There are many, many problems with the warrantless access to customer data in Bill C-30, known as the lawful access bill. The main problem pointed to by the proponents of the Bill is that it takes too long to get a warrant that requires an internet service provider to hand over customer name and address information that corresponds with an IP address. If that is really the problem they are trying to address, it would be best to address it by making the warrant-seeking process more efficient and limit warrantless requests to circumstances where there is a real emergency.
Since the government has suggested it is open to amending the Bill, it doesn’t sound like they are amenable to throwing it out and fixing the warrant process. In hopes of adding to the discussion on what’s wrong with the Bill and how it can be fixed, below I’ve set out some of the major problems and how they can be fixed in a way that restores the protection of privacy while permitting law enforcement to investigate serious crimes.
I don’t expect these are the only solutions, but will hopefully start a discussion on how to fix lawful access.
- There is no limitation on the circumstances under what these powers can be used.
Problem: As drafted, there is no limitation under which these powers can be used. They can be used for child exploitation investigations or serious crime, but can also be used without any justification or to reunite someone with their lost iPhone.
Solution: Limit the use of these powers to (a) the investigation of serious crimes only under the Criminal Code, the Narcotics Control Act, the Canadian Security Intelligence Service Act and the National Defence Act where there are reasonable and probable grounds to believe that the information is necessary for the investigation of a crime that has occurred or is likely to occur, or (b) where the subscriber about whom the information relates is reasonably believed to be a victim of the crime or whose life or safety is in imminent jeopardy, and the victim’s identity is unknown.
(If lost iPhones are a serious problem that require police intervention, require the police to hand them them to the telco and require the telcos to reunite them with their heartbroken owners.)
- There is no accountability to the justice system.
Problem: The requesting officer is not required to justify the request and to be accountable to the wider justice system. Under a warrants-based system, an affidavit is required and it needs to be filed with the courts.
Solution: Require that the requesting officer swear an affidavit, under oath, articulating the circumstances described above and the basis for this belief. The affidavit shall be filed with the superior court of the relevant jurisdiction. This affidavit can be filed after the fact in exigent circumstances. This affidavit should be counter-signed by an officer of superior rank to the requesting officer or a senior crown attorney, who will also swear that she is of the view that the facts set out by the officer form the basis for a lawful request.
- There is no accountability to the individual if charges do not result.
Problem: The individual whose information is sought will likely never know that this information was sought and obtained unless it comes out in open court after charges have been laid. In the current draft C-30, there is actually a gag order that prevents the ISP from telling the individual even if asked.
Solution: The affidavit referred to above shall be provided to the individual whose information is sought within six months unless a judge agrees, based on affidavit evidence provided by the relevant law enforcement officer, that doing so would be harmful to an ongoing criminal or national security investigation. An individual whose information is wrongfully sought or obtained should have a private right of action against the officer and the officer’s employer if there were not reasonable grounds to seek the information.
- There is no accountability to the public at large.
Problem: The Bill, as currently drafted, doesn’t give the public at large any understanding of how the intrusive powers are used and under what circumstances.
Solution: The Minister of Justice or the Minister of Public Safety shall table an annual report before Parliament setting out the number of such requests, including the requesting police agency, the criminal code section or other violation being investigated, whether charges were laid against the individual and whether a conviction resulted. This is in addition to the ability of the federal and provincial privacy commissioners to audit the practices of the agencies within their jurisdiction, except that summary results of their audits shall be tabled in Parliament annually. (Additional funding to each privacy commissioner should be provided to defray the costs of such audits.)
I'd be happy to hear any other proposed solutions ...