The Canadian Privacy Law Blog is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 2.5 Canada License.