Saturday, October 27, 2012

Despite police chiefs' representations, lawful access is irretrievably broken

If you’re a regular reader of this blog, you’ll know that I’m not a fan of Bill C-30. At all. My most acute concern relates to warrantless access to the names and addresses of customers of telecommunications service providers. Reviewing the very interesting and thought-provoking materials of the Canadian Association of Chiefs of Police hasn’t changed my mind.

This opposition isn’t based on the shameful way the bill was introduced (“you’re either with us or with the child predators”), but based on the premise that the police should not be able to require anybody to provide information about an individual in the absence of reasonable grounds to believe that the information either is or will lead to evidence of a crime that has been, is being or will be committed, and the appropriate checks and balances.

In my view, the only way to provide the checks and balances is to have an impartial party make the determination of whether individual privacy rights need to give way to the public interest in preventing and investigating crime. The police clearly have a job to do, but they are not in a position to appropriately balance these interests. Only an impartial judge can.

As for the suggestion that there really isn’t a privacy interest in customer name and address, I disagree. (Notwithstanding some recent caselaw on this point.) When the police are legitimately looking for a customer name and address to attach to an IP address, it is not being done in a vacuum. The police already have collected evidence (presumably of a crime) and are looking to connect that to a person. People have a reasonable expectation of privacy in what they do in their day-to-day lives online and it should be up to a judge to determine whether that connection can be made.

The Criminal Code already contains all the tools necessary to deal with this. For example, under Section 487.012, the police can obtain a production order against an internet service provider to hand over customer name and address information if they can satisfy the judge of the following:

(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that there are reasonable grounds to believe that
(a) an offence against this Act or any other Act of Parliament has been or is suspected to have been committed;
(b) the documents or data will afford evidence respecting the commission of the offence; and
(c) the person who is subject to the order has possession or control of the documents or data.

It’s only that the order must lead to evidence. Not the smoking gun or as a last resort. Just some evidence. It’s a very low threshold. This would be applicable in cases of child pornography, exploitation, threats, extortion, kidnapping, a rapist who left his phone at the scene and just about every other case cited by the Canadian Association of Chiefs of Police. It’s not an onerous burden.

The officer should appear in front of a judge with a sworn affidavit that sets out the the evidence that an unnamed person using IP address X.X.X.X is engaged in [bad act] and we have reason to believe that the IP address is allocated to [internet service provider]. If the judge thinks that’s sufficient, a production order should be issued.

To put it very simply, if the police cannot convince a judge that the connection should be made, they should not be able to obtain it. If you can’t convince a judge that it will lead to evidence of a crime, the cops should go back to the drawing board.

The main problem pointed to by the proponents of the Bill is that it takes too much effort or too long to get a warrant that requires an internet service provider to hand over customer name and address information that corresponds with an IP address. If that is really the problem they are trying to address, it would be best to address it by making the warrant-seeking process more efficient. Warrantless requests should be left to circumstances where there is a real emergency.

As currently written in Bill C-30, there is effectively no limitation on the circumstances under which police can seek this information. It can be for a parking ticket or some other trivial contravention of the law. The examples the police give are all serious crimes, but C-30 isn’t restricted in that way. (I think the threshold for all production orders should be strengthened to limit the use of these powers to (a) the investigation of serious crimes only under the Criminal Code, the Narcotics Control Act, the Canadian Security Intelligence Service Act and the National Defence Act where there are reasonable and probable grounds to believe that the information is necessary for the investigation of a crime that has occurred or is likely to occur, or (b) where the subscriber about whom the information relates is reasonably believed to be a victim of the crime or whose life or safety is in imminent jeopardy, and the victim’s identity is unknown.)

The second protection should be transparency, in two parts. First, the Attorney General should have to table in Parliament an annual report setting out in detail the number of applications made, the number of investigations they relate to, the offences alleged to have been committed and whether the order was granted. Even better would be including the number of charges laid as a result. This would ensure that the public is informed as to whether these powers are being used appropriately.

The second part should be an obligation to notify the individual whose information was sought, after a reasonable interval of time so that it does not interfere with an ongoing investigation. As drafted in Bill C-30, the individual whose information is sought will likely never know that this information was sought and obtained unless it comes out in open court after charges have been laid. In the current draft C-30, there is actually a gag order that prevents the ISP from telling the individual even if asked.

The information to obtain the disclosure order should be provided to the individual whose information is sought within six months unless a judge agrees, based on affidavit evidence provided by the relevant law enforcement officer, that doing so would be harmful to an ongoing criminal or national security investigation. An individual whose information is wrongfully sought or obtained should have a private right of action against the officer and the officer’s employer if there were not reasonable grounds to seek the information.

Overall, the entire scheme of "lawful access" to customer name and address information is irretrievably broken and needs the protections of independent oversight that only judges can provide.

No comments: