Saturday, November 26, 2011

Ontario Commissioner Issues Significant Order on Custody or Control of University Records

If any part of your practice involves advising universities on access to information issues, run -- don't walk -- over to Dan Michaluk's summary of the recently released decision in University of Ottawa – Order PO-3009-F (November 7, 2011).

One of the big issues these days is whether records held by a university professor is in the custody or control of the university, so that they may be subject to access to information legislation. The Information and Privacy Commissioner of Ontario has just held that it is up to the IPC and not any other process (such as arbitration or reference to arbitral jurisprudence) to determine whether this is the case. The decision also provides the following very helpful guidance:

Accordingly, I conclude that the arbitral awards are not determinative with respect to the custody or control of records that may be responsive in this case. Rather, the determination is to be made based in the principles enunciated in this order. The significant conclusions I have reached in this regard are:

1. records or portions of records in the possession of an APUO member that relate to personal matters or activities that are wholly unrelated to the university’s mandate, are not in the university’s custody or control;

2. records relating to teaching or research are likely to be impacted by academic freedom, and would only be in the university’s custody and/or control if they would be accessible to it by custom or practice, taking academic freedom into account;

3. administrative records are prima facie in the university’s custody and control, but would not be if they are unavailable to the university by custom or practice, taking academic freedom into account.

Run to Dan's summary: Ontario Commissioner Issues Significant Order on Custody or Control of University Records « All About Information.

Thursday, November 24, 2011

SCC declines to hear Alberta Privacy Commissioner's appeal

The Supreme Court of Canada announced today that they will not hear the appeal of the Information and Privacy Commissioner of Alberta in the case of Leon's Furniture Limited v. Alberta (Information and Privacy Commissioner), 2011 ABCA 94.

For some history, see:

Bill C-12 and “lawful authority” under PIPEDA

Phillipa Lawson has a very well thought out post over at Slaw on "lawful authority" under PIPEDA and the ability of businesses to share personal information with law enforcement. Check it out: Bill C-12 and “lawful authority” under PIPEDA — Slaw.

Tuesday, November 22, 2011

Current issues in privacy: Social media and cloud computing

Today, I was honoured to be asked to present to the Nova Scotia Association of Educational Administrators on current privacy issues. A very interesting group of people with some great questions. Here's the presentation, in case you're interested:

What information is law enforcement looking for under "lawful access"?

Christopher Parsons has a great and detailed blog post on the sort of information that would be open for inspection by law enforcement under "lawful access". And it's isn't "phone book" information. Check it out: The Anatomy of Lawful Access Phone Records | Technology, Thoughts, and Trinkets.

Paper on Canadian ISP cooperation with law enforcement

An interesting read:

Updated: Business disclosure of personal information to law enforcement agencies: PIPEDA and the CNA letter of request protocol (PDF):

By Suzanne Morin with the assistance of Amy Awad and Dee Pham

Canadian Internet Service Providers (“ISPs”) are continuing their strategy to deal with a subset of requests for customer information from law enforcement agencies requests that is of particular concern to them – those pertaining to online child exploitation investigations.

The initiative, where participating ISPs voluntarily disclose customer name and address linked to an IP address at a particular date and time to law enforcement at the pre-warrant stage of child exploitation investigations, remains interesting at a number of levels.

It touches on privacy issues pertaining to the proper interpretation of PIPEDA and the reasonable privacy expectations of ISPs’ customers. It also provides an ongoing example of a relatively successful voluntary collaboration between private business, law enforcement and privacy regulators aimed at tackling legal uncertainties where they may most negatively affect the public good.

Friday, November 18, 2011

Nova Scotia Privacy Review officer reviews workers' comp board

Until recently, the "Review Officer" appointed under Nova Scotia's Freedom of Information and Protection of Privacy Act only had the power to deal with access to information issues and not privacy complaints. That's now changed and the Protection of Privacy Review Officer, Dulcie McCallum has come out swinging following a review of the province's Workers' Compensation Board. Below is the press release, summarizing Review P-11-01 (PDF):

REVIEW OFFICER ISSUES PUBLIC REPORT: RECOMMENDS CHANGES TO WCB PRIVACY PRACTICES

November 18, 2011

Dulcie McCallum, Nova Scotia’s Privacy Review Officer, today released her report investigating the privacy practices of the Nova Scotia Workers’ Compensation Board: Privacy Matters: Creating a Zero Tolerance Privacy Environment. Ms. McCallum made 21 recommendations that she believes will improve the privacy culture at the WCB, and the WCB has agreed to implement all of the recommendations.

“Because privacy is such an important part of how we define ourselves, I have recommended that the WCB work towards creating an institutional goal where privacy is given priority, where one privacy breach is one too many,” said Ms. McCallum. “I believe this approach to privacy lines up closely to WCB’s primary emphasis on safety in the workplace, where one accident is one too many.”

The Review marks the first time the Privacy Review Officer has completed a systemic privacy review of a public body. Ms. McCallum launched the investigation early this year when it was publicly reported that at least two separate individuals had received another WCB claimant’s claim file when requesting their own. Most claimant's files include considerable personal information and in particular personal health information.

Before this report was made public, the Review Officer shared a draft version with the WCB in order to ensure that the Review Office had fully captured the work of the WCB and its privacy practices. In its response, the WCB emphasized the similarities between efforts to prevent workplace injuries and efforts to prevent privacy breaches and agreed to implement all 21 recommendations.

“I am happy to report that the WCB has fully accepted preventing privacy breaches as a priority and has indicated that our expert advice as to how to go about achieving that is welcome,” said Ms. McCallum. “I want to thank the WCB for the full cooperation it provided throughout this investigation.”

The WCB has committed to implementing seven of the recommendations immediately, while the remaining 14 will require a reasonable period of time to fully adopt. The Review Office intends to revisit the progress being made by the WCB on implementation within the next year.

The Privacy Review was expedited to ensure any privacy breaches that may have occurred were not ongoing and had been sufficiently contained by the WCB. The Privacy Review Officer found that they had been contained, though the overall privacy practices of the WCB needed improvement in order to give privacy protection the attention it deserved.

Thursday, November 17, 2011

Privacy Commissioner of Canada releases annual report on public sector privacy law

Jennifer Stoddart has just tabled her annual report to Parliament on the Privacy Act, Canada's federal public sector privacy law: Annual Report to Parliament 2010-2011 - Report on the Privacy Act.

From her media release on the topic:

Audit of airport security measures flags concerns about over-collection and safeguarding of travellers’ personal information

2010-2011 Annual Report to Parliament on the Privacy Act examines the stewardship of personal information by Canada’s airport security authority, the RCMP and other federal departments and agencies

OTTAWA, November 17, 2011 – The Government of Canada is collecting too much information about some air travellers and is not always safeguarding it properly, Privacy Commissioner Jennifer Stoddart found in an audit published with her annual report today.

The audit of the privacy policies and practices of the Canadian Air Transport Security Authority (CATSA) concluded that the agency was reaching beyond its mandate by completing security reports on incidents which were not related to aviation security.

This was the case even with incidents involving an activity that was legal. For example, CATSA collected information about air passengers who were found to be carrying large sums of cash on domestic flights. CATSA also contacted police in such cases. Since it should not be collecting personal information about legal activities not related to aviation security, the Office of the Privacy Commissioner of Canada recommended that CATSA immediately cease that practice. CATSA agreed.

Moreover, the audit found that such incident reports, and other types of personal information collected by the agency, were not always properly secured.

“Documents containing sensitive personal information were left on open shelves and in plain view in a room where passengers may be taken for security checks,” Commissioner Stoddart reported.

The audit also identified other concerns about procedures not being followed during the screening process. When auditors visited the rooms where CATSA officials screen full-body scans, they discovered a cell phone and a closed-circuit TV camera even though these types of devices are strictly prohibited according to CATSA’s operating procedures.

“Fortunately, these irregularities were uncommon and we were pleased that CATSA moved quickly to correct them by issuing a reminder to staff and conducting inspections to ensure proper procedures were followed,” said Commissioner Stoddart.

Even so, she added, “the Government of Canada is entrusted with highly sensitive personal information, and is obliged to handle it with an uncompromising level of care—not some of the time, or even most of the time, but all of the time.”

The audit was summarized in the 2010-2011 annual report on the Privacy Act, which was tabled in Parliament today.

The annual report also contains a summary of another audit conducted by the Office of the Privacy Commissioner of Canada (OPC). It examined the Royal Canadian Mounted Police’s (RCMP) management of operational databases that are widely shared with other police forces, government institutions and other organizations.

The audit determined that, while the RCMP has policies and procedures to safeguard the sensitive information contained in the databases, there were also some disturbing gaps.

For instance, the Privacy Act, which governs the information-handling practices of federal government departments and agencies, requires that organizations retain personal information no longer than absolutely necessary. And yet, information about offences for which a pardon had been granted, or that resulted in a wrongful conviction, continues to be accessible in a database called the Police Reporting and Occurrence System.

“People who were convicted of an offence they did not commit, or who have been granted a pardon, have a right to go about their lives without information—and especially misinformation—about their past coming to light,” Commissioner Stoddart noted. “Such information must be more tightly controlled.”

The annual report highlights the work of the OPC in 2010-2011 in strengthening the privacy rights of Canadians. It summarizes key investigations into privacy complaints and data breaches that the Office conducted under the Privacy Act. The report also describes several Privacy Impact Assessments that federal institutions submitted to the Office for review during the past fiscal year.

Aimed at assessing the government’s stewardship of personal information, the report has separate chapters devoted to the collection, use and disclosure of data. Given the sensitive nature of the personal information that the state needs to govern, the report warns of grave consequences for its over-collection, misuse or inappropriate disclosure.

Aside from the two audit summaries, here are other highlights of today’s reports:

  • Biometric identifiers: Citizenship and Immigration Canada submitted Privacy Impact Assessments for two initiatives involving the use of fingerprints and other biometric identifiers for immigration control. The OPC recommended ways to strengthen privacy safeguards for vulnerable populations such as refugee claimants.
  • Passenger behaviour observation: A Privacy Impact Assessment for a new pilot project to observe airport travellers for suspicious activity raised several concerns, including the potential for inappropriate risk profiling based on characteristics such as race, age or gender.
  • Personal data breaches: The OPC received a record number of reports of breaches of personal information in 2010-2011. One involved a malfunction of the new My Service Canada Account website, a day after its launch, which allowed an estimated 75 users to see financial and other personal data of previous visitors to the site.
  • Follow-up to past audits: During follow-ups on three audits originally conducted in 2008 and 2009, the entities that we audited indicated that 32 of 34 of the OPC’s recommendations had been fully or substantially implemented. For example, the RCMP reported that it had removed tens of thousands of surplus files from its exempt databanks, in compliance with the Privacy Commissioner’s recommendations.

The full annual report and audit reports on CATSA’s aviation security measures and the RCMP operational databanks are available at www.priv.gc.ca.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman and guardian of privacy in Canada.

Monday, November 14, 2011

Ontario Court: Information about landlords not Personal Information

Dan Michaluk has a summary of a very recent Ontario Superior Court of Justice Case which held that information about landlords in the capacity as landlords is not really personal information, but is instead business information. Check it out: Information About Landlords not Personal Information « All About Information.

Thursday, November 10, 2011

Cloud computing session at Privacy and Information Security Congress 2011

I'm going to be on a panel discussion at the Reboot conference "Privacy and Information Security Congress 2011" on November 28/29 in Ottawa.

The session is entitled Borderless Cloud Computing – "Hey You, Get Off My Cloud!"

Moderator: Winn Schwartau, President, Interpact, Inc. Author of Information Warfare, Cyber Shock, Time Based Security and Internet & Computer Ethics for Kids

Speakers:

  • David Fraser, Partner, McInnes Cooper
  • Omkhar Arasaratnam, Lead Security Architect, SmartCloud Enterprise+, IBM
  • Ibrahim Gedeon*, Chief Technology Officer, TELUS

For more info, check out the agenda here: http://www.rebootconference.com/ottawaPS2011/agenda.php

Monday, November 07, 2011

ISP's terms of use allow disclosure of customer information to police

Once again, a Canadian trial court has determined that an internet service provider's "terms of use" mean that a customer does not have a reasonable expectation of privacy in their identity information when the police come knocking. R. v. Lo, 2011 ONSC 6527.

I can't help but wonder how many people have ever read the terms of use for the internet service provider and how you can really conclude that an expectation of privacy can be vitiated by something that the vast majority of people have never read.

I also note that the police had more than enough information to get a warrant or a production order, but didn't.

Ontario Commissioner releases great response to government position on "lawful access"

The Information and Privacy Commissioner of Ontario has not been shy about wading into the debate about "lawful access" and she has just unleashed what might be the most significant salvo to date. An open letter to the Ministers of Justice and Public Safety. It is here and reproduced below. It is a must read.

 

 

October 31, 2011

VIA ELECTRONIC MAIL AND COURIER

 

The Honourable Vic Toews
Minister of Public Safety
269 Laurier Avenue West
Ottawa, Canada
K1A 0P8

The Honourable Robert Nicholson
Minister of Justice and Attorney General of Canada
284 Wellington Street
Ottawa, Ontario
K1A 0H8

 

Dear Ministers:

Introduction

As the Information and Privacy Commissioner of Ontario, I felt compelled to write to you today regarding the federal government’s insistence on enacting a highly intrusive surveillanceregime. I do so in full support of Canada’s Privacy Commissioner Stoddart and the open letter she sent to Minister Toews on October 26th.

At the outset, please note that my mandate includes commenting on developments that affect the personal privacy of Ontarians, and overseeing law enforcement compliance with privacy legislation in Ontario. The proposed surveillanceregime will have a substantial impact on the privacy rights of Ontarians, law enforcement functions, and the role of my office.

Media reports referring to Minister Toews’ rejection of Commissioner Stoddart’s concerns and quoting his defence of the regime suggest that the government will re-introduce Bills C-50, C-51, and C-52 (“the Bills”) in essentially the same form in which they appeared in the last Parliament. In my view, that would be highly regrettable for the people of Ontario and Canada. I am writing this open letter to outline my specific concerns and concrete recommendations.

I have first summarized the privacy concerns identified by my office into five categories, followed by an in-depth discussion of each.

Summary of Privacy Concerns:

Reconsidering the Privacy Implications of Expanded Surveillance and Access

Before providing a detailed analysis of the privacy issues, my concerns may be summarized as follows:

  1. The proposed powers must not come at the expense of the necessary privacy safeguards guaranteed under the Canadian Charter of Rights and Freedoms; in order to maintain the integrity of this constitutional framework, the government must acknowledge the sensitivity of traffic data, stored data, and tracking data.

  2. Intrusive proposals require essential matching legislative safeguards; the courts, affected individuals, future Parliaments, and the public must be well informed about the scope, effectiveness, and deleterious effects of intrusive powers. If Parliament enacts expansive new surveillance powers, we urge the federal government to publicly commit to enacting the necessary oversight legislation in tandem.

  3. Even with matching oversight, the proposed surveillance and access powers will require more stringent conditions precedent to determine the situations when surveillance or access may be appropriate and necessary.

  4. The government must not impose a mandatory surveillance capacity regime on the public and its telecommunication service providers (TSPs) without adequate safeguards to protect the future of freedom and privacy; a comprehensive and public cost-benefit analysis should precede rather than follow the making of so many significant public policy decisions. Public Parliamentary hearings should be scheduled to ensure that civil society, as well as industry, have a full opportunity to provide substantial input on all of the Bills including Bill C-52 (the Electronic Communications Act). In addition, the Electronic Communications Act should be amended to require that all interception-related capacity requirements be approved by Parliament before they can be imposed.

  5. The proposal for warrantless access to subscriber information is untenable and should be withdrawn; it remains our view that the Electronic Communications Act should be amended to require that the provisions setting out TSP obligations concerning “subscriber information” be deleted and replaced with a court supervised regime

1) New Powers Must Not Come at the Expense of the Constitutional Framework

In a steady stream of communiqués dating back almost a decade and spanning 2002, 2005, 2007, 2009, and 2011, our office has cautioned against taking a legislative approach to new surveillance powers that undermines the judicially supervised rules and procedures which secure our shared rights to privacy, freedom and security of the person. Two of these were in joint communiqués led by the Privacy Commissioner of Canada, and signed by all the provincial and territorial privacy commissioners and ombudsmen (“privacy commissioners”). 1

Together, they accurately reflect the general nature of many of our current concerns and recommendations. (We also urge you to carefully consider the federal Privacy Commissioner’s November 2010 publication A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century.)

The concerns voiced by Canada’s privacy commissioners have been echoed by legal and academic experts specializing in technology, privacy and the law and, most importantly, by thousands of concerned Canadians who wish to have both effective law enforcement and strong privacy protections.

In this context, there can be little doubt that the most recent iteration of the government’s approach to expansive surveillance legislation has significant implications for personal privacy, state powers, and the longstanding constitutional compromise between the two, as well as for the oversight functions of courts and privacy commissioners, and the future of innovation, costs and competiveness in the communications and technology fields.

The fact that the government appears to be committed to limiting real-time surveillance of private communications including in-transit e-mail under the “wiretapping” rules set out in Part VI of the Criminal Code is welcome news. We also welcome the absence of any public call for the creation of data retention rules with respect to subscribers and their day-to-day use of the new technologies. No such retention rules should be countenanced.

At the same time, we believe that critical elements of the proposed legislative regime suggest that the government misconceives how Canadians interact with new communications technologies and significantly underestimates the sensitivity of the personal information involved. The concomitant risks to privacy and other fundamental rights are significant.

Why? Because new surveillance powers leverage new and still evolving technologies. As a result, they significantly increase rather than merely maintain the state’s surveillance capacity. Accordingly, attempts to frame the public debate in terms of maintaining capacity are misleading:

  • The ways in which we communicate with each other have undergone such enormous changes that it is entirely fanciful to say that there are simple equivalents in the Internet and broader digital domain to the communications surveillance techniques used for conventional voice-based telephones. There are many new types of communication available between individuals, but nearly all of these are in forms that are very easily computer-readable and therefore capable of complex analysis by computers. The range of tools available to law enforcement to track and link activity and database content is now vast and growing all the time. The debate is thus not about maintenance of capability but trying to determine a proper balance in new circumstances.2

In this context, the legal distinction traditionally drawn between the content of a private communication such as is exchanged during a telephone call or via e-mail and the associated traffic data is being overtaken by social, economic and technological developments. What we refer to as trafficdata has evolved and it will continue to do so. Certainly, it is no longer confined to a list of phone numbers obtained by a dial recorder or rows of text on a telephone bill.

It extends digitally to link and trace the ongoing interactions of networks of users through unique identifying device numbers vis-à-vis their location in time, their location on and along the ground, their activity and interactivity within the Internet, and their relatedness within and across communities. The resulting digital trails are routinely retained by service providers and various third parties for weeks, months or even years. These trails paint a detailed and evolving picture that reflects on who we are.

Furthermore, there are strong indications that law enforcement’s appetite for the surveillance of live telephone communications is being dwarfed by their interest in accessing the private content in the mass of digital trails created every time an individual sends a message, surfs the Internet, e-banks or simply carries a 3G enabled device.3 Computer facilitated analysis of this data canreadily reveal the interwoven layers of core biographical information that animate communications data, particularly where the scrutiny extends for a significant period of time. As recognized by the United States Court of Appeals for the District of Columbia in a Fourth Amendment GPS vehicle tracking case being heard by the U.S. Supreme Court on November 8, 2011:

  • Prolonged surveillance reveals types of information not revealed by short-term surveillance, such as what a person does repeatedly, what he does not do, and what he does ensemble. These types of information can each reveal more about a person than does any individual trip viewed in isolation. Repeated visits to a church, a gym, a bar, or a bookie tell a story not told by any single visit, as does one’s not visiting any of these places over the course of a month. The sequence of a person’s movements can reveal still more; a single trip to a gynaecologist’s office tells little about a woman, but that trip followed a few weeks later by a visit to a baby supply store tells a different story. A person who knows all of another’s travels can deduce whether he is a weekly church goer, a heavy drinker, a regular at the gym, an unfaithful husband, an outpatient receiving medical treatment, an associate of particular individuals or political groups — and not just one such fact about a person, but all such facts.4

Properly supervised, surveillance powers can be invaluable to law enforcement. However, it is equally true that where individuals are subject to unwarranted suspicions, evidence is poorly handled, or erroneous conclusions are hastily drawn, the consequences for innocent individuals can be devastating. Recent national security-related investigations make this all too clear (e.g., Maher Arar).

While we continue to support the vital law enforcement interest in pursuing electronic evidence and intelligence about serious wrongdoing, we also urge the government to ensure that any search, seizure, or surveillance of personal communications be subject to the most rigorous oversight. The constitutional values at stake demand such safeguards.

On the basis of all the above, we reject the Bills’ implicit claim that the so-called non-content data elements associated with new communication devices and services are of significantly lesser constitutional significance. Safeguards comparable to those necessary to properly regulate the wiretapping of a rotary phone are required with respect to 21st century communications, including, but not limited to, rigorous prior judicial scrutiny.

2) Intrusive Proposals Require Essential Matching Legislative Safeguards

Read together, the legislative proposals substantially diminish the privacy rights of Canadians. They do so by enhancing the capacity of the state to conduct surveillance, as well as access private information, while reducing the frequency and vigour of judicial scrutiny, thus making it easier for the state to subject more individuals to surveillance and scrutiny.

Are the current processes that provide for oversight of surveillance-related powers sufficient to keep pace with the proposed expansion of state power? With the anticipated re-introduction of the Bills, Canadians are being asked to rely on oversight regimes designed decades ago to provide sufficient safeguards for the protection of our fundamental rights and freedoms today. The supervision provided by prior judicial authorization, the criminal trial process, and complaint-driven oversight under police and privacy-related statutes, while critical, are fundamentally insufficient. Let me explain.

The proposed surveillance and access regime will frequently involve complex, highly technical, and sensitive information. Moreover, where prior judicial authorization is required, the relevant surveillance and access applications are necessarily held in camera and ex parte. Where the resultant surveillance and access activities produce legal charges that lead to a criminal trial, the trials invariably have a narrow focus on the accused. National security-related investigations, which often have a much broader focus, invariably proceed in secrecy, and are rarely subject to public scrutiny. In both contexts, innocent individuals subject to surreptitious invasions of their privacy may never be in a position to learn about, let alone file for or find any redress. In addition, existing complaint regimes are limited as to their reach, powers and remedies. Any in depth public scrutiny of such matters will be the rare exception to a general rule of confidentiality and secrecy.

Furthermore, under the Bills, local, provincial, and federal law enforcement agencies will be equally empowered to use these intrusive powers in pursuit of both domestic and international investigations. Without a focused harmonizing and coordinating authority, inconsistent policies and practices are likely to develop among the various jurisdictions. Inevitably, privacy rights and civil liberties will suffer from fragmented and inconsistent protections.

Canadians have a constitutional right to be secure from unreasonable search and seizure. The expansive surveillance proposals bring this right into question. And, since the state’s authority to intrude on privacy does not come with concomitant responsibilities with respect to accountability, notification and transparency, the net negative effect on human rights is likely to be compounded over time.

To its credit, the government has responded to recent court rulings 5 by including a provision in Bill C-50 that will require that: (i) a person who has been the target of a warrantless exceptional circumstances interception must be notified of the interception within a specified period; and (ii) the relevant Minister must report publicly on police resort to such warrantless wiretaps.

At the same time, we note that these notice and reporting mechanisms are confined to providing a modest degree of notice, transparency and accountability (restricted as they are to only notifying the target of the surveillance, and confined as they are to limited numeric reporting) with respect to a single surveillance power – the power to intercept a private communication. In addition, the reporting practices of provincial and federal Attorneys General with respect to the use of these Part VI wiretap powers have varied considerably (as seen in jurisdictions where the required annual reports have sometimes not appeared until several years have passed).

In this context, we call for the government’s public commitment to the enactment of sufficient safeguards to match the array of new and existing powers.

Support for this call can be found in recent U.S. and Canadian court decisions. In a unanimous decision of September 6, 2011 requiring the U.S. Department of Justice to publicly disclose information showing the government’s use of cell phone location data in criminal prosecutions resulting in a guilty plea or a conviction, the United States Court of Appeals for the District of Columbia determined that:

  • The disclosure sought by the plaintiffs would inform … ongoing public policy discussion by shedding light on the scope and effectiveness of cell phone tracking as a law enforcement tool. It would, for example, provide information about the kinds of crimes the government uses cell phone tracking data to investigate. As the plaintiffs note, with respect to wiretapping Congress has balanced privacy interests with law enforcement needs by permitting the government to use that technique for only the more serious offenses … and the plaintiffs (and others) may decide to argue for similar legislation to govern cell phone tracking. Disclosure would also provide information regarding how often prosecutions against people who have been tracked are successful, thus shedding some light on the efficacy of the technique and whether pursuing it is worthwhile in light of the privacy implications. 6

And, as indicated above, recent rulings of the Superior Courts of Ontario and British Columbia have determined that notice and reporting safeguards are constitutionally required with respect to intrusive surveillance powers, such as the power Parliament granted peace officers in section 184.4 of the Criminal Code (a power to conduct warrantless wiretapping in certain exceptional circumstances). For example, in R. v. Six Accused Persons, the B.C. Supreme Court determined that:

  • Although the Crown submits that in most cases where … persons whose communications have been intercepted will receive de facto notification by way of the prosecution of the underlying offence, that submission fails to recognize that the communications of persons other than the alleged perpetrator may have been intercepted. It also fails to address situations where, for whatever reason, the police may have erred in their assessment of the need to intercept private communications, intercepted more communications than those to which they were lawfully entitled or over a longer period of time, or those that were intercepted under circumstances which did not result in a prosecution.

    In any or all of those circumstances, the police would be answerable to no one. Further, the fact that there is no obligation to disclose surreptitious invasions of privacy to those persons whose communications have been intercepted removes an important safeguard to the potential abuse of power that can arise without accountability.

    This case is illustrative of some of those concerns … To this day, many of the persons whose communications were intercepted by the police are unlikely to know of that invasion of their privacy. That circumstance is exacerbated by the police having engaged in the automatic monitoring of all calls to the telephones they had identified as being appropriate for interception. Any discovery by third parties of the police having intercepted their private communications would be fortuitous.

    Requirements to notify persons whose private communications have been intercepted of the fact of that interception afford an important constitutional and accountability safeguard to the potential abuse of state power in invading the privacy of its citizens.

    The interception of private communications in exigent circumstances is not like situations of hot pursuit, entry into a dwelling place to respond to a 9-1-1 call, or searches incidental to arrest when public safety is engaged. In those circumstances, the person who has been the subject of a search will immediately be aware of both the circumstances and consequences of police action. The invasion of privacy by interception of private communications will, however, be undetectable, unknown and undiscoverable by those targeted unless the state seeks to rely on the results of its intentionally secretive activities in a subsequent prosecution.

    I am accordingly satisfied that the failure of … the [Criminal Code] to provide notification of surreptitious interception of private communications to those persons whose communications are intercepted is a serious impediment to the constitutional validity of s. 184.4.
    …..
    If the intention of Parliament in requiring the provision of [public] reports [enumerating resort to surveillance powers] is to oversee the frequency and circumstances of the interception of private communications by the police, the failure to provide a similar reporting requirement under s. 184.4 of the Code removes the potential for that oversight. As with the failure to require notification of those intercepted of the fact of an interception, the lack of any reporting requirement undermines both constitutionality and police accountability. 7

Bearing all of the above in mind, and in addition to the adjustments we call for to Bills C-51 and C-52, we renew our call for the creation of an independent, arm’s-length Surveillance and Access Review Agency (SARA), with a legislative mandate to supervise state access to the highly sensitive personal information associated with digital communications and to report annually to Parliament and the public on the use of the surveillance and access powers. 8

In establishing SARA, Parliament would require law enforcement and security agencies who obtain any communication-related data from TSPs to notify all of the individuals whose personal
information is involved within one year of the information being obtained unless the individual cannot readily be identified or reasonably located, or notification would prejudice an ongoing investigation. Notification of all readily identifiable individuals would be required within five years of the information being obtained unless, on application to SARA, it is determined that the public interest in non-disclosure outweighs the right to notification.

In this context, TSPs should be required to publish annual reports on how many interception and access orders (and requests) they receive a year from which law enforcement and security agencies, in respect of how many individuals; and how many orders (and requests) result in the disclosure of personal information, and in respect of how many individuals.

In renewing the call for the creation of SARA, we acknowledge that the preparation and enactment of the necessary legislative framework will take time and that, in the meantime, the government may well decide to proceed with its plan to substantially reshape the state’s capacity to conduct surveillance. To the extent that you are not prepared to redraft the Bills to ensure that the new surveillance powers are justified and that the necessary safeguards are in place before the regime comes into force, we strongly urge you to publicly commit to enact a SARA Act in tandem with the proposed surveillance and access regime, even as you move to amend the current legislative proposals to provide additional if limited safeguards on it coming into force, as further discussed below.

3) Even with Matching Oversight, the Proposed Powers Require Adjustment

Bill C-51, the Investigative Powers for the 21st Century Act, will amend the Criminal Code, giving “peace officers” and “public officers” new avenues to obtain access to information generated electronically. As such, a wide range of officers, extending well beyond police, will be empowered to:

  • Issue preservation demands on their own say so with respect to a wide array of primarily corporate-held data in the course of investigating any offence, including on behalf of a foreign state, and impose any conditions in the demand that they consider appropriate, including conditions prohibiting the disclosure of its existence or some or all of its contents,
  • Apply for new suspicion-based preservation and production orders to preserve and gain access to information about transmission, traffic, communication, tracking, transaction and financial data,
  • Apply for new suspicion-based warrants to enable the remote live tracking of vehicles and other things,
  • Apply for belief-based warrants to enable the remote live tracking of individuals by tracking the location of cell phones or other things they usually carry or wear, and
  • Apply for non-disclosure/secrecy orders with respect to all of the above.

It is our view that, as a general rule, law enforcement access to data, particularly communications-related data, as well as the new tracking powers, should be subject to prior judicial scrutiny, limited to the investigation of serious crime, generally subject to higher belief rather than suspicion-based thresholds, and come with additional oversight and accountability-related safeguards.

In this context, I note that an August 22, 2011 U.S. District Court decision invites us to raise the question as to the constitutionality of the proposed suspicion-based, as well as belief-based, production order making powers. 9 In this case, the U.S. government had asked the Court for “orders directing Verizon Wireless, a cell-phone service provider, to disclose recorded information of cell-site-location records for one of its customers pursuant … to the Stored Communications Act or ‘SCA’).” The proposed order sought stored, historical cell-site-location records tied to a period in excess of 113 days. On its face, the SCA provides that such an order “may be issued by … a court of competent jurisdiction … only if the governmental entity offers specific and articulable facts showing that there are reasonable grounds to believe that the contents of a wire or electronic communication, or the records or other information sought, are relevant and material to an ongoing criminal investigation.” (Emphasis added.) The Court determined that “the Fourth Amendment to the United States Constitution requires a warrant and a showing of probable cause before the Government may obtain the cell-site-location records requested here.”

As the Court clearly understood, the problem with these kinds of production orders is their implication for the privacy of society at large and, in my view, the concerns expressed by the Court with respect to Americans apply equally with respect to Canadians:

  • The vast majority of Americans own cell phones. Many Americans have abandoned land line phones entirely, and use cell phones for all telephonic communications. Typically people carry these phones at all times: at work, in the car, during travel, and at home. For many Americans, there is no time in the day when they are more than a few feet away from their cell phones.

    Cell phones work by communicating with cell-sites operated by cell-phone service providers. Each cell-site operates at a certain location and covers a certain range of distance. The number of cell-sites that must be placed within a particular area, and thus the distance between cell-sites, is determined by several factors, including population density.

    If a user’s cell phone has communicated with a particular cell-site, this strongly suggests that the user has physically been within the particular cell-site’s geographical range. By technical and practical necessity, cell-phone service providers keep historical records of which cell-sites each of their users’ cell phones have communicated.
    The implication of these facts is that cellular service providers have records of the geographic location of almost every American at almost every time of day and night. And under current statutes and law enforcement practices, these records can be obtained without a search warrant and its requisite showing of probable cause.

    What does this mean for ordinary Americans? That at all times, our physical movements are being monitored and recorded, and once the Government can make a showing of less-than-probable-cause, it may obtain these records of our movements, study the map our lives, and learn the many things we reveal about ourselves through our physical presence.

In the same vein, in the Maynard case now pending before the U.S. Supreme Court, the reasoning of the United States Court of Appeals for the District of Columbia provokes questions as to the constitutionality of the proposed suspicion-based, as well as belief-based, tracking warrants. As the Appeal Court found in Maynard, “prolonged GPS monitoring [of a person’s vehicle travelling on public roads] defeats an expectation of privacy that our society recognizes as reasonable” and must comply with Fourth Amendment standards.

The Court’s holding was echoed as recently as September 21, 2011 in a report issued by the Liberty and Security Committee of the U.S. Constitution Project. This bi-partisan committee, whose members include two former members of Congress, former FBI director William Sessions, a former U.S. Court of Appeals judge and a former chair of the American Conservative Union, concludes that “when powerful tracking technologies to conduct pervasive surveillance are paired with [a computer’s] analytic capability and a digital database, such monitoring can violate an individual’s reasonable expectation of privacy even in a public place.”

The Committee recommends that, if the U.S. Supreme Court does not adopt the proper approach in the Maynard case, Congress should do so by enacting legislation requiring court warrants for any location tracking lasting more than 24 hours.10

Consistent with these developments, in my view, it is essential that more stringent conditions precedent be enacted in relation to the proposed surveillance and access powers. The use of production orders and tracking warrants should be confined to investigations in respect of the list of serious offences in section 183 of the Criminal Code. Before issuing such orders or warrants, a superior court judge ought to be satisfied that:

  • There are reasonable and probable grounds to believe that an offence under section 183 of the Criminal Code has been or is being committed,
  • Other less intrusive investigative methods are likely to prove impracticable,
  • Measures will be taken to safeguard the privacy of the personal information obtained, particularly of non-suspects, and
  • The intrusion is otherwise in the best interests of the administration of justice.

As indicated, Bill C-51 also proposes to create a new set of powers that police could invoke to require data managers to locate and hold personal information in documents or databanks. Government has argued that these preservation powers are necessary to support the production order powers discussed above. In our view, any power to issue a preservation demand or order should be confined to the same list of serious offences in section 183 of the Criminal Code.

In addition, in order to address the risk to accountability that non-disclosure or secrecy orders entail, we recommend that all those whose personal information is obtained under a surveillance and access regime should be entitled to notification at the appropriate time. And, in accord with our SARA-related recommendations, state use of these powers and access to this personal information should be superintended and reviewed by an independent agency.

It is also noteworthy that in introducing sections 487.0195(1) and (2) to the Criminal Code, Bill C-51 provides broad immunity from “any criminal or civil liability” to any person who voluntarily preserves data or provides a document to an officer. The person is no longer required to show that he or she acted on reasonable grounds per the operation of what is now section 487.014 with section 25 of the Criminal Code. The person need only show that his or her cooperation was not “prohibited by law.” In our view, individuals and entities responsible for safeguarding personal information of members of the public must act reasonably before they should be entitled to such immunity. A reasonableness standard provides volunteers with significant protection while helping to rule out the possibility that, for example, malicious or incompetent decision makers will enjoy undeserved immunity.

Accordingly, section 487.0195(2) should be amended to provide that:

  • A person who preserves data or provides a document in the circumstances described in subsection (1) does not incur any criminal or civil liability for doing so if he or she acted reasonably in the circumstances.

Bill C-50, the Improving Access to Investigative Tools for Serious Crimes Act, will amend the Criminal Code, first by providing that if a wiretap authorization is granted under Part VI, the judge may at the same time issue one or more Bill C-51-related warrants or orders that relate to the investigation in respect of which the wiretap authorization is given. That is, in obtaining a wiretap warrant, police may also contemporaneously obtain companion production orders and tracking warrants, all from a single judge. Rules respecting secrecy and confidentiality that apply in respect of a wiretap authorization will also apply in respect of a request for a related warrant or order. In addition, the Bill will permit a peace officer or a public officer to install and make use of a number recorder without a warrant in exigent circumstances. The Bill will also extend to one year the maximum period of validity of a warrant for a tracking device and a number recorder if the warrant is issued in respect of a terrorism offence or an offence relating to a criminal organization (the maximum is now 60 days).
The critical development brought forward in Bill C-50 is that the efficiencies it may purchase in streamlining the conduct of judicially authorized state surveillance and access may come at some cost to the rigour of prior judicial scrutiny. In some cases, a single judge hearing a multitude of inter-related applications may be better informed about the extent of the overarching surveillance employed. At the same time, the demands on judges are likely to grow. In the context of what are necessarily ex parte and in camera proceedings, there will be an increased risk that a greater degree of intrusive surveillance and access will be granted in cases where it is not warranted. While we do not oppose Bill C-50 per se, its enactment will likely intensify the effect of the new surveillance regime. Such intensification increases the need for the adoption of matching safeguards under a SARA Act.

4) Surveillance Must Not Undercut the Future of Freedom, Innovation and Privacy

In addition to the controversial plan to provide law enforcement with warrantless access to subscriber information (discussed in section 5 below), the Electronic Communications Act sets in motion a fundamental change to the way communication services are regulated. It does so by entrenching the power of security officials to require TSPs to:

  • Build in and continuously maintain a wide array of yet to be specified interception capabilities into all their networks, systems and software for the purpose of allowing authorized agencies to intercept, isolate and accurately correlate multiple communications per court orders,
  • Notify law enforcement and CSIS officials regarding changes to state provided equipment or systems where those changes are likely to reduce interception capability;
  • Assist designated persons who will have warrantless access to TSP facilities, systems, documents and information to test, inspect, and access TSP facilities, services and systems for regulatory purposes,
  • Provide prescribed specialized telecommunications support to CSIS and law enforcement agencies,
  • Submit lists of TSP personnel to CSIS and/or the RCMP for the purposes of conducting security assessments of employees who may assist in the interception of communications, and
  • Comply with prescribed confidentiality and security measures. 11

The Electronic Communications Act will also establish numerous offences and violations and subject TSPs, their officers, directors, and employees to prosecution and fines for failing to comply with obligations, including those relating to systems requirements.

Each additional day in breach of the statute will add to the count of violations and increase the exposure of TSPs, their officers, directors, and employees to fines of up to $50,000 per offence for an individual and $250,000 for a corporation. The Electronic Communications Act will allow the state to seek a court injunction ordering a TSP to cease operating a transmission apparatus, or to refrain from acquiring, installing or operating new software, if the TSP is contravening or likely to contravene interception requirements.

It is also noteworthy that the Electronic Communications Act does not address the financial and commercial implications of these proposals, either to businesses, consumers, or taxpayers. It only authorizes the payment of some monies to compensate TSPs in relation to: (i) compliance with a Ministerial order to provide interception capabilities additional to those prescribed; (ii) the provision of subscriber information; and (iii) the provision of certain specialized telecommunications support. Reports about the cost of related proposals in the U.S. and the U.K. warrant careful consideration in Canada.

In October of 2010, it was reported that, in response to the Obama administration’s intention to submit comparable surveillance legislation, American TSPs are “likely to object to increased government intervention in the design or launch of services. Such a change … could have major repercussions for industry innovation, costs and competitiveness.”12

In the U.K., a related though more intrusive data retention and “Interception Modernization Program” was being considered until it was abandoned by the British government in late 2009 because of concerns about cost, controversy and feasibility. Prior to this, it was reported that development costs will be high (2 to 13 billion pounds). “The bulk of the costs will be incurred by [TSPs]. The most ignored cost comes in the form of opportunity costs as engineers will be tasked to develop this [surveillance] solution instead of developing their core business, i.e. new ways to enhance the networks for advancing consumer and business interests.”13

None of these immediate financial costs would necessarily translate into privacy issues per se if it were not for the fact that the Electronic Communications Act risks causing additional marketplace distortions by effectively prohibiting the use and development of any systems or software that might impair a TSP’s capacity to facilitate simultaneous multiple intercepts. While the goal of facilitating compliance with court ordered surveillance is valid, there is a significant risk that in implementing this legislation, the authorities will impede the development and use of new communications technologies and services, particularly, for example, privacy enhancing technologies and services such as those that provide for encryption.

In this regard, the Electronic Communications Act requires that a TSP must “use the means in its control” to provide an intercepted communication “in the same form as it was before the communication was treated by the service provider” by way of encoding, compression, or encryption. A TSP is not required to make the form of an intercepted communication the same as it was before the communication was treated if it would be required to develop or acquire new decryption techniques or tools. The legislation appears to allow companies like Research in Motion to continue to provide existing encryption protected communication services. It remains to be seen what the future holds for new companies and new strong encryption techniques and services in the field of communications. For example, there is a risk that the Electronic Communications Act will set the stage for rules requiring back-door state access to encryption services.

It is evident that many of the critical details flowing from the Electronic Communications Act will be left to policies, procedures, regulations and evolving relationships between TSPs and the state. In passing so many significant public policy decisions on to security-oriented officials, Parliamentarians and the public risk being left out of the decision-making process and Canadians risk seeing TSPs transformed into agents of the state. This represents a significant and needless risk to a free and open society.

We only have to look to recent U.S. history to consider the implications. Many will now be familiar with reports of the secretive and controversial assistance that major telecommunications carriers provided the National Security Agency in the conduct of warrantless eavesdropping on international calls by suspected terrorists after 9/11. As recognized by U.S. courts, such surveillance has the potential to expose “journalistic sources, witnesses, experts, foreign government officials, and victims of human rights abuses located outside the United States” to “violence and retaliation by their own governments, non-state actors, and the U.S. government.” 14

While the Electronic Communications Act will be subject to a form of Parliamentary review five years out, in the meantime, if passed, it will substantially alter the design and operation of communication systems, the role and function of TSPs, their ability to be transparent, and the relationship between citizens, TSPs and the state.

A comprehensive and public cost benefit analysis should precede rather than follow the making of so many significant public policy decisions. Before imposing the kind of interception capacity regime the Electronic Communications Act would impose on TSPs, Parliament should ensure that such a capacity regime will be proportionate and designed to ensure not only appropriate surveillance capacity but also necessary competiveness and privacy.

It follows that the Parliamentary committee eventually mandated to consider the kinds of proposals in the Electronic Communications Act should be adequately resourced to ensure that civil society, as well as industry, has a full opportunity to provide substantial input.

In addition, the Electronic Communications Act should be amended to require that all interception-related capacity requirements be publicly vetted for their impact on privacy and competiveness before they are imposed (in the future, SARA should have a role to play in reporting on the impact of capacity-related requirements). Such requirements should be provided for in the form of draft regulations which would only come into force after a vote by Parliament to approve them as a whole.

5) Warrantless Access to Subscriber Information Must Be Withdrawn

In addition to providing the state with substantial control over the design and operation of TSP systems, the Electronic Communications Act will also provide law enforcement and CSIS officials with warrantless access to subscriber information for the purposes of performing any of their duties or functions. Subscriber information includes a named individual’s IP address or mobile ID number, or the name and contact information of a subscriber associated with an IP address or mobile ID number.

The Electronic Communications Act provides for attenuated post facto review of warrantless access to subscriber information. In doing so, it relies on provincial and territorial privacy commissioners to: (i) conduct audits to assess local and provincial police compliance with provisions of the statute empowering the collection and use of subscriber information; and (ii) review police reports generated to the extent that police decide that something has occurred with respect to their own exercise of these access powers that, in their opinion, ought to be brought to the attention of the responsible provincial minister (in Ontario, the attorney general).

Under section 20(6) of the legislation, the Privacy Commissioner of Canada must provide Parliament with an annual report identifying the provincial and territorial privacy commissioners who may receive any such opinion-based reports and the powers that they have to conduct section 20 compliance audits.

Like a number of other provincial and territorial privacy commissioners, I lack the necessary powers. In particular, under Ontario’s privacy statutes, I do not have any audit powers. Even those privacy commissioners with sufficient powers are likely to need additional resources in order to adequately perform the legislative duties imposed under section 20 of the Electronic Communications Act.

In a letter of March 9, 2011 signed by all the federal, provincial and territorial privacy commissioners, we joined our colleagues in calling on the federal government to commit to working with provincial and territorial governments to ensure that all of our offices have sufficient powers and resources should the Electronic Communications Act be enacted. It does not appear that any such commitment has been forthcoming.

Quite apart from the constitutional issues raised by the enactment of a regime of warrantless access, it is noteworthy that in some circumstances, aspects of post facto oversight of communications-related surveillance powers have been found by Superior Courts to be constitutionally required (see, for example R. v. Six Accused Persons, [2008] B.C.J. No. 293 and R. v. Riley, [2008] O.J. No. 2887). In the absence of the necessary provincial and territorial powers and resources, the Electronic Communications Act’s reliance on provincial and territorial privacy commissioners is untenable. In addition, the audit duties to be imposed on provincial and territorial privacy commissioners under section 20 may raise division of powers problems.
It remains our view that the Electronic Communications Act should be amended to require that provisions setting out TSP obligations concerning “subscriber information” should be deleted and replaced with a court supervised regime.

“Subscriber information” is personal information. To date, all individual customers enjoy the legal right to insist that, subject to narrowly defined exceptions, their subscriber information remains private and confidential. The law currently provides for warrant procedures, expedited tele-warrants, and an organization’s special exercise of discretion to disclose personal information to law enforcement without an individual’s consent, for example, in aid of an Internet-related child pornography investigation, or in comparable exigent-like circumstances. Granting law enforcement and intelligence officials an almost unfettered power to issue their own administrative “warrants” for the purposes of performing any of their duties or functions is a substantial departure from the legal and constitutional framework in Canada. Such a departure requires extraordinary justification and a substantial framework for accountability.

Consistent with our earlier comments, law enforcement and security agency access to informationlinkingsubscribers to devices (and vice versa) should generally be subject to prior judicial scrutiny accompanied by the appropriate checks and balances. Before issuing an order requiring the disclosure of subscriber information, a judge ought to be satisfied that:

  • There are reasonable and probable grounds to believe that an offence under section 183 of the Criminal Code has been or is being committed,
  • Measures will be taken to safeguard the privacy of the personal information obtained, particularly of any non-suspects, and
  • The intrusion is otherwise in the best interests of the administration of justice.

In the alternative, if Parliament is determined to allow warrantless access to subscriber information, the legislative safeguards in section 20 of the Electronic Communications Act should be strengthened so that they provide a much greater degree of post facto oversight. In particular:

  • The power to demand warrantless access to subscriber information should be narrowed to only apply in circumstances where access is necessary to the investigation of a specific and defined category of serious crime, for example, sexual offences involving children and minors, or to prevent or eliminate a significant and imminent risk of serious bodily harm.
  • The “consistent use” limitation regarding subscriber information collected by law enforcement and security agencies should be strengthened. A use should only be considered as consistent if a reasonable person might reasonably have expected such a use.
  • Law enforcement and security agencies should be required to securely destroy information that is provided in response to a subscriber information request one year after the individual has been notified of its collection, or once retention of the information is no longer necessary for the purpose for which the information was obtained, or for a use consistent with that purpose, whichever is later.
  • The requirement that law enforcement and security agencies must report to attorneys general and privacy commissioners should be strengthened. Agencies should be expressly required to report any collection, use or retention practices that do not appear to be necessary and proportionate in relation to the duty or function for which they were originally obtained.
  • In reporting to Parliament on the adequacy of audit and investigation powers available to provincial and territorial privacy commissioners, the Privacy Commissioner should also report on whether those commissioners consider themselves to have adequate resources to conduct the necessary audits and reviews.
  • If, after consulting with a provincial or territorial commissioner, the Privacy Commissioner reports that her colleague does not have substantially similar powers, the subscriber information powers available to police services within that jurisdiction should automatically lapse until the Privacy Commissioner reports back that the provincial or territorial commissioner has been provided with those powers.

To the extent that Parliament chooses to rely on provincial and territorial privacy commissioners to perform post facto review of warrantless access to subscriber information, it follows that the federal government must commit to working with provincial and territorial governments to ensure that all of the relevant privacy commissioners have sufficient powers and resources. In this regard, please note that I have written two letters to Ontario’s Attorney General, asking that the Ontario government play its part in these important law reform and oversight-related issues. Copies of those letters are attached.

Conclusion

The surveillance regime being put forward is aimed at capturing the full range of content, communication and traffic data associated with digital communications. As communication services continue to evolve, thelegislation will empower the state to develop, update and enforce regulations directly aimed at shaping the technological capacities of telecommunication services so as to ensure that Web 2.0, 3.0 etc. communications can be readily intercepted, isolated and accurately correlated. In this context, it is reasonable to foresee that it will be much easier for the state to subject more individuals, including innocent individuals, to unwanted surveillance and scrutiny.

This debate is not about maintaining the state’s surveillance capabilities, but trying to determine the proper balance in the evolving information age. In the face of so many significant changes, with so much at stake, and with so much left to regulation and implementation by policy, we are concerned that the public, Parliament and industry will be hard pressed to keep abreast of the technological challenges, the financial costs, and the invasiveness of an expanding surveillance regime. It is essential that Parliament and the public be well informed on technological, legal, regulatory and financial issues. The implications for privacy and other human rights must also be fully addressed, by providing for the necessary transparency, accountability and oversight. No less than the future of privacy – the future of freedom, is at stake.

Yours sincerely,

.

Ann Cavoukian, Ph.D.
Commissioner

Enclosures (2)

c: The Honourable John Gerretsen, Attorney General of Ontario
William Baker, Deputy Minister, Public Safety Canada
Myles Kirvan, Deputy Minister of Justice & Deputy Attorney General of Canada
Murray Segal, Deputy Attorney General of Ontario

2 London School of Economics, Briefing on the Interception Modernisation Programme, June 2009, p. 6.

3 See “The Law Enforcement Surveillance Reporting Gap” by Christopher Soghoian , Indiana University Bloomington - Center for Applied Cybersecurity Research, April 10, 2011.

4 United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010), cert. granted, United States v. Jones, 2011 WL 1456728 (June 27, 2011), U.S.S.C. Docket No. 10-1259.

5 See R. v. Six Accused Persons, [2008] B.C.J. No. 293 (S.C.) and R. v. Riley, [2008] O.J. No. 2887 (S.C.J).

6 American Civil Liberties Union v. United States, United States Court of Appeals for the District of Columbia Circuit, September 6, 2011, No. 10-5159.

7 R. v. Six Accused Persons, [2008] B.C.J. No. 293 (S.C.)

8 For more information about the functions and duties we propose for SARA, please see our April 21, 2005 letter to the then Minister of Justice and Attorney General of Canada.

9 In the matter of an application of the United States of America for an Order authorizing the release of historical cell-site information No. 10-MC-897, United States District Court, E.D. New York (August 22, 2011).

10 See the Liberty and Security Committee September 21st, 2011 Statement on Location Tracking at http://www.constitutionproject.org/pdf/LocationTrackingReport.pdf.

11 Note that, to date, security officials have been able to impose a similar framework largely outside Parliamentary scrutiny through, for example, the Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications, and Conditions of Licence for New Cellular and PCS Licences issued by the Minister of Industry under the Radiocommunication Act (see http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf09251.html).

12 “Officials Push to Bolster Law on Wiretapping”, Charlie Savage, New York Times, October 18, 2010.

13 London School of Economics, Briefing on the Interception Modernisation Programme, June 2009, p. 44-45.

14 Amnesty Int’l USA et al. v. Clapper et al., United States Court of Appeals for the Second Circuit, September 21st, 2011, 09-4112-cv, at pages 8-9 of Circuit Judge Lynch’s decision, quoting from Amnesty Int’l USA v. Clapper, 638 F.3d 118 (2d Cir. 2011).

2,700 personal tax files go missing after auditor takes work home

The Globe & Mail is reporting that approximately 2,700 personal tax files are missing after a Canada Revenue Agency employee did something that appears staggeringly stupid:

2,700 personal tax files go missing after auditor takes work home - The Globe and Mail

... The major breach occurred in early 2006, when an auditor in the agency’s Toronto office asked a government computer technician to download 37,488 of her e-mails and 776 documents onto 16 CDs. The confidential material covered the years 2000 to 2006, and was not encrypted as required by agency rules.

The woman took the CDs home, and allowed a male friend to copy at least one of them to a laptop.

The breach only came to light when the woman produced the CDs during a grievance hearing before the Public Service Labour Relations Board in 2008. She wanted the panel to read a key 2005 e-mail on one of the CDs, in support of her grievance that the CRA had not accommodated her health problems....

I can't imagine the justification for having taken the unencrypted CDs home. Copying them onto another laptop is simply surreal. But then not reporting the breach of any of the taxpayers involved or to the Privacy Commissioner is staggering.

This is further support to my belief that one of the most significant risks to data security is portable data. If employees are given secure remote access to their work data, the possibility of breaches such as this is virtually eliminated.

Saturday, November 05, 2011

Dealing with police "Letters of Request for Information"

(This post is not intended to be legal advice. If you find yourself in a situation like those described below, seek competent legal advice. This post is principally meant to serve as a resource for lawyers who may have to deal with these issues from time to time. -- And I should emphasize that this relates to Canadian law only.)

As part of my practice, I often deal with business clients who call when the police or national security folks are knocking on the door and are looking for information about customers. When faced with a cop or a CSIS agent with a badge, particularly when they are pushy and use words like "obstruction", the natural inclination may be to hand over the information.

When the police show up and start asking for customer information, unless they have a search warrant and unless they say it is a matter of life and death, the business should request that they put their request in writing. This provides a clear record of what the police asked for and what they assert as the legal basis for their request. In conversation, what appears to be a compulsory process translates into a voluntary one once put in writing.

(If the police clearly say it's a matter of imminent life or death, the business is probably justified in providing the information and any risk of liability for the disclosure would likely be minimal. Still, try to get it in writing.)

Oftentimes, what will arrive next will be a "Letter of Request for Information".

It is important to carefully read and thoroughly understand what the letter says. Here's an example based on one that recently crossed my desk.

[Police letterhead]
LETTER OF REQUEST FOR INFORMATION

Business Name

Bus Address

Bus Fax #

Date of Request: *** Our file: ***

[1] I, Detective/Constable *** of the ***, am a peace officer within the *** Unit. I am involved in the ongoing investigation *** and am requesting *** information pursuant to Section 487.014 of the Criminal Code for this investigation. In accordance with my duty to investigate contraventions of the Criminal Code, I am requesting the following information from you which is necessary for my investigation:

  • [2]***

[3]The information I am providing you relates to a criminal investigation. This information and the existence of this query should not be further disseminated or divulged outside the purpose for which it is provided to you; any attempt to further disseminate or divulge the information outside this purpose may be construed as obstructing, perverting or defeating the course of justice possibly resulting in criminal sanctions under s. 139(2) of the Criminal Code.

Please provide the information requested to myself, ***, by means of email to *** or by phone ***.

Peace Office rank and name Peace Officer Badge # Peace Officer Telephone Number Supervisor’s rank and name Supervisor’s Telephone Number

To begin with, it must be clearly understood that nothing in such a letter requires the business to provide any information whatsoever to the police. Unless it is a search warrant, a production order or a subpoena, any information to be provided is voluntary on the part of the business.

Let's parse the letter.

[1] This section sets out some of the background facts to the investigation and is presumably there set the foundation for "lawful authority" to request the information as is required under Section 7(3)(c.1) of PIPEDA:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is

. . .

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority (emphasis added) to obtain the information and indicated that . . .
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or...

The paragraph continues that the request is pursuant to Section 487.014 of the Criminal Code. This makes it sound like the recipient of the letter has to provide the information, but that's far from the case. This section only says that the police can ask for information to be provided voluntarily.

Power of peace officer

487.014 (1) For greater certainty, no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

[2] This paragraph or list sets out the information requested.

[3] This paragraph suggests a gag order and implicitly threatens that if the recipient tells anyone, they could be obstructing justice. One has to be very careful with this. Telling the subject of the investigation of the existence of the request would perhaps constitute obstruction, but the business should be free to seek legal advice without fear of this supposed gag order.

So what's a business to do? It is up to the business at this stage to decide whether it wants to comply, but it has to be mindful of any other legal obligations that it might have that would prevent it from making the disclosure. There is some question as to whether Section 7(3)(c.1) of PIPEDA is intended to permit businesses to hand over information without a warrant in connection with a criminal investigation. There is some legal authority either way, but none of the published decisions address any liability for the business. At the very least, the business needs to ask itself if it wants to make the disclosure and whether it's prepared to take the risk of some liability to the subject of the investigation.

Part of the examination of potential liability should involve an examination of any privacy policies or privacy statements that the business uses. For example, if the policy has language that suggests information will only be provided to third parties where "required by law", this written request does not constitute "required by law". Again, it's only voluntary.

If information is provided, the business should keep a copy.

My personal preference is to require a warrant or a production order in all circumstances, since it is not the job of any business to act as a deputy of the police. If the police can convince a judge that they need to have it, then that's good enough for me. Anything less is something less.


A final word about subpoenas: a subpoena is not an order to provide particular information to the police, but an order to appear in court with the information. Just because they have a subpoena about the information doesn't mean the recipient can -- or should -- just hand it over.

Saskatchewan Court refuses to admit expert evidence on reasonable expectation of privacy for ISP customer information

The Saskatchewan Court of Queen's bench has just released a decision in which the Court refused the defendant's application to admit expert evidence to support the proposition that there exists a reasonable expectation of privacy in customer name and address information when the police request it from an ISP with only an IP address.

In R v Pinsky, 2011 SKQB 371, police were carrying out an investigation into alleged possession and distribution of child pornography. The police had an IP address and asked Shaw, an internet service provider, for the customer name and address connected to the IP address at the relevant time. The ISP handed it over without a warrant.

In the course of the trial, the defendant asserted that there is a reasonable expectation of privacy in such information and that the evidence obtained following this should be excluded. The defendant sought to have Dr. Sunny Handa qualified as an expert, but the Court declined on the basis that such evidence is not necessary.

The decision only deals with the question of whether expert evidence can be put forward for such an argument, not whether the reasonable expectation of privacy exists. It'll be interesting to see how the court decides on the ultimate question.

Friday, November 04, 2011

Ontario Court concludes search of cell phone was unlawful; evidence excluded

There has recently been some controversy in the United States about the lawfulness of police "searching" (ie reading the contents of) cellphones and smartphones of individuals who have been arrested, and whether it is just an ordinary search "incident to arrest". (See, for example, Police push for warrantless searches of cell phones | Politics and Law - CNET News.)

At least in Canada, the Ontario Superior Court of Justice has said it's a no-no.

Following an arrest in connection with a heroin importation investigation, police seized a cellular phone from one of the suspects and subsequently perused the contents. The phone revealed a number of text messages, which were believed to be to and from an alleged co-conspirator. Police later exchanged text messages with the suspect and phoned the number after the suspect had been arrested to confirm that he was in possession of the relevant phone. The defendant argued that the search of the cell phone was an unlawful breach of the defendant’s privacy rights and should be excluded under the Charter. The Court determined, in R. v. Burchell, 2011 ONSC 6236 (available on Quicklaw, CanLii link to come), that the evidence should be excluded as reviewing the contents of the phone was unlawful.

The Court said, at paragraph 55:

“If the police had found a sealed box of files in the applicant's vehicle, no one would credibly argue that the officers could conduct a detailed analysis of the files as part of their power to search incident to arrest. There is no reason in principle why the search of a phone should be treated any differently.”

What's the justification for warrantless access to customer data in "lawful access"

The Public Safety Minister and various police folks are arguing that telecom operators should have to hand over any and all of the following information without a warrant and without an underlying criminal investigation: name, address, telephone number and electronic mail address, Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

None of them have come up with any shred of a justification for such measures, other than empty platitudes that come down to "think of the children" and broken analogies that liken the above information to what you'd find in a phone book. Since both of these supposed justifications are--on their face--worthless, let's speculate about what the real justification might be and whether they can be properly addressed.

  1. Police need this information to get bad guys but often can't convince a judge that they should get a search warrant or a production order for this information. - The answer is that if you can't convince a judge that the public interest in the police obtaining this information outweighs the individual right of privacy, then you should not be getting it. By definition, it would be an unconstitutional invasion of privacy.
  2. Police need this information to get bad guys but it takes too long to get a warrant or a production order. - This is a resources or a procedures issue. Frankly, I want it to take some time and effort on the part of the police to be able to pry into the private lives of Canadians. But if it really takes too long, streamline the processes and appoint more judges and justices of the peace. Don't sacrifice individual privacy on the altar of cost-cutting.
  3. Police URGENTLY need this information to get bad guys and there are lives hanging in the balance. - That's why we have telewarrants and exigent circumstances. Don't use a non-problem to justify stripping away individual rights from Canadians. Every Canadian telco I've spoken to on the topic tells me they will provide this information if a police officer says that the circumstances are exigent.

Maybe I'm missing something here and there is an adequate justification that I just haven't heard yet. If you've got one, leave it in the comments. I'd like to hear it.

Ontario Commissioner corrects Public Safety Minister on "lawful access"

In the ongoing battle over "lawful access", the Information and Privacy Commissioner of Ontario fires back in today's National Post in response to the Public Safety Minister's response (see here) to her original criticism of the faulty plan (see here).

Privacy war (III):

National Post · Nov. 4, 2011 | Last Updated: Nov. 4, 2011 3:09 AM ET

Re: Minister of Public Safety Responds, Nov. 2.; Privacy Invasion Shouldn't Be 'Lawful,' Anne Covoukian, Oct, 31.

I must correct the inaccuracies in Minister Vic Toews' letter.

The proposed surveillance bills will capture information that bears little resemblance to "phone book information." The public does not have access to this information, nor should they - it goes far beyond address and phone number. Consider just one of the new threats to our fundamental freedoms: police could force telecoms to provide the name, address and unique device number of people (enabling online tracking) who posted comments on newspapers' websites under pseudonyms - without a warrant, without explanation and in secret. This should only be accessible through a courtordered, judicial warrant. This is unacceptable: 88 pages of new powers, without matching judicial safeguards.

One of the many complexities glossed over, the government's surveillance capacity, risks transforming telecoms into agents of the state. Much of our online activity is an extension of our in-home personal life. Everyone wants to stop child predators, but responding to this by eroding our online privacy illustrates a dated zero-sum mentality. Subjecting innocent individuals to unwarranted surveillance can have devastating consequences. Properly designed powers can assist law enforcement and also respect the rights of ordinary Canadians - we must have both. We must resist any further erosion of our fundamental freedoms and liberty.

Ann Cavoukian, Information and Privacy Commissioner, Ontario

I have to say I agree with this 100%.

Minister of Public Safety responds to Ontario Commissioner

The Public Safety Minister responds to the scathing criticism of "lawful access" by the Information and Privacy Commissioner of Ontario (see here):

Minister of Public Safety responds

National Post · Nov. 2, 2011 | Last Updated: Nov. 2, 2011 3:07 AM ET

Re: Privacy Invasion Shouldn't Be 'Lawful,' Ann Cavoukian, Oct. 31.

I would like to clear up some clear inaccuracies in Ontario Privacy Commissioner Ann Cavoukian's opinion piece regarding our government's proposed lawful access legislation.

Technology is a critical aspect of the way Canadians do business and communicate with each other. However, as technology advances, many criminal activities become easier. In the face of this reality, we will be proposing legislation that strikes an appropriate balance between the privacy rights of Canadians and the ability of police to enforce our laws.

There are two components to our lawful access proposals. First, we will allow police officers to access "phone book" information from telecom service providers. If it becomes necessary to find a suspect's name, address, phone number or other similar identifier, companies will be required to disclose that information. Second, telecom providers will be required to have the capacity to allow for police officers to investigate, with a warrant, all communications methods.

Let me be clear. No legislation by a Conservative government will create powers for police to read emails without a warrant. Our proposed approach of linking an internet address to subscriber information is on par with the phone book linking phone numbers to an address. What this will NOT allow for is access to private communications without a warrant.

That being said, our message is clear: if you use technology to commit crimes - like distributing child pornography - the police will apprehend you and you will be punished to the fullest extent of the law.

Vic Toews, Minister of Public Safety, Ottawa.