Thursday, February 26, 2015

The disaster of the Nova Scotia cyberbullying law; it's time to go back to the drawing board

I often represent victims of true cyberbullying, including adults whose lives have been turned upside down by malicious online actors, so I am very sympathetic to the nominal goals of Nova Scotia's Cyber-safety Act. But the legislation fails to take into account -- in any way -- that all expression is protected by the Charter and can only be regulated or suppressed by reasonable limits, prescribed by law. The legislation is defective and has been enforced by the province in a manner that only makes it worse.

In Nova Scotia, any electronic speech that would reasonably be expected to cause someone distress or hurt feelings or harm to self-esteem is deemed to be cyberbullying. There are no defences. Here is the definition of cyberbullying from the Act:

(b) “cyberbullying” means any electronic communication through the use of technology including, without limiting the generality of the foregoing, computers, other electronic devices, social networks, text messaging, instant messaging, websites and electronic mail, typically repeated or with continuing effect, that is intended or ought reasonably [to] be expected to cause fear, intimidation, humiliation, distress or other damage or harm to another person’s health, emotional well-being, self- esteem or reputation, and includes assisting or encouraging such communication in any way;

You may want to read that again, but focus on this bit: "any electronic communication ... that ought reasonably be expected to cause .. humiliation, distress or other damage or harm to another person's ... self-esteem or reputation...".

Every other Canadian law that tries to limit speech has defences, such as the defence of truth or fair comment under defamation law. Hate speech laws in the Criminal Code have defences. The Supreme Court of Canada, in Grant v Torstar, recently recognized that traditional defamation law was not compatible with the Charter because a diligent commentator on a matter of public interest would be found liable under existing rules so created a defence of "responsible communication on a matter of public interest." Under defamation law, you can call a convicted thief a thief, but if you dare tweet that in Nova Scotia or put it on a blog, you're a cyberbully.

We just have to look at how the Cyber-safety Act has been applied by the CyberSCAN unit to understand how incompatible it is with Charter protected expression. After a teenager started a twitter argument with MLA Lenore Zann, the CyberSCAN folks called an individual who regularly tweets about Nova Scotia politics and told him to remove his tweets or there would be unspecified "further action". His tweets questioned the judgement of an elected member of the legislature. He deleted his tweets. (See: Nova Scotia politician alleges cyberbullying, calls the authorities on tweeting teen)

On another occasion, the CyberSCAN folks met with an individual who was demanding financial transparency and accountability from his elected First Nations Band Chief. I will admit his questioning was inelegant and his frustration is apparent in his comments. (At one point, he apparently suggested she could use a punch in the face.) They told him to not communicate with or about her, and to remove any negative comments about her from the internet, or there would be "further action". When he reneged on his agreement to lay off, they went to court and got an order of the Supreme Court of Nova Scotia that forbids him from communicating with or about his elected representative, effectively cutting him out of the democratic process. The judge did not issue any written reasons for the decision. (See: More details about Nova Scotia's first cyberbullying prevention order)

Most recently, Frank Magazine has reported in its 29 January 2015 issue that a local, politically active twitter user and blogger received a late-night visit from from CyberSCAN unit. Here's how it was related in the Frank article:

"A government agent from the province's Cyberscan cyberbullying division came to my house and ordered me to take down my political blog," Eric tells me.

"Or they would get a court order, and... they would seize all my computers, cell phones, ban me from using the internet, fine me thousands of dollars and jail me for up to two years."

According to the Frank magazine article, the CyberSCAN officer, Lisa Greenough, refused to tell the individual who had filed the complaint or what was the substance of the actual complaint. He was essentially told to just stop participating in politics online. Or there would be consequences.

The CyberSCAN unit's modus operandi when it comes to political participation appears to be to tell folks to stop. Not to tone it down. Just stop. And the invariable "or there will be further action."

When the legislation was introduced, I was interviewed by CBC saying that it was likely unconstitutional. In a later interview with the Premier of Nova Scotia, they played him that clip with my critique of the law. He said he couldn't disagree with me more. Having the Premier of a province tell you that you're wrong surely would hurt my feelings and harm my self esteem. If he had tweeted it, would have been cyberbullying according to the law his government passed. The CBC put the article on their website, so they cyberbullied me by "assisting or encouraging". None of them would have intended to have hurt my feelings, but that doesn't matter under this province's bizarre law.

This law was passed less than one hundred feet from the statue of Joseph Howe at the legislature. But if Howe had been on Twitter, he would have been branded a cyberbully; his comments almost certainly hurt the feelings of the local magistrates and caused them distress.

Cyberbullying is a very hard thing to define, and the law's supporters said that it had to be very broadly defined but would be applied with judgement and discretion. I have not seen evidence of that. Though most of the CyberSCAN unit's activities have not been reported on, those cases that have hit the media or the courts show a complete disregard for freedom of expression. When I asked the CyberSCAN unit about how they incorporate this fundamental human right into their decision-making, this is the response I received:

The Charter was given careful consideration when the legislation was drafted. Any action taken is done following careful consideration to ensure it meets the essence of the legislation.

I would suggest that there is no evidence that the Charter was considered when the legislation was put together. And I seen no evidence that the Charter has been given consideration when the Act is applied.

Cyberbullying -- of kids and adults -- is a real issue that demands a real, meaningful response. However, the Cyber-safety Act of Nova Scotia is a disaster and the province's government needs to go back to the drawing board.


In case you are curious about the CyberSCAN unit, here are the questions I asked of the group and the answers I received:

1. How many employees (FTE) are there in the CyberSCAN unit?

There are five full time investigators, a Director, a case manager, and an administrative assistant that have additional duties associated with similar programs.

2. How many complaints or inquiries has the CyberSCAN unit received from victims of cyberbullying? Of these, how many are from adults and how many are from youth/children?

Since September 30, 2013, the unit has received 497 complaints that have initiated investigations.

3. How many files has the CyberSCAN unit opened in connection with complaints? Of these, how many are from adults and how many are from youth/children?

SEE Q4

4. How many formal investigations have been launched by the CyberSCAN unit? Of these, how many are from adults and how many are from youth/children?

497 complaints received have involved the following:

Adult – 302 – adult reporting they are being cyberbullied

Guardian – 7 – guardian reporting on behalf of minor child

Parent – 76 – reporting on behalf of minor child

Referral by Police – 27

Referral by School – 66

Referral by Victim Services – 1

Youth – 19 – youth reporting they are being cyberbullied

5. How many complaints have been resolved informally by the CyberSCAN unit without having to open a file or launch a formal investigation?

There have been 163 informal resolutions.

6. How many Cyber Safety Prevention Orders have been applied for by the Director of Public Safety? Of these, how many are from adults and how many are from youth/children?

The Director has applied for and received 2 Prevention orders in court.

7. Does the CyberSCAN Unit have full time legal counsel assigned to it?

The unit utilizes Legal Services within the Department of Justice.

8. On the unit’s website, it says “The CyberSCAN unit will determine which alleged victims are at the most risk and respond to cases in order of priority.” How do you prioritize cases?

Cases are prioritized based on the potential harm to the individual.

9. Are there any formal or informal means by which the CyberSCAN unit takes Charter guaranteed freedom of expression rights into account in its activities?

The Charter was given careful consideration when the legislation was drafted. Any action taken is done following careful consideration to ensure it meets the essence of the legislation.

Full disclosure: I am representing clients in two separate cases that are challenging the Cyber-safety Act and its application on Charter and other grounds. I have also been a witness in an application to obtain a cyberbullying protection order.

Thursday, February 19, 2015

Pre-installed adware may be kosher under Canadian anti-spyware provisions of CASL

The Next Web is reporting that Lenovo has been shipping consumer laptops pre-equipped with adware (see: Lenovo Caught Installing Adware On New Computers). This raises an interesting question for Canadians: would something like this be ok under the anti-spyware provisions of Canada's Anti-Spam Law (CASL)?

In true lawyerly style, the answer is "it depends". But maybe this highlights one of the many problems with the law.

The owner or authorized user of a computer system can install whatever he or she wants on the device, but this may not be the ultimate end-user. So if a manufacturer installs adware software on the device before title to it passed to the end user, that may be just fine under the law (but likely problematic from the point of view of the end user). Also, if it is embedded in the operating system of the device, that may be OK because there's deemed consent for the installation of operating systems by third parties.

I think most consumers would say that adware, crapware, bloatware, etc. should not be on their devices without their consent and the company that put it there should be required to remove it on request. However, if the software was installed when the manufacturer owned the device, the law may not meet consumers' expectations.

For more information on the software installation provisions of CASL, check out my firm's FAQ on the subject.

Wednesday, February 18, 2015

Ontario health privacy law doesn't preclude class actions for intrusion upon seclusion claims

The Ontario Court of Appeal in Hopkins v. Kay, 2015 ONCA 112 (CanLII) has just ruled that the Personal Health Information Protection Act (PHIPA) doesn't preclude common law claims for intrusion upon seclusion. In the decision under appeal, The motion judge held that it was not plain and obvious that the claim based on Jones v. Tsige could not succeed. He noted that the existence of PHIPA and other privacy legislation had been brought to the appeal court’s attention in Jones v. Tsige and refused to strike the claim under Rule 21.

It was argued by the appellants that PHIPA creates an exhaustive code that ousts common law torts, such as intrusion upon seclusion. The Court of Appeal did not agree:

[30] An intention to create an exhaustive code may be expressly stated in the legislation or it may be implied. As there is nothing explicit in PHIPA dealing with exclusivity, the question is whether an intent to exclude courts’ jurisdiction should be implied. In Pleau v. Canada (A.G.), 1999 NSCA 159 (CanLII), 182 D.L.R. (4th) 373, leave to appeal refused, [2000] S.C.C.A. No. 83, Cromwell J.A. explained, at para. 48: “Absent words clear enough to oust court jurisdiction as a matter of law, the question is whether the court should infer… that the alternate process was intended to be the exclusive means of resolving the dispute.”

[31] Cromwell J.A. identified three factors that a court should consider when discerning whether there is a legislative intent to confer exclusive jurisdiction. First, a court is to consider “the process for dispute resolution established by the legislation” and ask whether the language is “consistent with exclusive jurisdiction”. Courts should look at “the presence or absence of privative clauses and the relationship between the dispute resolution process and the overall legislative scheme”: Pleau, at para. 50 (emphasis in original).

[32] Second, a court should consider “the nature of the dispute and its relation to the rights and obligations created by the overall scheme of the legislation”. The court is to assess “the essential character” of the dispute and “the extent to which it is, in substance, regulated by the legislative… scheme and the extent to which the court’s assumption of jurisdiction would be consistent or inconsistent with that scheme”: Pleau, at para. 51 (emphasis in original).

[33] The third consideration is “the capacity of the scheme to afford effective redress” by addressing the concern that “where there is a right, there ought to be a remedy”: Pleau, at para. 52 (emphasis in original).

With respect to the first criterion, the court said:

[45] I conclude that PHIPA provides an informal and highly discretionary review process that is not tailored to deal with individual claims, and it expressly contemplates the possibility of other proceedings.

For the second criterion:

[52] The above comparison leads me to conclude that allowing actions based on Jones v. Tsige to proceed in the courts would not undermine the PHIPA scheme. The elements of the common law cause of action are, on balance, more difficult to establish than a breach of PHIPA, and therefore it cannot be said that a plaintiff, by launching a common law action, is “circumventing” any substantive provision of PHIPA. The aspects of the common law that may at first glance appear more lenient are not, upon closer consideration, significantly advantageous.

[53] Allowing common law actions to proceed in the courts would, however, allow plaintiffs to avoid PHIPA’s complaint procedure, and I now turn to the issue of whether that procedure is sufficient to ensure effective redress.

And thirdly:

[61] It was suggested in oral argument that an individual complainant could always ask the Attorney General to launch a prosecution pursuant to s. 72 and then use the conviction as a basis for claiming damages under s. 65(2). I am not persuaded that this argument alleviates the problem. First, it would subject the individual complainant to yet another discretionary hurdle. Second, it is hardly a persuasive argument supporting the exclusivity of the PHIPA process to say that individuals can obtain redress by resorting to the courts by way of a prosecution.

And in the result:

[73] For these reasons, I conclude that the language of PHIPA does not imply a legislative intention to create an exhaustive code in relation to personal health information. PHIPA expressly contemplates other proceedings in relation to personal health information. PHIPA’s highly discretionary review procedure is tailored to deal with systemic issues rather than individual complaints. Given the nature of the elements of the common law action, I do not agree that allowing individuals to pursue common law claims conflicts with or would undermine the scheme established by PHIPA, nor am I satisfied that the review procedure established by PHIPA ensures that individuals who complain about their privacy in personal health information will have effective redress. There is no basis to exclude the jurisdiction of the Superior Court from entertaining a common law claim for breach of privacy and, given the absence of an effective dispute resolution procedure, there is no merit to the suggestion that the court should decline to exercise its jurisdiction.

Friday, February 13, 2015

To combat fraud, you want Visa to track your smartphone

A couple of years ago, I got into my office, sat down at my desk and the phone rang. It was my bank. The conversation went something like this:

Bank: Mr. Fraser, it's * from [my bank branch]. Do you have your bank card with you?

Me: Yes, it's right here [I pulled it out of my wallet].

Bank: Did you use your card to withdraw $400 from a no-name ABM at 2:00am this morning?

Me: No. I was asleep. Where was the ABM?

Bank: We think it was at a strip club.

Me: Yeah, that wasn't me.

Bank: We've cancelled your card and we'll put the $400 back in your account. Can you come by the branch to pick up a new card and choose a new PIN?

Me: Yup.

To me, this was a great example of how a company can use your personal information to protect you. Obviously, I was not in the habit of withdrawing cash at last call in strip joints so my bank's algorithms knew it was not me.

Now Visa is planning to roll out a new opt-in feature that will use the location of your mobile phone to combat fraud. If your phone is in New York but a transaction on your card is in Thailand, it is much less likely to be you. But if you really are in Thailand, you probably do not want Visa to disable your transactions as a precaution. This is a great feature that uses your personal information to protect you, and will not be used for secondary purposes/

From the Associated Press: To combat fraud, Visa wants to track your smartphone - Yahoo Finance:
.

(I'd suggest the title to the AP article should be "To combat fraud, you want Visa to track your smartphone.")

Thursday, February 05, 2015

Supreme Court of Canada to hear case involving foreign spying and misconduct by government lawyers

The Supreme Court of Canada has agreed to hear the appeal from the Federal Court of Appeal in the case of Re X. That was an interesting case on the merits: Can a Canadian judge grant a warrant to Canada's spy agency to do something outside of Canada that would violate the laws of the country where it would be done.

For me, the bigger part of the case was that the Court found that CSIS and the Department of Justice had lied and withheld material evidence in order to get warrants under the CSIS Act to surveil Canadians outside of Canada.

In the lower court, Justice Mosley had found that the Department of Justice lawyers, acting for CSIS in various warrant applications, had withheld information from the Court in order to get warrants under the CSIS Act. What they withheld was that they would get one or more of their Five Eyes partners to do the spying for them. Justice Mosley had found that the CSIS Act (and customary international law) did not permit the Court to grant a warrant that would effectively authorize the intelligence service to violate the laws of wherever the spying was to take place. (This last part has been addressed in proposed amendments to the CSIS Act in Bill C-44.)

I really hope the Supreme Court will delve into the required level of candour and transparency for Government lawyers when they are making secret applications for secret warrants to do intrusive things that otherwise would be unlawful in Canada.

Here's the summary prepared by the Supreme Court of Canada:

Supreme Court of Canada - SCC Case Information - Summary - 3610736107

In the Matter of an Application for Warrants Pursuant to Sections 12 and 21 of the Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23

(Federal Court) (Civil) (By Leave)

(Sealing order)

Summary - Case summaries are prepared by the Office of the Registrar of the Supreme Court of Canada (Law Branch) for information purposes only.

National security – Security intelligence – Warrants – Federal Court issuing warrant to CSIS for the interception from within Canada of telecommunications of Canadian citizens travelling abroad – CSIS failing to disclose on warrant application its intention to seek the assistance of foreign partner agencies for the interception of telecommunications of Canadians abroad – Federal Court finding that CSIS breached its duty of candour on ex parte warrant application – Federal Court holding that s. 12 of the Canadian Security Intelligence Service Act does not authorize CSIS to make such requests to foreign partner agencies – What is the scope of the Federal Court’s jurisdiction under s. 21 of the CSIS Act to issue warrants governing the interception of communications of Canadians by foreign agencies at Canada’s request – What is the scope of CSIS’s disclosure obligations on warrant applications – Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23, ss. 12, 21.

In 2009, a warrant was issued permitting the Canadian Security Intelligence Service (“CSIS”) to intercept, within Canada, the telecommunications of two Canadian citizens travelling abroad. In 2013, it came to the attention of the issuing judge that, where similar warrants were issued, it had become the practice for CSIS and for the Communications Security Establishment (“CSE”) to make requests to foreign partner agencies for assistance in the targeting of the communications of Canadians abroad. The court recalled counsel to address two issues: (1) whether the Attorney General had met his duty of candour when applying for such warrants, and in particular, whether the assistance provided by CSE in tasking foreign partners should have been disclosed; and (2) whether s. 12 of the Canadian Security Intelligence Service Act authorizes CSIS to engage the assistance of foreign agencies in intercepting the communications of Canadians abroad. The court found that the Attorney General had breached his duty of candour and that s. 12 of the CSIS Act did not authorize CSIS to engage the assistance of foreign agencies. The Court of Appeal dismissed the Attorney General’s appeal.

Wednesday, February 04, 2015

Presentation: Cyber-bullying, the law and the courts (and freedom of expression)

I was invited to speak to journalism students at the University of King's College about Cyber-bullying, the law, freedom of expression and the courts. This is the second year I've been asked to give such a presentation and I focused on the problems created by laws that are drafted and passed during very emotional times. The Nova Scotia Cyber-safety Act is a perfect example of such a law: When it was introduced, I was quoted in the media as saying it was likely unconstitutional as an unreasonable infringement on our Charter rights to freedom of expression. The Premier of the province at the time, Darryl Dexter, responded to my critique by saying that he could not disagree with me more. Since that quote hurt my feelings and was published online, it fit within the grossly overbroad definition of cyberbullying contained in the statute he was responsible for. Which only just proves my point, since an honest opinion on a matter of public interest (particularly legislation) should never be made unlawful in our free and democratic society.

In any event, it was a pleasure to give the presentation and to speak with the very engaged students. In case the materials are of interest, here is the presentation:

Wednesday, January 28, 2015

Canada's digital spy agency tracking your online downloads

The CBC (CSE tracks millions of downloads daily: Snowden documents - Canada - CBC News) and the Intercept (Canada Casts Global Surveillance Dragnet Over File Downloads) have jointly broken a huge story about mass internet surveillance led by Canada at a breathtaking scale.

In short, Canada's Communications Security Establishment (CSE) has been tracking traffic to and from over 100 file sharing sites. They can do this because they are tapping some of the principal arteries of the internet, over which your most sensitive and mundane information flows. When they see traffic to a questionable document, they try to find out as much about the person retrieving the document as possible. To do this, they dip into databases of information and profiles of millions (if not billions) of internet users created by them and their other Five Eyes partners. Correlating all this information, they may be able to link the download of a file to an individual. Though the presentation released by the CBC and the Intercept only refer to terrorism related documents, this is something CSE and its partners can do for any file shared on any one of these sites. The presentation actually refers to filtering out episodes of Glee. If you used one of these file sharing sites to download Glee, they would have been able to track you down as easily.

Of course, when asked to comment, CSE had its usual PFO:

"CSE is clearly mandated to collect foreign signals intelligence to protect Canada and Canadians from a variety of threats to our national security, including terrorism," agency spokesman Andrew McLaughlin wrote in an email to CBC.

This is another example of completely suspicionless dragnetting of internet traffic that should cause all Canadians to be concerned. Gravely concerned. My information and your information is in the databases of internet users that the Five Eyes partners have created. During the the time in question, I had clients who used these services to share large documents with me that are subject to solicitor client privilege. This data was swept up in their system and their assurances that they didn't look at it offers me no comfort.

Mass, suspicionless surveillance is not OK and has to stop.

Presentation on the new software installation rules in Canada's Anti-spam Law

I was pleased to deliver an online Hangout On Air about CASL's new software installation rules on behalf of both Digital Nova Scotia and McInnes Cooper. The full presentation is here and you can get your mitts on the slides here. As I mentioned in the video, feel free to ask any questions or make any observations in the comments below. Though I can't provide legal advice through comments (and you should not provide any confidential information), I'm happy to discuss this law.

Monday, December 15, 2014

Audio of interview with Macleans Magazine about SCC Fearon cell phone privacy decision

Last week, I was interviewed by Cormac MacSweeney for Macleans Magazine about the recent Supreme Court of Canada decision in R v Fearon. Listen to the full 15 minute-long interview here: