I had the pleasure of speaking to the Canadian Institute for the Administration of Justice's annual conference this week in St. John's. My second panel presentation was on emerging issues and I focused on wearables.
My presentation is here:
I had the pleasure of speaking to the Canadian Institute for the Administration of Justice's annual conference this week in St. John's. My first panel presentation was on the collision between privacy and freedom of expression in the form of the "Right to be Forgotten". Spoiler alert: it would be unconstitutional in Canada.
Here's my presentation:
Only a short time until the Canadian Bar Association's 5th Annual Privacy and Access Law Symposium in Ottawa at the end of the month. The conference is uniformly excellent with great speakers.
Special guest post by Detective Constable Warren Bulmer of the Toronto Police Service.
Note: Det Cst Bulmer has been invited to post on this blog before. See: Guest post: A police officer's take on informational privacy and the police in the digital age and A police officer's response to my recent critique of lawful access.
A couple of months have passed since the Supreme Court of Canada rendered their decision on informational privacy in R v. Spencer (2014 SCC 43). Most of the feedback I have read online or in the mainstream media, by way of public comment or via the privacy pundits have declared the decision a victory. I am not sure I agree, not because I hold the position I do, but more because to my mind the decision didn’t really change much of anything. I hope to explain my views in this post, and highlight what impact the decision has on the police and the Justice system as a whole going forward.
The views expressed in this post are mine alone, and are not to be taken as the views of any police service.
Unfortunately, the Supreme Court misunderstood the complexity of dynamic IP addresses. In some contexts, an IP address when used in criminal activity such as sharing child pornography files in a peer to peer environment could offer the police the ability to see what else that IP address has been sharing but it may not necessarily always be the same person responsible for the activity. It does not offer the ability for the police to see what else you might be doing online outside of that context. The police need to isolate the IP address, a date and a time for each incident to narrow down which person(s) may be responsible for the activity. An IP address used in one context on the Internet does not then offer the police some sort of superpower to read your email, see what suspicious websites you went on or what you typed into Google last night. Despite what you’ve heard, the police cannot find your Facebook profile because they got your IP address from E-donkey. Most Internet users have or use Service Providers that assign dynamic IP addresses. For example, this could mean that over a 24 hour period, more than 75 different customers could have used any given IP address.
The public generally do not understand how their devices connect to the Internet, nor do they understand how IP addresses can be traced back to them while they are surfing.
Tracing IP addresses is very specific and extremely complicated; Justice Cromwell wrote as much in paragraph 8 of the Spencer ruling “There is little information in the record about the nature of IP addresses in general or the IP addresses provided by Shaw to its subscribers”
The concern in Spencer was that the Police got an IP address connected to the sharing of Child Pornography files and then obtained a name connected to that IP address for a specific date and time. Once the police have your name, well of course they can then check various databases or systems and the Internet for other pieces of information about you. That isn’t new, we do that every day, when we run the licence plate of your car or when you call to report something to the police. The police, like you, can use Google.
An IP address alone cannot identify anything other than the Internet Service Provider who owns it. Some of you may have been assigned the same IP address as someone who was downloading or sharing child pornography in the past. I believe I am safe to infer that you would not expect the police to barge through your door with a warrant alleging such a heinous crime because someone got the date and time wrong or didn’t use any specific dates and times. In the world of the Internet and dynamic IP assignments it can happen that easily. It wouldn’t matter if the police got your information by way of a court order, warrant or if it was voluntarily disclosed.
Police have many powers, defined in many different statutes, regulations and other Acts of Parliament both federally and provincially. The most common sources of police powers are provincial traffic statutes such as the Highway Traffic Act (Ontario) and the Criminal Code of Canada (Federal Act). When the police believe on reasonable and probable grounds or in some circumstances have reason to suspect an offence against an Act of Parliament has been committed their various powers can be exercised with or without a warrant or court order.
In the Spencer case, the police obtained the subscriber information linked to an IP address used at a specific date and time that was seen sharing child pornography files in a peer to peer client called LimeWire. They obtained the information without a warrant or court order by formally requesting it in writing from a third party, Shaw Communications, the Service provider (owner) of the IP address.
The Criminal Code, specifically Section 487.014, allows police to ask third party record holders for such records without a court order or warrant, often called voluntary disclosure or more inappropriately a “warrantless search”.
487.014 (1) For greater certainty, no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.
As the court rightfully pointed out in Spencer this section of the Code does not “create any police search and seizure power”. The power resided with the record holder to “voluntarily” provide police with what they asked but they could not be compelled to do so under this section.
The Internet Service Provider when deciding on this type of lawful request by police would rely on another piece of Federal legislation called the “Personal Information Protection and Electronic Documents Act” (PIPEDA) specifically section 7(3)(c.1)(ii):
(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if
(ii) The disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law.
As such, the police could ask for subscriber records and the decision was left to the Internet Service provider to hand them over. This was a common practice for the past several years in child pornography or child exploitation cases as well as Terrorism, National Security and other public safety emergencies.
Until Spencer, this practice of voluntarily disclosing information to police had been repeatedly held by both trial and appellate courts across Canada to be lawful. A search warrant or court order was not required. See, for example, R v. Ward 2012 ONCA 660.
Most ISPs when asked for the very same subscriber records in a fraud case or an online harassment case for example, would not voluntarily choose to disclose. This was despite the fact that the authorities or the governance for making a request in those cases was exactly the same. So why was the law applied differently? I can’t answer that other than to say that it wasn’t the police, it was the ISPs who were dictating the application of the law.
Officers who needed subscriber records for IP addresses in other than child pornography or child exploitation cases have always had to write a court order to obtain them.
The records they received from the ISPs once compelled by court order were exactly the same as the ones received by a lawful request form as described in the Spencer case. The stated reasoning behind it was articulated as the necessity to expedite the length of time required so law enforcement could act more quickly when children were at risk.
On many levels, it seems logical to conclude that in such cases children are being abused or are targets for predators and police must act quickly when such victimization is imminent. What about the senior citizen who has just been defrauded of their entire life savings and no longer has money to pay for food, clothing or other life essentials? Do they have the right to swift justice? The ISPs have maintained they do not.
The difference between these two cases in the Pre-Spencer era would go like this. In the child pornography case, police would ask the ISP for the subscriber records for the IP address, date and time of the downloader and receive it within a few hours or days and be in a position to advance the investigation. I was involved in cases where we arrested someone within hours of receiving their name under this kind of regime given the risk to a child. But in the fraud case against the senior citizen, the victim would have to wait for 30-40 days for the police to get a court order for the IP address of the fraudster and for the ISP to “get around” to sending it back to the police. So in theory, the Internet Service Provider decided who was protected by the Charter by forcing the police to obtain prior judicial authorization in some cases but did not require it in others for all the same subscriber information.
Most of the post-Spencer discussion has focused on the protection of privacy the Supreme Court enshrined: privacy defined over two decades ago in R v. Plant [1993 3 SCR 281]. Privacy in the digital age that became entrusted to the Internet Service Providers to define on a case by case basis.
I think what has been missed is the fact that although they determined Mr. Spencer’s rights were breached by a lawful request absent judicial oversight, they ruled it was minor and upheld his conviction. When the case was investigated, given the current state of the law at that time which permitted such requests without a prior court order, the Police acted in good faith. Each case has its own merits and courts analyze the totality of the circumstances for each one. Obtaining records from ISPs was ruled to be a search in the Spencer case.
For the future, police will generally have to obtain court orders when seeking subscriber records from ISPs but as I said that isn’t a change for most types of investigations. The court order police will typically seek to satisfy the pre-judicial requirement set out in Spencer is called a Production Order. Section 487.012 of the Criminal Code permits their use for obtaining 3rd party records. They are not hard to write and the test, arguably less stringent than a search warrant, is “an offence against this Act or any other Act of Parliament has been or is suspected to have been committed”. Reasonable suspicion is a lesser threshold than reasonable grounds (to believe).
Another important point that has been left out by the privacy advocates is that as a result of this decision, the court orders police will now have to use to obtain subscriber information come with a prohibition of disclosure condition. The demand in today’s post “Snowden” era is more transparency for government requests issued to ISPs. Under the voluntary disclosure provisions there was no legal mechanism for the police to seek a prohibition for disclosure on a company from notifying a user that a request for their information was made. In fact, since the NSA fiasco, many companies have built or re-written their disclosure policies to make mandatory notification to a user of any government or State requests for subscriber records. The privacy protected by the SCC also now includes the privacy of the police request as so ordered by a court to prohibit a company from notifying a subscriber regardless of their notification policy. It can be filed under the “be careful what you wish for” category.
Time will tell what the 3rd party records holders do or more importantly how they interpret what the Supreme Court wants to protect.
Do they want to protect your name only while you’re online? Your name is everywhere, ID cards, uniform name tags, credit cards, call display. Every time you swipe or insert a card your name connected to your card number becomes a record in somebody’s system. What now of “unlisted” phone numbers or cellular phone subscribers. Do we really want a world where Internet trolls, phone harassers and the like have the freedom to run amuck knowing the police need them to ‘cross the line’ so court orders can be obtained to do anything about it? The police can only get a court order if a law is broken.
It is difficult to translate what is intended by paragraph 38 of the Spencer ruling:
“To return to informational privacy, it seems to me that privacy in relation to information includes at least three conceptually distinct although overlapping understandings of what privacy is. These are privacy as secrecy, privacy as control and privacy as anonymity.”
For the police, the right to ask remains, but now it carries the risk of losing at trial the information obtained. The most acceptable remaining use of the right to ask for information without a court order is exigent or emergency circumstances, such as imminent harm or death to any person and/or the destruction of evidence. Police deal with bonafide emergencies every day, and court orders may be impracticable in certain situations. The SCC acknowledges this necessity at paragraph 74 in Spencer; however even in these emergency situations, ISPs can still decide whether or not to provide the information requested.
More time is needed to evaluate how much impact the Spencer decision will have overall on criminal investigations. If police now need court orders for all third party record cases, ISPs will be inundated with such orders.
The current standard in most cases averages about a 30-40 day turnaround from the time the police serve the company with a court order until the information is provided to the police. That number is bound to increase if there are more court orders. If the company needs to hire more security analysts or law enforcement support staff they will inherit more costs.
The increase of costs will ultimately be passed onto you the customer. The police can’t be billed because it is a court order and unless the company wants to fight the order, which they can do, they are compelled to comply. Under the voluntary disclosure regime, police could be and in some cases were billed for each disclosure sought.
Some might speculate that the police may not “bother” because it could take too long to proceed with an investigation. There is no doubt, investigations will take longer and inevitably some could slip through the cracks as a result of a lack of timely information. In a majority of technical cases, the IP address is a part of the initial piece of an investigation and police need to identify who is behind it before the investigation can go forward.
I see it a different way. Police officers have a duty to investigate, and having them write court orders in almost every case could be a good thing. Some officers could become better investigators, their ability to search for and seek evidence could increase, and their cases could face less scrutiny at trial because they will have learned to respect a person’s right to privacy. Some officers could become very good at drafting affidavits thereby withstanding the most volatile of cross-examinations.
When police seek evidence with prior judicial authorization, the search becomes prima facie reasonable. A search without prior judicial authorization is automatically unreasonable. In my opinion, the Spencer decision makes it harder for the “bad guys”. Speaking candidly, if I am writing a court order to get your name, it is likely that providing the grounds to do so exist; I am going to seek further information about you as my suspect than I might have had the lawful authority to only ask about. The court order will compel the information I didn’t have access to before.
In closing, my message to victims is to be patient. Most police officers will be doing everything they can to help you, but it is likely going to take longer than it used to. Ensure you are communicating with the officer frequently and ask for a status report on your case.
Privacy on the Internet is important, but equally important is a fair system for all citizens. We want to ensure that court decisions and legislative changes don’t make victims more vulnerable while the pendulum swings in favour of those who hide behind an Internet address to commit crime. It is a balancing act. Giving the State too much power is dangerous, but so is taking too much away.
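The guest post's point about dynamic IP addresses, that a subscriber can only be narrowed down from an IP address together with an exact date and time, is illustrated here as an added example; it is not from the guest post or from any police or ISP system. The lease log, subscriber IDs, function names and the UTC-4 offset are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: DHCP-style lease records for two addresses in the
# documentation range 203.0.113.0/24. Times are UTC; subscriber IDs are made up.
_RAW_LEASES = [
    ("203.0.113.25", "SUB-1001", "2014-08-01T00:00:00", "2014-08-01T06:30:00"),
    ("203.0.113.25", "SUB-1002", "2014-08-01T06:30:05", "2014-08-01T13:10:00"),
    ("203.0.113.25", "SUB-1003", "2014-08-01T13:10:20", "2014-08-01T23:59:00"),
    ("203.0.113.77", "SUB-2001", "2014-08-01T00:00:00", "2014-08-01T23:59:59"),
]


def _utc(text):
    """Parse an ISO timestamp from the sample log and mark it as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


LEASES = [(ip, sub, _utc(start), _utc(end)) for ip, sub, start, end in _RAW_LEASES]


def subscribers_for_ip(ip):
    """Everyone who held the address at any time: all an IP alone can say."""
    return [sub for lease_ip, sub, _, _ in LEASES if lease_ip == ip]


def resolve(ip, observed_at, skew=timedelta(0)):
    """Return subscribers whose lease covers observed_at, within +/- skew.

    observed_at must carry a time zone; a naive timestamp is rejected because
    guessing the zone silently shifts the lookup onto another lease.
    More than one result means the observation is ambiguous, not a match.
    """
    if observed_at.tzinfo is None:
        raise ValueError("observation time needs an explicit time zone")
    t = observed_at.astimezone(timezone.utc)
    return [sub for lease_ip, sub, start, end in LEASES
            if lease_ip == ip and start <= t + skew and t - skew < end]


if __name__ == "__main__":
    ip = "203.0.113.25"
    print("IP only:", subscribers_for_ip(ip))

    # Investigator's clock read 10:00 in a UTC-4 zone (assumed for the example).
    local = timezone(timedelta(hours=-4))
    seen = datetime(2014, 8, 1, 10, 0, tzinfo=local)
    print("correct zone:", resolve(ip, seen))

    # Same wall-clock reading wrongly treated as UTC lands on another customer.
    wrong = datetime(2014, 8, 1, 10, 0, tzinfo=timezone.utc)
    print("zone mistaken for UTC:", resolve(ip, wrong))

    # Observation inside a lease hand-over, allowing 30 s of clock drift.
    edge = datetime(2014, 8, 1, 13, 10, 10, tzinfo=timezone.utc)
    print("hand-over, 30 s skew:", resolve(ip, edge, timedelta(seconds=30)))
```
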
The Protecting Canadians from Online Crime Act, also known as the controversial cyberbullying and lawful access ("law adjacent" access?) bill is in the home stretch, about to be passed by the House of Commons. From the CBC: Cyberbullying bill inches closer to law despite privacy concerns - Politics - CBC News.
I have had a lot to say about it, so for background, please check out the Bill C-13 Tag.
The 18th annual conference of the Canadian Information Technology Law Association is coming up in Montreal, October 20-21, 2014.
I have not missed an IT-Can conference since I started practicing law and have been honoured to be a regular speaker. (In fact, I liked the association so much, I was the president of the Association for a while. :) I'm moderating a panel on privacy, big data and data governance. There are other excellent plenary sessions and round-tables for anyone with an interest in tech or privacy law. A veritable buffet:
The Annual Update on IP Issues • Cybersecurity: Mitigating Business Risk • Evolution of IT Licensing: From Software Licensing to Software as a Service • Privacy and Information Governance Challenges in the Age of Big Data • IT and the Practice of Law: Whatever Happened to the Paperless Office? • Développements récents 2013-2014 en TI en droit québécois • Canada's New Anti-Spam Legislation: Compliance Challenges and Risk Mitigation Strategies • Mobile Payment Technology Issues • Hot Topics in IT Law 2014 • A Checklist of Issues for Doing Business in Quebec • Strategic Use of Outsourcing Arrangements • Global Practice Issues: The Intersection of Anti-Corruption and Technology • Mobile and Telecommunications Contracting • The Current State of Net Neutrality
I was invited to contribute to the Hill Times Policy Briefing on Information Technology that was released today. Here's what I had to say:
Canadians deserve to participate in an informed conversation about privacy and surveillance
A multi-year conversation about privacy and surveillance is finally coming to a head, and it may be one of the defining issues of our time. This is a pivotal aspect of the relationship between citizens and the state, and Canadians have a right to sufficient information about the government’s activities to contribute to an intelligent conversation.
The topic of privacy and government surveillance has been making headlines in Canada for the last several years. Huge numbers – MILLIONS OF REQUESTS! – grab attention, but there is little understanding of the circumstances under which information is requested and disclosed from telecommunications service providers, the extent to which law enforcement seeks information, or even the nature of the information. Canadian law enforcement and security agencies have many of the same powers as their US counterparts. Canada has an equivalent of the USA Patriot Act: this is little-known and the import is little-understood. Few Canadians are aware that laws, including the Customs Act, the Excise Tax Act and the Environment Act, authorize warrantless access to personal information without judicial oversight or notice to the affected persons. Nobody outside government knows how often or how these powers are used.
Ever since the first efforts at legislating “lawful access” years ago, civil society groups have attempted to engage law enforcement and government in a dialogue to understand privacy and warrantless access to information about citizens. Their efforts have reached a crescendo as leaks from Mr. Snowden, furor over Bill C-13 and the Supreme Court of Canada decision in R. v. Spencer draw further attention to the issue. More recently, it has been reported that Rogers and Telus are challenging an order that they turn over call records of more than forty-thousand customers in one “tower dump”.
Law enforcement’s participation in that dialogue can be summed up in the following: “trust us, but it’s not private information anyway so don’t worry about it.” Government and national security agencies stonewall, telling us: “we don’t talk about national security.” Or cabinet ministers state that questioning such powers puts one in league with child pornographers. The credibility of assertions that Canadians are not targeted for mass warrantless surveillance has been dramatically undermined by documents from Mr. Snowden’s cache. Speculation that members of the “Five Eyes” - Canada included - spy on each other’s citizens is left largely uncontradicted.
The result is an informational vacuum in which hard facts are rare, leading to dire and Orwellian speculation.
Until recently, the only visibility into the Canadian government’s demands for information about its citizens had to be coerced from either the telcos or government. Thankfully, a small handful of telcos followed the lead of Google, Twitter and Facebook by releasing “transparency reports” earlier this year. But even here, the information is sparse, incomplete and likely misleading.
The reported data does not tell us, for example, how many requests are related to call records (so-called metadata) or unlisted numbers, in comparison to looking up the owner of a particular phone number. How many requests sought customer info based on IP addresses, which was the focus of the Spencer decision? How many customer accounts are affected?
Canadians have a Charter-guaranteed right to privacy, which can be limited “subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.” This is a critical balancing act, recognizing that the state has a compelling interest in protecting society and the national security. At the same time, widespread, warrantless surveillance of a population is one of the hallmarks of a police state and the antithesis of how most Canadians imagine their country.
To what extent are we a free and democratic society? The only way this conversation can take place is when law enforcement agencies and national security organizations are transparent about the use of these powers. We already have similar information about the use of wiretap powers under the Criminal Code, tabled in Parliament annually. Providing statistics cannot conceivably undermine security or the effectiveness of investigative techniques.
Canadians have a right to express informed opinions about where the line should be drawn and where the balance between privacy and security should rest. This conversation is one of the most important for our society, and Canadians have a right to an informed discussion. It may well be that Canadians will be satisfied where the lines are drawn and where the balance lies; but without transparency, we can only speculate.
David TS Fraser practices internet and privacy law with the firm McInnes Cooper. He is the author of the Canadian Privacy Law Blog (blog.privacylawyer.ca) and can also be found on Twitter at @privacylawyer. The views expressed are the author’s alone and should not be attributed to his firm or its clients.
Later today, I'll be giving a presentation to the Nova Scotia School Boards Association on Canada's Anti-Spam Law (CASL) and how it affects their operations. There has been a huge amount of confusion about the impact of this law on organizations like school boards, which are generally not engaged in commercial activity and can't really take advantage of some of the implied consent provisions that are available to other organizations.
Here's the presentation, in case it is of interest or useful:
Hot on the heels of Telus' transparency report, SaskTel has also released its very first transparency report [PDF] on government data demands.
It's worth giving the report a look, and noting that SaskTel is the only telco in Canada that is also subject to a public sector privacy law that has very broad latitude for data disclosure to law enforcement.
Here are the numbers:
General – Listed Customer Name and Address 1,582
Court order 4,139
Freedom of Information and Protection of Privacy (excluding child sexual exploitation) 896
Federal/provincial government formal demands 233
Emergency requests 718
Emergency requests - after-hours by operator services 3,993
Child sexual exploitation 49
Requests denied 247
It's also worth noting that SaskTel says they have changed their practices in response to the R. v. Spencer case.
I just had the pleasure of speaking at a joint meeting of the Canadian Bar Association (Nova Scotia)'s privacy and charities sections on the impact of Canada's Anti-Spam Law (CASL) on charities and not for profits.
Here's the presentation, in case it may be of interest: