Thursday, December 22, 2011

SCC decision on national securities regulation keeps PIPEDA's constitutionality as an open question

Today, the Supreme Court of Canada released its decision in Reference re Securities Act. The Court based much of its decision on existing caselaw, including the General Motors case, which requires certain criteria to be met for the proper exercise of the General Trade and Commerce Power:

As held in General Motors, to fall under the general branch of s. 91(2), legislation must engage the national interest in a manner that is qualitatively different from provincial concerns. Whether a law is validly adopted under the general trade and commerce power may be ascertained asking (1) whether the law is part of a general regulatory scheme; (2) whether the scheme is under the oversight of a regulatory agency; (3) whether the legislation is concerned with trade as a whole rather than with a particular industry; (4) whether it is of such a nature that provinces, acting alone or in concert, would be constitutionally incapable of enacting it; and (5) whether the legislative scheme is such that the failure to include one or more provinces or localities in the scheme would jeopardize its successful operation in other parts of the country. These indicia of validity are not exhaustive, nor is it necessary that they be present in every case. [from the headnote]

It thus remains a live issue whether PIPEDA meets these criteria. The fact that British Columbia, Alberta and Quebec are able to "opt out" by implementing their own substantially similar legislation undermines both (4) and (5).

It will be interesting to see if any such challenge is made or if the Quebec Court of Appeal reference re PIPEDA's constitutionality is ever dusted off.

Privacy Commissioner finding: Laurier Optical inappropriately disclosed customer's information

The Privacy Commissioner of Canada has published its fourth PIPEDA finding of 2011: Commissioner’s Findings - PIPEDA Report of Findings #2011-004: Laurier Optical Improperly Discloses Client’s Personal Information - March 31, 2011. What is most notable is that she "names names", principally because the organization did not respond to her recommendations:

As a result of the circumstances examined in this investigation and the outstanding issues, the Privacy Commissioner was of the view that Laurier Optical’s personal-information handling practices in this case should be made public and exercised her discretion to publicly name the organization.
.

Here is the summary of the investigation and "Lessons Learned":

An individual who was seeking a refund from Laurier Optical because two pairs of prescription eyeglasses didn’t satisfy him, was shocked to discover the company had copied its written response to his request to 10 different parties.

He complained to our Office that the optometry chain, which has locations in Ontario and Quebec, disclosed his personal information without consent and subsequently failed to provide him with access to his personal information.

The man had obtained two prescriptions from Laurier Optical and found that neither satisfied him. As a result, he obtained a prescription from an independent optometrist who worked elsewhere.

After receiving the refund request, Laurier Optical initiated a complaint against the independent optometrist with the Ontario College of Optometrists. The company alleged the optometrist had incorrectly told the complainant that Laurier Optical had not performed a proper eye exam.

In its written response to the refund request, Laurier Optical included the complainant’s home address, telephone number and details of his three prescriptions, as well as a description of the prescription dispute. The complainant felt it contained false statements damaging to his character. The letter also stated that Laurier Optical would ask two other professional bodies and the two biggest lens manufacturing labs in Canada to evaluate the three prescriptions and obtain neutral opinions.

The letter was copied to 10 different parties, including various Laurier Optical officials; the Ontario College of Optometrists; the College of Opticians of Ontario, the independent optometrist; the company that made the complainant’s lenses, as well as another lens manufacturing company.

The complainant also requested access to his personal information held by Laurier Optical, but received no documentation in response.

Following an investigation, our Office found both the disclosure and access complaints to be well founded.

It was not necessary for Laurier Optical to disclose the complainant’s personal information to the College of Opticians or the lens manufacturers in order to demonstrate that the lenses it had provided to the complainant were appropriate. Even if these organizations could provide relevant input, they could have done so without knowing the complainant’s name, address, telephone number or details of the dispute. Similarly, it was not necessary to provide the independent optometrist with this information.

We recommended that Laurier Optical train its staff about PIPEDA’s requirements regarding the protection of clients’ personal information.

The organization did not respond.

As a result of the circumstances examined in this investigation and the outstanding issues, the Privacy Commissioner was of the view that Laurier Optical’s personal-information handling practices in this case should be made public and exercised her discretion to publicly name the organization.

Lessons Learned:

  • If an organization is contemplating the disclosure of a client’s personal information without consent, it must ensure that one of the exceptions to consent under subsection 7(3) applies.
  • The sharing of personal information with other employees or agents of an organization is considered to be a “use” under the Act, rather than a “disclosure.” Therefore, if an organization is contemplating such a use of personal information without the individual’s consent, it must ensure that one of the exceptions to consent under subsection 7(2) applies.
  • When in receipt of a request for access to personal information, organizations must respond in a meaningful way, even if only to indicate that they have already provided the individual with all of their information.

Wednesday, December 21, 2011

SCC to release decision on securities regulation that may affect privacy regulation

On Thursday, the Supreme Court of Canada will be delivering its decision In the Matter of Section 53 of the Supreme Court Act, R.S.C. 1985, C. S-26 and in the Matter of a Reference by the Governor General in Council concerning the proposed Canadian Securities Act, as set out in Order in Council P.C. 2010-667, dated May 26, 2010 (33718).

What does this have to do with privacy, you ask? A lot. Our federal privacy law is on shaky constitutional ground, as it may reasonably be characterized as an incursion into purely provincial jurisdiction in the regulatory realm. We'll see what the SCC has to say about securities regulation, which may have a real spill-over into privacy regulation.

Monday, December 12, 2011

Beware of "surveillance by design" symposium

The Information and Privacy Commissioner of Ontario is organizing a symposium about "Surveillance by Design" which should be very interesting:


Upcoming Events « Privacy by Design

Beware of "Surveillance by Design" Symposium

Date January 27th, 2012

Time: 09:00 AM - 11:00 AM

Location: MaRS Discovery District, MaRS Centre South tower, Suite 100 (Auditorium – Lower Level), 101 College St., M5G 1L7 Toronto, ON, Canada

Beware of "Surveillance by Design:"

The Threat of Looming “Lawful Access” Legislation

Join Ontario's Information and Privacy Commissioner Dr. Ann Cavoukian and leading privacy, legal, and academic experts as we discuss the implications of “lawful access” legislation in Canada

Concern is mounting regarding the impact of proposed “lawful access” legislation in Canada. Media coverage has greatly increased, with this issue becoming a hot topic of discussion by all stakeholders, from the legal community to telecom providers. The Information and Privacy Commissioner of Ontario has been instrumental in bringing attention to this upcoming legislation — which in our view, would represent a system of “surveillance by design.”

The anticipated re-introduction of a trio of federal bills (Bills C-50, C-51, C-52) will provide police with much greater ability to access and track information, via the communications technologies that we use every day, such as the Internet, smart phones, and other mobile devices, including without a warrant or oversight. Taken together, the three pieces of legislation will diminish the privacy rights of Ontarians and indeed of all Canadians.

We have an opportunity to raise awareness on this very important issue, with the goal of impacting the legislation as it is re-introduced. Please join us as we bring together diverse thought leaders to discuss the implications of these federal bills.

The event is being held to celebrate International Privacy Day, marking 31 years since the first binding international convention of privacy came into force.

We are delighted to have as guest speakers:

  • Dr. Ron Deibert, Professor, Political Science, University of Toronto
  • Nathalie Des Rosiers, General Counsel, Canadian Civil Liberties Association
  • David Fraser, Lead, McInnes Cooper Privacy Practice Group
  • John Ibbitson, Ottawa Bureau Chief, Globe and Mail

Details of EU Data Protection Reform Reveal Dramatic Proposed Changes

Hogan Lovells Chronicle of Data Protection has a good summary of what's expected in the reform of European Data Protection laws in the coming year: Details of EU Data Protection Reform Reveal Dramatic Proposed Changes : HL Chronicle of Data Protection.

Wednesday, December 07, 2011

Bill C-12: Redline of proposed amendments to PIPEDA

Later today, I'm going to be giving a presentation with Lisa Lifshitz from Gowlings on the proposed amendments to the Personal Information Protection and Electronic Documents Act (AKA C-29), which are stagnating at first reading stage in Parliament. I'll be referring to the redline that I've prepared which shows the amendments in place and is a handy reference. Anyone who wants a copy is welcome to it as well: PIPEDA Amdended to include FISA, C-29 and C-12 (Google Doc).

Tuesday, December 06, 2011

Privacy Commissioner issues guidelines on online advertising

The Office of the Privacy Commissioner of Canada has today released a guidance document on online advertising and "tracking".

Here's the Commissioner's media release:

News Release: New online advertising guidance sets out restrictions for tracking - December 6, 2011

New online advertising guidance sets out restrictions for tracking

Privacy Commissioner of Canada Jennifer Stoddart calls on organizations involved in online behavioural advertising to provide better information about their practices; says the tracking of children and use of tracking technologies that can’t be turned off should be off-limits.

TORONTO, December 6, 2011 – Advertisers who use targeted online ads need to be upfront with Canadians about what they’re doing and must make it easy for people to say No to being tracked, says Privacy Commissioner of Canada Jennifer Stoddart.

The Commissioner today launched new guidelines on online behavioural advertising which also set out restrictions on the tracking of children and tracking technologies that people can’t turn off. Behavioural advertising involves tracking consumers’ online activities over time, in order to deliver advertisements that are targeted to their inferred interests.

“The use of online behavioural advertising has exploded and we’re concerned that Canadians’ privacy rights aren’t always being respected,” says Commissioner Stoddart, who launched the guidelines in a speech to the Marketing and the Law conference in Toronto.

“Many Canadians don’t know how they’re being tracked – and that’s no surprise because, in too many cases, they have to dig down to the bottom of a long and legalistic privacy policy to find out.”

The new guidance document says information about behavioural advertising should be clear, obvious and understandable. Accepting participation in online behavioural advertising should not be considered a condition for people to use the Internet generally. People must be able to easily opt out of this practice.

“Some people like receiving ads targeted to their specific interests. Others are extremely uncomfortable with the notion of their online activities being tracked. People’s choices must be respected,” says Commissioner Stoddart.

She also flagged some important restrictions when it comes to online behavioural advertising.

“If an individual can’t say no to the technology being used for tracking or targeting, then the industry shouldn’t use that technology for behavioural advertising purposes,” she told the advertising industry conference. “So, in the current online behavioural advertising environment, that means no use of web bugs or web beacons, no super cookies, no pixel hacks, no device fingerprinting and no to any new covert tracking technique of which the user is unaware and has no reasonable way to decline.”

Another restricted area involves the online tracking of children. The guidelines state that organizations should avoid knowingly tracking children and tracking on websites aimed at children.

“Children are not likely able to provide the meaningful consent required under our privacy law for the tracking of their online activities. This is an increasingly important issue as we see the average age of first-time Internet users dropping,” says the Commissioner.

The guidelines also say advertisers should avoid collecting other sensitive information, such as individuals’ health information.

Commissioner Stoddart says her Office developed the guidance document to help organizations involved in online behavioural advertising ensure their practices are fair and transparent and in compliance with Canada’s federal private-sector privacy law, the Personal Information Protection and Electronic Documents Act, or PIPEDA.

“The approach we’re taking – as prescribed under Canadian law – is reasonable. It allows industry to be innovative and to grow while respecting individuals’ right to privacy.”

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada. The Commissioner enforces two federal laws for the protection of personal information: the Privacy Act, which applies to the federal public sector; and the Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to commercial activities in the Atlantic provinces, Ontario, Manitoba, Saskatchewan and the Territories. Quebec, Alberta and British Columbia each has its own law covering the private sector. Even in these provinces, PIPEDA continues to apply to the federally regulated private sector and to personal information in interprovincial and international transactions.

Saturday, December 03, 2011

Public Safety minister continues to mislead about "phone book information" and lawful access

In today's Globe & Mail, the Public Safety Minister continues to peddle the wholly erroneous and completely misleading line about "phone book information".

Dec. 3: Letters to the editor - The Globe and Mail

The poop on e-snoop

Re Tories Have Yet To Prove Case For E-Snooping Bill (online, Dec. 1): Technology is a critical aspect of the way Canadians do business and communicate with each other. But as technology advances, criminal activities become easier. The government will propose legislation that strikes an appropriate balance between the privacy rights of Canadians and the ability of police to enforce our laws.

We will allow police to access “phone book”-type information from Internet service providers. If it becomes necessary to find a suspect's name, address, phone number or other similar identifier, ISPs will be required to disclose that information. ISPs will be required to have the capacity to allow police to investigate – strictly with a warrant – all communication methods.

Let me be clear: No legislation proposed will create powers for police to read e-mails without a warrant. Our proposed approach of linking an Internet address to subscriber information is on par with a phone book linking phone numbers to a residential address.

Vic Toews, Minister of Public Safety, Ottawa

If you want a definitive view on how this is completely misleading, check out this great analysis by Christopher Parsons: "The Anatomy of Lawful Access Phone Records".

Most notably, the article he is responding to is about the fact that the government hasn't made any compelling case for why it is necessary and a letter to the editor would have been a good opportunity to do so. He didn't. Not at all. Not one iota. They haven't even attempted to make a compelling case.

Friday, December 02, 2011

Smartphones are equivalent to computers for purposes of police search, says Nova Scotia court

In R. v. Hiscoe, 2011 NSPC 84, the Provincial Court of Nova Scotia has determined that the police can read texts on the accused's smartphone without a warrant (as incident to arrest) but need a warrant to forensically dump the contents of the phone for analysis.

Notably, the Court characterized the phone as a computer and observed that the same considerations come into play as with a search of a personal computer:

[39] The Crown acknowledges that the accused had a reasonable expectation of privacy in the contents of his cellphone and that the three occasions when the police examined and retrieved information from the cellphone constituted a warrantless search which constituted a prima facie unreasonable search[30] for the purposes of s. 8 of the Charter. Having said that, in my opinion it is important to characterize the degree or level of privacy in the smart phone information and how that information is stored because, in my opinion, it is a factor in deciding the scope of the police authority to search a cellphone incident to arrest.

[40] Here the cellphone which was seized was described as a “regular smart phone, a Blackberry sort of phone”. Phones of this sort have been described as “mini computers”[31]. These phones are capable of storing dozens of gigabytes of data not unlike personal or home computers. There is a high level of privacy associated with personal computers[32]. In R. v. Morelli, supra Justice Fish said at para. 2 “It is difficult to imagine a search more intrusive, extensive, or invasive of one's privacy than the search and seizure of a personal computer”. He continues at para. 3 :

First, police officers enter your home, take possession of your computer, and carry it off for examination in a place unknown and inaccessible to you. There, without supervision or constraint, they scour the entire contents of your hard drive: your emails sent and received; accompanying attachments; your personal notes and correspondence; your meetings and appointments; your medical and financial records; and all other saved documents that you have downloaded, copied, scanned, or created. The police scrutinize as well the electronic roadmap of your cybernetic peregrinations, where you have been and what you appear to have seen on the Internet -- generally by design, but sometimes by accident.

[41] Later at para. 105 he describes the nature of information computers contain:

Computers often contain our most intimate correspondence. They contain the details of our financial, medical, and personal situations. They even reveal our specific interests, likes, and propensities, recording in the browsing history and cache files the information we seek out and read, watch, or listen to on the Internet.

Blackberrys and other smart phones function in the same way as personal computers[33].

[42] Other case authorities[34] are consistent in their conclusions that smartphone devices have the capacity to store vast amounts of sensitive and personal and private information including emails, text messages, contact lists, diaries, medical information and personal photographs as well as internet browsing histories.

[43] Given the advances in technology, these types of devices allow individuals to carry their entire personal information library with them. In my opinion, it is difficult to compare a smartphone with a notebook or briefcase one might carry or have for a specific purpose. Smartphones have several gigabytes of data storage which can store literally thousands of documents, photographs, messages or hundreds of thousands of filed data[35]. This, of course, does not take into account current technological advances regarding Cloud[36] storage and electronic and computer device sharing features which could increase the information available from a hand-held electronic device.

[44] While the accused did not testify as to the level of privacy – the Crown has admitted the accused had a reasonable expectation of privacy in the cell phone. I agree with the conclusion reached by Fuerst, J in R. v. Little, supra, at para. 120, that the subjective expectation of privacy can be presumed. This subjective expectation of privacy is objectively reasonable for the reasons I expressed above. Furthermore, the high level of privacy which I described can be inferred as well. In my opinion this privacy level exists irrespective of whether the phone is password protected. The lack of a password is not an invitation to view the personal contents contained in the device especially from the prying eyes of the state.

[45] Finally, I would add that like other computers, cellphones are organized in a way that separates voice messages, text messages, documents, photographs, browser history and other information. The information is not stored in one big container to use perhaps a poor analogy. It is possible to look at text messages without looking at photographs, for example. It is not necessary to examine ones voice memos to read text messages or documents.

Thursday, December 01, 2011

Never mind the Patriot Act, watch your thumb drives

Earlier this week, I spoke on a panel at Reboot's Privacy and Security conference in Ottawa about privacy and security in cloud computing. I didn't have a powerpoint, but IT World Canada has a pretty good write-up of the presentation ...

Never mind the Patriot Act, watch your thumb drives - Page 1 - Security

By: Grant Buckler
On: 01 Dec 2011
For: ComputerWorld Canada

Businesses that think storing their cloud-based data north of the border protects them from government intrusion are wrong, a panel says. Why thumb drives are the real threat to info security

OTTAWA – Businesses contemplating cloud computing should worry less about the U.S. Patriot Act and more about thumb drives and border crossings, panelists at the Privacy and Information Security Congress said here Monday.

David Fraser, partner with the Atlantic Canadian law firm McInnes Cooper, said many people believe it is illegal to put data in the cloud if that means it will be stored south of the border because of provisions in the U.S. Patriot Act that allow the American security establishment to seize information without a conventional warrant or any notification to the data’s owners.

Whether or not many people believe it is illegal (it is not, though some provinces put limits on where certain data such as health records may be stored), comments from the audience showed there are concerns about the Patriot Act, particularly the fact that the law expressly forbids a cloud service provider from notifying a data owner when data is seized under the act.

But Fraser argued that Canada has similar legislation and that U.S. law applies to any company with a substantial connection to that country anyway, so insulating oneself from such government intrusion is not as simple as ensuring data stays north of the border.

And he said other risks are more significant – like thumb drives that plug into Universal Serial Bus (USB) ports. These are the No. 1 source of data breaches, according to Fraser.

“Go to the front desk of a hotel and say that you’ve lost your thumb drive,” he said, “and they’ll probably pull out a box of them.”

And if you’re concerned about governments snooping into your data, he added, “any time you cross the border … they can open up your laptop and they can clone your hard drive.”

Cloud computing could actually be a solution to both those problems by allowing computer users secure access to data from anywhere so they need not carry sensitive data on laptop hard drives or USB thumb drives, said Fraser.

Omkhar Arasaratnam, cloud security lead architect for SmartCloud Enterprise at IBM Canada Ltd., agreed with Fraser that keeping data at home is no panacea. And he said cloud security is not much different from information security in general, which is mainly about risk management and education.

Putting too many restrictions on what people can do won’t work, said Arasaratnam. “If you as an IT department are too restrictive, your end user community, your executives or their children will find ways around it.”

The best hope, he said, is to educate people so they understand why some behavior is risky, and look for ways to ensure security without restricting people’s use of technology too much.

The fact that cloud computing is new doesn’t necessarily mean it is insecure, said Arasaratnam. But Winn Schwartau, moderator of the panel, well-known speaker and author of several books on security, observed that IT has swung back and forth between centralization and decentralization several times since the 1950s, and asked the panelists what businesses should do to ensure they can get off the cloud should the pendulum swing again.

Fraser advised making sure contracts are clear about ownership of data and the client’s right to have it returned. Arasaratnam added that it’s important to ensure the data comes back in usable form, not as paper printouts or files in incomprehensible formats.

Saturday, November 26, 2011

Ontario Commissioner Issues Significant Order on Custody or Control of University Records

If any part of your practice involves advising universities on access to information issues, run -- don't walk -- over to Dan Michaluk's summary of the recently released decision in University of Ottawa – Order PO-3009-F (November 7, 2011).

One of the big issues these days is whether records held by a university professor is in the custody or control of the university, so that they may be subject to access to information legislation. The Information and Privacy Commissioner of Ontario has just held that it is up to the IPC and not any other process (such as arbitration or reference to arbitral jurisprudence) to determine whether this is the case. The decision also provides the following very helpful guidance:

Accordingly, I conclude that the arbitral awards are not determinative with respect to the custody or control of records that may be responsive in this case. Rather, the determination is to be made based in the principles enunciated in this order. The significant conclusions I have reached in this regard are:

1. records or portions of records in the possession of an APUO member that relate to personal matters or activities that are wholly unrelated to the university’s mandate, are not in the university’s custody or control;

2. records relating to teaching or research are likely to be impacted by academic freedom, and would only be in the university’s custody and/or control if they would be accessible to it by custom or practice, taking academic freedom into account;

3. administrative records are prima facie in the university’s custody and control, but would not be if they are unavailable to the university by custom or practice, taking academic freedom into account.

Run to Dan's summary: Ontario Commissioner Issues Significant Order on Custody or Control of University Records « All About Information.

Thursday, November 24, 2011

Tuesday, November 22, 2011

Current issues in privacy: Social media and cloud computing

Today, I was honoured to be asked to present to the Nova Scotia Association of Educational Administrators on current privacy issues. A very interesting group of people with some great questions. Here's the presentation, in case you're interested:

What information is law enforcement looking for under "lawful access"?

Christopher Parsons has a great and detailed blog post on the sort of information that would be open for inspection by law enforcement under "lawful access". And it's isn't "phone book" information. Check it out: The Anatomy of Lawful Access Phone Records | Technology, Thoughts, and Trinkets.

Paper on Canadian ISP cooperation with law enforcement

An interesting read:

Updated: Business disclosure of personal information to law enforcement agencies: PIPEDA and the CNA letter of request protocol (PDF):

By Suzanne Morin with the assistance of Amy Awad and Dee Pham

Canadian Internet Service Providers (“ISPs”) are continuing their strategy to deal with a subset of requests for customer information from law enforcement agencies requests that is of particular concern to them – those pertaining to online child exploitation investigations.

The initiative, where participating ISPs voluntarily disclose customer name and address linked to an IP address at a particular date and time to law enforcement at the pre-warrant stage of child exploitation investigations, remains interesting at a number of levels.

It touches on privacy issues pertaining to the proper interpretation of PIPEDA and the reasonable privacy expectations of ISPs’ customers. It also provides an ongoing example of a relatively successful voluntary collaboration between private business, law enforcement and privacy regulators aimed at tackling legal uncertainties where they may most negatively affect the public good.

Friday, November 18, 2011

Nova Scotia Privacy Review officer reviews workers' comp board

Until recently, the "Review Officer" appointed under Nova Scotia's Freedom of Information and Protection of Privacy Act only had the power to deal with access to information issues and not privacy complaints. That's now changed and the Protection of Privacy Review Officer, Dulcie McCallum has come out swinging following a review of the province's Workers' Compensation Board. Below is the press release, summarizing Review P-11-01 (PDF):

REVIEW OFFICER ISSUES PUBLIC REPORT: RECOMMENDS CHANGES TO WCB PRIVACY PRACTICES

November 18, 2011

Dulcie McCallum, Nova Scotia’s Privacy Review Officer, today released her report investigating the privacy practices of the Nova Scotia Workers’ Compensation Board: Privacy Matters: Creating a Zero Tolerance Privacy Environment. Ms. McCallum made 21 recommendations that she believes will improve the privacy culture at the WCB, and the WCB has agreed to implement all of the recommendations.

“Because privacy is such an important part of how we define ourselves, I have recommended that the WCB work towards creating an institutional goal where privacy is given priority, where one privacy breach is one too many,” said Ms. McCallum. “I believe this approach to privacy lines up closely to WCB’s primary emphasis on safety in the workplace, where one accident is one too many.”

The Review marks the first time the Privacy Review Officer has completed a systemic privacy review of a public body. Ms. McCallum launched the investigation early this year when it was publicly reported that at least two separate individuals had received another WCB claimant’s claim file when requesting their own. Most claimant's files include considerable personal information and in particular personal health information.

Before this report was made public, the Review Officer shared a draft version with the WCB in order to ensure that the Review Office had fully captured the work of the WCB and its privacy practices. In its response, the WCB emphasized the similarities between efforts to prevent workplace injuries and efforts to prevent privacy breaches and agreed to implement all 21 recommendations.

“I am happy to report that the WCB has fully accepted preventing privacy breaches as a priority and has indicated that our expert advice as to how to go about achieving that is welcome,” said Ms. McCallum. “I want to thank the WCB for the full cooperation it provided throughout this investigation.”

The WCB has committed to implementing seven of the recommendations immediately, while the remaining 14 will require a reasonable period of time to fully adopt. The Review Office intends to revisit the progress being made by the WCB on implementation within the next year.

The Privacy Review was expedited to ensure any privacy breaches that may have occurred were not ongoing and had been sufficiently contained by the WCB. The Privacy Review Officer found that they had been contained, though the overall privacy practices of the WCB needed improvement in order to give privacy protection the attention it deserved.

Thursday, November 17, 2011

Privacy Commissioner of Canada releases annual report on public sector privacy law

Jennifer Stoddart has just tabled her annual report to Parliament on the Privacy Act, Canada's federal public sector privacy law: Annual Report to Parliament 2010-2011 - Report on the Privacy Act.

From her media release on the topic:

Audit of airport security measures flags concerns about over-collection and safeguarding of travellers’ personal information

2010-2011 Annual Report to Parliament on the Privacy Act examines the stewardship of personal information by Canada’s airport security authority, the RCMP and other federal departments and agencies

OTTAWA, November 17, 2011 – The Government of Canada is collecting too much information about some air travellers and is not always safeguarding it properly, Privacy Commissioner Jennifer Stoddart found in an audit published with her annual report today.

The audit of the privacy policies and practices of the Canadian Air Transport Security Authority (CATSA) concluded that the agency was reaching beyond its mandate by completing security reports on incidents which were not related to aviation security.

This was the case even with incidents involving an activity that was legal. For example, CATSA collected information about air passengers who were found to be carrying large sums of cash on domestic flights. CATSA also contacted police in such cases. Since it should not be collecting personal information about legal activities not related to aviation security, the Office of the Privacy Commissioner of Canada recommended that CATSA immediately cease that practice. CATSA agreed.

Moreover, the audit found that such incident reports, and other types of personal information collected by the agency, were not always properly secured.

“Documents containing sensitive personal information were left on open shelves and in plain view in a room where passengers may be taken for security checks,” Commissioner Stoddart reported.

The audit also identified other concerns about procedures not being followed during the screening process. When auditors visited the rooms where CATSA officials screen full-body scans, they discovered a cell phone and a closed-circuit TV camera even though these types of devices are strictly prohibited according to CATSA’s operating procedures.

“Fortunately, these irregularities were uncommon and we were pleased that CATSA moved quickly to correct them by issuing a reminder to staff and conducting inspections to ensure proper procedures were followed,” said Commissioner Stoddart.

Even so, she added, “the Government of Canada is entrusted with highly sensitive personal information, and is obliged to handle it with an uncompromising level of care—not some of the time, or even most of the time, but all of the time.”

The audit was summarized in the 2010-2011 annual report on the Privacy Act, which was tabled in Parliament today.

The annual report also contains a summary of another audit conducted by the Office of the Privacy Commissioner of Canada (OPC). It examined the Royal Canadian Mounted Police’s (RCMP) management of operational databases that are widely shared with other police forces, government institutions and other organizations.

The audit determined that, while the RCMP has policies and procedures to safeguard the sensitive information contained in the databases, there were also some disturbing gaps.

For instance, the Privacy Act, which governs the information-handling practices of federal government departments and agencies, requires that organizations retain personal information no longer than absolutely necessary. And yet, information about offences for which a pardon had been granted, or that resulted in a wrongful conviction, continues to be accessible in a database called the Police Reporting and Occurrence System.

“People who were convicted of an offence they did not commit, or who have been granted a pardon, have a right to go about their lives without information—and especially misinformation—about their past coming to light,” Commissioner Stoddart noted. “Such information must be more tightly controlled.”

The annual report highlights the work of the OPC in 2010-2011 in strengthening the privacy rights of Canadians. It summarizes key investigations into privacy complaints and data breaches that the Office conducted under the Privacy Act. The report also describes several Privacy Impact Assessments that federal institutions submitted to the Office for review during the past fiscal year.

Aimed at assessing the government’s stewardship of personal information, the report has separate chapters devoted to the collection, use and disclosure of data. Given the sensitive nature of the personal information that the state needs to govern, the report warns of grave consequences for its over-collection, misuse or inappropriate disclosure.

Aside from the two audit summaries, here are other highlights of today’s reports:

  • Biometric identifiers: Citizenship and Immigration Canada submitted Privacy Impact Assessments for two initiatives involving the use of fingerprints and other biometric identifiers for immigration control. The OPC recommended ways to strengthen privacy safeguards for vulnerable populations such as refugee claimants.
  • Passenger behaviour observation: A Privacy Impact Assessment for a new pilot project to observe airport travellers for suspicious activity raised several concerns, including the potential for inappropriate risk profiling based on characteristics such as race, age or gender.
  • Personal data breaches: The OPC received a record number of reports of breaches of personal information in 2010-2011. One involved a malfunction of the new My Service Canada Account website, a day after its launch, which allowed an estimated 75 users to see financial and other personal data of previous visitors to the site.
  • Follow-up to past audits: During follow-ups on three audits originally conducted in 2008 and 2009, the entities that we audited indicated that 32 of 34 of the OPC’s recommendations had been fully or substantially implemented. For example, the RCMP reported that it had removed tens of thousands of surplus files from its exempt databanks, in compliance with the Privacy Commissioner’s recommendations.

The full annual report and audit reports on CATSA’s aviation security measures and the RCMP operational databanks are available at www.priv.gc.ca.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.

Monday, November 14, 2011

Ontario Court: Information about landlords not Personal Information

Dan Michaluk has a summary of a very recent Ontario Superior Court of Justice Case which held that information about landlords in the capacity as landlords is not really personal information, but is instead business information. Check it out: Information About Landlords not Personal Information « All About Information.

Thursday, November 10, 2011

Cloud computing session at Privacy and Information Security Congress 2011

I'm going to be on a panel discussion at the Reboot conference "Privacy and Information Security Congress 2011" on November 28/29 in Ottawa.

The session is entitled Borderless Cloud Computing – "Hey You, Get Off My Cloud!"

Moderator: Winn Schwartau, President, Interpact, Inc. Author of Information Warfare, Cyber Shock, Time Based Security and Internet & Computer Ethics for Kids

Speakers:

  • David Fraser, Partner, McInnes Cooper
  • Omkhar Arasaratnam, Lead Security Architect, SmartCloud Enterprise+, IBM
  • Ibrahim Gedeon*, Chief Technology Officer, TELUS

For more info, check out the agenda here: http://www.rebootconference.com/ottawaPS2011/agenda.php

Monday, November 07, 2011

ISP's terms of use allow disclosure of customer information to police

Once again, a Canadian trial court has determined that an internet service provider's "terms of use" mean that a customer does not have a reasonable expectation of privacy in their identity information when the police come knocking. R. v. Lo, 2011 ONSC 6527.

I can't help but wonder how many people have ever read the terms of use for the internet service provider and how you can really conclude that an expectation of privacy can be vitiated by something that the vast majority of people have never read.

I also note that the police had more than enough information to get a warrant or a production order, but didn't.

Ontario Commissioner releases great response to government position on "lawful access"

The Information and Privacy Commissioner of Ontario has not been shy about wading into the debate about "lawful access" and she has just unleashed what might be the most significant salvo to date. An open letter to the Ministers of Justice and Public Safety. It is here and reproduced below. It is a must read.

 

 

October 31, 2011

VIA ELECTRONIC MAIL AND COURIER

 

The Honourable Vic Toews
Minister of Public Safety
269 Laurier Avenue West
Ottawa, Canada
K1A 0P8

The Honourable Robert Nicholson
Minister of Justice and Attorney General of Canada
284 Wellington Street
Ottawa, Ontario
K1A 0H8

 

Dear Ministers:

Introduction

As the Information and Privacy Commissioner of Ontario, I felt compelled to write to you today regarding the federal government’s insistence on enacting a highly intrusive surveillanceregime. I do so in full support of Canada’s Privacy Commissioner Stoddart and the open letter she sent to Minister Toews on October 26th.

At the outset, please note that my mandate includes commenting on developments that affect the personal privacy of Ontarians, and overseeing law enforcement compliance with privacy legislation in Ontario. The proposed surveillanceregime will have a substantial impact on the privacy rights of Ontarians, law enforcement functions, and the role of my office.

Media reports referring to Minister Toews’ rejection of Commissioner Stoddart’s concerns and quoting his defence of the regime suggest that the government will re-introduce Bills C-50, C-51, and C-52 (“the Bills”) in essentially the same form in which they appeared in the last Parliament. In my view, that would be highly regrettable for the people of Ontario and Canada. I am writing this open letter to outline my specific concerns and concrete recommendations.

I have first summarized the privacy concerns identified by my office into five categories, followed by an in-depth discussion of each.

Summary of Privacy Concerns:

Reconsidering the Privacy Implications of Expanded Surveillance and Access

Before providing a detailed analysis of the privacy issues, my concerns may be summarized as follows:

  1. The proposed powers must not come at the expense of the necessary privacy safeguards guaranteed under the Canadian Charter of Rights and Freedoms; in order to maintain the integrity of this constitutional framework, the government must acknowledge the sensitivity of traffic data, stored data, and tracking data.

  2. Intrusive proposals require essential matching legislative safeguards; the courts, affected individuals, future Parliaments, and the public must be well informed about the scope, effectiveness, and deleterious effects of intrusive powers. If Parliament enacts expansive new surveillance powers, we urge the federal government to publicly commit to enacting the necessary oversight legislation in tandem.

  3. Even with matching oversight, the proposed surveillance and access powers will require more stringent conditions precedent to determine the situations when surveillance or access may be appropriate and necessary.

  4. The government must not impose a mandatory surveillance capacity regime on the public and its telecommunication service providers (TSPs) without adequate safeguards to protect the future of freedom and privacy; a comprehensive and public cost-benefit analysis should precede rather than follow the making of so many significant public policy decisions. Public Parliamentary hearings should be scheduled to ensure that civil society, as well as industry, have a full opportunity to provide substantial input on all of the Bills including Bill C-52 (the Electronic Communications Act). In addition, the Electronic Communications Act should be amended to require that all interception-related capacity requirements be approved by Parliament before they can be imposed.

  5. The proposal for warrantless access to subscriber information is untenable and should be withdrawn; it remains our view that the Electronic Communications Act should be amended to require that the provisions setting out TSP obligations concerning “subscriber information” be deleted and replaced with a court supervised regime

1) New Powers Must Not Come at the Expense of the Constitutional Framework

In a steady stream of communiqués dating back almost a decade and spanning 2002, 2005, 2007, 2009, and 2011, our office has cautioned against taking a legislative approach to new surveillance powers that undermines the judicially supervised rules and procedures which secure our shared rights to privacy, freedom and security of the person. Two of these were in joint communiqués led by the Privacy Commissioner of Canada, and signed by all the provincial and territorial privacy commissioners and ombudsmen (“privacy commissioners”). 1

Together, they accurately reflect the general nature of many of our current concerns and recommendations. (We also urge you to carefully consider the federal Privacy Commissioner’s November 2010 publication A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century.)

The concerns voiced by Canada’s privacy commissioners have been echoed by legal and academic experts specializing in technology, privacy and the law and, most importantly, by thousands of concerned Canadians who wish to have both effective law enforcement and strong privacy protections.

In this context, there can be little doubt that the most recent iteration of the government’s approach to expansive surveillance legislation has significant implications for personal privacy, state powers, and the longstanding constitutional compromise between the two, as well as for the oversight functions of courts and privacy commissioners, and the future of innovation, costs and competiveness in the communications and technology fields.

The fact that the government appears to be committed to limiting real-time surveillance of private communications including in-transit e-mail under the “wiretapping” rules set out in Part VI of the Criminal Code is welcome news. We also welcome the absence of any public call for the creation of data retention rules with respect to subscribers and their day-to-day use of the new technologies. No such retention rules should be countenanced.

At the same time, we believe that critical elements of the proposed legislative regime suggest that the government misconceives how Canadians interact with new communications technologies and significantly underestimates the sensitivity of the personal information involved. The concomitant risks to privacy and other fundamental rights are significant.

Why? Because new surveillance powers leverage new and still evolving technologies. As a result, they significantly increase rather than merely maintain the state’s surveillance capacity. Accordingly, attempts to frame the public debate in terms of maintaining capacity are misleading:

  • The ways in which we communicate with each other have undergone such enormous changes that it is entirely fanciful to say that there are simple equivalents in the Internet and broader digital domain to the communications surveillance techniques used for conventional voice-based telephones. There are many new types of communication available between individuals, but nearly all of these are in forms that are very easily computer-readable and therefore capable of complex analysis by computers. The range of tools available to law enforcement to track and link activity and database content is now vast and growing all the time. The debate is thus not about maintenance of capability but trying to determine a proper balance in new circumstances.2

In this context, the legal distinction traditionally drawn between the content of a private communication such as is exchanged during a telephone call or via e-mail and the associated traffic data is being overtaken by social, economic and technological developments. What we refer to as trafficdata has evolved and it will continue to do so. Certainly, it is no longer confined to a list of phone numbers obtained by a dial recorder or rows of text on a telephone bill.

It extends digitally to link and trace the ongoing interactions of networks of users through unique identifying device numbers vis-à-vis their location in time, their location on and along the ground, their activity and interactivity within the Internet, and their relatedness within and across communities. The resulting digital trails are routinely retained by service providers and various third parties for weeks, months or even years. These trails paint a detailed and evolving picture that reflects on who we are.

Furthermore, there are strong indications that law enforcement’s appetite for the surveillance of live telephone communications is being dwarfed by their interest in accessing the private content in the mass of digital trails created every time an individual sends a message, surfs the Internet, e-banks or simply carries a 3G enabled device.3 Computer facilitated analysis of this data canreadily reveal the interwoven layers of core biographical information that animate communications data, particularly where the scrutiny extends for a significant period of time. As recognized by the United States Court of Appeals for the District of Columbia in a Fourth Amendment GPS vehicle tracking case being heard by the U.S. Supreme Court on November 8, 2011:

  • Prolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than does any individual trip viewed in isolation. Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one’s not visiting any of these places over the course of a month. The sequence of a person’s movements can reveal still more; a single trip to a gynaecologist’s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story. A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.4

Properly supervised, surveillance powers can be invaluable to law enforcement. However, it is equally true that where individuals are subject to unwarranted suspicions, evidence is poorly handled, or erroneous conclusions are hastily drawn, the consequences for innocent individuals can be devastating. Recent national security-related investigations make this all too clear (e.g., Maher Arar).

While we continue to support the vital law enforcement interest in pursuing electronic evidence and intelligence about serious wrongdoing, we also urge the government to ensure that any search, seizure, or surveillance of personal communications be subject to the most rigorous oversight. The constitutional values at stake demand such safeguards.

On the basis of all the above, we reject the Bills’ implicit claim that the so-called non-content data elements associated with new communication devices and services are of significantly lesser constitutional significance. Safeguards comparable to those necessary to properly regulate the wiretapping of a rotary phone are required with respect to 21st century communications, including, but not limited to, rigorous prior judicial scrutiny.

2) Intrusive Proposals Require Essential Matching Legislative Safeguards

Read together, the legislative proposals substantially diminish the privacy rights of Canadians. They do so by enhancing the capacity of the state to conduct surveillance, as well as access private information, while reducing the frequency and vigour of judicial scrutiny, thus making it easier for the state to subject more individuals to surveillance and scrutiny.

Are the current processes that provide for oversight of surveillance-related powers sufficient to keep pace with the proposed expansion of state power? With the anticipated re-introduction of the Bills, Canadians are being asked to rely on oversight regimes designed decades ago to provide sufficient safeguards for the protection of our fundamental rights and freedoms today. The supervision provided by prior judicial authorization, the criminal trial process, and complaint-driven oversight under police and privacy-related statutes, while critical, are fundamentally insufficient. Let me explain.

The proposed surveillance and access regime will frequently involve complex, highly technical, and sensitive information. Moreover, where prior judicial authorization is required, the relevant surveillance and access applications are necessarily held in camera and ex parte. Where the resultant surveillance and access activities produce legal charges that lead to a criminal trial, the trials invariably have a narrow focus on the accused. National security-related investigations, which often have a much broader focus, invariably proceed in secrecy, and are rarely subject to public scrutiny. In both contexts, innocent individuals subject to surreptitious invasions of their privacy may never be in a position to learn about, let alone file for or find any redress. In addition, existing complaint regimes are limited as to their reach, powers and remedies. Any in depth public scrutiny of such matters will be the rare exception to a general rule of confidentiality and secrecy.

Furthermore, under the Bills, local, provincial, and federal law enforcement agencies will be equally empowered to use these intrusive powers in pursuit of both domestic and international investigations. Without a focused harmonizing and coordinating authority, inconsistent policies and practices are likely to develop among the various jurisdictions. Inevitably, privacy rights and civil liberties will suffer from fragmented and inconsistent protections.

Canadians have a constitutional right to be secure from unreasonable search and seizure. The expansive surveillance proposals bring this right into question. And, since the state’s authority to intrude on privacy does not come with concomitant responsibilities with respect to accountability, notification and transparency, the net negative effect on human rights is likely to be compounded over time.

To its credit, the government has responded to recent court rulings 5 by including a provision in Bill C-50 that will require that: (i) a person who has been the target of a warrantless exceptional circumstances interception must be notified of the interception within a specified period; and (ii) the relevant Minister must report publicly on police resort to such warrantless wiretaps.

At the same time, we note that these notice and reporting mechanisms are confined to providing a modest degree of notice, transparency and accountability (restricted as they are to only notifying the target of the surveillance, and confined as they are to limited numeric reporting) with respect to a single surveillance power – the power to intercept a private communication. In addition, the reporting practices of provincial and federal Attorneys General with respect to the use of these Part VI wiretap powers have varied considerably (as seen in jurisdictions where the required annual reports have sometimes not appeared until several years have passed).

In this context, we call for the government’s public commitment to the enactment of sufficient safeguards to match the array of new and existing powers.

Support for this call can be found in recent U.S. and Canadian court decisions. In a unanimous decision of September 6, 2011 requiring the U.S. Department of Justice to publicly disclose information showing the government’s use of cell phone location data in criminal prosecutions resulting in a guilty plea or a conviction, the United States Court of Appeals for the District of Columbia determined that:

  • The disclosure sought by the plaintiffs would inform … ongoing public policy discussion by shedding light on the scope and effectiveness of cell phone tracking as a law enforcement tool. It would, for example, provide information about the kinds of crimes the government uses cell phone tracking data to investigate. As the plaintiffs note, with respect to wiretapping Congress has balanced privacy interests with law enforcement needs by permitting the government to use that technique for only the more serious offenses … and the plaintiffs (and others) may decide to argue for similar legislation to govern cell phone tracking. Disclosure would also provide information regarding how often prosecutions against people who have been tracked are successful, thus shedding some light on the efficacy of the technique and whether pursuing it is worthwhile in light of the privacy implications. 6

And, as indicated above, recent rulings of the Superior Courts of Ontario and British Columbia have determined that notice and reporting safeguards are constitutionally required with respect to intrusive surveillance powers, such as the power Parliament granted peace officers in section 184.4 of the Criminal Code (a power to conduct warrantless wiretapping in certain exceptional circumstances). For example, in R. v. Six Accused Persons, the B.C. Supreme Court determined that:

  • Although the Crown submits that in most cases where … persons whose communications have been intercepted will receive de facto notification by way of the prosecution of the underlying offence, that submission fails to recognize that the communications of persons other than the alleged perpetrator may have been intercepted. It also fails to address situations where, for whatever reason, the police may have erred in their assessment of the need to intercept private communications, intercepted more communications than those to which they were lawfully entitled or over a longer period of time, or those that were intercepted under circumstances which did not result in a prosecution.

    In any or all of those circumstances, the police would be answerable to no one. Further, the fact that there is no obligation to disclose surreptitious invasions of privacy to those persons whose communications have been intercepted removes an important safeguard to the potential abuse of power that can arise without accountability.

    This case is illustrative of some of those concerns … To this day, many of the persons whose communications were intercepted by the police are unlikely to know of that invasion of their privacy. That circumstance is exacerbated by the police having engaged in the automatic monitoring of all calls to the telephones they had identified as being appropriate for interception. Any discovery by third parties of the police having intercepted their private communications would be fortuitous.

    Requirements to notify persons whose private communications have been intercepted of the fact of that interception afford an important constitutional and accountability safeguard to the potential abuse of state power in invading the privacy of its citizens.

    The interception of private communications in exigent circumstances is not like situations of hot pursuit, entry into a dwelling place to respond to a 9-1-1 call, or searches incidental to arrest when public safety is engaged. In those circumstances, the person who has been the subject of a search will immediately be aware of both the circumstances and consequences of police action. The invasion of privacy by interception of private communications will, however, be undetectable, unknown and undiscoverable by those targeted unless the state seeks to rely on the results of its intentionally secretive activities in a subsequent prosecution.

    I am accordingly satisfied that the failure of … the [Criminal Code] to provide notification of surreptitious interception of private communications to those persons whose communications are intercepted is a serious impediment to the constitutional validity of s. 184.4.
    …..
    If the intention of Parliament in requiring the provision of [public] reports [enumerating resort to surveillance powers] is to oversee the frequency and circumstances of the interception of private communications by the police, the failure to provide a similar reporting requirement under s. 184.4 of the Code removes the potential for that oversight. As with the failure to require notification of those intercepted of the fact of an interception, the lack of any reporting requirement undermines both constitutionality and police accountability. 7

Bearing all of the above in mind, and in addition to the adjustments we call for to Bills C-51 and C-52, we renew our call for the creation of an independent, arm’s-length Surveillance and Access Review Agency (SARA), with a legislative mandate to supervise state access to the highly sensitive personal information associated with digital communications and to report annually to Parliament and the public on the use of the surveillance and access powers. 8

In establishing SARA, Parliament would require law enforcement and security agencies who obtain any communication-related data from TSPs to notify all of the individuals whose personal
information is involved within one year of the information being obtained unless the individual cannot readily be identified or reasonably located, or notification would prejudice an ongoing investigation. Notification of all readily identifiable individuals would be required within five years of the information being obtained unless, on application to SARA, it is determined that the public interest in non-disclosure outweighs the right to notification.

In this context, TSPs should be required to publish annual reports on how many interception and access orders (and requests) they receive a year from which law enforcement and security agencies, in respect of how many individuals; and how many orders (and requests) result in the disclosure of personal information, and in respect of how many individuals.

In renewing the call for the creation of SARA, we acknowledge that the preparation and enactment of the necessary legislative framework will take time and that, in the meantime, the government may well decide to proceed with its plan to substantially reshape the state’s capacity to conduct surveillance. To the extent that you are not prepared to redraft the Bills to ensure that the new surveillance powers are justified and that the necessary safeguards are in place before the regime comes into force, we strongly urge you to publicly commit to enact a SARA Act in tandem with the proposed surveillance and access regime, even as you move to amend the current legislative proposals to provide additional if limited safeguards on it coming into force, as further discussed below.

3) Even with Matching Oversight, the Proposed Powers Require Adjustment

Bill C-51, the Investigative Powers for the 21st Century Act, will amend the Criminal Code, giving “peace officers” and “public officers” new avenues to obtain access to information generated electronically. As such, a wide range of officers, extending well beyond police, will be empowered to:

  • Issue preservation demands on their own say so with respect to a wide array of primarily corporate-held data in the course of investigating any offence, including on behalf of a foreign state, and impose any conditions in the demand that they consider appropriate, including conditions prohibiting the disclosure of its existence or some or all of its contents,
  • Apply for new suspicion-based preservation and production orders to preserve and gain access to information about transmission, traffic, communication, tracking, transaction and financial data,
  • Apply for new suspicion-based warrants to enable the remote live tracking of vehicles and other things,
  • Apply for belief-based warrants to enable the remote live tracking of individuals by tracking the location of cell phones or other things they usually carry or wear, and
  • Apply for non-disclosure/secrecy orders with respect to all of the above.

It is our view that, as a general rule, law enforcement access to data, particularly communications-related data, as well as the new tracking powers, should be subject to prior judicial scrutiny, limited to the investigation of serious crime, generally subject to higher belief rather than suspicion-based thresholds, and come with additional oversight and accountability-related safeguards.

In this context, I note that an August 22, 2011 U.S. District Court decision invites us to raise the question as to the constitutionality of the proposed suspicion-based, as well as belief-based, production order making powers. 9 In this case, the U.S. government had asked the Court for “orders directing Verizon Wireless, a cell-phone service provider, to disclose recorded information of cell-site-location records for one of its customers pursuant … to the Stored Communications Act or ‘SCA’).” The proposed order sought stored, historical cell-site-location records tied to a period in excess of 113 days. On its face, the SCA provides that such an order “may be issued by … a court of competent jurisdiction … only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.” (Emphasis added.) The Court determined that “the Fourth Amendment to the United States Constitution requires a warrant and a showing of probable cause before the Government may obtain the cell-site-location records requested here.”

As the Court clearly understood, the problem with these kinds of production orders is their implication for the privacy of society at large and, in my view, the concerns expressed by the Court with respect to Americans apply equally with respect to Canadians:

  • The vast majority of Americans own cell phones. Many Americans have abandoned land line phones entirely, and use cell phones for all telephonic communications. Typically people carry these phones at all times: at work, in the car, during travel, and at home. For many Americans, there is no time in the day when they are more than a few feet away from their cell phones.

    Cell phones work by communicating with cell-sites operated by cell-phone service providers. Each cell-site operates at a certain location and covers a certain range of distance. The number of cell-sites that must be placed within a particular area, and thus the distance between cell-sites, is determined by several factors, including population density.

    If a user’s cell phone has communicated with a particular cell-site, this strongly suggests that the user has physically been within the particular cell-site’s geographical range. By technical and practical necessity, cell-phone service providers keep historical records of which cell-sites each of their users’ cell phones have communicated.
    The implication of these facts is that cellular service providers have records of the geographic location of almost every American at almost every time of day and night. And under current statutes and law enforcement practices, these records can be obtained without a search warrant and its requisite showing of probable cause.

    What does this mean for ordinary Americans? That at all times, our physical movements are being monitored and recorded, and once the Government can make a showing of less-than-probable-cause, it may obtain these records of our movements, study the map our lives, and learn the many things we reveal about ourselves through our physical presence.

In the same vein, in the Maynard case now pending before the U.S. Supreme Court, the reasoning of the United States Court of Appeals for the District of Columbia provokes questions as to the constitutionality of the proposed suspicion-based, as well as belief-based, tracking warrants. As the Appeal Court found in Maynard, “prolonged GPS monitoring [of a person’s vehicle travelling on public roads] defeats an expectation of privacy that our society recognizes as reasonable” and must comply with Fourth Amendment standards.

The Court’s holding was echoed as recently as September 21, 2011 in a report issued by the Liberty and Security Committee of the U.S. Constitution Project. This bi-partisan committee, whose members include two former members of Congress, former FBI director William Sessions, a former U.S. Court of Appeals judge and a former chair of the American Conservative Union, concludes that “when powerful tracking technologies to conduct pervasive surveillance are paired with [a computer’s] analytic capability and a digital database, such monitoring can violate an individual’s reasonable expectation of privacy even in a public place.”

The Committee recommends that, if the U.S. Supreme Court does not adopt the proper approach in the Maynard case, Congress should do so by enacting legislation requiring court warrants for any location tracking lasting more than 24 hours.10

Consistent with these developments, in my view, it is essential that more stringent conditions precedent be enacted in relation to the proposed surveillance and access powers. The use of production orders and tracking warrants should be confined to investigations in respect of the list of serious offences in section 183 of the Criminal Code. Before issuing such orders or warrants, a superior court judge ought to be satisfied that:

  • There are reasonable and probable grounds to believe that an offence under section 183 of the Criminal Code has been or is being committed,
  • Other less intrusive investigative methods are likely to prove impracticable,
  • Measures will be taken to safeguard the privacy of the personal information obtained, particularly of non-suspects, and
  • The intrusion is otherwise in the best interests of the administration of justice.

As indicated, Bill C-51 also proposes to create a new set of powers that police could invoke to require data managers to locate and hold personal information in documents or databanks. Government has argued that these preservation powers are necessary to support the production order powers discussed above. In our view, any power to issue a preservation demand or order should be confined to the same list of serious offences in section 183 of the Criminal Code.

In addition, in order to address the risk to accountability that non-disclosure or secrecy orders entail, we recommend that all those whose personal information is obtained under a surveillance and access regime should be entitled to notification at the appropriate time. And, in accord with our SARA-related recommendations, state use of these powers and access to this personal information should be superintended and reviewed by an independent agency.

It is also noteworthy that in introducing sections 487.0195(1) and (2) to the Criminal Code, Bill C-51 provides broad immunity from “any criminal or civil liability” to any person who voluntarily preserves data or provides a document to an officer. The person is no longer required to show that he or she acted on reasonable grounds per the operation of what is now section 487.014 with section 25 of the Criminal Code. The person need only show that his or her cooperation was not “prohibited by law.” In our view, individuals and entities responsible for safeguarding personal information of members of the public must act reasonably before they should be entitled to such immunity. A reasonableness standard provides volunteers with significant protection while helping to rule out the possibility that, for example, malicious or incompetent decision makers will enjoy undeserved immunity.

Accordingly, section 487.0195(2) should be amended to provide that:

  • A person who preserves data or provides a document in the circumstances described in subsection (1) does not incur any criminal or civil liability for doing so if he or she acted reasonably in the circumstances.

Bill C-50, the Improving Access to Investigative Tools for Serious Crimes Act, will amend the Criminal Code, first by providing that if a wiretap authorization is granted under Part VI, the judge may at the same time issue one or more Bill C-51-related warrants or orders that relate to the investigation in respect of which the wiretap authorization is given. That is, in obtaining a wiretap warrant, police may also contemporaneously obtain companion production orders and tracking warrants, all from a single judge. Rules respecting secrecy and confidentiality that apply in respect of a wiretap authorization will also apply in respect of a request for a related warrant or order. In addition, the Bill will permit a peace officer or a public officer to install and make use of a number recorder without a warrant in exigent circumstances. The Bill will also extend to one year the maximum period of validity of a warrant for a tracking device and a number recorder if the warrant is issued in respect of a terrorism offence or an offence relating to a criminal organization (the maximum is now 60 days).
The critical development brought forward in Bill C-50 is that the efficiencies it may purchase in streamlining the conduct of judicially authorized state surveillance and access may come at some cost to the rigour of prior judicial scrutiny. In some cases, a single judge hearing a multitude of inter-related applications may be better informed about the extent of the overarching surveillance employed. At the same time, the demands on judges are likely to grow. In the context of what are necessarily ex parte and in camera proceedings, there will be an increased risk that a greater degree of intrusive surveillance and access will be granted in cases where it is not warranted. While we do not oppose Bill C-50 per se, its enactment will likely intensify the effect of the new surveillance regime. Such intensification increases the need for the adoption of matching safeguards under a SARA Act.

4) Surveillance Must Not Undercut the Future of Freedom, Innovation and Privacy

In addition to the controversial plan to provide law enforcement with warrantless access to subscriber information (discussed in section 5 below), the Electronic Communications Act sets in motion a fundamental change to the way communication services are regulated. It does so by entrenching the power of security officials to require TSPs to:

  • Build in and continuously maintain a wide array of yet to be specified interception capabilities into all their networks, systems and software for the purpose of allowing authorized agencies to intercept, isolate and accurately correlate multiple communications per court orders,
  • Notify law enforcement and CSIS officials regarding changes to state provided equipment or systems where those changes are likely to reduce interception capability;
  • Assist designated persons who will have warrantless access to TSP facilities, systems, documents and information to test, inspect, and access TSP facilities, services and systems for regulatory purposes,
  • Provide prescribed specialized telecommunications support to CSIS and law enforcement agencies,
  • Submit lists of TSP personnel to CSIS and/or the RCMP for the purposes of conducting security assessments of employees who may assist in the interception of communications, and
  • Comply with prescribed confidentiality and security measures. 11

The Electronic Communications Act will also establish numerous offences and violations and subject TSPs, their officers, directors, and employees to prosecution and fines for failing to comply with obligations, including those relating to systems requirements.

Each additional day in breach of the statute will add to the count of violations and increase the exposure of TSPs, their officers, directors, and employees to fines of up to $50,000 per offence for an individual and $250,000 for a corporation. The Electronic Communications Act will allow the state to seek a court injunction ordering a TSP to cease operating a transmission apparatus, or to refrain from acquiring, installing or operating new software, if the TSP is contravening or likely to contravene interception requirements.

It is also noteworthy that the Electronic Communications Act does not address the financial and commercial implications of these proposals, either to businesses, consumers, or taxpayers. It only authorizes the payment of some monies to compensate TSPs in relation to: (i) compliance with a Ministerial order to provide interception capabilities additional to those prescribed; (ii) the provision of subscriber information; and (iii) the provision of certain specialized telecommunications support. Reports about the cost of related proposals in the U.S. and the U.K. warrant careful consideration in Canada.

In October of 2010, it was reported that, in response to the Obama administration’s intention to submit comparable surveillance legislation, American TSPs are “likely to object to increased government intervention in the design or launch of services. Such a change … could have major repercussions for industry innovation, costs and competitiveness.”12

In the U.K., a related though more intrusive data retention and “Interception Modernization Program” was being considered until it was abandoned by the British government in late 2009 because of concerns about cost, controversy and feasibility. Prior to this, it was reported that development costs will be high (2 to 13 billion pounds). “The bulk of the costs will be incurred by [TSPs]. The most ignored cost comes in the form of opportunity costs as engineers will be tasked to develop this [surveillance] solution instead of developing their core business, i.e. new ways to enhance the networks for advancing consumer and business interests.”13

None of these immediate financial costs would necessarily translate into privacy issues per se if it were not for the fact that the Electronic Communications Act risks causing additional marketplace distortions by effectively prohibiting the use and development of any systems or software that might impair a TSP’s capacity to facilitate simultaneous multiple intercepts. While the goal of facilitating compliance with court ordered surveillance is valid, there is a significant risk that in implementing this legislation, the authorities will impede the development and use of new communications technologies and services, particularly, for example, privacy enhancing technologies and services such as those that provide for encryption.

In this regard, the Electronic Communications Act requires that a TSP must “use the means in its control” to provide an intercepted communication “in the same form as it was before the communication was treated by the service provider” by way of encoding, compression, or encryption. A TSP is not required to make the form of an intercepted communication the same as it was before the communication was treated if it would be required to develop or acquire new decryption techniques or tools. The legislation appears to allow companies like Research in Motion to continue to provide existing encryption protected communication services. It remains to be seen what the future holds for new companies and new strong encryption techniques and services in the field of communications. For example, there is a risk that the Electronic Communications Act will set the stage for rules requiring back-door state access to encryption services.

It is evident that many of the critical details flowing from the Electronic Communications Act will be left to policies, procedures, regulations and evolving relationships between TSPs and the state. In passing so many significant public policy decisions on to security-oriented officials, Parliamentarians and the public risk being left out of the decision-making process and Canadians risk seeing TSPs transformed into agents of the state. This represents a significant and needless risk to a free and open society.

We only have to look to recent U.S. history to consider the implications. Many will now be familiar with reports of the secretive and controversial assistance that major telecommunications carriers provided the National Security Agency in the conduct of warrantless eavesdropping on international calls by suspected terrorists after 9/11. As recognized by U.S. courts, such surveillance has the potential to expose “journalistic sources, witnesses, experts, foreign government officials, and victims of human rights abuses located outside the United States” to “violence and retaliation by their own governments, non-state actors, and the U.S. government.” 14

While the Electronic Communications Act will be subject to a form of Parliamentary review five years out, in the meantime, if passed, it will substantially alter the design and operation of communication systems, the role and function of TSPs, their ability to be transparent, and the relationship between citizens, TSPs and the state.

A comprehensive and public cost benefit analysis should precede rather than follow the making of so many significant public policy decisions. Before imposing the kind of interception capacity regime the Electronic Communications Act would impose on TSPs, Parliament should ensure that such a capacity regime will be proportionate and designed to ensure not only appropriate surveillance capacity but also necessary competiveness and privacy.

It follows that the Parliamentary committee eventually mandated to consider the kinds of proposals in the Electronic Communications Act should be adequately resourced to ensure that civil society, as well as industry, has a full opportunity to provide substantial input.

In addition, the Electronic Communications Act should be amended to require that all interception-related capacity requirements be publicly vetted for their impact on privacy and competiveness before they are imposed (in the future, SARA should have a role to play in reporting on the impact of capacity-related requirements). Such requirements should be provided for in the form of draft regulations which would only come into force after a vote by Parliament to approve them as a whole.

5) Warrantless Access to Subscriber Information Must Be Withdrawn

In addition to providing the state with substantial control over the design and operation of TSP systems, the Electronic Communications Act will also provide law enforcement and CSIS officials with warrantless access to subscriber information for the purposes of performing any of their duties or functions. Subscriber information includes a named individual’s IP address or mobile ID number, or the name and contact information of a subscriber associated with an IP address or mobile ID number.

The Electronic Communications Act provides for attenuated post facto review of warrantless access to subscriber information. In doing so, it relies on provincial and territorial privacy commissioners to: (i) conduct audits to assess local and provincial police compliance with provisions of the statute empowering the collection and use of subscriber information; and (ii) review police reports generated to the extent that police decide that something has occurred with respect to their own exercise of these access powers that, in their opinion, ought to be brought to the attention of the responsible provincial minister (in Ontario, the attorney general).

Under section 20(6) of the legislation, the Privacy Commissioner of Canada must provide Parliament with an annual report identifying the provincial and territorial privacy commissioners who may receive any such opinion-based reports and the powers that they have to conduct section 20 compliance audits.

Like a number of other provincial and territorial privacy commissioners, I lack the necessary powers. In particular, under Ontario’s privacy statutes, I do not have any audit powers. Even those privacy commissioners with sufficient powers are likely to need additional resources in order to adequately perform the legislative duties imposed under section 20 of the Electronic Communications Act.

In a letter of March 9, 2011 signed by all the federal, provincial and territorial privacy commissioners, we joined our colleagues in calling on the federal government to commit to working with provincial and territorial governments to ensure that all of our offices have sufficient powers and resources should the Electronic Communications Act be enacted. It does not appear that any such commitment has been forthcoming.

Quite apart from the constitutional issues raised by the enactment of a regime of warrantless access, it is noteworthy that in some circumstances, aspects of post facto oversight of communications-related surveillance powers have been found by Superior Courts to be constitutionally required (see, for example R. v. Six Accused Persons, [2008] B.C.J. No. 293 and R. v. Riley, [2008] O.J. No. 2887). In the absence of the necessary provincial and territorial powers and resources, the Electronic Communications Act’s reliance on provincial and territorial privacy commissioners is untenable. In addition, the audit duties to be imposed on provincial and territorial privacy commissioners under section 20 may raise division of powers problems.
It remains our view that the Electronic Communications Act should be amended to require that provisions setting out TSP obligations concerning “subscriber information” should be deleted and replaced with a court supervised regime.

“Subscriber information” is personal information. To date, all individual customers enjoy the legal right to insist that, subject to narrowly defined exceptions, their subscriber information remains private and confidential. The law currently provides for warrant procedures, expedited tele-warrants, and an organization’s special exercise of discretion to disclose personal information to law enforcement without an individual’s consent, for example, in aid of an Internet-related child pornography investigation, or in comparable exigent-like circumstances. Granting law enforcement and intelligence officials an almost unfettered power to issue their own administrative “warrants” for the purposes of performing any of their duties or functions is a substantial departure from the legal and constitutional framework in Canada. Such a departure requires extraordinary justification and a substantial framework for accountability.

Consistent with our earlier comments, law enforcement and security agency access to informationlinkingsubscribers to devices (and vice versa) should generally be subject to prior judicial scrutiny accompanied by the appropriate checks and balances. Before issuing an order requiring the disclosure of subscriber information, a judge ought to be satisfied that:

  • There are reasonable and probable grounds to believe that an offence under section 183 of the Criminal Code has been or is being committed,
  • Measures will be taken to safeguard the privacy of the personal information obtained, particularly of any non-suspects, and
  • The intrusion is otherwise in the best interests of the administration of justice.

In the alternative, if Parliament is determined to allow warrantless access to subscriber information, the legislative safeguards in section 20 of the Electronic Communications Act should be strengthened so that they provide a much greater degree of post facto oversight. In particular:

  • The power to demand warrantless access to subscriber information should be narrowed to only apply in circumstances where access is necessary to the investigation of a specific and defined category of serious crime, for example, sexual offences involving children and minors, or to prevent or eliminate a significant and imminent risk of serious bodily harm.
  • The “consistent use” limitation regarding subscriber information collected by law enforcement and security agencies should be strengthened. A use should only be considered as consistent if a reasonable person might reasonably have expected such a use.
  • Law enforcement and security agencies should be required to securely destroy information that is provided in response to a subscriber information request one year after the individual has been notified of its collection, or once retention of the information is no longer necessary for the purpose for which the information was obtained, or for a use consistent with that purpose, whichever is later.
  • The requirement that law enforcement and security agencies must report to attorneys general and privacy commissioners should be strengthened. Agencies should be expressly required to report any collection, use or retention practices that do not appear to be necessary and proportionate in relation to the duty or function for which they were originally obtained.
  • In reporting to Parliament on the adequacy of audit and investigation powers available to provincial and territorial privacy commissioners, the Privacy Commissioner should also report on whether those commissioners consider themselves to have adequate resources to conduct the necessary audits and reviews.
  • If, after consulting with a provincial or territorial commissioner, the Privacy Commissioner reports that her colleague does not have substantially similar powers, the subscriber information powers available to police services within that jurisdiction should automatically lapse until the Privacy Commissioner reports back that the provincial or territorial commissioner has been provided with those powers.

To the extent that Parliament chooses to rely on provincial and territorial privacy commissioners to perform post facto review of warrantless access to subscriber information, it follows that the federal government must commit to working with provincial and territorial governments to ensure that all of the relevant privacy commissioners have sufficient powers and resources. In this regard, please note that I have written two letters to Ontario’s Attorney General, asking that the Ontario government play its part in these important law reform and oversight-related issues. Copies of those letters are attached.

Conclusion

The surveillance regime being put forward is aimed at capturing the full range of content, communication and traffic data associated with digital communications. As communication services continue to evolve, thelegislation will empower the state to develop, update and enforce regulations directly aimed at shaping the technological capacities of telecommunication services so as to ensure that Web 2.0, 3.0 etc. communications can be readily intercepted, isolated and accurately correlated. In this context, it is reasonable to foresee that it will be much easier for the state to subject more individuals, including innocent individuals, to unwanted surveillance and scrutiny.

This debate is not about maintaining the state’s surveillance capabilities, but trying to determine the proper balance in the evolving information age. In the face of so many significant changes, with so much at stake, and with so much left to regulation and implementation by policy, we are concerned that the public, Parliament and industry will be hard pressed to keep abreast of the technological challenges, the financial costs, and the invasiveness of an expanding surveillance regime. It is essential that Parliament and the public be well informed on technological, legal, regulatory and financial issues. The implications for privacy and other human rights must also be fully addressed, by providing for the necessary transparency, accountability and oversight. No less than the future of privacy – the future of freedom, is at stake.

Yours sincerely,

.

Ann Cavoukian, Ph.D.
Commissioner

Enclosures (2)

c: The Honourable John Gerretsen, Attorney General of Ontario
William Baker, Deputy Minister, Public Safety Canada
Myles Kirvan, Deputy Minister of Justice & Deputy Attorney General of Canada
Murray Segal, Deputy Attorney General of Ontario

2 London School of Economics, Briefing on the Interception Modernisation Programme, June 2009, p. 6.

3 See “The Law Enforcement Surveillance Reporting Gap” by Christopher Soghoian , Indiana University Bloomington - Center for Applied Cybersecurity Research, April 10, 2011.

4 United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), cert. granted, United States v. Jones, 2011 WL 1456728 (June 27, 2011), U.S.S.C. Docket No. 10-1259.

5 See R. v. Six Accused Persons, [2008] B.C.J. No. 293 (S.C.) and R. v. Riley, [2008] O.J. No. 2887 (S.C.J).

6 American Civil Liberties Union v. United States, United States Court of Appeals for the District of Columbia Circuit, September 6, 2011, No. 10-5159.

7 R. v. Six Accused Persons, [2008] B.C.J. No. 293 (S.C.)

8 For more information about the functions and duties we propose for SARA, please see our April 21, 2005 letter to the then Minister of Justice and Attorney General of Canada.

9 In the matter of an application of the United States of America for an Order authorizing the release of historical cell-site information No. 10-MC-897, United States District Court, E.D. New York (August 22, 2011).

10 See the Liberty and Security Committee September 21st, 2011 Statement on Location Tracking at http://www.constitutionproject.org/pdf/LocationTrackingReport.pdf.

11 Note that, to date, security officials have been able to impose a similar framework largely outside Parliamentary scrutiny through, for example, the Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications, and Conditions of Licence for New Cellular and PCS Licences issued by the Minister of Industry under the Radiocommunication Act (see http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf09251.html).

12 “Officials Push to Bolster Law on Wiretapping”, Charlie Savage, New York Times, October 18, 2010.

13 London School of Economics, Briefing on the Interception Modernisation Programme, June 2009, p. 44-45.

14 Amnesty Int’l USA et al. v. Clapper et al., United States Court of Appeals for the Second Circuit, September 21st, 2011, 09-4112-cv, at pages 8-9 of Circuit Judge Lynch’s decision, quoting from Amnesty Int’l USA v. Clapper, 638 F.3d 118 (2d Cir. 2011).