Tuesday, September 18, 2012

Guest post: A police officer's take on informational privacy and the police in the digital age

Warren Bulmer is a detective constable with the Toronto Police and an instructor on Computer and Technology Facilitated Crime for the Toronto Police College. Recently, Warren has written comments on some of the posts about lawful access on this blog that show a perspective on the issue that differs from what I usually write. I invited Warren to write a guest post as it would be helpful for readers of this blog and those interested in the lawful access debate to hear things from his perspective.


Informational Privacy and the Police in the Digital Age

Background

In the past 12 months there has been much attention paid to the issue of “lawful access” and what information police can obtain about your digital trail.  Unfortunately, many of those who write online posts, blogs and communications seem to misunderstand or in some cases grossly mischaracterize such issues.  

Let’s leave aside for a moment, the issues of Internet users who post public information to social networks without any privacy settings.  The reason; the police and any other citizen can access that information and use it for any purpose thereby making any subsequent claim to an expectation of privacy, absurd.  Having said that, one must understand that if the police intend on using that information in a criminal prosecution, they must account for how it was obtained and for their authority to obtain it.

The police have many authorities that govern how they obtain information, which can be with or without a search warrant.  The most common authorities come from Statutes both Federal, like the Criminal Code and Provincial, like the Highway Traffic Act.  Police are also governed by common law, which is derived from the decisions made at various levels of Canadian courts.

The Charter of Rights and Freedoms Section 8 protects citizens against “unreasonable search and seizure” and the key term is “unreasonable”.  In a Supreme Court of Canada decision Hunter v. Southam, [1984] 2 S.C.R. 145 the court outlined that a search (by the State) without prior judicial authorization (i.e. a warrant) is presumed to be unreasonable.  The State has to justify or explain why a search is reasonable if they didn’t have a warrant.  There are also six exceptions written into law where the police are exempt from having to obtain a warrant.  They are consent, abandonment, incident to arrest, investigative detention, exigent circumstances and plain view.  

Informational Privacy

We are all given a name at birth.  Our name identifies us and distinguishes us from each other.  We provide our name to others to connect and address one another.  We have all given our name in various contexts hundreds if not thousands of times and it is safe to say that it is the purpose for our name.  Many of us wear our names on ID cards as we walk around in the public domain yet somehow it is expected that when we use the Internet our name becomes this secret entity hidden behind screens and wires.  

The Internet encourages people to believe that they are completely anonymous online however; when carefully deconstructed one can see that technology has made us more vulnerable than ever.  Every device we use creates a digital record, every time we go to the mall we are captured on dozens of high definition security cameras, and when we use an ATM the entire transaction is captured.  When you use the Internet there can be a digital trail that when followed could lead back to you.

As an Internet user you require an Internet Service Provider or Telecommunications company to facilitate that access.  ISPs are private companies like Bell Canada, or Rogers Communications and their business model requires the ability to maintain customer databases for their Internet subscribers for the purposes of billing.  These databases contain information such as your name, address, phone number, email address and credit card or banking information.  The ISPs are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) which legislates the collection, use and disclosure of your personal information by private companies. The Police have no authority to search under PIPEDA.

The ISP provides the mechanism to connect to the Internet by assigning a user an Internet Protocol (IP) address.  This unique number is assigned to the customer (subscriber) and is logged with a date and time reference as to when it was used and by whom.  This is the central issue in the whole “lawful access” debate.  

Your name, which is generally not entitled to Charter protection, is now attached to an IP address which proponents argue means that it should attract Section 8 protection. Their argument is basically derived from the belief that if the police have your name associated to an IP address, they therefore can construct a complete picture of your “electronic trails” on the Internet.  This concept is not technically possible despite the so-called “wishes” of the police.  One of many parameters is that IP addresses are dynamic and constantly change between customers.  A computer must be physically examined to learn of those electronic trails or traces.

PIPEDA supports the notion that an ISP may voluntarily provide police with customer name and address information when asked without the knowledge or consent of the customer.  These provisions are provided for in 7(3) of the Act.  If the ISP does not decide to disclose the information which by the way is only a name, address and email address then the police would have to seek judicial authorization to obtain it.  For example, in child exploitation cases many ISPs will voluntary disclose the names and addresses of customers who may be involved in offences involving child pornography or child luring.  In fraud cases for example, ISPs have refused to voluntarily provide this information and directed police to obtain a court order for it.  In this circumstance, the information remains the same and all that is accomplished is the police, the victim and the justice system as a whole, suffer unnecessary delay.

PIPEDA does not grant the police any powers or authority and neither does the newly proposed lawful access Bill C-30 (Preventing Criminal Electronic Communications Act).  Equally however; PIPEDA also does not grant citizens an extraordinary Section 8 Charter protection. The crux of this debate is the misrepresentation of “personal information”.  Section 2 of PIPEDA defines personal information as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization”.  Section 3 of PIPEDA is the stated purpose of the Act: “The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Herein lays the fundamental flaw in the argument that customer names subscribed to an Internet Service attract Section 8 protection. The definition provided in PIPEDA of “personal information” is completely different than the constitutional definition provided for in Section 8 of the Charter.   In 1993, the Supreme Court of Canada determined what information is subject to Section 8 protection in a case called Plant (R. v. Plant, 1993 CanLII 70 (SCC), [1993] 3 SCR 281) stating the following: “In fostering the underlying values of dignity, integrity and autonomy, it is fitting that s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. This would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual.”  

It becomes clear then that PIPEDA cannot be used to solely determine if there was a valid breach under Section 8 of the Charter.  It requires an analysis in the totality of the circumstances.  This approach was confirmed by the Nova Scotia Court of Appeal in Chehil (R. v. Chehil, 2009 NSCA 111).  The Supreme Court provided the same criteria back in 1996 in Edwards (R. v. Edwards, [1996] 1 SCR 128) using a list of factors to potentially be considered in evaluating but not limiting the totality approach.  They can be found at paragraph 45 of the judgement.

The police don’t seek customer names or IP address subscribers under PIPEDA.  Their authority to ask for the information voluntarily comes from Section 487.014(1) of the Criminal Code which makes it clear that production orders (prior judicial authorization) are not necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament from asking a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

 In 2004, the Supreme Court of Canada stated in Tessling (R. v. Tessling, [2004] 3 S.C.R. 432) at paragraph 26, “Nevertheless, Plant clearly establishes that not all information an individual may wish to keep confidential necessarily enjoys s. 8 protection”.  

Section 8 of the Charter does cover Informational Privacy and when assessing the facts on each case the Courts have evaluated a number of factors.  Included in these decisions is the relationship between the ISP and the customer usually disclosed in the form of a contract.  Most ISP have conditions or terms of use that a customer must agree to in order to use the Service.  These terms are typically phrased similarly to: “The client is warned that they must not use the service in a manner contrary to an applicable law” or “the client “agrees” that the named ISP has the right to monitor or investigate the use by the client of the network and to disclose any information necessary to satisfy any laws … or other governmental request … as necessary”.  These contractual terms fall under the analysis of the totality of circumstances when evaluating an objective or subjective expectation of privacy enjoyed by the customer.  

The argument over whether or not a name and address associated to an IP address deserves Section 8 protection is not a new one.  In fact, to the contrary, it has been litigated in numerous cases across Canada.  Here are just some of those case citations where no expectation of privacy was found in a name and address of an individual:

R. v. Wilson, [2009] O.J. No. 1067 (S.C.)

R. v. Ward, [2008] O.J. No. 3116 (C.J.)

R. v. Friers, [2009] O.J. No. 5646 (C.J.)

R. v. Trapp, [2009] S.J. No. 32 (Prov. Ct.)

R. v. Vasic, [2009] O.J. No. 685 (S.C.)

R. v. Spencer, [2009] SKQB No. 31

R. v. Ewanshyn, [2009] unreported AltaCA

R. v. Brown, [2000] O.J. No. 1177 (S.C.)

R. v. Lillico (1994), 92 C.C.C. (3d) 90 (Ont. C.A.)

R. v. McNeice, [2010] B.C.J. No. 2131 (B.C.S.C.)

R v. McGarvie, 2009 CarswellOnt 500 (Ct. Jus.)

To be fair, many of these cases relied heavily on the contractual terms and agreements between the customer and their ISP but some did find no expectation of privacy regardless of those terms.   There are a few decisions in the lower level courts that did rule in favour of a Section 8 protection of CNA such as Kwok (R. v. Kwok, [2008] O.J. No. 2414 (C.J.) but there was no information about the contractual relationship entered into evidence.  So it is not that we keep score but it is fair to say that there is a significant amount of cases that after careful judicial analysis, declare there is no constitutional protection afforded to a person’s name.  To argue differently implies there has been a large number of trial Judges who got it wrong.  

To put things into context on informational privacy, the police do not need a warrant to type the licence plate of a car into their computer system to learn the name and address of the registered owner.  The police do not need a warrant to get the registered name and address of a cellular or residential phone number.  Many of these items of personal description do not meet the threshold of a subjective expectation of privacy due to the lack of an objective reasonableness in that belief.  We are talking about one of the least intrusive searches the police can engage in.  There is no physical search by police through the Bell Canada servers and despite what you have heard no spying of a person’s Internet browsing.  

Reality Check

According to 2011 Internet Statistics, there were over 3.1 billion email accounts globally.  Does anyone realistically think the police have the time or resources to sneak a peek or read the trillions of messages exchanged?  There are over 17 million Canadians on Facebook each with an average friend’s list of 150 friends.  In 2010, there were 25 billion tweets sent out on Twitter.  In February 2012, police announced the take down of 60 individuals involved in child pornography offences and revealed that the overall investigation involved 9000 IP addresses and several hundred suspects who will go unprosecuted.

In all of these electronic “cybernetic peregrinations” to quote the Supreme Court of Canada in Morelli (R. v. Morelli, 2010 SCC 8) the police have to obtain IP logs and customers associated to this data if commencing a criminal investigation in relation to them.  When police require this information and it is not voluntarily supplied by the ISP for whatever reason they have to seek a court order called a Production Order.   Section 487.012 of the Criminal Code is the authority police have to do this.  Most companies require a minimum of 30 days to comply with this order.  If it is an emergency, that being imminent losses of life or grievous bodily harm, most ISPs have an emergency form that the police can use.  The determination of what constitutes an emergency is not necessary made by the police but the ISP ultimately.  It still reverts back to what was written earlier, the police can ask and the ISP can say “yes or no”.  

A great example of this impasse is the recent situation in New York.  The NYPD had information a person was going to attend a Mike Tyson show at a particular theatre and commit mass murder.  He posted it on Twitter and when the NYPD served Twitter with an emergency request to identify this person, Twitter refused and stated it wasn’t a bonafide emergency.   Twitter forced the NYPD to obtain a court order which took valuable time and resources.  Read more about this case here.  What’s troubling is Twitter’s position in light of the fact it occurred shortly after the 2 mass shooting sprees in Colorado and Wisconsin.  Had the suspect actually shown up at the theatre and shot people before police could have arrested him, who would have taken the brunt of the blame? The police?  I am curious to know what the people attending the theatre show that night thought.  I mean the police took the threat seriously what more could they have done?  Where is the public bashing for Twitter?  

Lawful Access

The proposed Bill C-30 by the Federal Government announced in February this year is an attempt to alleviate some of these concerns.  In the above scenario, if in Canada, Twitter would have no choice but to provide the name.  The proposed Bill would change the voluntary discretion of an ISP to provide a name and address to the Police, by making it mandatory.  (Section 16(1) of the Investigating and Preventing Criminal Electronic Communications Act).

The Bill is certainly not without its flaws, but no piece of legislation is perfect.  What’s important is that public safety and the pursuit of criminals is paramount and the legislation or something like it is necessary to achieve these basic police functions.  The justice system cannot continue to stall for 30, 60 or 90 days because a private company determines how the police are to conduct a criminal investigation.  The criteria the police require to ask for the information remains the same as it is now.  It remains a lawful request, which the police are accountable for and will be scrutinized if they abuse this authority.  Their authority also remains unchanged in that the request has to be based on their existing mandates and authorities.  The Bill does not guarantee against an abuse of process or investigative errors but neither does the system we have now.

On a positive note the Bill mandates tracking, recording and other administrative oversights of the police use of lawful requests.  This is not currently done or even mandated under PIPEDA.  The police and the public have no idea of knowing how many times we have asked for someone’s information because we aren’t keeping track.  This is unacceptable the police should be accountable for such requests and the public should be able to demand through the freedom of information process how often the police make these types of requests.  The public may not be able to learn the details for each one because of confidentiality, ongoing investigations or a court ordered prohibition but at the very least the public should know how often these requests are made.

Wrap up

I share the same concerns as many people about how the Internet, particularly social networks, is creating a database of epic proportions.  But in fairness, as a user, are you not responsible for the content you choose to share?  I would be more worried about what the Facebook’s, the Google’s and the Apple’s of the world are collecting about me than the police.  If you are a law-abiding citizen and don’t use the Internet to facilitate, perpetrate or associate with criminal activity than you don’t really exist for the police.  

There are times when victims are caught up in these situations where their Internet activity becomes a relevant issue but overall “Joe-q-public” has nothing to fear.  If you are a criminal and you choose to involve the Internet in your life, be warned.  The police are there; they are getting better at finding you in the anonymous World Wide Web with or without a warrant and you should be concerned.  The courts generally see the Internet for what it is; a public domain and if you choose to incriminate yourself while using technology, you have nobody to blame but yourself.

Warren Bulmer

Detective Constable (1406)

Toronto Police Service

Instructor – Computer and Technology Facilitated Crime

Toronto Police College - Criminal Investigation Section

416-808-4882 (direct)

warren.bulmer@torontopolice.on.ca 

Author’s Bio

Detective Constable Warren Bulmer has been a member of the Toronto Police Service since 1990.  Detective Constable Bulmer’s policing career has been predominantly spent within the field of criminal investigation including a total of 11 years assigned to Major Crime and the Child Exploitation Section of the Sex Crimes Unit.  Detective Constable Bulmer continues to be an International instructor in the area of computer-facilitated crime having lectured over 2500 Police and Prosecutors in 11 different countries to date.  Detective Constable Bulmer has taught at the Canadian Police College and the Ontario Police College where he still teaches on a part time basis. From 2005 to 2009 he was a qualified Computer Forensic Examiner and has testified in court as an expert in various capacities relating to digital evidence.  For the past 3 years, Detective Constable Bulmer has specialized in the area in Social Networks and is called upon by Police all over Canada to teach how law enforcement can balance the right to investigate with the protections afforded to citizens under the Charter. As a member of the Toronto Police College for the past 3 years, Detective Constable Bulmer continues to instruct on conducting computer and Internet investigations, the lawful search and seizure of electronic devices as well as the identification, categorization and management of digital evidence.

Warren is a published writer of many articles and a contributing author to a book entitled “Evidence and Investigation: From the Crime Scene to the Courtroom” by Emond Montgomery Publications.        http://www.emp.ca/evidence-and-investigation-from-the-crime-scene-to-the-courtroom.html 

 

Article References

  1. Case law citations as provided
  2. http://royal.pingdom.com/2012/01/17/internet-2011-in-numbers/ 
  3. R v. David WARD Ontario Court of Appeal, 2012, Court file #C50206, Respondent’s (MINISTRY OF THE ATTORNEY GENERAL) Factum
  4. Criminal Code of Canada http://laws-lois.justice.gc.ca/eng/acts/C-46/ 
  5. PIPEDA (Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html 
  6. Bill C-30 (Investigating and Preventing Criminal Electronic Communications Act)

http://www.parl.gc.ca/HousePublications/Publication.aspx?Docid=5380965&file=4 

3 comments:

Tim Burrows said...

Excellent article that clearly lays out many of the concerns and challenges to present and pending legislation.

Criminals and those people who wish to use technology for nefarious reasons will look to stop and spread false information about what data can and may be used for.

Warren has alleviated many of those fears and has said it succinctly with one line, "If you are a law-abiding citizen and don’t use the Internet to facilitate, perpetrate or associate with criminal activity than you don’t really exist for the police.

Thank you Warren.

Anonymous said...

Thank you for this well thought-out post. I have a few thoughts:

As a starting point, I think it should be pointed out that the 'emergency situation' scenarios you refer to are a bit of a red herring. I've read Bill C-30, and I do not see anything in there that gives an ISP any discretion to refuse an emergency request for customer identification. I further note that no one is realistically objecting to the emergency provisions in the legislation and were Bill C-30 limited to these, it would likely have passed by now.

Turning to the underlying implication of your post -- that, by and large, if you are not a criminal, you need not worry -- I'm wondering what you mean when you make this point. Is it that those who have committed no crimes online will not have their privacy invaded? Or is it that the innocent may well have their anonymous online activity spied upon, but are unlikely to face more direct harm as a result? If it is the former, then I am wondering why anyone would object to limiting the proposed C-30 powers to scenarios where there are objective criteria indicating information will be collected that might help in an investigation. If it's the latter, then I think I take issue with that as the basic premise of privacy protection is to prevent the state from invading the privacy of its citizens without cause.

Finally, turning in brief to your Charter analysis, I wonder if a.) you have looked at R. v. Trapp 2011 SKCA 143, and R. v. Spencer 2011 SKCA 144 (the only appellate decisions to weigh in directly on this issue, to date). These cases seemed to think there is an expectation of privacy in one's anonymous online activity. In civil discovery contexts, courts have found along the same lines: Warman v. Fournier, 2010 ONSC 2126.

In any case, the SCC will, I'm certain, eventually decide anonymous online actions implicate a biographical core, but putting that aside for now, I'm wondering what your basis is for concluding that the internet is a 'public domain'? You say at the outset of your discussion that names are not private, but there are, of course, many scenarios where a name is private. To take an archetypal example, police do not have the right to stop random people in the street and force them to disclose their names if they have done nothing wrong. Why should the Internet be different?

Tamir

Clear2Go said...

While I agree that law enforcement is getting better at finding the identity of individuals on the Internet, and the general public is getting worse at hiding their identity on the Internet, my feeling is that the debate is not really about anonymity at all, but rather control of anonymity.

It is possible to hide your identity completely -- techniques such as tor, i2p or freenet with the properly configured systems can make finding the identity of a target if not impossible, challenging and costly. The difference is not only can I be anonymous, but I control my anonymity. I would be curious if readers feel that any individual should be able to hide their anonymity from anyone should they choose to do so?

That to me is the real debate, not being anonymous itself, but the individual having the control to decide if their anonymity should or should not be revealed.