Wednesday, March 27, 2013

It's not your job to collect or retain customer information for the cops

Let me preface this post by saying good on Telus for challenging the police for attempting to use a general warrant to get text messages instead of a wiretap order in the R v Telus case released by the Supreme Court of Canada (and summarized in Canadian Privacy Law Blog: Supreme Court of Canada says that wiretap order is required to obtain text messages).

However, I can't help but wonder why Telus chooses to keep text messages for thirty days when other telcos do not. The Court noted:

[6] When Telus subscribers send a text message, the transmission of that message takes place in the following sequence. It is first transmitted to the nearest cell tower, then to Telus’ transmission infrastructure, then to the cell tower nearest to the recipient, and finally to the recipient’s phone. If the recipient’s phone is turned off or is out of range of a cell tower, the text message will temporarily pause in Telus’ transmission infrastructure for up to five days. After five days, Telus stops trying to deliver the message and deletes it without notifying the sender.

[7] Unlike most telecommunications service providers, Telus routinely makes electronic copies of all the text messages sent or received by its subscribers and stores them on a computer database for a period of 30 days. Text messages that are sent by a Telus subscriber are copied to the computer database during the transmission process at the point in time when the text message enters Telus’ transmission infrastructure. Text messages received by a Telus subscriber are copied to the computer database when the Telus subscriber’s phone receives the message. In many instances, this system results in text messages being copied to the computer database before the recipient’s phone has received the text message and/or before the intended recipient has read the text message.

It obviously isn't material to the Court's decision, but I wonder why.

Actors in the private sector, such as internet service providers, often collect and retain information that may be useful for law enforcement or as part of private litigation. You may recall from the Privacy Commissioner's investigation of Nexopia that the kid-focused social networking site retained information indefinitely, at least in part, in case the police asked for it. In my view, that's not ok. It's not a service provider's job to police its customers, nor is it its job to deputize themselves as agents of the state.

So what should service providers to do? Here are my thoughts (and comments are welcome):

  1. Don't collect personal information that you don't need just because it could be useful, particularly if it could be useful to law enforcement or to private litigants. Even if you think you may be required to collect it later, that's no justification to collect it now.
  2. Don't keep personal information around any longer than you actually need it. If you are asked for personal information by law enforcement or private litigants, it is much easier to say you don't have it than to go to court to resist providing it (see below).
  3. Don't offer law enforcement unsolicited access to personal information just because you see something suspicious. Unless you come across evidence of fraud against your organization or compelling evidence of a serious crime, it is not your job to hand over reams of information to law enforcement.

    PIPEDA does allow you to disclose personal information to law enforcement on your own initiative under section 7(3) of the law:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (d) made on the initiative of the organization to an investigative body, a government institution or a part of a government institution and the organization

    (i) has reasonable grounds to believe that the information relates to a breach of an agreement or a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

    (ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

  4. If asked by law enforcement for personal information that is in your custody, don't hand it over without a warrant. This is the diciest situation and PIPEDA offers a bit of guidance. Under section 7(3), you are permitted to disclose personal information without consent in the following circumstances:

    (3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

    (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;

    (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

    (i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

    (ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

    (iii) the disclosure is requested for the purpose of administering any law of Canada or a province;

    It must be noted that these provisions are permissive, meaning that they allow you to disclose the information in these circumstances without offending PIPEDA. Nothing in the above require you to disclose the information. Any compulsion has to come from another statute or rule of law. So, if asked, preserve the information and ask that they return with a warrant. If they have probable cause and a reasonable basis to compel the information, they'll be back.

  5. If you are served with a subpoena for personal information about a customer, you should immediately notify the customer. If you aren't able to, you should resist the disclosure. A subpoena is not a search warrant. In most jurisdictions, any lawyer representing any litigant can print out a subpoena and go to the court to get a fancy looking stamp on it. All a subpoena means is that you are required to attend at court with the information to have a judge make the final call. There may be no basis for the demand for information and your organization should avoid any situation where it has provided personal information that it was not legally required to hand over. When the internet service providers in the recent file sharing case resisted disclosure and took the matter to court, they emerged as staunch defenders of their users' privacy. That's certainly better than the alternatives.

2 comments:

Eric Feunekes said...

I couldn't agree more with this post, a company's obligation is to its customers not law enforcement. Don't get me wrong, there is nothing wrong with helping law enforcement or collecting personal information.
Take Google for example, I happily hand over all personal information they ask for because I like that I get personalized search results and ads. That's right, I like the ads too, if I'm going to see them anyways they might as well be useful to me. I realize that not everyone agrees with my view and that is their prerogative, Google offers opt-out of these things and they are relatively up-front about it.
The problem with Telus that you write about and I agree with is that they are collecting information on their subscribers (without telling them, at least google offers an opt-out) with no intent on using it to benefit the user. In fact, from what I can see they are using it to harm the user.
More and more companies seem to be forgetting how they actually make money: people paying for their service. Unfortunately, too few people know about things like this but that is why it's important to get the message out and I thank you for doing so.
Keep it up

Eric Feunekes said...

I couldn't agree more with this post, a company's obligation is to its customers not law enforcement. Don't get me wrong, there is nothing wrong with helping law enforcement or collecting personal information.
Take Google for example, I happily hand over all personal information they ask for because I like that I get personalized search results and ads. That's right, I like the ads too, if I'm going to see them anyways they might as well be useful to me. I realize that not everyone agrees with my view and that is their prerogative, Google offers opt-out of these things and they are relatively up-front about it.
The problem with Telus that you write about and I agree with is that they are collecting information on their subscribers (without telling them, at least google offers an opt-out) with no intent on using it to benefit the user. In fact, from what I can see they are using it to harm the user.
More and more companies seem to be forgetting how they actually make money: people paying for their service. Unfortunately, too few people know about things like this but that is why it's important to get the message out and I thank you for doing so.
Keep it up