
Sunday, December 03, 2023

Being on the receiving end of a warrant from the Canadian Security Intelligence Service (CSIS)

So someone from CSIS just called ….



There’s a first time for everything. You get a call from an “UNKNOWN NUMBER” and the caller says they work with Public Safety Canada and they’re looking for some information. This happens from time to time at universities, colleges, telecoms, internet-based businesses and others. Likely, they actually work for the Canadian Security Intelligence Service (known as CSIS) and they’re doing an investigation. 


So what happens – or should happen – next? You should ask them what they’re looking for and what is their lawful authority. Get their contact information and then you should call a lawyer who has dealt with this sort of situation before. 


CSIS is an unusual entity. They’re not a traditional law enforcement agency. While they can also get warrants (more about that later), they have a very different mission. The mandate of CSIS is to 


  • investigate activities suspected of constituting threats to the security of Canada (espionage/sabotage, foreign interference, terrorism, subversion of Canadian democracy);

  • take measures to reduce these threats;

  • provide security assessments on individuals who require access to sensitive government information or sensitive sites;

  • provide security advice relevant to the Citizenship Act or the Immigration and Refugee Protection Act; and

  • collect foreign intelligence within Canada at the request of the Minister of Foreign Affairs or the Minister of National Defence.


To carry out this mandate, CSIS may seek and obtain warrants. But they are unlike any warrant or production order you may see handed to you by a cop. CSIS warrants are more complicated to understand and possibly comply with than the more traditional law enforcement variety.


Canadians are often surprised to discover that we have a court that meets in secret, in a virtual bunker and hears applications for TOP SECRET warrants. These warrants can authorize “the persons to whom it is directed to intercept any communication or obtain any information, record, document or thing and, for that purpose, (a) to enter any place or open or obtain access to any thing; (b) to search for, remove or return, or examine, take extracts from or make copies of or record in any other manner the information, record, document or thing; or (c) to install, maintain or remove any thing.” These warrants can be accompanied by an assistance order, directing a person to assist with giving effect to a warrant. 


A problem for third parties with these warrants is that they can be long-term and very open ended. The name of the target of the investigation may be unknown at the time the warrant was obtained, and the warrant may authorize the collection of data related to that unknown person. It can authorize the collection of information about people who are in contact with that unknown person. It may authorize the collection of additional information related to those persons, such as IP addresses, email addresses, communications and even real-time interception of communications. Once the unknown person has been identified by CSIS (by name, an account identifier, online handle, etc.), they will seek to obtain further information. But the warrant itself likely does not name the person or any account identifiers so that the custodian of information cannot easily connect the request to particular information. And the recipient of the demand must be confident that they are authorized to disclose the requested information, otherwise they would be in violation of privacy laws.


To complicate things further, because these warrants are generally secret, CSIS is not willing to provide a copy of the complete warrant to a third party from whom they are seeking data. They will generally permit you to look at a redacted version of the warrant but will not let you keep it. Diligent organizations know that they can only disclose personal information if it is authorized and permitted by law, and that they have a duty to ensure that they disclose only the responsive information. To do otherwise risks violating applicable privacy laws. Organizations should also document all aspects of the interaction and disclosure, which is a problem if you can’t get a copy of the warrant. Over time, procedures have been developed by CSIS and third party organizations to address this.


While all of this may be TOP SECRET, nothing precludes a recipient of a warrant or an assistance order from seeking legal advice on how to properly and lawfully respond. Anyone dealing with such a situation should seek experienced legal advice. 


In just the past few weeks, the Government of Canada launched a consultation on possible reforms to the CSIS Act, mainly under the banner of protecting Canadian democracy against foreign interference. Of course, changes to the statute will affect other aspects of their mission. The consultation is broadly organized under five “issues”, and it’s Issue #2 that is the most relevant to this discussion.

Issue #2: Whether to implement new judicial authorization authorities tailored to the level of intrusiveness of the techniques

Essentially, what they’re proposing is a form of production order similar to what we have in the Criminal Code of Canada. Such an order would still be subject to court approval and could compel a third party to produce information “where CSIS has reasonable grounds to believe that the production of the information is likely to yield information of importance that is likely to assist CSIS in carrying out its duties and functions.” Examples they give are basic subscriber information, call detail records, or transaction records. These would be much more targeted and, in my view, much easier for the custodian of the information to evaluate and respond to. A production order would authorize CSIS to obtain the basic subscriber information of a named person or known account identifier. Under the current warrant authority, those specific people may be unknown at the time the warrant was issued but are still within the ambit of the warrant. Presumably a CSIS production order can be served in the usual way as a criminal code production order and the company can keep a copy of it for its records. I’m generally very skeptical about the expansion of intrusive government powers, particularly when much of it takes place outside of OPEN court but in a closed court, but I don’t see this as an expansion. CSIS can be given this ability, supervised by the court, to streamline its existing authorities. They would need to be very careful if they were to purport to give it extraterritorial effect, since that would likely be very offensive to comity and the sovereignty of other countries. And intelligence collection is generally more offensive and aggressive than investigating ordinary crime. It may specifically be illegal under foreign law for the company to provide data in response to such an order. And I think the order should, like a criminal code production order, explicitly give the recipient the right to challenge it. 
So that’s the current situation with CSIS investigations, at least from a service provider’s point of view, and a hint at what’s to come. Again, if you find yourself in the uncomfortable and unfamiliar situation of taking a call from “public safety” or CSIS, reach out to get experienced legal advice from a lawyer who has been through the process before.





Wednesday, July 08, 2015

Canadian government issues "transparency reporting guidelines"

The Canadian federal government has released "Transparency Reporting Guidelines", to provide companies with guidance on reporting law enforcement and national security requests for customer information. Surprisingly, the guidance came from Industry Canada and not Public Safety Canada or the Department of Justice.

What is particularly notable is that the government is strongly advocating for "banding", so it says that companies should not report exact numbers where they are between 1 and 100. Companies who wish to be transparent (which should be all companies) should know that these are guidelines only and there is no basis in law that I am aware of (absent a term in a particular court order) that requires this banding or aggregation.

B. Limitations

When reporting statistics by each of the categories listed in Part A, organizations should respect the following limitations, in order to protect the work of law enforcement, national security, and regulatory agencies

1. As presented in the sample chart below, figures between 0 and 100 should be represented in a band of '0-100' when any figure in column A (Number of Requests) or Column B (Number of Disclosures) is less than 100. In such cases the banding of figures should apply to all columns for that data type whose figure is between 0-100. Any figure over 100 may be represented by its actual number. This is to protect the operational activities and capabilities of Canadian government and law enforcement agencies.

2. Figures should be aggregated to reflect Canada-wide statistics, and should not differentiate between law enforcement, national security, and regulatory agencies (i.e. there should be no breakdown by geography or specific agency). Moreover, these figures should also be aggregated such that service type and its associated network technology are not distinguishable (i.e. cellular voice services should not be subdivided and reported according to 2G, 3G or 4G/LTE network type, etc.). This is to protect the operational activities and capabilities of Canadian government and law enforcement agencies.

3. There should be a six month delay in reporting timeframe. For example, if a report covers the period January 1 to December 31, 2014, it should not be released before July 1, 2015. This is to ensure that most active investigations have no possibility of being compromised.

The limitation provisions will ensure that transparency reporting does not impair or compromise national security or criminal investigations, and the safety and security of Canada and its citizens.

These provisions are dynamic and may be subject to change based on sensitive Canadian government operations that necessitate additional or other safeguards, or to keep pace with suspected criminal and unlawful activities that use telecommunications services and related technologies.

Personally, I think that companies should separately report ordinary criminal law enforcement requests and national security requests.

As an aside, I wonder if this means we'll get transparency reporting from Bell Canada, which is the only major Canadian telco to not provide such reporting.

Thursday, February 05, 2015

Supreme Court of Canada to hear case involving foreign spying and misconduct by government lawyers

The Supreme Court of Canada has agreed to hear the appeal from the Federal Court of Appeal in the case of Re X. That was an interesting case on the merits: Can a Canadian judge grant a warrant to Canada's spy agency to do something outside of Canada that would violate the laws of the country where it would be done?

For me, the bigger part of the case was that the Court found that CSIS and the Department of Justice had lied and withheld material evidence in order to get warrants under the CSIS Act to surveil Canadians outside of Canada.

In the lower court, Justice Mosley had found that the Department of Justice lawyers, acting for CSIS in various warrant applications, had withheld information from the Court in order to get warrants under the CSIS Act. What they withheld was that they would get one or more of their Five Eyes partners to do the spying for them. Justice Mosley had found that the CSIS Act (and customary international law) did not permit the Court to grant a warrant that would effectively authorize the intelligence service to violate the laws of wherever the spying was to take place. (This last part has been addressed in proposed amendments to the CSIS Act in Bill C-44.)

I really hope the Supreme Court will delve into the required level of candour and transparency for Government lawyers when they are making secret applications for secret warrants to do intrusive things that otherwise would be unlawful in Canada.

Here's the summary prepared by the Supreme Court of Canada:

Supreme Court of Canada - SCC Case Information - Summary - 36107

In the Matter of an Application for Warrants Pursuant to Sections 12 and 21 of the Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23

(Federal Court) (Civil) (By Leave)

(Sealing order)

Summary - Case summaries are prepared by the Office of the Registrar of the Supreme Court of Canada (Law Branch) for information purposes only.

National security – Security intelligence – Warrants – Federal Court issuing warrant to CSIS for the interception from within Canada of telecommunications of Canadian citizens travelling abroad – CSIS failing to disclose on warrant application its intention to seek the assistance of foreign partner agencies for the interception of telecommunications of Canadians abroad – Federal Court finding that CSIS breached its duty of candour on ex parte warrant application – Federal Court holding that s. 12 of the Canadian Security Intelligence Service Act does not authorize CSIS to make such requests to foreign partner agencies – What is the scope of the Federal Court’s jurisdiction under s. 21 of the CSIS Act to issue warrants governing the interception of communications of Canadians by foreign agencies at Canada’s request – What is the scope of CSIS’s disclosure obligations on warrant applications – Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23, ss. 12, 21.

In 2009, a warrant was issued permitting the Canadian Security Intelligence Service (“CSIS”) to intercept, within Canada, the telecommunications of two Canadian citizens travelling abroad. In 2013, it came to the attention of the issuing judge that, where similar warrants were issued, it had become the practice for CSIS and for the Communications Security Establishment (“CSE”) to make requests to foreign partner agencies for assistance in the targeting of the communications of Canadians abroad. The court recalled counsel to address two issues: (1) whether the Attorney General had met his duty of candour when applying for such warrants, and in particular, whether the assistance provided by CSE in tasking foreign partners should have been disclosed; and (2) whether s. 12 of the Canadian Security Intelligence Service Act authorizes CSIS to engage the assistance of foreign agencies in intercepting the communications of Canadians abroad. The court found that the Attorney General had breached his duty of candour and that s. 12 of the CSIS Act did not authorize CSIS to engage the assistance of foreign agencies. The Court of Appeal dismissed the Attorney General’s appeal.

Monday, October 06, 2014

Canadians deserve to participate in an informed conversation about privacy and surveillance


I was invited to contribute to the Hill Times Policy Briefing on Information Technology that was released today. Here's what I had to say:

Canadians deserve to participate in an informed conversation about privacy and surveillance

A multi-year conversation about privacy and surveillance is finally coming to a head, and it may be one of the defining issues of our time. This is a pivotal aspect of the relationship between citizens and the state, and Canadians have a right to sufficient information about the government’s activities to contribute to an intelligent conversation.

The topic of privacy and government surveillance has been making headlines in Canada for the last several years. Huge numbers – MILLIONS OF REQUESTS! – grab attention, but there is little understanding of the circumstances under which information is requested and disclosed from telecommunications service providers, the extent to which law enforcement seeks information, or even the nature of the information. Canadian law enforcement and security agencies have many of the same powers as their US counterparts. Canada has an equivalent of the USA Patriot Act: this is little-known and the import is little-understood. Few Canadians are aware that laws, including the Customs Act, the Excise Tax Act and the Environment Act, authorize warrantless access to personal information without judicial oversight or notice to the affected persons. Nobody outside government knows how often or how these powers are used.

Ever since the first efforts at legislating “lawful access” years ago, civil society groups have attempted to engage law enforcement and government in a dialogue to understand privacy and warrantless access to information about citizens. Their efforts have reached a crescendo as leaks from Mr. Snowden, furor over Bill C-13 and the Supreme Court of Canada decision in R. v. Spencer draw further attention to the issue. More recently, it has been reported that Rogers and Telus are challenging an order that they turn over call records of more than forty-thousand customers in one “tower dump”.

Law enforcement’s participation in that dialogue can be summed up in the following: “trust us, but it’s not private information anyway so don’t worry about it.” Government and national security agencies stonewall, telling us: “we don’t talk about national security.” Or cabinet ministers state that questioning such powers puts one in league with child pornographers. The credibility of assertions that Canadians are not targeted for mass warrantless surveillance has been dramatically undermined by documents from Mr. Snowden’s cache. Speculation that members of the “Five Eyes” - Canada included - spy on each other’s citizens is left largely uncontradicted.

The result is an informational vacuum in which hard facts are rare, leading to dire and Orwellian speculation.

Until recently, the only visibility into the Canadian government’s demands for information about its citizens had to be coerced from either the telcos or government. Thankfully, a small handful of telcos followed the lead of Google, Twitter and Facebook by releasing “transparency reports” earlier this year. But even here, the information is sparse, incomplete and likely misleading.

The reported data does not tell us, for example, how many requests are related to call records (so-called metadata) or unlisted numbers, in comparison to looking up the owner of a particular phone number. How many requests sought customer info based on IP addresses, which was the focus of the Spencer decision? How many customer accounts are affected?

Canadians have a Charter-guaranteed right to privacy, which can be limited “subject only to such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.” This is a critical balancing act, recognizing that the state has a compelling interest in protecting society and the national security. At the same time, widespread, warrantless surveillance of a population is one of the hallmarks of a police state and the antithesis of how most Canadians imagine their country.

To what extent are we a free and democratic society? The only way this conversation can take place is when law enforcement agencies and national security organizations are transparent about the use of these powers. We already have similar information about the use of wiretap powers under the Criminal Code, tabled in Parliament annually. Providing statistics cannot conceivably undermine security or the effectiveness of investigative techniques.

Canadians have a right to express informed opinions about where the line should be drawn and where the balance between privacy and security should rest. This conversation is one of the most important for our society, and Canadians have a right to an informed discussion. It may well be that Canadians will be satisfied where the lines are drawn and where the balance lies; but without transparency, we can only speculate.

David TS Fraser practices internet and privacy law with the firm McInnes Cooper. He is the author of the Canadian Privacy Law Blog (blog.privacylawyer.ca) and can also be found on Twitter at @privacylawyer. The views expressed are the author’s alone and should not be attributed to his firm or its clients.

Wednesday, October 01, 2014

SaskTel issues its first "Transparency Report" on government data demands

Hot on the heels of Telus' transparency report, SaskTel has also released its very first transparency report [PDF] on government data demands.

It's worth giving the report a look, and noting that SaskTel is the only telco in Canada that is also subject to a public sector privacy law that has very broad latitude for data disclosure to law enforcement.

Here are the numbers:

General – Listed Customer Name and Address 1,582

Court order 4,139

Freedom of Information and Protection of Privacy (excluding child sexual exploitation) 896

Federal/provincial government formal demands 233

Emergency requests 718

Emergency requests - after-hours by operator services 3,993

Child sexual exploitation 49

Requests denied 247


It's also worth noting that SaskTel says they have changed their practices in response to the R. v. Spencer case.

Tuesday, September 30, 2014

Telus issues its first "Transparency Report" on government data demands

Full points to Telus for joining Rogers as the first Canadian telcos to issue a transparency report. The Report for 2013 [PDF] summarizes the disclosures of customer information made by Telus in broad categories:

Court Orders/ Subpoenas**

Court Orders 3,922

Subpoenas 393

Court Orders to comply with a Mutual Legal Assistance Treaty (MLAT) request 2

Customer Name and Address Checks 40,900

Emergency Calls 56,748

Internet Child Exploitation Emergency Assistance Requests 154

Legislative Demands 1,343

TOTAL 103,462


As Telus notes, their methodology for tracking these may differ from other telecommunications providers, so the numbers may not be directly comparable.

It is also particularly notable that Telus states their practices have changed in at least two areas following the R v Spencer decision:

Customer Name and Address Checks

Description: Requests to provide basic customer information, such as customer name and address. These are usually done in order to identify an individual associated with a telephone number. Previously, it was understood that such disclosure was permitted under Canadian law and TELUS’ service terms. However, in light of the recent decision of the Supreme Court of Canada in the case of R. v. Spencer, TELUS has changed its practice and now requires a court order for customer name and address information, except in an emergency or where the information is published in a directory.*

[Note: Hopefully, this does not suggest that they will provide a customer name and address when presented with an IP address, if that name and address are listed.]

Internet Child Exploitation Emergency Assistance Requests

Description: In response to police requests, TELUS disclosed the name and address of a customer using an IP address to help the police investigate a case of online child sexual exploitation. Previously, it was understood that such disclosure without a court order was permitted under Canadian law and TELUS’ service terms. However, the Supreme Court of Canada in the Spencer case (referred to above) has ruled that such disclosure requires a court order, except in an emergency. Accordingly, TELUS has amended its practices in this regard.


The Toronto Star has offered some commentary on this: Telus issues first ‘transparency’ report on requests for customer information | Toronto Star

Thursday, September 18, 2014

Google's latest transparency report: Law enforcement requests up 150% over five years

Google has released its most recent iteration of its transparency report. In a posting on the Google Public Policy Blog, Richard Salgado, Legal Director, Law Enforcement and Information Security, writes that Google has seen a 15% increase in government data demands (excluding national security demands) since the second half of last year, and a 150% jump since Google's first report in 2009. Breaking out U.S. demands, the numbers have risen 19% since the second half of last year and have leaped 250% since 2009.

The numbers for Canada have actually gone in the other direction. The previous transparency report included 52 demands for info on 73 users, compared to the most recent 27 demands related to 33 user accounts.

Consistent with Google's previous positions, Salgado writes:

Governments have a legitimate and important role in fighting crime and investigating national security threats. To maintain public confidence in both government and technology, we need legislative reform that ensures surveillance powers are transparent, reasonably scoped by law, and subject to independent oversight.

Amen to that.

Tuesday, June 10, 2014

Why Friday's decision in R v Spencer will be a BIG DEAL for privacy

As I blogged yesterday, the Supreme Court of Canada has announced that it will release its decision in the appeal from the Saskatchewan Court of Appeal in R v Spencer, 2011 SKCA 144. This decision, regardless of how the Court rules, will likely be a very big deal for privacy rights of customers of telecommunications service providers in Canada. It will hopefully decide whether Canadians have a reasonable expectation of privacy in information that is attached to an IP address.

Here's some background (mainly drawn from the Court of Appeal decision) and why this is a big deal.

The police detected somebody -- at that time unknown -- using the file sharing program and protocol LimeWire to share child pornography. At that stage, all they had was the IP address of the computer or network connection being used. Using publicly available tools, they determined the IP address was allocated by the internet service provider, Shaw Communications. The police officer, though he likely had sufficient grounds to get a production order under the Criminal Code, simply wrote to the ISP with the following request:

Constable Darren Parisien … is investigating a criminal code offence pertaining to child pornography and the internet. We have opened [sic] file investigation in relation to this investigation.

Pursuant to the Personal Information Protection and Electronic Documents Act (PIPEDA), we request the disclosure of customer identifying information including but not limited to name, internet service provider records, address of service, current service status and phone number relevant to the following:

1. Internet Protocol Address 70.64.12.102 on 2007-August-31 at 1246 hours (Local Saskatchewan time)

This information is being requested to assist in an ongoing investigation. We declare that Constable Darren Parisien of the Saskatoon Police Service Organized Crime Unit – Vice Section [sic] has the lawful authority to obtain the information and that the following section of PIPEDA is satisfied for this request: [full text of s. 7(3)(c.1) omitted]

This request specifically satisfies Paragraph 7(3)(c.1)(ii).


And, with that, the police got the customer name and address from the ISP. That information was used to get a search warrant of Spencer's house and he was subsequently arrested. At the trial, Spencer argued that the warrantless disclosure of his information by Shaw was a violation of his Charter rights. This motion was denied and he appealed to the Court of Appeal on this issue.

The Court of Appeal agreed, finding that any objective expectation of privacy was effectively gutted by the Shaw privacy policy and acceptable use policy which reserves to Shaw a very broad discretion to disclose personal information to the police. There was no real discussion about whether such terms of use are ever read by customers and whether they really should temper the expectation of privacy that most of us have about our internet usage.

[42] In summary, neither its contractual relationship with Mr. Spencer’s sister, as set out in the Services Agreement, nor PIPEDA prohibited Shaw from disclosing the Disclosed Information in the circumstances of this case; rather, each clearly provided Shaw with the discretion to disclose information to the police in these exact circumstances, and Shaw had Mr. Spencer’s sister’s express, informed consent to do so. The sum of these factors militates very strongly against a finding that Mr. Spencer’s privacy expectation was reasonable.

In short, the police can ask for and, under the Court's reading of PIPEDA, the internet service provider can provide the customer's personal information.

So what's the big deal? This is not an exceptional case; what's exceptional is that the Supreme Court of Canada is going to weigh in on whether a Canadian has an expectation of privacy in his or her internet activities. We know that thousands of times a year the police go to internet service providers asking for information about their customers and thousands of times a year, this information is provided. Just a quick search of CanLII shows this. Just search for "pipeda request" and you'll get a dozen reported cases. They show voluntary cooperation by such internet service providers as Uniserve, Shaw, Bell Sympatico, Northwestel, and Rogers. (Recently, Rogers and Teksavvy disclosed in their respective transparency reports a high level of providing customer information in similar circumstances without a warrant. For Rogers, it provided customer information 711 times in 2012/2013.)

As I understand it, the form of letter was a result of the coordinated effort of law enforcement and a group of internet service providers who have agreed to provide warrantless access to customer account information in connection with child exploitation investigations. They are designed to satisfy the requirements of Section 7(3)(c.1)(ii) of PIPEDA which permits disclosures of personal information to the police where they have the "lawful authority" to obtain the information and the information relates to "enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law".

It was exactly this sort of disclosure that was so controversial in Vic Toews' Bill C-30. That bill, if passed, would have permitted police officers to demand customer names and addresses connected to a known IP address. ISPs would have been required to hand over the information. The controversy stemmed from the fact that these demands are unaccountable and are not subject to ANY supervision by the courts. The "request" at issue in R v Spencer is the same: made without a warrant based on reasonable grounds, completely unaccountable and with no judicial oversight. In addition, the relevant individual is NEVER informed of the fact that the request was made or that the information was disclosed. To top it off, there is no information under oath so there is no disincentive to lie in these PIPEDA requests. (I find it to be telling that nowhere near 711 charges resulted from the requests made of Rogers.)

So what's the big deal with having an ISP connect an IP address with a customer's name and address? There has been some suggestion by the law enforcement community that a customer's name and address is just "phone book information" and there's no expectation of privacy in that. That misses the point and shows contempt for the right to privacy. A customer’s name and address, when connected with an IP address is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their "offline" life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that IP address that can often be traced back to an individual or a small group of people. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities pierces the reasonable expectation of anonymity and amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. This is why, in my view, judicial supervision should be required. We'll see whether the Supreme Court of Canada agrees with this view ...

At the very least, I expect the Supreme Court of Canada will provide some clear guidance on whether -- under the Charter of Rights and Freedoms -- there is a reasonable expectation of privacy and anonymity on the internet that can only be pierced by an order from a judge, who is satisfied on information under oath that there are reasonable grounds to believe a crime has been committed and that the order is necessary to uncover evidence of the offender. Stay tuned ...

Saturday, June 07, 2014

Canadian telcos release transparency reports

In the past week, in a significant development, both Teksavvy and Rogers have released information that provides much greater insights into government demands for personal information from telecommunications companies.

Teksavvy is one of the largest independent internet service providers and they released their report in the form of a comprehensive response to the letter sent to them by the Citizen Lab's Chris Parsons (See: Citizen Lab calls for transparency by Canadian telcos). Many may remember that Teksavvy was the ISP that went to court to challenge a demand by a Hollywood studio for information about users who were alleged to have violated copyright.

Rogers is one of Canada's largest "full service" telecommunications service providers, offering landline and mobile telephone services, in addition to cable internet. Their report is slightly less detailed, presumably because they are very constrained by the government (by the Solicitor General's guidelines on lawful interception).

This is a great advance in transparency and a good first step. It also provides some useful information for the discussion and debate about warrantless disclosures of personal information by telecommunications service providers. The reports both show that in the period under discussion, both Rogers and Teksavvy disclosed customer information without a warrant in a range of circumstances.

The Teksavvy report shows they provided customer names and addresses when provided with an IP address in at least 16 out of the 17 such disclosures. The circumstances of those disclosures are not reported. (To be fair, they say in their letter that they will no longer do this.) The Rogers report shows they did the same in what they called

Child sexual exploitation emergency assistance requests:

Legal authority: The Criminal Code and PIPEDA. Details: We assist police during child exploitation investigations. Examples of info provided: Confirming a customer’s name and address when provided with an IP address so that police can get a search or arrest warrant to stop the sexual exploitation of a child.


The numbers of these warrantless disclosures are very high: 711 such disclosures. These are presumably the controversial PIPEDA requests, under which a number of ISPs have agreed to cooperate with law enforcement when they are told the request is connected with a child exploitation investigation. They cite PIPEDA as the authority, though the section in question (s. 7(3)(c.1)) does not require disclosure and is only applicable when the law enforcement agency has shown its "lawful authority" to demand the information. There is not yet any consensus about what "lawful authority" actually means.

For some really great reporting on these transparency reports, check out:

Now that Rogers in particular has made this disclosure, I'm looking forward to the other large telcos following suit.

Thursday, May 01, 2014

We seriously need transparency about law enforcement demands

Earlier this week, Interim Privacy Commissioner Chantal Bernier dropped a bombshell: Law enforcement agencies asked nine Canadian telcos for personal information 1.2 MILLION times and received data in more than three quarters of those cases. On its face, that number is staggering. It appears even more staggering when you figure that this is only a sub-set of Canadian telcos. But these numbers say virtually nothing about what kind of information we're talking about, what kinds of requests are made, under what circumstances, how many of them are with a warrant and how many are without, or how many are based on intrusive and judicially unaccountable orders such as those under the Income Tax Act and the Customs Act. How many relate to the administration of laws, how many relate to law enforcement and how many are for national security purposes?

We know that hundreds of times a year, Canadian telcos provide private customer information to the police without a warrant under a protocol that I believe to be unlawful. (We'll see what the Supreme Court of Canada ultimately has to say about this practice in R v Spencer heard in December of last year.) We also know that not all telcos have adopted this protocol.

In this post-Snowden age and without credible information, we simply assume the worst and -- too often -- these assumptions are borne out.

In response, some telcos are providing some very general information. (In my neck of the woods, Atlantic Canada's largest telcos, Bell Aliant and Eastlink, both say they don't provide private information without a warrant or other legal compulsion.) But they are generally tight-lipped about what information they can provide, citing that it is law enforcement sensitive.

When the industrious researchers at the Citizen Lab tried to get this information from telcos directly, they were largely told to ask the government. MP Charmaine Borg, when trying to get clear information from federal law enforcement agencies, only received a paltry amount of data.

I don't buy it. And I can't accept it. We saw a huge furore over warrantless access to subscriber information when the federal government proposed Bill C-30. We're seeing a big fuss over this revelation related to the 1.2 million requests. We're about to start debating the new cyberbullying act that revives much of C-30's "lawful access" and we're ramping up to debate S-4, the Digital Privacy Act which extends voluntary disclosures of sensitive personal information beyond law enforcement. We cannot have an informed and educated debate about these incredibly important topics without real information.

So why aren't telcos and law enforcement agencies coming clean? We saw Google take the lead with its Transparency Report, which has been followed by other technology companies including Twitter and Facebook. The list of companies actually includes telecommunications companies such as AT&T and Time Warner Cable in the US and Telstra in Australia [PDF]. But, to my knowledge, no Canadian company provides any data akin to a transparency report. Do government and law enforcement agencies want us to be in the dark? The cynic in me is starting to think so.

We need more transparency and accountability. We need one Canadian telco to take the courageous first step of producing a comprehensive transparency report, with full details of its methodology and terminology so that other telcos can step out of the shadows and provide comparable useful data. It's probably in their interests, since the speculation that is swirling around is likely worse than the reality. I don't know how or when a Canadian telco will step up, but Canadians should be calling on their providers to come clean with this information.

Friday, March 28, 2014

A hint at the extent of warrantless access to customer data in Canada

Earlier this week, the Halifax Chronicle Herald published a story about information that has come to light about the extent to which law enforcement agencies are seeking -- and getting -- access to private information without a warrant. (See Ottawa has been spying on you | The Chronicle Herald)

MP Charmaine Borg tabled a question in Parliament looking for particulars about how often government agencies look for and get information about customers of telecommunications services. Perhaps not surprisingly, CSIS and CSE refused to answer. The RCMP refused to provide information, saying it does not track this information. The full document is available here [PDF].

What is most interesting about the document is the extent that the Canadian Border Services Agency, the organization that polices Canada's borders, asked for and received telco customer information without a warrant. It happened over 18,000 times and telcos refused only a handful of times, mainly if they didn't have the information requested.

If I had been asked which government agencies seek warrantless access to customer data, I would have put CBSA pretty low on the list and would think they would represent a drop in the bucket. If that's the case, and the "drop in the bucket" is 18,000 requests, we must be looking at a VERY LARGE bucket.

What's also troubling is that unless charges are laid, nobody ever finds out that their information has been obtained by law enforcement. And, in fact, there's a gag order that would prevent you from getting that information from your telco. I highly doubt that CBSA laid 18,000 charges last year, so there are thousands of Canadians whose information has been accessed and they will never know about it.

Not surprisingly, some of the best analysis of this comes from Chris Parsons, a post-doctoral fellow at the CitizenLab at the University of Toronto. Read his full discussion of this here: Mapping the Canadian Government’s Telecommunications Surveillance.

In the media, this story was first reported in the Chronicle Herald by Paul McLeod:

Ottawa has been spying on you

PAUL MCLEOD OTTAWA BUREAU

Published March 25, 2014 - 8:19pm

Last Updated March 25, 2014 - 8:54pm

Telecom firms handing over data without warrants

Telecommunications companies gave individual customer data to the Canada Border Services Agency over 18,000 times in one year.

This information includes the content of voice mails and text messages, websites visited and the rough location of where a cellphone call was made, according to government data.

For cases involving those types of requests, Canada Border Services sought a warrant for the information. But in the vast majority of releases, the agency asked for and received basic subscriber information without obtaining a warrant.

From April 2012 through March 2013, the agency asked telecoms for information 18,849 times. Of those, 99 per cent were for subscriber information that did not involve a warrant.

Telecoms handed over the data in all but 25 cases.

“I find that shocking,” said privacy expert David Fraser, a lawyer with McInnes Cooper in Halifax.

“If you cannot convince a judge or a justice of the peace or a magistrate that you are entitled to that information, then you should not be getting that information.”

Documents show Canada Border Services appears to have an agreement with telecoms wherein basic subscriber information is handed over without the need for a warrant.

According to the agency, this type of information includes “identity and address details provided to the (service provider) when the cellular account was created.”

This includes the name and address of a cellphone user, when the individual activated their phone, their account number and what kind of payment plan is used (such as if their device is prepaid or postpaid).

Canada Border Services requested this information 18,729 times during that fiscal year.

Other information requested included text message content (77 times), voice mails (10 times), geolocation requests (63 times), websites visited or IP addresses (78 times), transmission data (113 times) and cellphone logs (128 times).

The agency says information from telecoms is key to modern crime investigations.

Its parent department, Public Safety Canada, says that when agencies ask for information, “they do so in full respect of Canadian laws, which are some of the strongest in the world at protecting privacy.”

Public Safety says that while most information requires a warrant to obtain it, information such as a customer’s name and address carries “a lower expectation of privacy and, as such, may be requested (without a warrant) according to Canadian law.”

Subscribers are not normally notified if their information has been handed over to authorities.

Fraser, who authors a blog on Canadian privacy laws, said this arrangement violates citizens’ basic rights to privacy.

He said Canadians already rejected this kind of intrusion in the debate around Bill C-30, the government’s Internet surveillance bill. The Conservatives introduced but then killed the bill due to public backlash.

“We had all of that outrage because that piece of legislation would have legitimized this practice,” said Fraser.

“Even without that legislative cover, we have CBSA looking for this information, but even more outrageously getting it from telecommunications companies.”

Of the 25 times telecoms rejected information requests, some denials were due to phones no longer being active or a customer changing service providers.

The information given to Canada Border Services is kept for up to two years unless it is involved in criminal charges. In those cases, information is kept for up to seven years.

The RCMP, the Canadian Security Intelligence Service and Communications Security Establishment Canada were all asked by Parliament, via a member’s question, to provide the same details about such requests.

They all refused for different reasons.

The RCMP said it does not track how often it asks telecoms for information.

Communications Security Establishment Canada, in charge of foreign intelligence and securing Canadian government electronic information, said providing the information would reveal Canada’s intelligence capabilities. The body is prohibited from spying on Canadians.

The Canadian Security Intelligence Service, a spy agency that investigates suspected threats to Canadian security, admitted it may ask telecoms to provide “subscriber information and access to the content of communications.”

But CSIS said it is not allowed to provide such information because it would be a breach of national security.


I was also interviewed about this for Radio Canada International: Canadian’s private telecom information, not so private.

Tuesday, January 28, 2014

Interim Privacy Commissioner makes recommendations to Parliament for intelligence oversight

This Special Report to Parliament on surveillance oversight is important and will hopefully be carefully considered by the government of Canada:

News Release: Interim Privacy Commissioner provides recommendations to Parliament for the protection of privacy rights in national security efforts - January 28, 2014

Ottawa, January 28, 2014 — On the occasion of International Data Privacy Day, a special report to Parliament by the Office of the Privacy Commissioner of Canada, with specific recommendations to address current issues surrounding privacy and national security, was tabled in Parliament. Building from consultation with a range of experts and civil society, the Office’s report makes a series of recommendations for Parliament to consider in order to strengthen privacy protection. Specifically, it suggests ways to increase transparency, modernize privacy laws and bolster Parliament’s oversight role.

“Revelations surfacing over the past months have raised questions among many Canadians about privacy in the context of national security,” said Interim Privacy Commissioner of Canada Chantal Bernier. “While a certain level of secrecy is necessary within intelligence activities, so is accountability within a democracy. Given our mission to protect and promote privacy, and our responsibility to provide advice to Parliament, we are putting forward some recommendations and ideas for Parliamentarians to consider on these important issues.”

Increasing transparency

The report recommends measures to increase transparency when it comes to privacy protection to give Canadians a better understanding of the collection, use or disclosure of personal information in the context of federal intelligence activities.

For example, the Communication Security Establishment Canada (CSEC) could make public more detailed, current, statistical information about its operations regarding privacy protection, and submit an annual report on its work to Parliament, as does the Canadian Security Intelligence Service (CSIS).

Reforming federal privacy laws

The report also renews recommendations to amend privacy laws to increase the accountability of federal institutions collecting personal information, as well as businesses that share personal information with authorities.

The Privacy Act, which applies to federal institutions, should require organizations to demonstrate the necessity for collecting personal information and to better promote privacy when such data is exchanged with foreign governments. Changes should also be made to broaden the grounds for Federal Court review to cover institutions’ collection, use and disclosure of personal information.

The report however noted that while the Privacy Act applies to security agencies, CSIS and CSEC are subject to oversight by dedicated, specialised bodies in the form of the Security and Intelligence Review Committee and the Office of the CSE Commissioner. Parliament has entrusted these bodies to monitor the compliance of CSIS and CSEC with their respective enabling legislation and, among other things, privacy protection.

While oversight for privacy protection in the national security context is divided among multiple bodies, the Privacy Act does not allow the OPC to cooperate with the others. As a result, the report recommends the Act should be amended to enable cooperation.

The report also recommends amending the Personal Information Protection and Electronic Documents Act, the federal private sector privacy law, to require private sector companies to publicly report on the use of disclosure provisions that permit organizations to share personal information with authorities without individuals’ consent or court oversight.

Focusing on Parliament’s oversight role

The report recommends as well that a Committee could undertake a specific study of Canada’s intelligence activities and oversight involving academic, civil society, legal, technology and intelligence experts.

“By submitting this report to Parliament, our goal is to contribute to a constructive debate about accountability for the protection of individuals’ privacy in this new age of national security threats,” added Interim Commissioner Bernier. “In striving to protect public safety, it must not be forgotten that the right to privacy is fundamental in our democracy.”

See also: Special Report to Parliament – Checks and Controls: Reinforcing Privacy Protection and Oversight for the Canadian Intelligence Community in an Era of Cyber-Surveillance

Tuesday, January 07, 2014

CSEC spies on Canadians 'incidentally' to its mandate (but deliberately when helping other agencies)

The Communications Security Establishment of Canada (CSEC) has said, in a new informational website meant to be more transparent, that it sometimes "incidentally" intercepts the communications of Canadians when fulfilling its mandate, though it often deliberately does so when assisting other agencies.

However, in the course of targeting foreign entities outside Canada in an interconnected and highly networked world, it is possible that we may incidentally intercept Canadian communications or information. The National Defence Act acknowledges that this may happen and provides for the Minister of National Defence to authorize this interception in specific circumstances. If a private communication is incidentally intercepted (e.g. a foreign individual we are targeting overseas is communicating with someone in Canada), CSE takes steps to protect the privacy of that information.

The website also has a reasonably clear page on the assistance they provide to federal law enforcement and security agencies.

The Ottawa Citizen is reporting on this (Spy agency admits it spies on Canadians ‘incidentally’) as well as the recent Federal Court decision that found CSIS and Department of Justice lawyers deliberately misled the Court in order to obtain warrants.

It's heartening to see that Michael Geist and Tamir Israel share my feelings about that case and are also calling for an independent review of the conduct of those involved.

Saturday, December 21, 2013

Canadian intelligence agencies lied to obtain warrants, Federal Court judge says

In what can only be called a stunning decision (IN THE MATTER OF an application by [xxxxx xxxxxx ] for a warrant pursuant to Sections 12 and 21 of the Canadian Security Intelligence Service Act, R.S.C. 1985, c. C-23, 2013 FC 1275 [PDF]), a judge of the Federal Court of Canada has concluded that Canadian intelligence agencies essentially lied to the court in order to get warrants that never would have been granted had they exercised the appropriate level of candor. In addition, they sought to have other members of the "Five Eyes" group carry out surveillance of Canadians that they would have been prohibited from doing themselves.

The Ottawa Citizen does a great job summarizing the decision and its impact: CSIS asked foreign agencies to spy on Canadians, kept court in dark, judge says. It also includes good insights from national security law expert Craig Forcese at the University of Ottawa.

Some extracts from the decision:

“I am satisfied that a decision was made by CSIS officials in consultation with their legal advisers to strategically omit information in applications for 30-08 warrants about their intention to seek the assistance of the foreign partners. As a result, the court was led to believe that all of the interception activity would take place in or under the control of Canada.”

“The principle of comity between nations that implies the acceptance of foreign laws and procedures when Canadian officials are operating abroad ends where clear violations of international law and human rights begin. In tasking the other members of the Five Eyes to intercept the communications of the Canadian targets, CSIS and CSEC officials knew ... this would involve the breach of international law by the requested second parties.”

“There is nothing in any of the material that I have read ... that persuades me that it was the intent of Parliament to give the service authority to engage the collection resources of the second party allies to intercept the private communications of Canadians.”

“It must be made clear, in any grant of a 30-08 warrant, that the warrant does not authorize the interception of the communications of a Canadian person by any foreign service on behalf of the service either directly or through the assistance of CSEC.”

“There must be no further suggestion in any reference to the use of second party assets by CSIS and CSEC, or their legal advisers, that it is being done under the authority of a (section) 21 warrant issued by this court.”

The Citizen also obtained the following unsurprising reactions from CSIS and CSEC, which I would also say don't live up to any reasonable interpretation of "candor":

CSIS: “Protecting Canada’s national security interests in today’s globalized world is increasingly challenging, with little margin for error, especially in matters of counterterrorism. The international character of terrorism means that security is more than ever a shared effort. Everything that CSIS does, alone or with trusted partners, is consistent with Canadian law and Canadian values.

“We understand that protecting Canada’s national security interests is not just an important mandate but a sensitive one. As an organization, we are always looking to become more effective as we adapt to increasingly complicated threat environments.”

CSEC: “We will be reviewing this decision carefully. CSE may only conduct intelligence activities in Canada under its mandate to provide assistance to federal law enforcement and security agencies upon request. These activities respect Canadian laws and Canadian values, and are conducted under the requesting agency’s legal authorities, such as any applicable court warrant. CSE is bound by and must respect any limits in those authorities. All CSE activities are subject to review by the CSE commissioner, who for 16 years has reported that CSEC continues to act lawfully in the conduct of its current activities.”

The Globe & Mail also has good coverage of this decision: Canada’s spy agencies chastised for duping courts.

I can't help but think that though spies are not expected to have scruples and ethics, the Federal Department of Justice lawyers who participated in this likely failed to meet their professional obligations that exist regardless of their political masters and whom they are representing.

The misleading affidavits used at the ex parte hearings to obtain the warrants were prepared by and sworn in front of lawyers who have a free-standing, ethical obligation to never mislead the court. This is noted by Justice Mosley:

[82] The duty of full and frank disclosure in an ex parte proceeding was discussed by the Supreme Court of Canada in Ruby v Canada (Solicitor General) 2002 SCC 75, [2002] 4 S.C.R. 3 at para 27:

In all cases where a party is before the court on an ex parte basis, the party is under a duty of utmost good faith in the representations it makes to the court. The evidence presented must be complete and thorough and no relevant information adverse to the interests of that party may be withheld; Royal Bank, supra, at paragraph 11. Virtually all codes of professional conduct impose such an ethical obligation on lawyers. See for example the Alberta Code of Professional Conduct, c.10, r.8.

[83] The DAGC acknowledges that this duty, also known as the duty of utmost good faith or candour, applies to all of the Service’s ex parte proceedings before the Federal Court: Harkat (Re), 2010 FC 1243 at para 117, rev’d on other grounds 2012 FCA 122, appeal on reserve before the Supreme Court; Charkaoui (Re), 2004 FCA 421 at paras 153, 154; Almrei (Re), 2009 FC 1263, para 498. In making a warrant application pursuant to sections 12 and 21 of the CSIS Act, the Service must present all material facts, favourable or otherwise.


The Court then goes on to note that this misleading conduct was sanctioned by DOJ counsel:

[90] Based on the documentary record before me and Mr. Abbott’s evidence, I am satisfied that a decision was made by CSIS officials in consultation with their legal advisors to strategically omit information in applications for 30-08 warrants about their intention to seek the assistance of the foreign partners. As a result, the Court was led to believe that all of the interception activity would take place in or under the control of Canada.

I find this to be appalling conduct on the part of CSIS, but it is even more egregious that it was in consultation with legal counsel. It brings shame on the profession and also brings the administration of justice into disrepute.

Friday, December 20, 2013

American telcos agree to release transparency info; where are Canadian telcos?

Today, both AT&T and Verizon have agreed to follow Google's (and more recently, Twitter's) lead by releasing transparency reports, disclosing the extent to which they disclose customer information to law enforcement (Verizon to Publish Transparency Report Disclosing Law Enforcement Requests for Customer Information and AT&T Update On Government Surveillance Position: Plans to publish semi-annual transparency report).

Meanwhile, Canadian telecommunications companies and internet service providers are silent even though many disclose customer information to law enforcement without a warrant. It's about time that Canadian telcos step up and tell their customers what information they provide, with and without a warrant.

Thursday, November 14, 2013

Google updates transparency report; US government requests for user information double over three years

Google has today updated its industry leading transparency report and is reporting that user data requests by the US government have doubled over the past three years. (For Canada, the numbers have roughly held steady.)

Richard Salgado, Google's Legal Director, Law Enforcement and Information Security, writes in the Google Public Policy Blog:

Google Public Policy Blog: Government requests for user information double over three years

In a year in which government surveillance has dominated the headlines, today we're updating our Transparency Report for the eighth time. Since we began sharing these figures with you in 2010, requests from governments for user information have increased by more than 100 percent. This comes as usage of our services continues to grow, but also as more governments have made requests than ever before. And these numbers only include the requests we're allowed to publish.

Over the past three years, we've continued to add more details to the report, and we're doing so again today. We're including additional information about legal process for U.S. criminal requests: breaking out emergency disclosures, wiretap orders, pen register orders and other court orders.

We want to go even further. We believe it's your right to know what kinds of requests and how many each government is making of us and other companies. However, the U.S. Department of Justice contends that U.S. law does not allow us to share information about some national security requests that we might receive. Specifically, the U.S. government argues that we cannot share information about the requests we receive (if any) under the Foreign Intelligence Surveillance Act. But you deserve to know.

Earlier this year, we brought a federal case to assert that we do indeed have the right to shine more light on the FISA process. In addition, we recently wrote a letter of support for two pieces of legislation currently proposed in the U.S. Congress. And we're asking governments around the world to uphold international legal agreements that respect the laws of different countries and guarantee standards for due process are met.

Our promise to you is to continue to make this report robust, to defend your information from overly broad government requests, and to push for greater transparency around the world.

We strongly believe that the Electronic Communications Privacy Act (ECPA) must be updated in this Congress, and we urge Congress to expeditiously enact a bright-line, warrant-for-content rule. Governmental entities should be required to obtain a warrant—issued based on a showing of probable cause—before requiring companies like Google to disclose the content of users' electronic communications.

Saturday, July 13, 2013

Canadian secret national security court calls on amicus curiae to address vexing issues

Most Canadians are surprised to discover that we have a secret court, just like the US Foreign Intelligence Surveillance Court, that meets in a bunker in Ottawa, issuing secret warrants to do a range of cloak and dagger activities including wiretapping and installing bugs. But we do. (They are judges designated under the Canadian Security Intelligence Service Act by the Chief Justice of the Federal Court of Canada.)

Most Canadians are also surprised to learn that we have the canuck equivalent of the National Security Agency (the CSEC) and our own Canada Patriot Act in the Anti-Terrorism Act.

But one thing that distinguishes Canada from the US in an important way is that designated judges under the CSIS Act have, from time to time, retained "friends of the court" to argue positions in opposition to government requests. It hasn't happened often, but it is something that our friends to the south may want to consider amid the controversy about PRISM and the secret body of evolving caselaw that is being established.

Unopposed applications resulting in secret decisions with significant civil rights and constitutional implications easily lead to the presumption that the system is rigged and intelligence agencies get a free ride. While transparency would call for published decisions and open court, having independent lawyers argue the other side is a step in the right direction.

I've managed to find three published decisions from Canada where amici were used, and perhaps there are more that are unpublished.

For example, in Re Canadian Security Intelligence Service Act, 2008 FC 300, an amicus assisted the court in considering whether a jurisdictional issue raised in a warrant application could be heard in public, in open court. (The answer was no, but the decision was published.) In connection with the same matter, in Re Canadian Security Intelligence Service Act, 2008 FC 301, an amicus curiae was appointed to consider whether the court can authorize CSIS to carry out clandestine activities outside of Canada. (The answer was no.)

More recently, in Reference re sections 16 and 21 of the Canadian Security Intelligence Service Act, 2012 FC 1437 (CA), the Court called upon an amicus curiae to help with the question of whether "section 16 of the Canadian Security Intelligence Services Act prohibits the naming of [a Canadian citizen, permanent resident or corporation] in a warrant as [a natural or corporate person] whose communications are proposed to be intercepted, when the warrant is issued in relation to a request for assistance in the collection of information or intelligence from the Minister of National Defence or the Minister of Foreign Affairs relating to the capabilities, intentions or activities of [a foreign state or group of foreign states, corporation or person]." Importantly, the Court agreed with the amicus and denied CSIS the warrant.

Monday, June 10, 2013

Don't forget that Canada is in the national security / surveillance business as well

For those Canadians whose eyes have been focused south of the border over the past few days, following the revelation of the Verizon court order and speculation about the PRISM program, it's worth remembering that Canada is in the national security / surveillance business as well.

Canada has a "Canada Patriot Act" in the form of the Anti-Terrorism Act, which amended the CSIS Act and the National Defence Act (read Part V.1). Canada has an equivalent of the American Foreign Intelligence Surveillance Court, established under the CSIS Act. In addition, Canada's Communications Security Establishment is part of the Five Eyes signals intelligence community.

This article from today's Globe & Mail is worth a read, as it lays out Canada's own "metadata collection": Data-collection program got green light from MacKay in 2011 - The Globe and Mail.

Michael Geist has a great overview of this topic in his recent post "Why Canadians should be demanding answers about secret surveillance programs".

Friday, May 24, 2013

Canadian Privacy Commissioner calls for significant overhaul of country's privacy laws

Today, at the International Association of Privacy Professionals Canadian conference, the Canadian Privacy Commissioner unveiled her proposals for significant privacy law reforms. Some of this is not very surprising, but there were some unexpected elements.

The full release is here: New privacy challenges demand stronger protections for Canadians - May 23, 2013 and her speech to the conference can be found here: Looking back – and ahead – after a decade as Privacy Commissioner of Canada. The full discussion paper of her proposals is here: The Case for Reforming the Personal Information Protection and Electronic Documents Act.

In a nutshell, here's what she is calling for along with some of my unsolicited comments:

Stronger enforcement powers: Options include statutory damages to be administered by the Federal Court; providing the Privacy Commissioner with order-making powers and/or the power to impose administrative monetary penalties where circumstances warrant. <- It is very interesting that she is putting forward a range of options rather than advocating one position.

Breach notification: Require organizations to report breaches of personal information to the Privacy Commissioner and to notify affected individuals, where warranted. Penalties should be applied in certain cases. A recent poll found that virtually all Canadians – 97 percent – would want to be notified of a breach involving their personal information. <- This is a bit of a no-brainer, as long as there is no requirement to notify of inconsequential breaches that would have no effect on individuals.

Increase transparency: Add public reporting requirements to shed light on the use of an extraordinary exception under PIPEDA which allows law enforcement agencies and government institutions to obtain personal information from companies without consent or a judicial warrant for a wide range of purposes, including national security; the enforcement of any laws of Canada, provinces or foreign countries; or investigations or intelligence-gathering related to the enforcement of these laws. <- I think this is a great idea. Leaders in transparency, such as Google, are already providing information such as this and Canadians should know to what extent governments and law enforcement are seeking information without a warrant.

Promote accountability: Amend PIPEDA to explicitly introduce “enforceable agreements” to help ensure that organizations meet their commitments to improve their privacy practices following an investigation or audit. <- This is an interesting proposal. I think I'll need to reflect on it a bit more before arriving at an opinion.

I expect all of this will fall on deaf ears in Ottawa, as the federal government has no appetite for any privacy law reforms.

Friday, March 22, 2013

Microsoft releases first "transparency report" with stats on law enforcement user data requests

Following the lead of Google, Twitter and Facebook, Microsoft has released its first "Transparency report" which provides some visibility into the number of law enforcement requests for user data it receives and what its policies are regarding the disclosure of such data: 2012 Law Enforcement Requests Report. Well done, Microsoft.

Now let's see some Canadian telcos follow suit.