Friday, October 30, 2009

Privacy Commissioner speaks out on lawful access

The Privacy Commissioner of Canada has recently provided parliamentarians with her opinion on the new lawful access bills that are winding their way through the Commons. I have to say I was nodding my head while I read it:

Letter to the Standing Committee on Public Safety and National Security regarding the Commissioner's initial analysis on the privacy implications on Bills C-46 and C-47 - October 27, 2009

The Privacy Commissioner of Canada, Jennifer Stoddart, sent the following letter to the Standing Committee on Public Safety and National Security, regarding her initial analysis on the privacy implications on Bills C-46, the Investigative Powers for the 21st Century Act (IP21C), and C-47, the Technical Assistance for Law Enforcement in the 21st Century Act (TALEA)

October 27, 2009

Mr. Garry Breitkreuz, MP Chair of the Standing Committee on Public Safety and National Security 131 Queen Street – 6th floor House of Commons Ottawa, Ontario K1A 0A6

Dear Mr. Breitkreuz:

I am writing to provide the members of the Standing Committee on Public Safety and National Security with some preliminary views on the privacy implications stemming from Bills C-46 and C-47. As you are aware, I am often called upon to comment on legislation that will result in new or expanded forms of personal information being collected by federal government institutions. Those views, and analysis conducted by my Office, are specifically undertaken to support the deliberations of Parliament.

It must be stated at the outset that we recognize the concerns of law enforcement and national security authorities with the speed of developments in information technology and the anonymity they afford. Bills C-46 and C-47 seek to address the consequent public safety challenges and that objective is valid. That said, whenever new surveillance powers or programs are proposed, it is my view that there must be demonstrated necessity, proportionality and effectiveness. They should also be the least-invasive alternative available. These tests are all the more important in the area of public safety, as the use of surveillance powers by authorities can have deep and lasting impact on peoples’ lives.

The consequences for individuals as their personal information is collected and shared among authorities in various countries can escalate far beyond the initial objectives of public safety. Recent international reports, Canadian court rulings and federal commissions of inquiry have shown this clearly. Proper protections for privacy in this area reside in the strict limitation of invasive powers to what is demonstrably necessary to ensure public safety and in strong measures for accountability, commensurate with the powers vested. It is a matter of protecting human rights and assuring public trust.

Taking into account the real challenges of law enforcement and national security agencies in the Internet age and the fundamental right to privacy that underpins our democratic society, and after careful study and extensive consultation this past summer, I have concluded that elements of the proposed legislation raise significant privacy concerns. These must be addressed by proponents of the bills.

I would draw to the attention of this Committee, and all Parliamentarians, that the proposed legislation contains many provisions that would increase the level of access by law enforcement and national security authorities to personal information. In that regard, it is important that Parliament be satisfied that:

The need for these provisions has been clearly demonstrated,

The lowered legal requirements for use of invasive powers is justified,

The lessons of similar initiatives in other countries are considered, and

The oversight, reporting and accountability mechanisms are carefully calibrated, to ensure they mirror the breadth and scope of new powers

Analytical approach and consultations

It is important to note that our Office approached the examination of both pieces of legislation with fresh eyes and an open mind. While previous iterations or initiatives – like the 1999 Justice Canada initiative, the 2005 public consultation or the 2007 Public Safety request for submissions on Customer Name and Address access – may have served as background, they did not colour our analysis. Instead, since the legislation was tabled this past summer, our Office carefully read and analysed the two bills anew.

We also wanted to hear from informed experts, therefore between June and September of this year, my staff met with representatives of Justice Canada and Public Safety Canada, provincial privacy commissioners, the telecommunications industry (manufacturers, service providers and associations), law enforcement (RCMP and the Canadian Association of Chiefs of Police), civil society groups, academic specialists, as well as subject experts in the fields of information policy, network security, criminal law and intelligence operations. These conversations helped our Office identify the privacy issues raised by the two bills, which relate to the following areas:

Necessity: Though isolated anecdotes abound, and extreme incidents are generally referred to, no systematic case has yet been made that demonstrates a need to circumvent the current legal regime for judicial authorization to obtain personal information. Before all else, law enforcement and national security authorities need to explain how the current provisions on judicial warrants do not meet their needs.

Necessity given international obligations: A principal rationale cited for the need to update Canada’s interception and surveillance regime – as proposed in C-46 and C-47 – is ratification of the Council of Europe Convention on Cybercrime. However, many of the powers introduced in the proposed legislation go far beyond the legal requirements of the Convention. Our analysis would suggest that Canada has already met most of the substantive legal changes required. Certainly some caution should be exercised, given the fact that similar legal initiatives in the US and UK led to significant concerns in relation to privacy.

Proportionality of thresholds: Canadian law imposes rigorous thresholds of evidence for authorities to obtain access to personal information. They form the heart of protections that Parliament put in place to protect privacy in Canada. The downward movement from reasonable grounds to believe to reasonable grounds to suspect in some cases (for some production orders) - or to no threshold of evidence at all (for subscriber data access) - must be shown to be a proportionate response to safety and security imperatives. As it stands, the new powers envisaged are not limited to a specific range or seriousness of criminality, or to a specific level of urgency. In the case of Bill C-47, there is not even a requirement for the commission of a crime to justify access to personal information without a warrant. The onus lies with proponents of the legislation to demonstrate the need for lowered thresholds to obtain personal information.

Proportionality of oversight and review mechanisms: Only prior court authorization serves as rigorous privacy protection. Should Parliament allow law enforcement and national security authorities to circumvent the courts to obtain personal information, the corresponding oversight mechanisms must be established. My Office is clearly implicated at several points in Bill C-47, wherein my staff may review the records created by officers at the RCMP or Competition Bureau as they exercise new powers. Given the scale envisaged, with upwards of thousands of individuals in the RCMP alone potentially empowered to access subscriber data, it would be difficult for us, within our current resources, to offer any assurance to

Parliamentarians or Canadians of proper auditing. Still, review after the fact arrives too late. Privacy has already been breached, it is difficult to properly assess the circumstances, and there is no remedy for the ultimate outcome of the breach.

Demonstrated effectiveness through clear public reporting and accountability: In Bill C-47, audits are conducted internally and not required annually, while follow-up reporting to the responsible Minister and my Office are discretionary, as opposed to regular requirements. This will not afford objective, timely assessment of privacy risks or breaches. It is my view that, should the powers envisaged be granted, copies of those reports from the RCMP and Competition Bureau should be provided to the Minister and my Office on an annual basis. My audit and review staff can then proceed accordingly.

Flowing from these concerns, we would look forward to a constructive dialogue with the Committee on the following points or alternatives:

Examine warrant provisions in the Criminal Code. Rather than creating blanket, open access for authorities to search subscriber data, as in Bill C-47, there are other investigative options or legal changes to consider. Emergency provisions to conduct search, seizure or interception without a warrant in exigent circumstances are already in the Criminal Code. A similar provision for production and assistance orders should be considered to address the issue police have described in obtaining data.

Review the process for court authorization in Canada. If the underlying problem resides in Canada’s current warrant system, this is where the government’s attention should be directed, as opposed to limiting court oversight. Law enforcement and national security authorities should state the shortcomings they identify in the court warrant system so they can be addressed to adapt the system to the new challenges of the Internet age rather than sacrifice the principles that underpin the very society we seek to protect.

Tailor the scope of new powers. Any regime that circumvents court authorization raises significant privacy issues. If Parliament chooses to grant the proposed powers, they must be restricted in their application to the investigation of crimes or threats where such an invasion of privacy is justified. That is the Canadian legal tradition.

Revisit oversight regime. Internal audit, reporting with self-discretion and the role of external review bodies need to be strengthened with provisions for specific reporting requirements, regular review, dedicated resources for oversight and transparent mechanisms for accountability to assure the Canadian public.

Parliament should consider a five-year review for Bill C-46. While Bill C-47 has such a provision, Bill C-46 would also merit close review by Parliament, given how the two pieces of legislation interact. These reviews should be conducted with an eye to demonstrated evidence of effectiveness, minimal invasion of privacy and clear operation within bounds of the law.

Require annual public reporting. Yearly statistics on the use, results and effectiveness of new powers (subscriber data requests, preservation demands, tracking warrants, etc.) should be required by statute. Besides bolstering accountability, these reports would usefully support Parliament’s five-year review of the powers.

Review the regulations flowing from both bills. Given the important administrative, procedural and technical details involved, Parliament should conduct full committee reviews and hear from all interested stakeholders on both legislation and regulations. This should occur before either bill comes into force.

In summary, we urge Parliament to review Bills C-46 and C-47 in light of the following questions:

In specific terms, how is the current regime of judicial authorization not meeting the needs of law enforcement and national security authorities in relation to the Internet? What law enforcement or national security duty justifies access without a warrant by authorities to personal information or preservation of private communication?

Why are some of these powers unrestricted, when the spirit of Canadian law clearly reflects the view that access or seizure without court authorization should be exceptional?

And finally, are the mechanisms for accountability commensurate to the unprecedented powers envisaged?

Based on this initial analysis, my Office will be preparing a full submission for your consideration, in anticipation of your Committee’s study of the legislation. Given the public interest in this issue, we anticipate posting this letter on our website in the near future. I would like to thank you for your attention to this critical issue and look forward to discussing the initiative further when meetings on the bills commence.

Sincerely,

Original signed by

Jennifer Stoddart

Privacy Commissioner of Canada

Well said.

Privacy Commissioner OKs airport body scanners

Apparently the Privacy Commissioner has given the thumbs up body scanners for aviations security:

The Canadian Press: Privacy watchdog OKs see-through scanners

Privacy watchdog OKs see-through scanners

By Jim Bronskill (CP) – 46 minutes ago

OTTAWA — Airport scanners that see through the clothes of travellers have received the blessing of Canada's privacy czar.

Chantal Bernier, the assistant federal privacy commissioner, said Friday the national air security agency has successfully answered her office's questions about the project. The system, tested in British Columbia at the Kelowna airport, allows a screening officer to see whether someone is carrying plastic explosives or other dangerous items.

The proposal has stirred controversy because the scanner produces a three-dimensional outline of a person's naked body.

"It is a very touchy issue, and we have addressed it with exactly that level of care," Bernier told a gathering of security officials and academics.

Under the plan approved by the privacy chief, the officer would view the image in a separate room and never see the actual traveller.

Only people singled out for extra screening would be scanned, and they would have the option of getting a physical pat-down instead.

Bernier said the holographic image generated by the scanner makes it difficult to identify the traveller's face.

"You would not know who it is, even if you knew the person was in line," she said at the annual meeting of the Canadian Association for Security and Intelligence Studies. "We've actually tested it.

"In addition, the image would be deleted the moment the person leaves the screening portal.

"In our view, these privacy safeguards meet the test for the proper reconciliation of public safety and privacy," Bernier said.

The Canadian Air Transport Security Authority has done thorough threat assessments that reveal a need to search passengers for weapons that might elude a conventional metal detector, she said.

Giving a traveller who undergoes secondary screening the choice of either a full-body scan or a pat-down reduces the "sense of invasion" posed by the new tool, Bernier added.

In a preliminary assessment early last year, the air-security authority said the scanner project amounted to a "low privacy risk" due to the built-in safeguards.

The scanners are already in use at airports in cities including Amsterdam, Moscow and Phoenix. They are also found in the high-security "green zone" of Baghdad and at some U.S. courthouses and prisons.

The air-security authority says the low-level radio frequency wave emitted by the body scanner meets Canadian health-and-safety standards.

Data from the Kelowna pilot project will help the security authority determine which Canadian airports would most benefit from scanners.

Transport Canada would then decide whether to approve use of the devices across the country.

Thursday, October 29, 2009

University of Akron may demand DNA from job applicants

Wow. All I can say is wow.
Want A Job In Akron? Hand Over Your DNA - Taking Liberties - CBS News It's not unusual for employers to conduct criminal background checks during the hiring process. But the University of Akron has taken this to a surprising new level.

The Ohio school now reserves the right to require any prospective faculty, staff, or contractor to submit a DNA sample, which genetic-testing experts say makes it the first employer in the nation to take such an extreme and potentially intrusive step.

The new policy, which says a "DNA sample for purpose of a federal criminal background check" may be collected, took the campus by surprise after it was announced last week. An adjunct faculty member has resigned in protest and is contemplating a lawsuit, and the local chapter of the American Association of University Professors says that genetic testing violates a collective bargaining agreement. ...

Wednesday, October 28, 2009

Amendments to PIPA tabled, including breach notification and regulation of export of personal information

Yesterday (October 27, 2009), the Alberta Government introduced Bill 54, the Personal Information Protection Amendment Act, 2009. The Bill includes notification requirements for export of personal information to a service provider outside of Canada and breach notification. The principal export provision is:
Notification respecting service provider outside Canada

13.1(1) Subject to the regulations, an organization that uses a service provider outside Canada to collect personal information about an individual for or on behalf of the organization with the consent of the individual must notify the individual in accordance with subsection (3).

(2) Subject to the regulations, an organization that, directly or indirectly, transfers to a service provider outside Canada personal information about an individual that was collected with the individual’s consent must notify the individual in accordance with subsection (3).

(3) An organization referred to in subsection (1) or (2) must, before or at the time of collecting or transferring the information, notify the individual in writing or orally of

(a) the way in which the individual may obtain access to written information about the organization’s policies and practices with respect to service providers outside Canada, and

(b) the name or position name or title of a person who is able to answer on behalf of the organization the individual’s questions about the collection, use, disclosure or storage of personal information by service providers outside Canada for or on behalf of the organization.

(4) The notice required under this section is in addition to any notice required under section 13.

Permitted "as required by law" disclosures are now limited to required by Canadian or Alberta law. The breach notification provisions require notice to the Commissioner and the Commissioner may order that individuals be notified. I'm sure we'll be hearing more about this. Here's an extract from yesterday's Hansard:

ISYSweb 8 Search Results for Bill 54

Bill 54

Personal Information Protection Amendment Act, 2009

Mr. Denis: Thank you very much, Mr. Speaker. I rise to introduce Bill 54, the Personal Information Protection Amendment Act, 2009. Mr. Speaker, this bill is a direct result of the hard work of the SelectSpecialPersonalInformation Protection ActReviewCommittee, an all-party special committee of the Legislature that in 2006 undertook a complete review of the act and tabled a report to the Legislature in November 2007 outlining recommendations for amendments. This bill incorporates a number of their proposed amendments.The main proposals for change include emerging issues such as notifying the commissioner or individuals about security breaches that place personal information at risk and informing individuals when services involving personal information are occurring outside of Canada. Mr. Speaker, as required for any new legislation in a rapidly evolving area, this bill also does some updating and finetuning of the existing provisions of this act.

Thank you very much, Mr. Speaker.

[Motion carried; Bill 54 read a first time]

The Speaker: The hon. Government House Leader.

Mr. Hancock: Thank you, Mr. Speaker. I move that Bill 54 be moved onto the Order Paper under Government Bills and Orders.

[Motion carried]

Monday, October 26, 2009

The future of privacy on the internet

I was honoured to be one of the speakers at the Halifax Internet Town Hall hosted at Dalhousie University this evening, sponsored by the Chebucto Community Net and Dalhousie Student Union. My portion of the proceedings -- surprise -- was about privacy. I only had ten minutes, so needed to be short and sweet.

I decided to focus my presentation on the abomination that is Bill C-47, in particular the provision that allows law enforcement to have wholesale access to customer information without a warrant. It is frankly appalling and should not be allowed to pass.

Look at this provision:

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

You can disagree on the finer aspects of whether an ISP should be permitted to match an IP address provided by the cops with the customer name and address information in their files. That's a reasonable debate. But I do not see any limitation in Section 16. There's no oversight. There's no real accountability. There's no nuance. All ISPs will be required to provide any (or all) of the following:

  • name,
  • address,
  • telephone number,
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number

It doesn't have to be connected to a child exploitation investigation. Or a parking ticket. In fact, there's no requirement that there be an underlying lawful investigation. The police will be able to hand a list of names to the ISP and require all of the above information, for an unlimited number of targets.

This is appalling legislation and should not stand.

For other postings on this topic, check out my previous postings tagged Lawful Access.

Saturday, October 17, 2009

Laptop searches at airports infrequent, DHS privacy report says

Computerworld is reporting on the first report of the Department of Homeland Security Privacy Office since the changeover to the Obama administration. The report itself is interesting, but perhaps most interesting are the statistics related to the number of searches of laptops at border crossings. This has been a controversial practice since reports on it came to light some time ago. I was surprised to read that fewer than two thousand took place in the year under review, in light of the millions of people (and laptops) that have crossed the border during that time.

Here's Computerworld's coverage: Laptop searches at airports infrequent, DHS privacy report says.

Thursday, October 15, 2009

Government declines proposed reforms to access and privacy laws

The Minister of Justice has responded to the Standing Committee on Access to Information, Privacy and Ethics' reports on reform to the Privacy Act and the Access to Information Act with a robust "thanks, but no thanks".

House of Commons Committees - ETHI (40-2) - Reports and Government Responses Report 11 - The Access to Information Act: First Steps Towards Renewal (Adopted by the Committee on June 15, 2009; Presented to the House on June 18, 2009)
Government Response: 11th Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Access to Information Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)
Report 10 - The Privacy Act: First Steps Towards Renewal (Adopted by the Committee on June 8, 2009; Presented to the House on June 12, 2009)
Government Response: Tenth Report of the Standing Committee on Access to Information, Privacy and Ethics, "The Privacy Act: First Steps Towards Renewal" (Presented to the House on October 9, 2009)

Thanks to Michael Geist for the pointer.

Some media coverage from the Canadian Press:

The Canadian Press: Harper government refuses to expand information, privacy laws

Harper government refuses to expand information, privacy laws

By Joan Bryden (CP) – 2 hours ago

OTTAWA — The Harper government has quietly nixed recommendations to expand and modernize Canada's access-to-information and privacy laws.

Justice Minister Rob Nicholson's rejection of reforms to the 26-year-old laws sparked accusations Thursday that the Tories have reneged on campaign promises to bring openness and transparency to the federal government.

"The access system now does not work," said Michel Drapeau, a lawyer and a leading expert on accessing government documents.

"They appear to like it this way."

Nicholson's rejection was also greeted with disappointment by privacy experts, who warned that Canada's outdated Privacy Act does not cover modern technologies, such as surveillance cameras and DNA samples collected from suspects.

Nor does it give the privacy commissioner any recourse to the courts when the government inappropriately discloses personal information, no matter how serious the breach.

"We're very disappointed, actually," said Chantal Bernier, assistant privacy commissioner.

"While we agree with the minister that privacy is well protected in Canada, we feel we can do better."

A Commons committee had recommended, among other things, that the information commissioner be given more power to force the government to disclose information in a timely manner.

Drapeau said only 10 to 20 per cent of access requests receive a response within 30 days, as intended under the law. The rest routinely take up to two years with some dragging on as long as four years.

Suzanne Legault, interim information commissioner, said Drapeau's view of the access system is overly pessimistic. She said 57 per cent of requests get a response within 30 days.

Still, she acknowledged there's an "urgent need" to modernize legislation to remedy some "very long delays" in responding to access requests.

Legault pointed out that the act was drafted in the days when bureaucrats kept paper records "in a neat file folder." Now, they are inundated with digital information, such as streams of emails with attachments, that is harder to manage and takes longer to sift through.

"We really live in a world of digital information and the system hasn't adjusted," Legault said.

The Commons committee had also wanted the privacy law expanded to cover new technologies. And it wanted to beef up provisions governing the disclosure of personal information by the Canadian government to foreign states - one of the most urgent needs in the wake of the Maher Arar case, according to Bernier.

Based on information provided by Canadian security authorities, Arar was detained in the U.S. and deported to Syria, where he was tortured.

In responses to the committee tabled quietly last week, Nicholson rejected the proposed reforms as too cumbersome, unnecessary or ill-considered.

He said giving the information commissioner more powers would shift the nature of the job "from an ombudsman model towards a quasi-judicial model," which would be inconsistent with other independent parliamentary watchdogs.

He rejected the notion that information requesters should have direct recourse to the Federal Court if access is refused, arguing that such a reform "would increase the caseload burden on the Federal Court."

On the privacy recommendations, Nicholson ruled out legislative restrictions on the disclosure of personal information to foreign states, arguing that law enforcement and security agencies "require a flexible approach" to information sharing.

"They must be able to share their intelligence within Canada and well as with their foreign partners," he wrote.

Moreover, Nicholson argued that efforts to combat international child abductions, forced marriages and worldwide health threats would be "seriously hampered" by restrictions on information sharing.

Nicholson maintained both the Access to Information Act and the Privacy Act are strong pieces of legislation. And he suggested "administrative alternatives, such as enhanced guidance and training" could be "equally effective" in improving both the access and privacy regimes.

Copyright © 2009 The Canadian Press. All rights reserved.

Wednesday, October 14, 2009

The lawful access debate

The Ottawa Citizen has an interesting article on the debate surrounding "lawful access". Check it out: Security vs. privacy. Via Michael Geist.

Friday, October 09, 2009

The debate about warrantless access to ISP customer information

Just posted on slaw: The debate about warrantless access to ISP customer information >> Slaw

In the privacy community, there has been a debate over whether it is lawful, under PIPEDA, for a custodian of personal information to provide customer information when then police come knocking. The debate has been most heated in the arena of internet service providers customer names and addresses to the police when presented with an IP address. PIPEDA allows a number of disclosures of personal information without consent pursuant to Section 7(3) of the statute. One exception to the general rule relates directly to law enforcement requests:

Disclosure without knowledge or consent

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is ...

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering any law of Canada or a province; [emphasis added]

The debate has raged over differing interpretations of “lawful authority”, and there are conflicting decisions from the Courts over whether internet service providers can disclose customer name and address information to the police in response to a request.

For example, in Re S.C., 2006 ONCJ 343, the court set aside a search warrant that was based on information obtained from an ISP in response to a law enforcement request. In R. v. Kwok, the court found that the customer had a reasonable expectation of privacy in his name and address information and that the police should have obtained a warrant to get this information from the internet service provider. From paragraph 35 of that decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

More recently, in R. v. Ward, 2008 ONCJ 355 (CanLII), the court determined that the customer did not have a reasonable expectation of privacy with respect to this information because the service agreement imposed upon him by Bell’s Sympatico service reduced, if not destroyed, whatever expectation of privacy he might otherwise have had. Similarly, in R. v. Wilson, the court also found no reasonable expectation of privacy.

The pendulum may be swinging the other way. Last week, the Ontario Court of Justice released its decision in R. v. Cuttell. The Court concluded there is a reasonable expectation of privacy in customer account records, but this expectation can be destroyed by an ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepted that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy but there was no proof brought by the police that the Bell contract applied to this customer. What is perhaps most interesting is that the Judge lamendted the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

All of this may become moot (and then some!) thanks to currently pending legislation. Bill C-47, entitled Technical Assistance for Law Enforcement in the 21st Century Act, is about to come up for committee review in parliament. Introduced along with Bill C-46, Investigative Powers for the 21st Century Act, both bills represent a significant shift in the powers of law enforcement. Though marketed as updating current police powers to keep pace with technology, C-47 would give law enforcement virtually unfettered access to customer information from internet and telecommunications service providers without any judicial oversight. The particular provision is at Section 16:

Provision of subscriber information

16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

I am of the view that there should be appropriate judicial oversight of any regime in which service providers are required to identify their users to law enforcement officials. (Subject to exceptions in exigent circumstances.) It is only with judicial oversight that society can be assured that the appropriate balance between privacy and public safety is maintained. The government’s proposal provides no oversight and the powers of law enforcement are completely unfettered. If the concern is that search warrants are too time consuming, then appropriate resources should be put in place to provide for rapid review by independent judicial officers. Removing all the stops from law enforcement powers it not appropriate in this case.

Currently there is a disparity of practices among telecommunication service providers and internet service providers across Canada when dealing with a request from a law enforcement agent to provide a customer name and address connected with a specific IP address. This is due to at least a measure of uncertainty in interpreting the service provider’s obligations under the Personal Information Protection and Electronic Documents Act. Most ISPs will provide customer name and address information if law enforcement officers make a written request in the course of investigation related to child exploitation. In other sorts of investigations, a search warrant is required. Other internet service providers require a search warrant in all circumstances to disclose this information.

For example, Clause 16 as drafted does much more than impose the obligation for service providers to carry out a “reverse look-up” to match one piece of information (such as an IP address) with customer billing information. Instead, it would require the service provider to give law enforcement a laundry list of information in response to any request. This sort of information would be IP address, mobile identification number, electronic serial number, phone number, equipment identifiers and others. This, on its face, goes beyond what law enforcement has been asking for, at least in public.

This power is not subject to meaningful review and is completely unfettered. There is no restriction on the circumstances under which these powers can be used. Currently, requests of this nature generally relate to child exploitation investigations or compelling national security/public safety matters. As drafted, law enforcement would be able to use these powers in connection with parking violations and very minor concerns. In fact, these powers could be used in the complete absence of a lawful investigation. In addition, there is no limitation whatsoever on the volume of these sorts of requests. It would be possible for a law enforcement agency to require the name, address, e-mail address and IP address of every single one of their customers. I think most would say this goes over the line.

It has been said before that a customer’s name and address is not “personal information” or if it is, it is not sensitive information. That misses the point. A customer’s name and address, when connected with an IP address or a mobile phone serial number, is never used in isolation. It is always connected with other information relating to that individual’s behaviours or activities. An individual citizen can carry on their “offline” life in relative anonymity without having to produce identification every time they visit a store or look at a particular book in a library. The realities of network communications mean that every activity undertaken by an individual on the internet, lawful or not, leaves a record of that individual’s IP address. The only protection for that individual’s anonymity is that the connection between the IP address and other identifiers can only be made by the telecommunications service provider. Connecting the identity of an individual to his or her online activities amounts to a collection of personal information that should only be done by law enforcement where the circumstances are sufficiently compelling to tilt the balance in favour of law enforcement/public safety. These provisions do not maintain the traditional balance as has developed in Canada under the Charter and in fact go dramatically and unreasonably in favour of law enforcement.

I've been surprised that discussion of this topic has mostly been contained within the privacy community and hope that the upcoming parliamentary hearings on C-46/C-47 will bring the debate into the wider community, where it belongs.

Thursday, October 08, 2009

New decision on warrantless access to ISP customer data

A friend just provided me with a copy of a recent decision of the Ontario Court of Justice considering the admissibility of information obtained without a warrant from the suspect's internet service provider, Bell. R. v. Cuttell is not on CanLii yet, but I've put a copy here.

The Court concluded there is a reasonable expectation of privacy in your account records, but this expectation can be destroyed by your ISP if their service agreement grants them wide latitude to hand over customer information. The judge accepts that a broadly-worded statement in Bell's contract with the customer might supplant the reasonable expectation of privacy. (I would also question whether a form contract that the customer likey has not read would be enough to mean that subjectively there is no reasonable expectation of privacy.)

In this case, there was no proof brought by the police that the Bell contract applied to this customer so a Charter breach was found.

The Court importantly notes that PIPEDA does not give the police the right to seek information and rejects every crown argument that the police may have had "lawful authority" in the circumstances.

But, in the end, the records were admissible as the police acted in good faith.

What is perhaps most interesting is that the Judge laments the fact that the increasing use of "we will disclose" language in ISP contracts tilt the balance of privacy away from individuals toward the police, without the ability of the Courts to impartially consider what is reasonable in the circumstances.

Tuesday, October 06, 2009

Privacy Commissioner releases annual PIPEDA report, focus on online privacy

The Privacy Commissioner of Canada has this morning tabled her annual report on PIPEDA, the country's private sector privacy law. Not suprisingly, there is much discussion about online privacy and social networking. Here's the release and a link to the report:

News Release: Canadians need to take control of their online personal information: Privacy Commissioner - October 6, 2009

Canadians need to take control of their online personal information: Privacy Commissioner Privacy Commissioner of Canada’s annual report focuses on importance of making informed choices about sharing personal information online.

OTTAWA, October 6, 2009 — As more and more Canadians live their lives online, the Privacy Commissioner is cautioning them to take greater responsibility for securing their privacy and thinking twice about what they post on the Internet.

“Many young people are choosing to open their lives in ways their parents would have thought impossible and their grandparents unthinkable. Their lives play out on a public stage of their own design as they strive for visibility, connectedness and knowledge,” says Jennifer Stoddart, the Privacy Commissioner of Canada.

“Such openness can lead to greater creativity, literacy, networking and social engagement. But putting so much of their personal information out into the open can also … leave an enduring trail of embarrassing moments that could haunt them in future,” the Commissioner says in her annual report to Parliament, which was tabled today.

The Commissioner’s 2008 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act (PIPEDA) highlights the issue of youth privacy. It also looks at 2008 privacy complaint investigations; technology and privacy issues; and the Commissioner’s efforts to encourage the development of international privacy standards.

Commissioner Stoddart noted that many people have been fired, missed out on job interviews and academic opportunities, and been suspended from school for instant messages, wall posts and other types of online correspondence they mistakenly thought were private conversations with friends.

There is also a risk that unguarded personal information could be exploited by identity thieves.

The Office of the Privacy Commissioner recently completed an investigation into the privacy policies and practices of the popular social networking site Facebook. While that investigation focused on Facebook’s obligations under Canadian privacy law, the Commissioner emphasized at the time that, with nearly 12 million Canadians on Facebook, it’s also important for users to adopt the appropriate privacy settings and to understand how their personal information may be used or shared online.

The Privacy Commissioner’s Office has made online youth privacy a key priority, using contests, communications materials and a dedicated youth privacy website to reach out to young people and to encourage them to reflect on privacy issues and to “Think Before You Click.”

“As Canada’s privacy guardian, it is our role to create awareness of privacy risks, show people how to address those risks, and make it easy for them to make informed decisions,” says Commissioner Stoddart.

Adds Assistant Commissioner Elizabeth Denham: “We’re not suggesting the clock be turned back; we just want to ensure Canadians have the information they need to make more privacy-conscious decisions.”

The annual report, available on the OPC website at http://www.priv.gc.ca/, includes details of complaints received and investigated by the Office in 2008.

The OPC received 422 new PIPEDA-related complaints for investigation in 2008, ending a downward trend that had lasted for several years. In 2007, there had been 350 complaints, fewer than half the 723 received in 2004.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of privacy and the protection of personal information rights of Canadians.

Annual Report to Parliament 2008 – Report on the Personal Information Protection and Electronic Documents Act

Ontario Commissioner orders end of juror background checks

The Information and Privacy Commissioner of Ontario has ordered crown attorneys to immediately stop performing intrusive background checks on prospective jurors. From the IPC:

IPC - Office of the Information and Privacy Commissioner/Ontario Commissioner Cavoukian Orders Crown attorneys to stop collecting personal information on prospective jurors – Recommends single screening process, in light of widespread back

News Release October 5, 2009

Commissioner Cavoukian Orders Crown attorneys to stop collecting personal information on prospective jurors – Recommends single screening process, in light of widespread background checks

Investigation finds one-third of Crown attorney offices engaged in excessive background checks, in a practice that “should have been put to a stop 16 years ago.”

TORONTO – Ontario Information and Privacy Commissioner, Dr. Ann Cavoukian, today ordered Crown attorneys to cease collecting any personal information of potential jurors, beyond that which is necessary under the Juries Act and Criminal Code. Proposing a fundamental shift in the way that prospective jurors are screened, the Commissioner also called on the Ministry of the Attorney General (MAG) to implement a single, centralized juror screening process through the existing Provincial Jury Centre, minimizing the need for numerous background checks to be conducted across multiple offices. The new process addresses the lack of consistency in the “patchwork of practices” presently employed by Crown attorney offices and the police.

The Commissioner’s office (IPC) conducted a major investigation into whether the privacy rights of prospective jurors were breached when the police, on behalf of Crown attorneys, conducted background checks through a variety of means, ranging from accessing confidential databases, to informally gathering anecdotal information. Key findings include:

• One third, or 18 of the 55 Crown attorney offices in Ontario had received background information about prospective jurors since March 31, 2006 – this practice extended well beyond the four locales previously identified in the media;

• All 18 Crown attorney offices had gathered personal information that exceeded the criminal conviction eligibility criteria set out in the Juries Act and Criminal Code – in doing so, they had also failed to comply with applicable privacy legislation; and

• There were varying practices regarding the disclosure of this information by Crown attorney offices to defence counsel.

“I want to be clear that we are not talking about a sweeping epidemic – in a relatively small number of cases, the violation of jurors’ privacy was a routine practice,” said Commissioner Cavoukian. “However, while these practices varied in terms of their invasiveness, the fact remains that 18 Crown attorney offices across the province gathered personal information that exceeded the criminal conviction eligibility criteria set out in the Juries Act and Criminal Code. What I find regrettable is that this invasive practice should have been put to a stop 16 years ago.

Under the Juries Act and Criminal Code, an individual is ineligible to serve as a juror if they have been convicted of an indictable offence for which they have not received a pardon. The Criminal Code also allows a juror to be successfully challenged for cause by the Crown and defence counsel if they have been convicted of an offence for which a term of imprisonment exceeding 12 months has been given. The investigation found that practices had developed across Ontario that, in some cases, went far beyond these limits.

This issue of jury vetting was formally flagged by MAG in 1993, after Ontario Superior Court Justice Humphrey questioned the appropriateness of jury background checks. Within weeks, a memorandum on the issue had been written by a senior Crown attorney, culminating in a recommendation that the practice should stop. But it did not stop, and no further action was taken, at that time. Since then, a series of opportunities to provide clear guidance to Crown attorneys were missed, despite this issue surfacing again and again over the years. It was not until March 31, 2006 that a formal instruction to Crown attorneys came into effect, in the form of a MAG ‘Practice Memorandum.’

“Unfortunately, the 2006 Practice Memorandum was not sufficiently clear as to what practices were acceptable,” added the Commissioner. “We found that a patchwork of practices developed across the province, with a wide variety of opinions across Crown attorney offices as to what background checks were appropriate. My Order will hopefully provide clear direction as to what personal information may or may not be collected in the jury selection process.”

The Investigation

On May 25, 2009, media reports emerged that, in Barrie, Ontario, police services had been conducting background checks of prospective jurors, at the request of Crown attorneys. Upon learning that the practice extended beyond Barrie to include other Ontario locations, Commissioner Cavoukian launched an investigation under the Freedom of Information and Protection of Privacy Act and the Municipal Freedom of Information and Protection of Privacy Act into the practices of conducting background checks of prospective jurors, and whether these practices violated the privacy provisions of the legislation. The Commissioner’s investigation received the full support of the Ontario Government. The Premier, the Honourable Dalton McGuinty, expressed the following view as part of a news conference: “The Attorney General has made it perfectly clear this is unacceptable, it’s not in keeping with practice and in fact, it’s against the law …. We will offer whatever cooperation is required in order to ensure that [Commissioner Cavoukian] can conduct whatever full review that she might and we look forward to receiving any recommendations.”

To ensure a comprehensive investigation, the Commissioner’s office pursued multiple channels of inquiry, including:

1. Conducting in-person interviews at four different Ontario locations with various parties: Crown attorneys, court staff, police officials and defence counsel;

2. Undertaking an intensive province-wide empirical survey of all 55 Crown attorney offices;

3. Receiving sworn affidavits from senior Crown attorneys;

4. Retaining the services of the Auditor General’s staff to review the document capture process involving jury lists; and

5. Receiving legal submissions from the Ministry of the Attorney General, the Ministry of Community Safety and Correctional Services, the Criminal Lawyers’ Association, the University of Toronto’s David Asper Centre for Constitutional Rights, and the Canadian Civil Liberties Association.

“We have made every effort to deliver a full review of the issues associated with background checks, and to provide workable solutions, to bring to an end any unacceptable practices,” said Commissioner Cavoukian.

The Order and Recommendations

Based on the findings of the investigation, the Commissioner is ordering Crown attorneys to cease collecting any personal information of potential jurors beyond that which is permitted under the Juries Act and the Criminal Code, relevant to criminal conviction eligibility. Further, the Commissioner is recommending a fundamental shift in the way that prospective jurors are screened in Ontario. Proposing a complete overhaul of the existing system, the Commissioner has recommended that MAG, through its Provincial Jury Centre (PJC), be the only central body to screen jurors who are ineligible for jury duty, based on criminal conviction. As the single entity already in receipt of the names and personal information of all prospective jurors, the PJC is the obvious candidate to perform this role. Operating from a single location in London, Ontario, the PJC is also in an ideal position to implement strict privacy and security measures that can be strongly enforced, thereby providing a consistently high degree of protection for personal information.

In total, the Commissioner made 22 recommendations directed primarily at Ministry of the Attorney General (MAG), including:

• The Provincial Jury Centre of MAG should be the only central body to screen out jurors who are ineligible for jury duty, based on criminal conviction;

• Crown attorneys should cease the practice of requesting the police to provide criminal conviction information relating to potential jurors, barring exceptional and compelling circumstances;

• Where Crown attorneys do obtain criminal conviction information relating to prospective jurors, they should share this information with defence counsel, in accordance with MAG policy;

• MAG should re-write and re-design the jury service qualification questionnaire in order to make it more clear, transparent and user-friendly for all prospective jurors;

• MAG should develop and implement a policy for Crown attorneys on the appropriate retention and disposal of jury panel lists.

“Any practice that taints, or is perceived to taint, the jury process strikes at the heart of the values we share as citizens of a free and democratic society,” said Commissioner Cavoukian. “My Order and Recommendations should ensure that a number of important goals are met. Juror privacy will be enhanced, all parties to a criminal proceeding will have equal access to relevant information on prospective jurors, and we will have increased accountability surrounding the entire jury selection process.”

For a complete copy of the Order, visit www.ipc.on.ca

Monday, October 05, 2009

Justice Minister mulls breathalyzer testing for all drivers

The CBC News is reporting that the Justice Minister is considering amending Canadian laws to allow for random breathalyzer testing of all drivers, regardless of whether there is any reason to believe that the driver is intoxicated. See: CBC News - Canada - Random breathalyzer tests considered for Canada.