Saturday, December 02, 2006

More on warrants for ISP records

Back in October, I blogged about the CIPPIC and Online Rights privacy pledge (Canadian Privacy Law Blog: The ISP Privacy Pledge). In that post, I referred to a posting by Mark Goldberg called "Online rights is wrong."

More recently, Mark has posted 7 reasons why warrants aren't needed. This one has resulted in a bit of a debate between David Butt and Mark Goldberg, on one side, and Rob Hyndman on the other side.

The seven reasons are listed, as is additional information offered by David in the course of the debate with Rob Hyndman:

Internet child abuse investigators routinely need bare bones subscriber information (name and address) from ISPs to conduct their investigations. A question commonly asked by ISPs and privacy advocates is, why shouldn’t the police use a search warrant to get that bare bones subscriber information? There are seven really good answers to this question.
  1. Bare bones subscriber information is not the kind of private information that requires a search warrant. The highest court in Canada, the Supreme Court, has clearly said so. [R. v. Plant, [1993] 3 SCR 281]
  2. Every other business in Canada must supply this kind of bare bones customer information to the police upon request. There is no principled reason why ISPs should be exempted from the rules that apply to every other business. [This engages the moral calculus of social, not legal obligation. Simply put, fighting child abuse is more important than "protecting" the confidentiality of basic subscriber information that is widely recognized as not engaging core privacy values. In other words, I [David] challenge any business to state publicly that they would rather hamper child abuse investigations than voluntarily surrender upon request non-intimate basic customer information for which a search warrant is not necessary.]
  3. PIPEDA has a specific section in it whose purpose is to authorize the granting of this bare bones subscriber information to police. ISPs therefore have specific statutory authority to rely upon. [PIPEDA s.7(3)(c.1)(ii) Based on the comfort provided by this section, the letter of authority endorsed by CAIP is a commendable step taken by the industry to address internet based child abuse.]
  4. Police services are always understaffed and over worked. The demand for policing services always exceeds the available supply. Therefore, adding unnecessary burdens on police by requiring them to go to the trouble of getting legally unnecessary warrants prevents police officers from devoting their limited time to more important work. The result is that the whole community suffers unnecessarily.
  5. Search warrant requirements under Canadian law are onerous. A typical search warrant, even for bare bones subscriber information, may often run to more than 40 pages in length. This will require several hours of work by an officer, sometimes many officers. It will involve at least two visits to a judge. Given the limited availability of judges, the entire process may take days. All of this effort is legally unnecessary and therefore a complete waste of public funds.
  6. Bare bones subscriber information is necessary to identify the location of the suspect so that the case can be conducted by the local police service. If a search warrant were necessary for every such bare bones request, the police service in the city where the ISP head office is located would be obliged to do a great deal of onerous search warrant work simply to pass the file on to another jurisdiction when the bare bones subscriber information comes back. This places not only an unnecessary but a disproportionate burden on police services in those cities that host ISP head offices.
  7. Other democratic countries, that fully respect privacy rights, require businesses to supply this type of bare bones subscriber information to the police upon request. Internationally, the practice is routine.

With respect, I don't think it is legally correct to say that subscriber information can be provided by an ISP in response to a "letter of authority". And I am not going to get into the political debate that starts with the premise that if you follow the Charter, you are supporting child exploitation.

The first point relies entirely on R. v. Plant, a 1993 and pre-PIPEDA decision from the Supreme Court of Canada. It did not deal with subscriber information from an ISP or other telco, but electricity consumption records from a publicly owned power generation company. At the time, this information was provided to cops on a routine basis. In fact, the police had a direct computer connection to the hydro company's system. In addition, at the time, the electricity consumption records of every customer was available to anyone who asked. The majority of the Court concluded that there was no reasonable expectation of privacy in this information and a warrant was not required. It is also notable that the current Chief Justice wrote a very strong dissent arguing that there was a reasonable expectation of privacy in this information.

In my personal opinion, R. v. Plant is readily distinguishable. Plant deals with electricity consumption at a particular address, not specifically identifying information that is now being discussed from ISPs. Since PIPEDA and the PIPAs, it would be very difficult to say that there is no expectation of privacy in your name and address in ISP billing records. Just look at BMG Canada Inc. v. John Doe (F.C.), [2004] 3 F.C. 241, 2004 FC 488 (CanLII) where the Court noted:

[37]In respect of the internet specifically, Wilkins J. in Irwin Toy Ltd. v. Doe (2000), 12 C.P.C. (5th) 103 (Ont. Sup. Ct.) stated, at paragraphs 10-11:
Implicit in the passage of information through the internet by utilization of an alias or pseudonym is the mutual understanding that, to some degree, the identity of the source will be concealed. Some internet service providers inform the users of their services that they will safeguard their privacy and/or conceal their identity and, apparently, they even go so far as to have their privacy policies reviewed and audited for compliance. Generally speaking, it is understood that a person's internet protocol address will not be disclosed. Apparently, some internet service providers require their customers to agree that they will not transmit messages that are defamatory or libellous in exchange for the internet service to take reasonable measures to protect the privacy of the originator of the information.

In keeping with the protocol or etiquette developed in the usage of the internet, some degree of privacy or confidentiality with respect to the identity of the internet protocol address of the originator of a message has significant safety value and is in keeping with what should be perceived as being good public policy. As far as I am aware, there is no duty or obligation upon the internet service provider to voluntarily disclose the identity of an internet protocol address, or to provide that information upon request.

[38]Parliament has also recognized the need to protect privacy by enacting PIPEDA, which has as one of its primary purposes the protection of an individual's right to control the collection, use and disclosure of personal information by private organizations (section 3).

The context of this case is a civil lawsuit, but the sentiments would apply in the criminal context as well. The Ontario courts have more recently dealt the exact issue we are discussing here (including the use of a so-called "letter of authority") in Re S.C., 2006 ONCJ 343 (CanLII). In this case, Justice of the Peace Conacher was being asked to issue a search warrant on the basis of information provided by an ISP to the police pursuant to a letter of authority. The Court considered both the expectation of privacy and section 7(3)(c.1)(iii) of PIPEDA, referred to by David Butt. This section reads:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

In the result, the Court in Re S.C. concluded that an ongoing criminal investigation is not "lawful authority" under PIPEDA that would permit the ISP to disclose the name and address of a subscriber without consent or a warrant:

[9] However, s. 7(3) stipulates that the information can be provided without consent only if the body seeking the information has "identified its lawful authority to obtain the information" and has indicated that the disclosure is requested (in this case) for law enforcement purposes. The Act does not set out that the existence of a criminal investigation is, in and of itself, “lawful authority” within the meaning of the Act nor, therefore, does a “Letter of Request for Account Information Pursuant to a Child Sexual Exploitation Investigation” establish such authority. Accordingly, there must still be some “legal authority” to obtain the information; in the view of this Court s. 7(3)(c.1)(ii) by itself does not establish what that “lawful authority” is. The section provides authority for disclosing information. It does not establish the authority for obtaining and possessing the information.

[10] The Information to Obtain does not otherwise reflect that the Informant established to Bell Canada the lawful authority, within the meaning of the Act, by which the investigators were seeking to obtain the requested information. Accordingly, Bell Canada did not have a basis upon which to disclose the information.

[11] In the absence of express authority within the legislation, the Charter right not to have one’s reasonable expectation of privacy interfered with, except through prior judicial authorization with all the protections that affords, must govern. Accordingly, it is the view of this Court that the Informant is not lawfully in possession of the information that was provided by Bell Canada. Therefore, that information must be set aside in the overall consideration of this application to obtain a search warrant.

With respect to the other points raised, the current Criminal Code allows for searches and obtaining personal information if there are exigent circumstances that require the information immediately. Whether the bar should be further reduced (or can be further reduced in light of the Charter), I leave to others to debate.

No comments: