Tuesday, September 02, 2014

The celebrity photo leak/hack: lessons for securing devices and cloud accounts

Over the weekend, a deluge of intimate photos of celebrities appeared on the internet, first on 4Chan and then on Reddit (CBC report). Surely they are in other places now. What is unclear at the moment is how the images were obtained in the first place. There has been speculation that the photos came from iCloud accounts compromised by a brute-force password attack, and even a suggestion that the WiFi at the Emmy Awards was somehow compromised. Other discussions online suggest that the photos have been traded for years among avid collectors. It will be very interesting -- from a privacy and security point of view -- to learn how it actually happened.

In the meantime, this serves as a reminder about what steps most people should take to secure their sensitive personal information on their devices and in the cloud.

Increasingly, people carry sophisticated devices with onboard cameras that automatically sync data to remote servers, and they take photos of everything from the most banal moments in their lives to the most intimate. I am not at all interested in blaming the victims; like it or not, this is simply a fact. While celebrity images are the most sought-after, images of ordinary people have been scraped from unsecured image hosting sites with traumatic results.

Most smartphones are reasonably secure out of the box, and responsible vendors patch vulnerabilities as they are discovered. However, the first line of defence is still the human using the device, who may not be technically minded. All of these devices and services are protected by passwords, and people tend to choose very weak, easily guessed ones. That can be fixed, and people can take additional steps to protect their information.

  1. Try to learn the basics of how your device works, particularly what is synchronised and backed up to online services; check your default settings;
  2. Secure your device with a PIN or password (How to: Android and iOS);
  3. Add encryption to your device, if possible (How to: Android);
  4. Add remote management so you can lock or wipe your device if it is lost (How to: Android (I also like Cerberus Anti Theft) and iOS);
  5. Use a strong password for all your accounts. The longer the better. (Read this XKCD comic. Read it, learn it, live it.)
  6. Consider a password manager like LastPass to generate complicated passwords for your accounts and to keep them safe. But protect your password vault with the longest and most complicated password you can reliably remember.
  7. Use two-factor authentication for your cloud accounts. While not particularly intuitive, two-factor authentication protects your account even if your password is compromised. This is critical. (How to: Google Accounts, DropBox, and most other places.) Any account to which you sync your personal images and video should be protected by two-factor authentication.

With these measures in place, you're much more secure than most people. But there is no such thing as perfect security. Knowing that there are malevolent people out there looking for this kind of content and other sensitive personal information, the next question needs to be "am I satisfied that this is as secure as it needs to be in light of the nature of the information and the consequences of a 'leak'"?

Sunday, July 27, 2014

Ontario court to hear telcos' challenge of police request for "tower dumps" including info on 40,000+ customers

An Ontario court has agreed to hear a Charter challenge brought by Rogers and Telus in response to a police request for "tower dumps" with records on over 40,000 calls or customers. The police subsequently withdrew their request, but the judge has agreed to hear the case in any event, given the important privacy interests at stake.

The short recital of the facts is very interesting and suggests the initial production order was staggeringly broad, requiring the production of personal information about tens of thousands of people who had nothing to do with the crime being investigated:

[8] Mobile telephones check into wireless networks by connecting to antennas that are frequently mounted on towers. A record is created whenever the telephone attempts or completes a communication which could be a phone call, text message or e-mail. The record identifies the particular tower at which the phone connected to the system. Each tower serves a geographical area ranging from a 10-25 km radius in the country and 1-2 km radius (or even less) in the city.

[9] The production orders against Rogers and Telus are in similar form. The orders require cell phone records for all phones activated, transmitting and receiving data through 21 specified Telus towers and 16 Rogers towers. The orders require the name and address of every subscriber making or attempting a communication and the particular cell tower being utilized. The orders are framed such that if both the person initiating and receiving the communication are Rogers (or Telus) subscribers, then information regarding the recipient must also be provided and the cell tower the recipient used must also be provided. The orders also require billing information which may include bank and credit card information.

[10] Telus and Rogers are both contractually obliged, subject to narrow exceptions, to keep customer personal information private and confidential.

[11] The existing order will require Telus to disclose the personal information of at least 9,000 individuals. Rogers estimates that it will be required to conduct 378 separate searches and retrieve approximately 200,000 records related to 34,000 subscribers.

[12] The existing orders do not specify how the customer information is to be safeguarded and does not restrict the purposes for which the PRP may use the information. For example the PRP is not restricted from retaining the information and using it with respect to unrelated investigations.

[13] The Telus affidavit indicates that since 2004 it has dealt with thousands of court orders requiring cell records. In 2013 alone, it responded to approximately 2,500 production orders and general warrants. To the knowledge of the Telus deponent, the order that it now challenges is the most extensive to date in terms of the number of cell tower locations, and length of time periods, for which customer information is required.

[14] The Rogers affidavit indicates that from 1985 to 2014 it has complied with many thousands of production orders. In 2013, alone it produced 13,800 “files” in response to production orders and search warrants.

The court also highlights that the privacy of millions of Canadians is implicated by the decision:

[41] With respect to the third criterion, sensitivity to the court’s proper law making function, there is effectively an ongoing dispute between the police and telecommunications providers. The fact the “tower dumps” are frequently used by police as an investigative tool is reflected in the material before me and is evident as a matter of judicial experience. The Rogers-Telus applications directly concern 40-50,000 individuals; it is safe to infer that the number of individuals affected across Canada would be in the hundreds of thousands, if not millions, every year.

See: R. v. Rogers Communications Partnership, 2014 ONSC 3853 and Telecoms’ charter case to be heard | The Chronicle Herald.

Thursday, July 10, 2014

Privacy Commissioner cautions insurers about the use of genetic testing

The Office of the Privacy Commissioner of Canada has today released a policy statement on genetic testing and the insurance industry. Essentially, the document says to tread carefully, but the subtext clearly is much more negative towards the practice.

From the media release:

News Release: Office of the Privacy Commissioner of Canada issues statement on the use of genetic test results by life and health insurance companies - July 10, 2014

OTTAWA, July 10, 2014 – The Office of the Privacy Commissioner of Canada is urging the life and health insurance industry to call on its members to refrain from asking applicants for access to existing genetic test results for the purposes of underwriting an insurance policy at this time.

“As science and technologies advance, protecting genetic privacy will become increasingly important and challenging,” says Privacy Commissioner Daniel Therrien.

“We are calling on the industry to refrain from asking for existing test results to assess insurance risk until the industry can clearly show that these tests are necessary and effective in assessing risk. This would allow people to undergo genetic testing for various purposes without fear that the results may have a negative impact if they apply for insurance.”

The step called for in the policy statement issued today would effectively expand the industry’s current voluntary moratorium on asking applicants to undergo genetic testing. The statement outlines the Office of the Privacy Commissioner’s position with respect to the application of the Personal Information Protection and Electronic Documents Act (PIPEDA) to this practice.

The statement says: “It is not clear that the collection and use of genetic test results by insurance companies is demonstrably necessary, effective, proportionate or the least intrusive means of achieving the industry’s objectives at this time.”

The statement reflects the Office of the Privacy Commissioner’s ongoing work on the privacy implications associated with genetic information.

The issue has prompted the introduction of private members’ bills at both the federal and provincial levels, and the issue was mentioned in the most recent Speech from the Throne.

The Office of the Privacy Commissioner has provided the statement to the Canadian Life and Health Insurance Association.

The Commissioners of Alberta, British Columbia and Quebec – all provinces with substantially similar private-sector legislation – support the work done by the Office of the Privacy Commissioner of Canada. Insurance companies in those provinces will need to consider provincial legislation in addressing these issues.

For more information about the two research papers that contributed to this statement and the OPC’s strategic priorities, please see:

Tuesday, July 08, 2014

Catherine Tully appointed new FOIPOP Review Officer of Nova Scotia

The Nova Scotia government has just announced the appointment of the new FOIPOP Review Officer for Nova Scotia, Catherine Tully.

Here's the media release:

New FOIPOP Review Officer Appointed | novascotia.ca

New FOIPOP Review Officer Appointed

Department of Justice

July 8, 2014 1:07 PM

Catherine Tully of Ottawa has been appointed Nova Scotia's new freedom of information and protection of privacy review officer.

Ms. Tully will oversee how provincial and municipal governments, school boards, universities, community colleges and hospitals protect the privacy of Nova Scotians and respond to requests for access to information.

"This is an important oversight role," said acting Justice Minister Mark Furey. "Nova Scotians have a right to information held by government and they expect us to protect their private information. I'm very pleased we have a strong leader to fulfill this responsibility. Ms. Tully has tremendous leadership and practical experience to bring to this role."

Ms. Tully has over 10 years of senior experience with government agencies and Crown corporations dedicated to access to information and privacy law. She's been the assistant information and privacy commissioner for British Columbia and, most recently, was the director of privacy and access to information for Canada Post. Although she spent much of her work and educational career in Ontario and British Columbia, Ms. Tully completed a master's degree in international law and human rights at Dalhousie University.

"I look forward to working with public bodies and health custodians to help them find practical solutions to the tough access and privacy issues," said Ms. Tully. "For citizens, I will continue the work of ensuring that Nova Scotians have meaningful access to government information and real protection of their personal information.

"I am honoured by this appointment and look forward to my return to Nova Scotia to tackle the opportunities and challenges of review officer."

The review officer is an independent ombudsman appointed by the Governor in Council for a term of five to seven years. The review officer accepts appeals from people and organizations who are not satisfied with the response they received from provincial government departments, most provincial agencies, boards and commissions, municipal government organizations and public bodies including community colleges, hospitals, universities, and school boards.

The review officer may make recommendations to the public body. The public body must respond in writing to the report. If the applicant, or a third party, is not satisfied with the outcome of a review, an appeal may be made to the Supreme Court of Nova Scotia.

Ms. Tully will begin Sept. 8.

Monday, June 23, 2014

The New Canadian Anti-SPAM Law and Your Business

This morning, I hosted an online webinar entitled The New Canadian Anti-SPAM Law and Your Business. We did it using Google's Hangout On Air feature, which allows a virtually unlimited number of people to attend live and creates a handy YouTube video of the entire session for future reference.

You'll see from the presentation that I'm not a big fan of the law, but it's going to be the law on July 1, 2014 and businesses need to get their ducks in a row if they haven't already.

If you're looking for specific advice about compliance, feel free to contact me at david.fraser@mcinnescooper.com.

Wednesday, June 18, 2014

Henry v Bell Mobility: Another Federal Court case shows PIPEDA damages are hardly worth pursuing absent evidence of actual harm

The Federal Court, in the recently issued decision in Henry v Bell Mobility 2014 FC 555 (not yet on CanLII or the Court's site) has awarded a very modest sum of damages to a customer of Bell Mobility whose phone account was accessed by an impostor. At the hearing before the Federal Court, Bell did not contest liability so all the Court had to consider was the appropriate measure of damages. Nevertheless, the facts are relevant: An individual was able to convince a customer service representative employed by the mobile phone company to grant her access to the complainant's account. She was provided with general account information and the last seven numbers dialed. The impostor was also allowed to make changes to the account.

The claimant alleged that he suffered a lost business opportunity as a result of the impostor then contacting an intended business associate of the claimant. However, the claimant did not offer any compelling evidence to support this business opportunity. Instead of the claimed compensatory damages of $35,500.00, punitive damages of $5,000.00, general damages of $5,000.00 and legal costs of $4,000.00, the Court awarded $2,500 in general damages plus $1,000 in costs. The complainant had argued that the Court should follow Chitrakar v Bell, but the court was not convinced.

[26] Chitrakar is distinguishable from the current case in that here Bell Mobility has taken responsibility for the breach of Mr. Henry's privacy rights; it has put in place steps to better train CSRs; it has not in any way benefited from the breach; and, has acknowledged that Mr. Henry is entitled to damages in keeping with the jurisprudence of this Court. Bell Mobility argued that damages in the range of $1,500 - $2,000 was more than adequate to compensate Mr. Henry in these circumstances.

[27] Having considered all of the evidence and the jurisprudence and given the circumstances under which the woman cajoled the Bell representative to make the changes to the account and the breadth of the information disclosed it is my view that an award of $2,500.00 is appropriate. Mr. Henry was self-represented at trial although he had counsel on record assisting him earlier in the case. In all of the circumstances, costs in the amount of $1,000.00 will cover disbursements and legal costs.

Interestingly, there is no mention of Jones v Tsige; the court only discusses PIPEDA cases.

What's the moral of this story? Absent any actual, provable harm, PIPEDA damages are hardly worth pursuing.

Friday, June 13, 2014

R v Spencer: Supreme Court rules internet users have a reasonable expectation of privacy and anonymity online

[Note: this post is a work in progress, and will be updated as I digest the decision.]

This morning, the Supreme Court of Canada released its decision in R v Spencer, 2014 SCC 43.

The case, on appeal from the Saskatchewan Court of Appeal, has finally provided some certainty regarding the expectation of privacy that all Canadians enjoy in their online activities. All internet users expose their IP addresses to the sites they visit and the computers they connect to, but generally it is only the internet service provider who can connect that innocuous string of digits to a real identity.

In this case, the police had obtained information about an internet user from his internet service provider without a warrant. The police asked for it using a "PIPEDA request" and the ISP simply provided it, relying on a broad provision in PIPEDA which -- in its view -- permits certain disclosures to law enforcement.

I am still digesting the decision, but some very important conclusions from the case:

  • Internet users have a reasonable expectation of anonymity in their online activities

    Contrary to the views of most police agencies and the government of Canada, this information is not innocuous "phone book information" but "Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage."

  • A police request to the ISP for customer information amounts to a "search" for Charter purposes
  • The fact that an ISP may be able to disclose information pursuant to s. 7(3)(c.1) of PIPEDA or the terms of use is relevant to the expectation of privacy, but not determinative of it
  • The request by the police had no "lawful authority" since they had no authority to compel the production of the information

There has been much controversy surrounding the term "lawful authority" in PIPEDA, which permits an organization to disclose personal information without consent in connection with an investigation where the police have identified their "lawful authority" to obtain the information. The police have generally argued that an investigation is sufficient to satisfy that. The Court disagreed:

[62] Section 7(3)(c.1)(ii) allows for disclosure without consent to a government institution where that institution has identified its lawful authority to obtain the information. But the issue is whether there was such lawful authority which in turn depends in part on whether there was a reasonable expectation of privacy with respect to the subscriber information. PIPEDA thus cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.

[63] I am aware that I have reached a different result from that reached in similar circumstances by the Ontario Court of Appeal in Ward, where the court held that the provisions of PIPEDA were a factor which weighed against finding a reasonable expectation of privacy in subscriber information. This conclusion was based on two main considerations. The first was that an ISP has a legitimate interest in assisting in law enforcement relating to crimes committed using its services: para. 99. The second was the grave nature of child pornography offences, which made it reasonable to expect that an ISP would cooperate with a police investigation: paras. 102-3. While these considerations are certainly relevant from a policy perspective, they cannot override the clear statutory language of s. 7(3)(c.1)(ii) of PIPEDA, which permits disclosure only if a request is made by a government institution with “lawful authority” to request the disclosure. It is reasonable to expect that an organization bound by PIPEDA will respect its statutory obligations with respect to personal information. The Court of Appeal in Ward held that s. 7(3)(c.1)(ii) must be read in light of s. 5(3), which states that “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”. This rule of “reasonable disclosure” was used as a basis to invoke considerations such as allowing ISPs to cooperate with the police and preventing serious crimes in the interpretation of PIPEDA. Section 5(3) is a guiding principle that underpins the interpretation of the various provisions of PIPEDA. It does not allow for a departure from the clear requirement that a requesting government institution possess “lawful authority” and so does not resolve the essential circularity of using s. 7(3)(c.1)(ii) as a factor in determining whether a reasonable expectation of privacy exists.

[64] I also note with respect to an ISP’s legitimate interest in preventing crimes committed through its services that entirely different considerations may apply where an ISP itself detects illegal activity and of its own motion wishes to report this activity to the police. Such a situation falls under a separate, broader exemption in PIPEDA, namely s. 7(3)(d). The investigation in this case was begun as a police investigation and the disclosure of the subscriber information arose out of the request letter sent by the police to Shaw.

[65] The overall impression created by these terms is that disclosure at the request of the police would be made only where required or permitted by law. Such disclosure is only permitted by PIPEDA in accordance with the exception in s. 7, which in this case would require the requesting police to have “lawful authority” to request the disclosure. For reasons that I will set out in the next section, this request had no lawful authority in the sense that while the police could ask, they had no authority to compel compliance with that request. I conclude that, if anything, the contractual provisions in this case support the existence of a reasonable expectation of privacy, since the Privacy Policy narrowly circumscribes Shaw’s right to disclose the personal information of subscribers.

[66] In my view, in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.

Here is the headnote summary of the decision:

Constitutional law — Charter of Rights — Search and seizure — Privacy — Police having information that IP address used to access or download child pornography — Police asking Internet service provider to voluntarily provide name and address of subscriber assigned to IP address — Police using information to obtain search warrant for accused’s residence — Whether police conducted unconstitutional search by obtaining subscriber information matching IP address — Whether evidence obtained as a result should be excluded — Whether fault element of making child pornography available requires proof of positive facilitation — Criminal Code, R.S.C. 1985, c. C‑46, ss. 163.1(3), 163.1(4), 487.014(1) — Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5, s. 7(3)(c.1)(ii) — Charter of Rights and Freedoms, s. 8.

The police identified the Internet Protocol (IP) address of a computer that someone had been using to access and store child pornography through an Internet file sharing program. They then obtained from the Internet Service Provider (ISP), without prior judicial authorization, the subscriber information associated with that IP address. The request was purportedly made pursuant to s. 7(3)(c.1)(ii) of the Personal Information Protection and Electronic Documents Act (PIPEDA). This led them to the accused. He had downloaded child pornography into a folder that was accessible to other Internet users using the same file sharing program. He was charged and convicted at trial of possession of child pornography and acquitted on a charge of making it available. The Court of Appeal upheld the conviction, however set aside the acquittal on the making available charge and ordered a new trial.

Held: The appeal should be dismissed.

Whether there is a reasonable expectation of privacy in the totality of the circumstances is assessed by considering and weighing a large number of interrelated factors. The main dispute in this case turns on the subject matter of the search and whether the accused’s subjective expectation of privacy was reasonable. The two circumstances relevant to determining the reasonableness of his expectation of privacy in this case are the nature of the privacy interest at stake and the statutory and contractual framework governing the ISP’s disclosure of subscriber information.

When defining the subject matter of a search, courts have looked not only at the nature of the precise information sought, but also at the nature of the information that it reveals. In this case, the subject matter of the search was not simply a name and address of someone in a contractual relationship with the ISP. Rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage.

The nature of the privacy interest engaged by the state conduct turns on the privacy of the area or the thing being searched and the impact of the search on its target, not the legal or illegal nature of the items sought. In this case, the primary concern is with informational privacy. Informational privacy is often equated with secrecy or confidentiality, and also includes the related but wider notion of control over, access to and use of information. However, particularly important in the context of Internet usage is the understanding of privacy as anonymity. The identity of a person linked to their use of the Internet must be recognized as giving rise to a privacy interest beyond that inherent in the person’s name, address and telephone number found in the subscriber information. Subscriber information, by tending to link particular kinds of information to identifiable individuals may implicate privacy interests relating to an individual’s identity as the source, possessor or user of that information. Some degree of anonymity is a feature of much Internet activity and depending on the totality of the circumstances, anonymity may be the foundation of a privacy interest that engages constitutional protection against unreasonable search and seizure. In this case, the police request to link a given IP address to subscriber information was in effect a request to link a specific person to specific online activities. This sort of request engages the anonymity aspect of the informational privacy interest by attempting to link the suspect with anonymously undertaken online activities, activities which have been recognized in other circumstances as engaging significant privacy interests.

There is no doubt that the contractual and statutory framework may be relevant to, but not necessarily determinative of whether there is a reasonable expectation of privacy. In this case, the contractual and regulatory frameworks overlap and the relevant provisions provide little assistance in evaluating the reasonableness of the accused’s expectation of privacy. Section 7(3)(c.1)(ii) of PIPEDA cannot be used as a factor to weigh against the existence of a reasonable expectation of privacy since the proper interpretation of the relevant provision itself depends on whether such a reasonable expectation of privacy exists. It would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent. The contractual provisions in this case support the existence of a reasonable expectation of privacy. The request by the police had no lawful authority in the sense that while the police could ask, they had no authority to compel compliance with that request. In the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. Therefore, the request by the police that the ISP voluntarily disclose such information amounts to a search.

Whether the search in this case was lawful will be dependent on whether the search was authorized by law. Neither s. 487.014(1) of the Criminal Code, nor PIPEDA creates any police search and seizure powers. Section 487.014(1) is a declaratory provision that confirms the existing common law powers of police officers to make enquiries. PIPEDA is a statute whose purpose is to increase the protection of personal information. Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, the police do not gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information. The conduct of the search in this case therefore violated the Charter. Without the subscriber information obtained by the police, the warrant could not have been obtained. It follows that if that information is excluded from consideration as it must be because it was unconstitutionally obtained, there were not adequate grounds to sustain the issuance of the warrant and the search of the residence was therefore unlawful and violated the Charter.

The police, however, were acting by what they reasonably thought were lawful means to pursue an important law enforcement purpose. The nature of the police conduct in this case would not tend to bring the administration of justice into disrepute. While the impact of the Charter‑infringing conduct on the Charter protected interests of the accused weighs in favour of excluding the evidence, the offences here are serious. Society has a strong interest in the adjudication of the case and also in ensuring the justice system remains above reproach in its treatment of those charged with these serious offences. Balancing the three factors, the exclusion of the evidence rather than its admission would bring the administration of justice into disrepute. The admission of the evidence is therefore upheld.

There is no dispute that the accused in a prosecution under s. 163.1(3) of the Criminal Code must be proved to have had knowledge that the pornographic material was being made available. This does not require however, that the accused must knowingly, by some positive act, facilitate the availability of the material. The offence is complete once the accused knowingly makes pornography available to others. Given that wilful blindness was a live issue and that the trial judge’s error in holding that a positive act was required to meet the mens rea component of the making available offence resulted in his not considering the wilful blindness issue, the error could reasonably be thought to have had a bearing on the trial judge’s decision to acquit. The order for a new trial is affirmed.

For some background on "PIPEDA requests", check out the blog posts tagged with "PIPEDA requests".

Tuesday, June 10, 2014

Why Friday's decision in R v Spencer will be a BIG DEAL for privacy

As I blogged yesterday, the Supreme Court of Canada has announced that it will release its decision in the appeal from Saskatchewan Court of Appeal in R v Spencer, 2011 SKCA 144. This decision, regardless of how the Court rules, will likely be a very big deal for privacy rights of customers of telecommunications service providers in Canada. It will hopefully decide whether Canadians have a reasonable expectation of privacy in information that is attached to an IP address.

Here's some background (mainly drawn from the Court of Appeal decision) and why this is a big deal.

The police detected somebody -- at that time unknown -- using the file sharing program and protocol LimeWire to share child pornography. At that stage, all they had was the IP address of the computer or network connection being used. Using publicly available tools, they determined the IP address was allocated by the internet service provider, Shaw Communications. The police officer, though he likely had sufficient grounds to get a production order under the Criminal Code, simply wrote to the ISP with the following request:

Constable Darren Parisien … is investigating a criminal code offence pertaining to child pornography and the internet. We have opened [sic] file investigation in relation to this investigation.

Pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA), we request the disclosure of customer identifying information including but not limited to name, internet service provider records, address of service, current service status and phone number relevant to the following:

1. Internet Protocol Address on 2007-August-31 at 1246 hours (Local Saskatchewan time)

This information is being requested to assist in an ongoing investigation. We declare that Constable Darren Parisien of the Saskatoon Police Service Organized Crime Unit – Vice Section [sic] has the lawful authority to obtain the information and that the following section of PIPEDA is satisfied for this request: [full text of s. 7(3)(c.1) omitted]

This request specifically satisfies Paragraph 7(3)(c.1)(ii).

And, with that, the police got the customer name and address from the ISP. That information was used to get a search warrant of Spencer's house and he was subsequently arrested. At the trial, Spencer argued that the warrantless disclosure of his information by Shaw was a violation of his Charter rights. This motion was denied and he appealed to the Court of Appeal on this issue.

The Court of Appeal agreed with the trial judge, finding that any objective expectation of privacy was effectively gutted by the Shaw privacy policy and acceptable use policy, which reserve to Shaw a very broad discretion to disclose personal information to the police. There was no real discussion about whether such terms of use are ever read by customers and whether they really should temper the expectation of privacy that most of us have about our internet usage.

[42] In summary, neither its contractual relationship with Mr. Spencer’s sister, as set out in the Services Agreement, nor PIPEDA prohibited Shaw from disclosing the Disclosed Information in the circumstances of this case; rather, each clearly provided Shaw with the discretion to disclose information to the police in these exact circumstances, and Shaw had Mr. Spencer’s sister’s express, informed consent to do so. The sum of these factors militates very strongly against a finding that Mr. Spencer’s privacy expectation was reasonable.

In short, the police can ask for and, under the Court's reading of PIPEDA, the internet service provider can provide the customer's personal information.

So what's the big deal? This is not an exceptional case; what's exceptional is that the Supreme Court of Canada is going to weigh in on whether a Canadian has an expectation of privacy in his or her internet activities. We know that thousands of times a year the police go to internet service providers asking for information about their customers and thousands of times a year, this information is provided. A quick search of CanLII shows this: search for "pipeda request" and you'll get a dozen reported cases. They show voluntary cooperation by such internet service providers as Uniserve, Shaw, Bell Sympatico, Northwestel, and Rogers. (Recently, Rogers and Teksavvy disclosed in their respective transparency reports a high level of providing customer information in similar circumstances without a warrant. For Rogers, it provided customer information 711 times in 2012/2013.)

As I understand it, the form of letter was a result of the coordinated effort of law enforcement and a group of internet service providers who have agreed to provide warrantless access to customer account information in connection with child exploitation investigations. They are designed to satisfy the requirements of Section 7(3)(c.1)(ii) of PIPEDA which permits disclosures of personal information to the police where they have the "lawful authority" to obtain the information and the information relates to "enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law".

It was exactly this sort of disclosure that was so controversial in Vic Toews' Bill C-30. That bill, if passed, would have permitted police officers to demand customer names and addresses connected to a known IP address. ISPs would have been required to hand over the information. The controversy stemmed from the fact that these demands are unaccountable and are not subject to ANY supervision by the courts. The "request" at issue in R v Spencer is the same: made without a warrant based on reasonable grounds, completely unaccountable and with no judicial oversight. In addition, the relevant individual is NEVER informed of the fact that the request was made or that the information was disclosed. To top it off, there is no information under oath so there is no disincentive to lie in these PIPEDA requests. (I find it to be telling that nowhere near 711 charges resulted from the requests made of Rogers.)

So what's the big deal with having an ISP connect an IP address with a customer's name and address? There has been some suggestion by the law enforcement community that a customer's name and address is just "phone book information" and there's no expectation of privacy in that. That misses the point and shows contempt for the right to privacy. A customer’s name and address, when connected with an IP address, is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their "offline" life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that IP address that can often be traced back to an individual or a small group of people. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities pierces the reasonable expectation of anonymity and amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. This is why, in my view, judicial supervision should be required. We'll see whether the Supreme Court of Canada agrees with this view ...

At the very least, I expect the Supreme Court of Canada will provide some clear guidance on whether -- under the Charter of Rights and Freedoms -- there is a reasonable expectation of privacy and anonymity on the internet that can only be pierced by an order from a judge, who is satisfied on information under oath that there are reasonable grounds to believe a crime has been committed and that the order is necessary to uncover evidence of the offender. Stay tuned ...

Monday, June 09, 2014

Supreme Court to release warrantless ISP disclosure decision on Friday

The Supreme Court of Canada has just announced that it will release its decision in R. v. Spencer on Friday. For those concerned with "lawful access" and warrantless disclosure of telco customer information, this will be a biggie.

Here's the summary of the case ...

SCC Cases (Lexum) - Judgments to be Rendered in Appeals:

34644 Matthew David Spencer v. Her Majesty the Queen

Canadian Charter of Rights and Freedoms - Search and seizure - Whether the Court of Appeal erred in concluding that there was no reasonable expectation of privacy in the information attached to an IP address - If the appellant’s rights under s. 8 of the Charter were breached, whether the evidence gathered upon the execution of the search warrant should be excluded pursuant to s. 24(2) of the Charter - Whether the Court of Appeal erred in overturning the trial judge’s decision according to which the appellant did not have the requisite mens rea to commit the offence of making available child pornography, on the basis that the trial judge failed to consider the question of wilful blindness on the part of the appellant - Criminal Code, R.S.C. 1985, c. C-46, s. 163.1(3).

The appellant downloaded child pornography from the Internet using a peer-to-peer file-sharing software program that connects users over the Internet. He stored child pornography in his shared folder and did not override the software’s default settings that made his shared folder accessible to other users from which they could obtain downloads of his files. A police officer searched his folder and discovered the pornographic files. The officer could not identify the owner of the folder but did determine that the Internet Protocol address being used by the owner of the folder had been assigned by Shaw Communications. The police wrote to Shaw and requested information identifying the assignee at the relevant time. Shaw identified the appellant’s sister. The police obtained a warrant and searched her residence, where they seized the respondent’s computer. The appellant was charged with possession of child pornography and making child pornography available.

Origin of the case: Saskatchewan

File No.: 34644

Judgment of the Court of Appeal: November 25, 2011

Aaron A. Fox, Q.C. and Darren K. Kraushaar for the appellant

Anthony B. Gerein for the respondent

Saturday, June 07, 2014

Canadian telcos release transparency reports

In the past week, in a significant development, both Teksavvy and Rogers have released information that provides much greater insights into government demands for personal information from telecommunications companies.

Teksavvy is one of the largest independent internet service providers and they released their report in the form of a comprehensive response to the letter sent to them by the Citizen Lab's Chris Parsons (See: Citizen Lab calls for transparency by Canadian telcos). Many may remember that Teksavvy was the ISP that went to court to challenge a demand by a Hollywood studio for information about users who were alleged to have violated copyright.

Rogers is one of Canada's largest "full service" telecommunications service providers, offering landline and mobile telephone services, in addition to cable internet. Their report is slightly less detailed, presumably because they are very constrained by the government (by the Solicitor General's guidelines on lawful interception).

This is a great advance in transparency and a good first step. It also provides some useful information for the discussion and debate about warrantless disclosures of personal information by telecommunications service providers. The reports both show that in the period under discussion, both Rogers and Teksavvy disclosed customer information without a warrant in a range of circumstances.

The Teksavvy report shows they provided customer names and addresses when provided with an IP address in at least 16 out of the 17 such disclosures. The circumstances of those disclosures are not reported. (To be fair, they say in their letter that they will no longer do this.) The Rogers report shows they did the same in what they called

Child sexual exploitation emergency assistance requests:

Legal authority: The Criminal Code and PIPEDA. Details: We assist police during child exploitation investigations. Examples of info provided: Confirming a customer’s name and address when provided with an IP address so that police can get a search or arrest warrant to stop the sexual exploitation of a child.

The number of these warrantless disclosures is very high: 711 such disclosures. These are presumably the controversial PIPEDA requests, under which a number of ISPs have agreed to cooperate with law enforcement when they are told the request is connected with a child exploitation investigation. They cite PIPEDA as the authority, though the section in question (s. 7(3)(c.1)) does not require disclosure and is only applicable when the law enforcement agency has shown its "lawful authority" to demand the information. There is not yet any consensus about what "lawful authority" actually means.

For some really great reporting on these transparency reports, check out:

Now that Rogers in particular has made this disclosure, I'm looking forward to the other large telcos following suit.