Monday, October 31, 2011

Ontario Commissioner on lawful access (actually, "expanded surveillance")

In the National Post, Ontario's Information and Privacy Commissioner adds her strong voice to the call for increased scrutiny of any "lawful access" proposals:

Privacy Commissioner Ann Cavoukian: Privacy invasion shouldn’t be ‘lawful’ | Full Comment | National Post:

By Ann Cavoukian

I must add my voice to the growing dismay regarding the impact of impending “lawful access” legislation in this country. In my view, it is highly misleading to call it “lawful.” Let’s call it what it is — a system of expanded surveillance.

At issue is the anticipated re-introduction of a trio of federal bills that will provide police with much greater ability to access and track information, via the communications technologies we use every day, such as the Internet, smart phones and other mobile devices. I have no doubt that, collectively, the legislation will substantially diminish the privacy rights of Ontarians and Canadians as a whole.

Let’s take a brief look at the surveillance bills, which were introduced prior to the last election:

  • Bill C-50 would make it easier for the police to obtain judicial approval of multiple intercept and tracking warrants and production orders, to access and track e-communications.
  • Bill C-51 would give the police new powers to obtain court orders for remote live tracking, as well as suspicion-based orders requiring telecommunication service providers and other companies to preserve and turn over data of interest to the police.
  • Bill C-52 would require telecommunication service providers to build and maintain intercept capability into their networks for use by law enforcement, and gives the police warrantless power to access subscriber information.

I well understand the attraction for law enforcement officials — the increased ability to access and track our e-communications, with reduced judicial scrutiny, would put a treasure trove of new information at their fingertips.

However, we must be extremely careful not to allow the admitted investigative needs of police forces to interfere with or violate our constitutional right to be secure from unreasonable state surveillance. The proposed surveillance powers come at the expense of the necessary privacy safeguards guaranteed under the Charter of Rights and Freedoms. The federal government must be persuaded to acknowledge the sensitivity of traffic data, stored data and tracking data, and strongly urged to re-draft the bills. For a start, the proposal for warrantless access to subscriber information is untenable and should be withdrawn. If special access to subscriber information is considered to be absolutely necessary, it must take place under a court-supervised regime.

The government needs to step back and consider all of these implications. A comprehensive cost-benefit analysis should precede the entrenchment of so many significant public policy decisions. Public Parliamentary hearings must also be scheduled to ensure that civil society, as well as the telecom industry, has a full opportunity to provide input.

Canadians must press the federal government to publicly commit to enacting much-needed oversight legislation in tandem with any expansive surveillance measures. Intrusive proposals require, at the very least, matching legislative safeguards. The courts, affected individuals, future Parliaments and the public must be well informed about the scope, effectiveness and damaging negative effects of such intrusive powers.

We can, and must, have both greater security and privacy, in unison. It cannot be one at the expense of the other. The true value of privacy must be recognized in any effort to modernize law enforcement powers. Imposing a mandatory surveillance regime on the public and its telecom service providers must not go forward without strong safeguards to protect the future of our fundamental freedoms.

National Post

Ann Cavoukian is the Information Privacy Commissioner of Ontario.

Sunday, October 30, 2011

Why lawful access legislation should not be allowed

This is why lawful access legislation should not be allowed to pass.

The Guardian is reporting on equipment being used by London's Metropolitan Police to eavesdrop on cell phones: Met police using surveillance system to monitor mobile phones | UK news | The Guardian.

The last iteration of lawful access legislation that fell off the order paper with the last federal election would have allowed police to obtain any of the following information, without a warrant, without oversight, without justification and even without any active investigation:

  • name,
  • address,
  • telephone number and
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number that are associated with the subscriber’s service and equipment.

In the abstract, that may sound innocuous, but it's far from it.

The equipment described in the Guardian article allows police to scan the airwaves and pick out the unique identifiers for all cell phones in the area. With that identifier, they can get any of the above information, again without a warrant and without any justification. Such a device could be used to identify anyone at a lawful protest, regardless of whether they had done anything wrong. We expect to carry on our lawful lives free from police intrusion unless a judge can be persuaded that the police are justified in their intrusion into your life, including the fact that the intrusion relates to a lawful investigation into criminal wrongdoing. Lawful access would remove the only check and balance, allowing police the ability monitor citizens without any reason.

This is not the country we should aspire to live in.

Welsh nightclubs to fingerprint customers

I have a feeling that every time Canadians come up with a really, really intrusive idea, there's a bunch of folks in the British Isles who look over their shoulders and think we're amateurs.

While (some) Canadians have been worried about "Barwatch" (see past posts tagged "id swping"), a controversial program that scans the ID cards of bar patrons and puts them in a massive database, bar owners in Wales (with the support of the local police) are looking to fingerprint anyone who fancies a drink and a dance.

This is a phenomenally bad idea.

Check out: Welsh nightclubs to fingerprint customers - Boing Boing.

Privacy Commissioner calls out Public Safety Minister for lack of justification for lawful access

This past week, the Privacy Commissioner of Canada sent an open letter to Public Safety Minister Vic Toews, again coming out against "lawful access" and highlighting the fact that there has been no compelling justification put forward for the expected measures.

The Minister, in a statement given to Postmedia News, did not directly address the question of warrantless access to customer information, but offered the following predictable talking point:

"Our approach strikes an appropriate balance between the investigative powers used to protect public safety and the necessity to safeguard the privacy of Canadians," Toews said in a statement Thursday in response to Stoddart's letter.

"As technology evolves, many criminal activities — such as the distribution of child pornography — become much easier. We are proposing measures to bring our laws into the 21st Century and provide police with the tools they need to do their job."

I've heard all that before, but still there's no justification for the intrusive measures.

Friday, October 14, 2011

Cloudlaw: Law and Policy in the Cloud

I'm spending the day today at a conference being hosted by the University of Toronto's Faculty of Law and the Centre for Innovation Law and Policy focused on cloud computing. The full agenda is at cloudlaw.ca and it looks like it will be a very interesting day.

I'm speaking at 1:00 on a panel that includes Patricia Kosseim (General Counsel to the Office of the Privacy Commissioner of Canada) and Professor Christopher Millard (Professor of Privacy and Information Law at the University of London). The topic is, not surprisingly, "Privacy and Security".

Here is my presentation, in case it's of interest:

Wednesday, October 12, 2011

Critics pan portions of proposed amendments to BC's public sector privacy law

Some critics have come out swinging over the proposed new amendments to BC's public sector privacy law:
Critics say new B.C. privacy laws put data at risk - British Columbia - CBC News

....

Program would permit sharing amongst ministries

The amendments to the Freedom of Information and Protection of Privacy Act would make a number of changes.

The province says the proposed legislation would let ministries share information when government programs involve more than one department. It would:

  • Permit use of so-called data linking to combine existing databases, such as for research.
  • Allow the government to create a proposed secure ID that would combine driver's licences and health-care cards.
  • Pave the way to offering more services over the Internet, such as access to health records or voting.
  • It would also require ministries to proactively release more government records, which Premier Christy Clark has already ordered them to do.

Friday, October 07, 2011

Call for addition of business transaction rule in Quebec privacy law

Éloïse Gratton has a good opinion piece in yesterday's Montreal Gazette calling for the adoption of a business transaction rule in the Quebec private sector privacy law. Check it out: Opinion: Quebec should amend its private sector data protection law.

Thursday, October 06, 2011

Questions from the bench suggest Ontario will get invasion of privacy tort

The appeal in Jones v Tsige was heard by the Ontario Court of Appeal last week. Though the court reserved judgement, I have heard from one person in attendance (and now the Financial Post) that questions from the bench suggest a likelihood that there will be a tort of invasion of privacy before long:

Ontario to get invasion of privacy tort? | Legal Post | Financial Post

Julius Melnitzer Oct 5, 2011 – 3:20 PM ET | Last Updated: Oct 5, 2011 3:24 PM ET

Proponents of an invasion of privacy tort for Ontario were heartened by the Court of Appeal’s response at the hearing of the appeal in Jones v. Tsige on September 30, 2011, in which the existence or creation of such a tort was directly in issue. The Ontario Superior Court of Justice ruled at first instance that there was no such tort in the province.

The court reserved, but observers say the questions and comments during the hearing suggested the court seemed strongly inclined to create such a tort and couple it with meaningful damages as a deterrent force.

Chris Du Vernet and Carlin McGoogan of Du Vernet Stewart were counsel for the plaintiff Sandra Jones. Alex Cameron of Fasken Martineau Dumoulin acted for the defendant Winnie Tsige.

Wednesday, October 05, 2011

British Columbia proposes amendments to public sector privacy and access law

The province of British Columbia has introduced legislation to significantly revise the Freedom of Information and Protection of Privacy Act. I haven't head a chance to really plumb the depths of the amendments yet, but did note that it does nothing to address the problem posed by the broad prohibition against cross-border transfers of personal information.

The bill is here: Bill 3 — 2011: Freedom of Information and Protection of Privacy Amendment Act, 2011.

And a markup of the full statute, showing the proposed amendments in track changes are here.

Just remember, this is at first reading stage so may be subject to amendment at the committee stage.