Privacy interests to be considered in publication ban

A long-time friend of this blog just recently sent me a link to a new decision from the British Columbia Supreme Court (R. v. Pickton, 2010 BCSC 1198 ), in which the Court was asked to issue a publication ban to protect the identity of an individual witness for reasons of privacy.

The individual applicant had previously been a sex worker and drug addict. In 1997, police laid a charge against Robert Pickton, alleging that he had attempted to murder her but the prosecution was discontinued. Her evidence is relevant in the current proceeding against Robert Pickton. No publication ban was entered at the time of the 1997 prosecution.

Since then, the applicant has left the sex trade and is no longer a drug user. She is married, has kids and appears to be living a normal life in the lower mainland of British Columbia.

She brought an application to prevent her name from being disclosed during the current prosecution of Pickton. The application was strongly opposed by the media.

When dealing with publication bans, the courts take their lead from Dagenais v. Canadian Broadcasting Corp., [1994] 3 S.C.R. 835, 1994 CanLII 39 (S.C.C.) and R. v. Mentuck, 2001 SCC 76, [2001] 3 S.C.R. 442, neither of which explicitly address privacy interests.

A publication ban should only be ordered when:

(a) such an order is necessary in order to prevent a serious risk to the proper administration of justice because reasonably alternative measures will not prevent the risk; and

(b) the salutary effects of the publication ban outweigh the deleterious effects on the rights and interests of the parties and the public, including the effects on the right to free expression, the right of the accused to a fair and public trial, and the efficacy of the administration of justice.

In this case, the media argued that the applicant was only "about embarrassment and nothing more". They suggested that her interests could be protected by changing her name.

Justice Williams did not agree:

[20] I am satisfied that the Applicant will suffer a significant breach of privacy if her name is not protected by a publication ban and that this impacts on her personal security and that of her family. The privacy interests of the Applicant are a legitimate aspect of the proper administration of justice and must be considered in the analysis. The Respondents’ submission that the Applicant’s privacy interests are insufficient seems contrary to a number of authorities including the Criminal Code provisions which deal with publication restrictions for victims and witnesses. These provisions expressly recognize the privacy interests of the victims and witnesses. The concept of dignity springs to mind. Although it is nowhere mentioned in the subsection, I cannot believe that it is not a factor worthy of some consideration in the analysis.

Given that the media are free to report on all the details of her previous encounter with Pickton and of any evidence she has given more recently, but without her name, the balance tilted in favour of protecting her identity.

[28] The Applicant, having participated in the proceedings against Mr. Pickton requests that she be able to live in her community free from the public scrutiny that will arise if her name and identity are published. She does not seek to prevent the details of her story from being published. In my view, granting the Applicant’s request achieves the proper balance that the Dagenais-Mentuk framework requires between the open court principle and the proper administration of justice. The temporary publication ban which has thus far protected the Applicant has been shown to minimally impair the ability of the Respondents to perform their function. The publication ban respects the open court principle and allows the public to scrutinize this proceeding. The publication ban protects the proper administration of justice because it permits the Applicant’s story to be told in a way that illustrates that the justice system respects, where possible, the privacy interests of victims and witnesses of crime.

Saskatchewan court considers lawful authority

The Provincial Court of Saskatchewan has just ruled that a police officer in the midst of a drug investigation has "lawful authority" to ask for and receive information about a customer of a car rental company, including the customer's contract and photocopy of the renters' drivers license. The Court held that Section 7(3) of PIPEDA was satisfied by the request and that Budget Rent A Car was able to hand over the info in the absence of a production order.

See: R v Siemens, 2011 SKPC 57

[51] Lastly, I am not satisfied that the information contained in the Budget Rent-a-Car contract or attached documents exposed any intimate details about the accused’s lifestyle or information of a biographic nature. The information in the contract included the accused’s name and Mastercard number. It also included a copy of the accused’s driver’s license which provided a photo of the accused, his driver’s license number, his address, his height, weight, eye and hair colour, sex, birthdate, issue date, expiry date, class, endorsements and restrictions.

[52] A lot of this information is personal to the accused but it does not reveal intimate details of his lifestyle or his personal choices. In today’s world we have become increasingly dependent on the Internet and technology. Some of the information such as name and address are readily available on the Internet or in a phone book. I heard no evidence that the accused went to any lengths to keep this information out of a phone book or off the cyber highway. People use credit and debit cards to purchase things or make payments. A driver’s license gives an individual the privilege to drive a vehicle and it has become a very common form of identification. Indeed, it is one of only a handful of acceptable identification when it comes to purchasing alcohol or cigarettes, travelling on an airplane within Canada, when cashing a cheque, when picking up merchandise already paid for, among other things. It is also used by retailers to deter and detect fraud. All provinces in Canada have given police the right to request a driver’s license from someone driving a vehicle to verify the identity of the person driving to ensure that they are legally driving. Barring evidence to the contrary about a particular person, such reliance on driver’s license and technology reduces the expectation of privacy that that person can expect in the information contained in these things.

[53] It is also significant to note that the disclosure of this information did not lead to the police obtaining more intimate details of the accused’s lifestyle or choices such as sexual orientation, religion or personal likes or dislikes. The only thing the information revealed was that Lindsay Siemens had a driver’s license and a credit card and rented the red Cobalt that the police saw meet with Ms. Holmes and Mr. Soare in Rosedale, Alberta. It was only after the police did further investigation that they satisfied themselves that Mr. Siemens was the person who met with Ms. Holmes and Mr. Soare and that he was involved in the drug trade.

[54] Taking into account the nature of the information in question, the fact that PIPEDA was complied with the lawful authority of Constable Hicks to request the information pursuant to section 47.014(1) and Phelps Leasing’s right, in accordance with its contractual arrangement with the accused to disclose the information to a police officer engaged an active investigation, the accused did not have an objectively reasonable expectation of privacy in this information.

In the end, the court found the information was not unlawfully obtained, was not an unreasonable invasion of privacy and therefore did not offend Section 8 of the Charter.

Text of digital wiretap Bills now online

Further to yesterday's post, Canadian Privacy Law Blog: Lawful access to ISP subscriber information reintroduced, the texts of Bills C-46 and C-47 are now online at the Parliament website:

C-46 An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act.
First Reading

SUMMARY

The enactment amends the Criminal Code to add new investigative powers in relation to computer crime and the use of new technologies in the commission of crimes. It provides, among other things, for

(a) the power to make preservation demands and orders to compel the preservation of electronic evidence;

(b) new production orders to compel the production of data relating to the transmission of communications and the location of transactions, individuals or things;

(c) a warrant to obtain transmission data that will extend to all means of telecommunication the investigative powers that are currently restricted to data associated with telephones; and

(d) warrants that will enable the tracking of transactions, individuals and things and that are subject to legal thresholds appropriate to the interests at stake.

The enactment amends offences in the Criminal Code relating to hate propaganda and its communication over the Internet, false information, indecent communications, harassing communications, devices used to obtain telecommunication services without payment and devices used to obtain the unauthorized use of computer systems or to commit mischief. It also creates an offence of agreeing or arranging with another person by a means of telecommunication to commit a sexual offence against a child.

The enactment amends the Competition Act to make applicable, for the purpose of enforcing certain provisions of that Act, the new provisions being added to the Criminal Code respecting demands and orders for the preservation of computer data and orders for the production of documents relating to the transmission of communications or financial data. It also modernizes the provisions of the Act relating to electronic evidence and provides for more effective enforcement in a technologically advanced environment.

The enactment also amends the Mutual Legal Assistance in Criminal Matters Act to make some of the new investigative powers being added to the Criminal Code available to Canadian authorities executing incoming requests for assistance and to allow the Commissioner of Competition to execute search warrants under the Mutual Legal Assistance in Criminal Matters Act.

C-47 An Act regulating telecommunications facilities to support investigations aka Technical Assistance for Law Enforcement in the 21st Century Act.
First Reading

SUMMARY

This enactment requires telecommunications service providers to put in place and maintain certain capabilities that facilitate the lawful interception of information transmitted by telecommunications and to provide basic information about their subscribers to the Royal Canadian Mounted Police, the Canadian Security Intelligence Service, the Commissioner of Competition and any police service constituted under the laws of a province.

Lawful access to ISP subscriber information reintroduced

The Minister of Justice is having a press conference as I type this, unveiling among other things, "lawful access" to telecommunications customers' idenfitying information without a warrant. Stay tuned for more details.

---

Update: Here's the media release from the government:

Government Of Canada Introduces Legislation To Fight Crime In The 21st Century

OTTAWA, June 18, 2009 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, together with the Honourable Peter Van Loan, P.C., Q.C., M.P. for York-Simcoe, Minister of Public Safety, and Mr. Daniel Petit, M.P. for Charlesbourg-Haute-Saint-Charles, Parliamentary Secretary to the Minister of Justice today introduced in the House of Commons two separate pieces of legislation that will ensure law enforcement and national security agencies have the tools they need to fight crime and terrorism in today’s high-tech environment.

“Evolving communications technologies like the Internet, cell phones, and PDAs (personal digital assistants) clearly benefit Canadians in their day-to-day lives,” said Minister Nicholson. “Unfortunately, these technologies have also provided new ways of committing crimes such as distributing child pornography. We must ensure investigators have the necessary powers to trace and ultimately stop crimes.” While technology has advanced rapidly in the past two decades, law enforcement and national security agencies have faced increased difficulty in protecting the safety and security of Canadians. The Investigative Powers for the 21st Century (IP21C) Act will ensure that law enforcement officials have the tools they need to fight crime in today’s modern environment by updating certain existing offences as well as creating new investigative powers to effectively deal with crime in today’s computer and telecommunications environment.

“We must provide our law enforcement with the tools they need to keep our communities safe,” said Minister Van Loan. “High tech criminals will be met by high tech police. This is a great day for the victims and their families who have been long calling for these legislative changes, and those who work tirelessly every day to ensure that when there is a threat to safety police can intervene quickly.”

The Technical Assistance for Law Enforcement in the 21st Century Act will require service providers to include interception capability in their networks. Requirements to obtain court orders to intercept communications will not be changed by this Act, which will require service providers to supply basic subscriber information to law enforcement agencies and the Canadian Security Intelligence Service on request. Other countries, such as the United Kingdom, the United States, Australia, New Zealand, Germany and Sweden, already have similar legislation in place.

“The safety of our citizens, both in our communities and in cyberspace, is a responsibility that this Government takes very seriously,” said Mr. Petit. “The proposed legislation strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard privacy and the rights and freedoms of Canadians.”

The Government carefully considered input provided by a broad range of stakeholders in developing these two pieces of legislation, including the telecommunications industry, civil liberties groups, victims’ advocates, police associations and provincial/territorial justice officials. As a result, the Government has ensured that the Investigative Powers for the 21st Century (IP21C) Act and theTechnical Assistance for Law Enforcement in the 21st Century Act strike an appropriate balance between the need to protect the safety and security of Canada, the competitiveness of the telecommunications industry, and the privacy rights of Canadians.

An online version of the legislation will be available at http://www.parl.gc.ca/.

See also:

Technical Assistance for Law Enforcement in the 21st Century Act

Investigative Powers for the 21st Century (IP21C) Act -->

Information:

Darren Eke Press Secretary
Office of the Minister of Justice
613-992-4621

Media Relations
Department of Justice
613-957-4207

Media Relations
Public Safety Canada
613-991-0657

Here is the government's summary of the warrantless access to customer information provisions:

Technical Assistance for Law Enforcement in the 21st Century Act

Subscriber Information Component

Police forces and CSIS also require timely access to basic subscriber information as it is an essential tool for fighting crime and terrorism. Subscriber information refers to basic identifiers such as name, address, telephone number and Internet Protocol (IP) address, e-mail address, service provider identification and certain cell phone identifiers. These basic identifiers are often crucial in the early stages of an investigation, and without this basic information, police forces and CSIS often reach a dead-end as they are unable to obtain sufficient information to pursue an investigative lead or obtain a warrant.

Currently, there is no legislation specifically designed to require the provision of this information to police forces and CSIS in a timely fashion. As a result, the practices of releasing this information to police forces and CSIS vary across the country: some service providers release this information to law enforcement immediately upon request; others provide it at their convenience, often following considerable delays; while others insist on law enforcement obtaining search warrants before the information is disclosed. This lack of national consistency and clarity can delay or block investigations.

A consistent, balanced, well-regulated and accountable solution is needed for law enforcement and CSIS to obtain basic subscriber information in order to protect the public’s safety and security, while safeguarding individual privacy interests. The Act will accomplish this by compelling all service providers to release this information and creating an administrative model that provides for a reporting regime which ensures accountability by including consisting of a number of new, privacy-related safeguards. Safeguards include such things as the designation of a limited number of law enforcement and CSIS officials who can request information, record keeping, and both internal audits and external oversight.

This legislation provides law enforcement and CSIS with the updated tools needed in the face of rapidly changing technology, while providing maximum flexibility for industry, and creating rigorous safeguards to protect privacy. In doing so, this legislation strikes an appropriate balance between the needs of law enforcement and CSIS, the competitiveness of industry, and the privacy rights of Canadians.

Government proposes to fingerprint before charges

The federal government introduced legislation in Parliament to "modernize" criminal procedure in Canada. What it means, among other things, is that police will get the authority to fingerprint suspects even before charges are laid. Bill C-31 amends the Identification of Criminals Act (but oddly doesn't rename it the Identification of Criminals and People We Don't Have Enough Evidence to Charge Act).

From the DOJ:

Minister of Justice Moves to Modernize Criminal Law Procedure in Canada

OTTAWA, May 15, 2009 – The Honourable Rob Nicholson, P.C., Q.C., M.P. for Niagara Falls, Minister of Justice and Attorney General of Canada, today introduced in the House of Commons an Act to Amend the Criminal Code and other federal legislation, which will modernize criminal procedure and make the justice system more efficient and effective.

“Crime is constantly evolving in Canada so it is crucial that our criminal justice system evolves with it,” said Minister Nicholson. “With these amendments, our Government is taking action to help ensure the safety and security of our communities. It is the latest step in our continuing commitment to tackling crime.”

Proposed amendments in the legislation include:

Creating a new offence to help prevent individuals from fleeing a province or territory in order to avoid prosecution;

Streamlining the identification process in police stations by allowing the fingerprinting and photographing of persons in lawful custody who have not yet been charged or convicted of specific offences;

Improving the application procedure for search and seizure warrants by providing both peace and public officers with greater access to telewarrants;

Enhancing the expert witness process to allow parties more time to prepare their response to expert evidence in criminal matters;

Updating rules related to the use of “agents” (non-lawyers) in criminal proceedings, to provide the provinces with greater flexibility on this issue and ensuring better representation of accused individuals by agents; and,

Expanding the list of permitted sports covered under the current prize fighting provisions, and updating Canada’s pari-mutuel betting system.

“Our provincial and territorial partners have been instrumental in helping us identify and review a number of evolving issues in criminal law across Canada,” said Minister Nicholson. "This bill will increase the effectiveness of the justice system in a number of ways, including giving peace and public officers greater access to warrants relating to search and seizure, and helping address the issue of those who evade justice by travelling to other jurisdictions.”

Here's some media coverage:

Canada wants to fingerprint first - UPI.com

OTTAWA, May 17 (UPI) -- The Canadian government wants to give police the power to fingerprint and photograph suspects who have been arrested and not formally charged.

Justice Minister Rob Nicholson announced legislation Friday, The Toronto Globe and Mail reported. He said that Canada needs to bring its justice system up to date.

"Crime is constantly evolving in Canada so it is crucial that our criminal justice system evolves with it," Nicholson said in a statement.

The Conservative government described the plan as something that would help suspects as well as police by speeding up processing so that they might end up spending less time in police custody.

But one prominent defense lawyer in Toronto opposes the plan.

"Providing fingerprints is self-incrimination and the Constitution protects us from this. The line that is drawn is when you are charged. And to allow police to compel you to incriminate yourself before that moment is open to abuse," Clayton Ruby said.

Senator Leahy introduces much-needed update to Electronic Communications Privacy Act

Today, May 17, 2011, Patrick Leahy introduced a bill to amend and substantially fix the Electronic Communications Privacy Act (ECPA). The bill made sense at the time it was first authored by Leahy a quarter century ago, but it has needed a substantial re-write in this cloud computing age. The most problematic provision allows obtaining stored communications that are more than 180 days old with just a subpoena, rather than a warrant based on probable cause. Twenty-five years ago, you might consider an un-downloaded e-mail message to have been abandoned, but that is no longer the case when millions of users are keeping all of their e-mails and documents in the cloud.

The Digital Due Process Coalition has been heavily lobbying for this change for some time.

For more info: Patrick Leahy introduces update to electronic privacy law - Post Tech - The Washington Post

Canadian police state legislation needs closer examination

I try not to get too opinionated on this blog, but there are some things I feel strongly about. One thing is the ability of people to live their lives (online and off) free of state surveillance and intrusion unless an impartial judge decides that the balance needs to be shifted in favour of the state.

When the recent election was called, a bill fell off the order paper that would remove the impartial judge and put significant surveillance powers it the hands of the state. (In fairness, I have to say that this was originally conceived under the previous Liberal goverment, but is currently part of the Conservative Party's law and order platform that they say will be passed within 100 days if they win a majority (Conservative majority would pass lawful access [laws] within 100 days)). One Bill in particular needs a full airing and thorough debate. It was introduced in the last session and never made it past first reading. This means there was no debate and no scrutiny of any kind.

Here's why Bill C-52 - An Act regulating telecommunications facilities to support investigations needs much closer examination.

Section 16 of the Bill requires all telecommunication service providers to hand over enormous quantities of customer information to the police, CSIS or the competition cops. There is no limit on the amount of information to be provided and is only restricted to "duties" of the cops or intelligence agency.

The provisions, at least as they appeared in Bill C-52, read as follows:

OBLIGATIONS CONCERNING SUBSCRIBER INFORMATION

16. (1) Every telecommunications service provider must provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

(2) A designated person must ensure that he or she makes a request under subsection (1) only in performing, as the case may be, a duty or function

(a) of the Canadian Security Intelligence Service under the Canadian Security Intelligence Service Act;

(b) of a police service, including any related to the enforcement of any laws of Canada, of a province or of a foreign jurisdiction; or

(c) of the Commissioner of Competition under the Competition Act.

(3) The Commissioner of the Royal Canadian Mounted Police, the Director of the Canadian Security Intelligence Service, the Commissioner of Competition and the chief or head of a police service constituted under the laws of a province may designate for the purposes of this section any employee of his or her agency, or a class of such employees, whose duties are related to protecting national security or to law enforcement.

(4) The number of persons designated under subsection (3) in respect of a particular agency may not exceed the greater of five and the number that is equal to five per cent of the total number of employees of that agency.

(5) The Commissioner of the Royal Canadian Mounted Police and the Director of the Canadian Security Intelligence Service may delegate his or her power to designate persons under subsection (3) to, respectively, a member of a prescribed class of senior officers of the Royal Canadian Mounted Police or a member of a prescribed class of senior officials of the Canadian Security Intelligence Service.

17. (1) A police officer may request a telecommunications service provider to provide the officer with the information referred to in subsection 16(1) in the following circumstances:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.

The police officer must inform the telecommunications service provider of his or her name, rank, badge number and the agency in which he or she is employed and state that the request is being made in exceptional circumstances and under the authority of this subsection.

Let me break this down: Any designated police officer or CSIS agent can ask a telecommunications service provider to hand over any of the following information about a customer:

• name,
  
• address,
  
• telephone number,
  
• electronic mail address,
  
• Internet protocol address,
  
• mobile identification number,
  
• electronic serial number,
  
• local service provider identifier,
  
• international mobile equipment identity number,
  
• international mobile subscriber identity number and
  
• subscriber identity module card number.

This goes well beyond the usual scenario of when the cops have an IP address of someone suspected of online child exploitation and want the customer name and address information. But the bill doesn't say that if the cops have X info, they can get Y subscriber data. Instead, it just says on request the telco has to hand over the entire laundry list of data on customers. This is without a warrant, without a production order and without any court oversight at all. Unlike wiretap laws where stats have to be released, there is no obligation on the part of the police or the ministers responsible to release information about how these powers are used and under what circumstances. The Privacy Commissioner gets to audit it, but I don't think this saves any of the problems with the Bill.

The Bill contained no limitation on what level of investigation was required. It isn't limited to serious crimes or even trivial crimes. It is not limited to criminal or national security investigations. All that's necessary is that it be connected with the cop's duties. Collecting parking tickets fit within that category.

Think about what this means, given the laundry list of data to be provided with no threshold of probable cause or even a real investigation. The police can scan the airwaves at a protest and identify the IMEIs of the mobile phones in the vicinity. One request to the telcos can get the names and addresses of virtually everyone who was there. I bet the Egyptian authorities would have loved to have done this in Tahrir Square. Next time there's a G-20 protest in Canada, the police can do this, too.

There is no limitation in the statute that would prevent the police from asking for all the above data for any subscribers who connected, for example, to any cell site in a particular neighbourhood at a particular time.

In Canada, we expect that we can generally live our lives free of government surveillance and intrusion, unless an independent judge says that the government interest in crime fighting outweighs our individual right to privacy. This legislation would remove this balance and tips the scales dramatically toward police state powers.

Telco and ISP snooping? Don't hate the player, hate the game

The 'net and twitter have been all abuzz this past week with revelations about telco and ISP cooperation with law enforcement. We've seen Wikileaks post the internal policies of MySpace and Cryptome's posting of Yahoo!'s internal policies.

Blame for this appears to be laid at the feet of the service providers.

I'm all in favour of privacy and completely in favour of government restraint. I'm even more keen on court oversight and requirements that warrants be produced in order for cops and national security types to get access to customer information. I'm also in favour of transparently and accountability. But I haven't seen much nuance in any of the online discussion of this topic. Perhaps that's just the analytical limitations of twitter and the general tone of much of the blogosphere.

Two important issues are being missed. First: just about any time you interact with any business these days, a data trail of some sort is left. If you buy a book using any credit or debit card, there's a record that can connect that purchase to you. If you check out a book from the library, there's a record. If you use a transponder-based tolling system, there's a record of where you were, when and maybe where you are going. If you use any loyalty program to collect points on your purchases, there's an even denser data trail. Your mobile phone provider knows where you phone is at all times and who you have called. This is not unique to online companies. It's simply the reality of our digital lives. Some information collection or retention may be gratuitous, but more often than not it is essential to provide the service that users are asking for. It is not unreasonable, however, to question how much information is collected and how long it is retained. Fair information practices demand that service providers only collect the amount of information necessary to provide the service and that they keep it for only as long as they need to in order to provide the service.

The second, and more important, issue: love it or loathe it, it is the law. If a third party has information about you, the government can get access to it with a court order, a warrant or a subpoena. The third party can sometimes go to court to challenge the legality of the request, but it seldom has enough information to do so. And in many cases, it really has no ability to do so. The fact is, if there is a lawful demand for information, the service provider has to comply or face criminal sanctions itself.

And that's not just unique to the US and the USA Patriot Act. In Canada, take a look at the Anti-Terrorism Act, the Criminal Code, the Canadian Security Intelligence Service Act or the National Defence Act. European democracies have similar rules, too. These companies are generally following their legal obligations. If you have a problem with that, energies and outrage might be more usefully channelled to changing those laws.

ISPs and telcos may influence the laws, but they generally don't make they rules they have to abide by. In short: don't hate the player, hate the game.

Privacy-related bills to die on the order paper if Canadian election called

With talk of an election heating up in Canada, I thought I'd provide a list of the government bills that will likely die on the order paper if the government is brought down or if the PM wanders over to speak with the Governor General about dissolving parliament:

C-29	An Act to amend the Personal Information Protection and Electronic Documents Act (Safeguarding Canadians’ Personal Information Act)	First Reading in the House of Commons (May 25, 2010)
C-50	An Act to amend the Criminal Code (interception of private communications and related warrants and orders) (Improving Access to Investigative Tools for Serious Crimes Act)	First Reading in the House of Commons (October 29, 2010)
C-51	An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act (Investigative Powers for the 21st Century Act)	First Reading in the House of Commons (November 1st, 2010)
C-52	An Act regulating telecommunications facilities to support investigations (Investigating and Preventing Criminal Electronic Communications Act)	First Reading in the House of Commons (November 1st, 2010)

Bills C-50, C-51 and C-52 need some major work so I'm fine to see them go back into parliamentary purgatory, but the PIPEDA amendments (C-29) were pretty good and I'd hate to think we're back to the drawing board.

The new lawful access bills

Here is the first reading text of the Investigative Powers for the 21st Century Act:

BILL C-51 An Act to amend the Criminal Code, the Competition Act and the Mutual Legal Assistance in Criminal Matters Act aka Investigative Powers for the 21st Century Act.

I will post a link to the Investigating and Preventing Criminal Electronic Communications Act when it is posted on the parliamentary website.

(Note: I had previously linked to the wrong bill on this post ...)

The lawful access debate

The Ottawa Citizen has an interesting article on the debate surrounding "lawful access". Check it out: Security vs. privacy. Via Michael Geist.

The debate about warrantless access to ISP customer information

Just posted on slaw:

The debate about warrantless access to ISP customer information >> Slaw

In the privacy community, there has been a debate over whether it is lawful, under PIPEDA, for a custodian of personal information to provide customer information when then police come knocking. The debate has been most heated in the arena of internet service providers customer names and addresses to the police when presented with an IP address. PIPEDA allows a number of disclosures of personal information without consent pursuant to Section 7(3) of the statute. One exception to the general rule relates directly to law enforcement requests:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

The debate has raged over differing interpretations of “lawful authority”, and there are conflicting decisions from the Courts over whether internet service providers can disclose customer name and address information to the police in response to a request.

For example, in Re S.C., 2006 ONCJ 343, the court set aside a search warrant that was based on information obtained from an ISP in response to a law enforcement request. In R. v. Kwok, the court found that the customer had a reasonable expectation of privacy in his name and address information and that the police should have obtained a warrant to get this information from the internet service provider. From paragraph 35 of that decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

More recently, in R. v. Ward, 2008 ONCJ 355 (CanLII), the court determined that the customer did not have a reasonable expectation of privacy with respect to this information because the service agreement imposed upon him by Bell’s Sympatico service reduced, if not destroyed, whatever expectation of privacy he might otherwise have had. Similarly, in R. v. Wilson, the court also found no reasonable expectation of privacy.

The pendulum may be swinging the other way. Last week, the Ontario Court of Justice released its decision in R. v. Cuttell. The Court concluded there is a reasonable expectation of privacy in customer account records, but this expectation can be destroyed by an ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepted that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy but there was no proof brought by the police that the Bell contract applied to this customer. What is perhaps most interesting is that the Judge lamendted the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

All of this may become moot (and then some!) thanks to currently pending legislation. Bill C-47, entitled Technical Assistance for Law Enforcement in the 21st Century Act, is about to come up for committee review in parliament. Introduced along with Bill C-46, Investigative Powers for the 21st Century Act, both bills represent a significant shift in the powers of law enforcement. Though marketed as updating current police powers to keep pace with technology, C-47 would give law enforcement virtually unfettered access to customer information from internet and telecommunications service providers without any judicial oversight. The particular provision is at Section 16:

Provision of subscriber information

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

I am of the view that there should be appropriate judicial oversight of any regime in which service providers are required to identify their users to law enforcement officials. (Subject to exceptions in exigent circumstances.) It is only with judicial oversight that society can be assured that the appropriate balance between privacy and public safety is maintained. The government’s proposal provides no oversight and the powers of law enforcement are completely unfettered. If the concern is that search warrants are too time consuming, then appropriate resources should be put in place to provide for rapid review by independent judicial officers. Removing all the stops from law enforcement powers it not appropriate in this case.

Currently there is a disparity of practices among telecommunication service providers and internet service providers across Canada when dealing with a request from a law enforcement agent to provide a customer name and address connected with a specific IP address. This is due to at least a measure of uncertainty in interpreting the service provider’s obligations under the Personal Information Protection and Electronic Documents Act. Most ISPs will provide customer name and address information if law enforcement officers make a written request in the course of investigation related to child exploitation. In other sorts of investigations, a search warrant is required. Other internet service providers require a search warrant in all circumstances to disclose this information.

For example, Clause 16 as drafted does much more than impose the obligation for service providers to carry out a “reverse look-up” to match one piece of information (such as an IP address) with customer billing information. Instead, it would require the service provider to give law enforcement a laundry list of information in response to any request. This sort of information would be IP address, mobile identification number, electronic serial number, phone number, equipment identifiers and others. This, on its face, goes beyond what law enforcement has been asking for, at least in public.

This power is not subject to meaningful review and is completely unfettered. There is no restriction on the circumstances under which these powers can be used. Currently, requests of this nature generally relate to child exploitation investigations or compelling national security/public safety matters. As drafted, law enforcement would be able to use these powers in connection with parking violations and very minor concerns. In fact, these powers could be used in the complete absence of a lawful investigation. In addition, there is no limitation whatsoever on the volume of these sorts of requests. It would be possible for a law enforcement agency to require the name, address, e-mail address and IP address of every single one of their customers. I think most would say this goes over the line.

It has been said before that a customer’s name and address is not “personal information” or if it is, it is not sensitive information. That misses the point. A customer’s name and address, when connected with an IP address or a mobile phone serial number, is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their “offline” life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that individual’s IP address. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. These provisions do not maintain the traditional balance as has developed in Canada under the Charter and in fact go dramatically and unreasonably in favour of law enforcement.

I've been surprised that discussion of this topic has mostly been contained within the privacy community and hope that the upcoming parliamentary hearings on C-46/C-47 will bring the debate into the wider community, where it belongs.

New decision on warrantless access to ISP customer data

A friend just provided me with a copy of a recent decision of the Ontario Court of Justice considering the admissibility of information obtained without a warrant from the suspect's internet service provider, Bell. R. v. Cuttell is not on CanLii yet, but I've put a copy here.

The Court concluded there is a reasonable expectation of privacy in your account records, but this expectation can be destroyed by your ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepts that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy. (I would also question whether a form contract that the customer likey has not read would be enough to mean that subjectively there is no reasonable expectation of privacy.)

In this case, there was no proof brought by the police that the Bell contract applied to this customer so a Charter breach was found.

The Court importantly notes that PIPEDA does not give the police the right to seek information and rejects every crown argument that the police may have had "lawful authority" in the circumstances.

But, in the end, the records were admissible as the police acted in good faith.

What is perhaps most interesting is that the Judge laments the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

Privacy Commissioners call for reconsideration of expanded surveillance powers

The federal, provincial and territorial Privacy Commissioners meeting together in St. John's have issued a statement calling for "caution" on the expansion of investigative powers proposed by the conservative government.

They issued the following media release, referring to resolutions available on the federal Commissioner's website:

Privacy commissioners urge caution on expanded surveillance plan

ST. JOHN'S, Sept. 10 /CNW Telbec/ - Parliament should take a cautious
approach to legislative proposals to create an expanded surveillance regime
that would have serious repercussions for privacy rights, say Canada's privacy
guardians.

Privacy commissioners and ombudspersons from across the country issued a
joint resolution today urging Parliamentarians to ensure there is a clear and
demonstrable need to expand the investigative powers available to law
enforcement and national security agencies to acquire digital evidence.

The federal government has introduced two bills aimed at ensuring that
all wireless, Internet and other telecommunications companies allow for
surveillance of communications, and comply with government agency demands for
subscriber data - even without judicial authorization.

"Canadians put a high value on the privacy, confidentiality and security
of their personal communications and our courts have also accorded a high
expectation of privacy to such communications," says Jennifer Stoddart, the
Privacy Commissioner of Canada.

"The current proposal will give police authorities unprecedented access
to Canadians' personal information," the Commissioner says.

The resolution is the product of the semi-annual meeting of Canada's
privacy commissioners and ombudspersons from federal, provincial and
territorial jurisdictions across Canada, being held in St. John's.

The commissioners unanimously expressed concern about the privacy
implications related to Bill C-46, the Investigative Powers for the 21st
Century Act and Bill C-47, the Technical Assistance for Law Enforcement in the
21st Century Act. Both bills were introduced in June.

"We feel that the existing legal regime governing interception of
communications - set out in the Criminal Code and carefully constructed by
government and Parliament over the decades - does protect the rights of
Canadians very well," says Ed Ring, the Information and Privacy Commissioner
for Newfoundland and Labrador and host of the meeting.

"The government has not yet provided compelling evidence to demonstrate
the need for new powers that would threaten that careful balance between
individual privacy and the legitimate needs of law enforcement and national
security agencies."

The resolution states that, should Parliament determine that an expanded
surveillance regime is essential, it must ensure any legislative proposals:

• Are minimally intrusive;
  
• Impose limits on the use of new powers;
  
• Require that draft regulations be reviewed publicly before coming
  into force;
  
• Include effective oversight;
  
• Provide for regular public reporting on the use of powers; and
  
• Include a five-year Parliamentary review.

At the meeting in St. John's, the commissioners and ombudspersons also
passed a resolution about the need to protect personal information contained
in online personal health records.

The resolution emphasizes the importance of empowering patients to
control how their own health information is used and shared. For example, it
calls for developers of personal health records to allow patients to gain
access to their own health information, set rules about who else has access,
and to receive alerts in the event of a breach.

"Personal health records have the potential to deliver significant
benefits for patients and their health care providers. However, given the
highly sensitive personal information involved, developers need to ensure they
build in the highest privacy standards," says Commissioner Ring.

Both resolutions are available on the Privacy Commissioner of Canada's
website, http://www.priv.gc.ca/.

The resolutions are here:

• “Protecting Privacy for Canadians in the 21st Century” – Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials on Bills C-46 and C-47
  
• “The Promise of Personal Health Records” – Resolution of Canada’s Privacy Commissioners and Privacy Enforcement Officials