Monday, December 31, 2012

Privacy commissioner to investigate HRSDC privacy breach

According to a report in the London Free Press, the Office of the Privacy Commissioner of Canada appears to be planning to investigate the appalling privacy breach that was announced last week. The language is not as definitive as I would like, however:

Privacy commissioner to investigate security lapse | Canada | News | The London Free Press

LONDON, Ont. - The federal privacy commissioner is poised to launch a full investigation into a security lapse that lost the private information of about 5,000 Canadians.

“I think you can expect that we will be investigating the matter,” Anne-Marie Hayden, spokesperson for the Privacy Commissioner of Canada, said Monday.

The commissioner’s office has already received 100 calls and several official complaints about the loss of a USB stick that contained private medical, employment and education information, as well as Social Insurance numbers.

It would be gravely disappointing if the OPC does not do a full investigation of this breach along with strong recommendations to prevent it from happening again.

Government needs to be held to an even higher standard than the private sector. People do not have a consensual relationship with government. If you do not like how your bank handles your personal information, you can easily switch to another one. If you're not happy with Instagram's new privacy policy, you can close your account. You cannot do that with government. If Human Resources and Skills Development Canada is incompetent in safeguarding sensitive personal information and cavalier in its response, you can't go looking for another Canada Pension Plan provider.

If this breach involved one of the big California-based internet giants, you can bet there would be a full investigation and further calls for order-making powers and the ability to levy fines.

I hope to see a full and public investigation, followed by calls to amend the Privacy Act to bring it into line with more modern provincial statutes that make it an offense to willfully violate the privacy of Canadians.

Saturday, December 29, 2012

Government "loses" sensitive personal information on thousands of Canadians

Over the past week, Human Resources and Skills Development Canada has been notifying approximately 5000 people that their personal information has been lost. According to reports, the information was on a USB device that has been "misplaced". The information includes Social Insurance Number (SIN); surname; primary and, if applicable, secondary medical condition; birthdate; presence of other payers (e.g., workers' compensation); level of education; occupation type; and Service Canada processing centre.

This is an ENORMOUS screw up by the Government of Canada. Unencrypted personal information should never be put on these devices as they are notoriously easy to lose. I am also surprised that the Privacy Commissioner's office, at least as quoted in the media, has not yet decided whether to do a formal investigation.

Personal info for thousands lost by federal government - Politics - CBC News

A federal government department says there is no evidence that missing personal information about thousands of Canadians has been used for fraudulent purposes.

Human Resources and Skills Development Canada says an employee reported on Nov. 16 that a USB key containing personal information, including Social Insurance Numbers, of about 5,000 Canadians was missing.

The department, which handles a variety of files including pensions, old age security, employment insurance and childcare tax credits, says all those affected have been contacted.

A spokesperson said in an email Friday evening that the affected people have been advised of the incident and informed of the steps they can take to help protect their personal information.

HRSDC notified the privacy commissioner's office on Dec. 21 that the data had been lost.

About 60 people have already called an information line at the privacy commissioner's office expressing concern about the incident and complaints have already been filed.

"It's too early to say whether or not these will turn into official, full, investigations," said Anne-Marie Hayden, a spokeswoman for the privacy commissioner.

"We'd have to look at what we receive first and determine next steps from there."

HRSDC said it has seen no evidence that any of the information contained on the missing USB key has been used for fraudulent purposes.

"Nonetheless, we have advised affected individuals to carefully review and verify bank information, credit card information and other financial transaction statements as a means of safeguarding their personal information as a precautionary measure," the email said.

"We are currently analyzing this incident with the view of preventing a similar occurrence in the future," it added.

The commissioner's office is working with HRSDC in an effort to figure out what happened.

Each year, federal departments are required to report on how well they comply with privacy legislation.

In the 2010-2011 report — the most recent one posted on HRSDC's website — the department noted that it had been the subject of three complaints regarding how it handled personal information.

Sunday, December 23, 2012

Lawful Access: There, I fixed it for you.

Regular readers of this blog will know that I am not a fan, at all, of the government's lawful access bill, Bill C-30. In particular, I have a big problem with warrantless access to subscriber information. And I have a bigger problem with the fact that the current Bill C-30 does not put any meaningful limitation on the circumstances under which the police or national security agencies can require subscriber information without a warrant.

(If you want to see why I have a problem with Bill C-30, you just have to read my previous posts or check out my YouTube video on the topic.)

I have tried to be productive in my criticism and, to that end, offer the following to replace the warrantless access to subscriber information in the current bill. I have taken into account many of the productive conversations I've had with members of the policing community and the privacy community.

What follows would be an amendment to the Criminal Code of Canada that creates a new form of production order -- a subscriber information production order -- and can, in my view, just be dropped into the Code. It offers judicial oversight, real accountability and notice to the subscriber that their information has been obtained. It is limited only to serious crimes or where the information sought would identify the victim of a serious crime, but can't be used for fishing expeditions. And unlike a search warrant, it is effective nation-wide. And it includes the possibility of obtaining such an order from a judge over the telephone in urgent situations.

I welcome any comments you may have...

Subscriber information production order
(1) A justice or judge, including a designated judge under the Canadian Security Intelligence Act, may order a telecommunications service provider to produce subscriber information.
Production to peace officer
(2) The order shall require the subscriber information or information regarding multiple subscribers to be produced within the time, at the place and in the form specified and given
(a) to a peace officer named in the order; or
(b) to a public officer named in the order, who has been appointed or designated to administer or enforce a federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament.
Conditions for issuance of order
(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that
(a) there are reasonable grounds to believe that an offense designated under this Section has been, is being or is about to be committed;
(b) there are reasonable grounds to believe that the subscriber information will afford evidence respecting the identity of the person or persons believed to be responsible for the commission of the offence, or the identity of the persons believed to be the victim or the intended victim of such offense;
(c) there are reasonable grounds to believe that the person who is subject to the order has possession or control of the documents or data; and
(d) the issuing of the order will not unduly infringe the relevant subscriber’s rights set out in the Charter of Rights and Freedoms, including freedom of expression, based on the totality of the circumstances.
Terms and conditions
(4) The order may contain any terms and conditions that the justice or judge considers advisable in the circumstances, including terms and conditions to protect a privileged communication between a lawyer and their client or, in the province of Quebec, between a lawyer or a notary and their client.
Power to revoke, renew or vary order
(5) The justice or judge who made the order, or a judge of the same territorial division, may revoke, renew or vary the order on an ex parte application made by the peace officer or public officer named in the order.
Notice
(6) Unless the justice or judge who made the order, or a judge of the same territorial division orders otherwise, any person whose information is obtained as a result of such order shall be notified of the order and the disclosure of his or her subscriber information within six months of the date of the order. An order to delay the giving of notice under this paragraph shall only be applicable for a maximum of six months and shall only be made if such justice or judge is satisfied, based on information on oath in writing, that the giving of such notice will likely compromise an active investigation or prosecution of an offence under this or any other Act of Parliament.
Probative force of copies
(7) Every copy of a document produced under this section, on proof by affidavit that it is a true copy, is admissible in evidence in proceedings under this or any other Act of Parliament and has the same probative force as the original document would have if it had been proved in the ordinary way.
Return of copies
(8) Copies of documents produced under this section need not be returned.
Subscriber information
(9) For the purposes of this section, “subscriber information” means the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.
Use and retention of subscriber information
(10) Unless otherwise ordered by the justice or judge who made the order, or a judge of the same territorial division,
(a) subscriber information obtained pursuant to an order under this Section shall only be used for the investigation and prosecution of the offense or offenses referred to in the information used to obtain the order; and
(b) if the person about whom the subscriber information relates has not been charged with an offense referred to in the information to obtain the order, subscriber information shall only be retained until six months following the date on which the relevant person is notified pursuant to paragraph (6) herein.
Designated offences
(11) For the purposes of this Section, a designated offense means
(a) any offence that may be prosecuted as an indictable offence under this or any other Act of Parliament, or
(b) a conspiracy or an attempt to commit, being an accessory after the fact in relation to, or any counselling in relation to, an offence referred to in paragraph (a).
Tele-production Orders
(12) Section 487.1 respecting telewarrants shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies with respect to search warrants.
National effect
(13) A subscriber information production order issued under this Section shall be applicable with respect to the telecommunications service provider in any territorial division of Canada without requirement of endorsement by a justice or judge in the territorial division where the telecommunications service provider is located.
Compensation
(14) The telecommunications service provider named in a subscriber information production order shall be compensated for the production of subscriber information in the manner and in the amount prescribed. Nothing herein shall require a telecommunications service provider to collect or retain any subscriber information beyond that which is ordinarily collected or retained in the course of the telecommunications service provider’s business.
Report to Parliament
(15) Each calendar year, the Minister shall lay before Parliament a report regarding the use of subscriber information production orders, which report shall include:
(a) the number of subscriber information production orders issued in total for the previous calendar year;
(b) the number of subscriber information production orders issued per designated offense for the previous calendar year;
(c) the number of subscriber information production orders issued per territorial division of Canada for the previous calendar year;
(d) the number of and nature of the charges, prosecutions and convictions respecting each use of subscriber information production orders, including information respecting cases where charges do not result; and
(e) any other information the Minister considers relevant regarding the use of subscriber information production orders.

Friday, December 21, 2012

Be prepared for cloud computing, it's the future of data accessibility

I was interviewed yesterday on Radio Canada International, the CBC's international arm, on privacy, security and cloud computing from a Canadian perspective. You can listen to the interview here: RCI // Highlights // Be prepared for cloud computing, it's the future of data accessibility.

(I'm sure the interview can also be used off-label to get excited kids to sleep on Christmas Eve.)

Beware of juice-jacking: That free charge may not be entirely free

Here's a tip for you, just in time for the holiday traveling season: Be cautious about where you plug in your phone or other smart device, looking for a charge. For some devices, simply plugging in your USB to get some juice can give whatever you're connecting to free access to the contents of your device.

My Galaxy Nexus will not give anyone access through the USB unless the device is unlocked. Find out if your device is similarly protected.

Beware of Juice-Jacking — Krebs on Security:

“You should not trust public kiosks with your smart phone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”

Thanks to Milan for passing this tip along.

Wednesday, December 19, 2012

Keeping data in Canada provides illusory protection against foreign government access

I was invited by CATA to give a presentation on cloud computing, privacy and cross border data flows for a number of its members and stakeholders who are involved with the fledgling Shared Services initiative coming out of the Government of Canada.

Here is the presentation, in case it is of interest:

IT World Canada was in attendance and has posted the following article:

Keeping data here no protection against US: Lawyer:

Ottawa may not allow cloud providers to store citizens' data across the border. But a lawyer says a better protection against US law is risk mitigation

By: Howard Solomon

ComputerWorld Canada (19 Dec 2012)

The refusal of some federal government departments to allow outsourcers to store personal data of citizens outside Canada won’t keep foreign governments from getting legal access to it, says a lawyer who specializes in cloud computing.

“Data sovereignty is a bit of an illusion because we’re so interconnected (with law enforcement agencies) and there’s so much data sharing taking place,” David Fraser told an audio conference call Tuesday sponsored by the Canadian Advanced Technology Alliance (CATA).

In particular, fears that the USA Patriot Act acts as a “huge vacuum cleaner” for American law enforcement agencies to get at personal data are baseless, he said.

The Patriot Act is a “boogey man,” he said.

The fact is most developed countries have legal tools that allow their law enforcement agencies to make legal claims on data held in their countries or outside their borders, Fraser said.

Fraser, a partner with the Halifax firm McInnes Cooper, argued the real issue for Ottawa when considering outsourcing that includes storing data in the U.S. should be assessing the risk that data can be lost or unlawfully accessed and taking steps to lower the risk.

The teleconference is part of a campaign by CATA, which represents IT manufacturers, solution providers, system integrators and consultants trying to sell products and services to governments, to get Ottawa to clarify its position on outsourcing data.

In an interview John Reid, CATA chief executive officer, said that since the creation last year of Shared Services Canada, an agency trying to consolidate federal IT services, the government has suggested it may mandate that personal data of citizens must be held in data centres here.

There isn’t a formal federal policy on cross-border data storage, Fraser told the conference call. Nor is there federal law that prohibits it. Instead, it is up to individual departments to do a risk assessment if they decide cross-border data storage is justified and take appropriate privacy measures. Only two provinces, British Columbia and Nova Scotia, have policies forbidding cloud providers from storing provincial data outside Canada.

Shared Services Canada has been trying to create new buying and outsourcing policies, setting up several committees on which CATA and other private sector groups sit. It is from those committees, Reid said, that CATA is getting signals of SSC’s only-in-Canada intent.

Earlier this month CATA sent a letter to SSC asking for the department’s intentions, but Reid said he hasn’t had a reply yet.

The department didn’t respond to a request Tuesday from IT World Canada for clarification.

One person on the conference call said some government departments already demand in requests for proposals (RFPs) her organization that any outsourced solution has to keep data in Canada.

Reid wants to persuade Ottawa to be more open to cloud solutions where data is stored outside the country in part so his members get opportunities to bid on business, and in part, he said, because the government shouldn’t turn aside possible solutions that will make it more efficient.

Fraser noted that according to international law, U.S. law enforcement authorities have the right to subpoena data even if the data is held outside its borders, as long as there are connecting factors. (The same is true for police here, he added.)

For example, he said, if the data is held in Canada the U.S. could subpoena it through a person working for a company there.

For that reason, he said, a Canadian data centre owner might be able to safeguard data here if none of its executives ever crossed the border.

More practically, he said the Canadian government could take a number of steps to reduce the odds of the personal data of its citizens being misused by U.S. authorities.

The first is to encrypt the data – which should be a standard procedure anyway, he said – and make sure control of the encryption keys is held here.

Second, the government could decide that only “low risk” data can be sent out of the country.

Third, the government could demand certain contractual provisions with a service provider, such as clauses that say the data belongs to the customer, not the data centre, that the service provider won’t turn data over unless legally required to do so, and that it will notify the customer of any subpoenas.

There could also be a requirement for the provider to go to a U.S. court to resist a subpoena, although Fraser admitted there’s no guarantee it will be successful.

“There isn’t a shortage of ideas of how to mitigate risk,” he said.

Fraser didn’t say, but these risk mitigation options also apply to private sector companies who have been shy about adopting American cloud-based solutions.

Tuesday, December 18, 2012

German privacy regulators tell Facebook to allow pseudonyms. Really?

According to Techcrunch, German privacy regulators have ordered Facebook to cease enforcing its "Real Names" policy in that country, saying it is in violation of German law (See Facebook Users Must Be Allowed To Use Pseudonyms, Says German Privacy Regulator; Real-Name Policy ‘Erodes Online Freedoms’ | TechCrunch).

I am not in a position to comment on whether or how this is consistent with German law, but my initial reaction is "Really? Regulators are getting into the product design business?" This is getting a little ridiculous. The real names policy is an inherent feature of Facebook. If you want to use Facebook, that's what the service includes. If you don't want to use your real name, don't use Facebook. As long as the user is informed at the beginning that real names are required, and as long as there is no "bait and switch", knowledge and consent are satisfied. Nobody is being forced to use Facebook.

People are autonomous, sentient beings who should be able to make choices -- good and bad -- about the products they use. If all products and services online had to be designed based on the lowest common denominator of paranoia and sensitivity, there would be no Facebook or Twitter. Imagine what would have happened to Twitter if it had been forced to implement "protect my tweets" by default. It would be a group messaging service, not the incredible force for good we've seen it become. (The fact that pseudonyms are permitted on Twitter is a choice the company made, not one that should be forced on the company and its users.)

Privacy should be about informed choices about how personal information is collected, used and disclosed. It should not be about taking away those choices.


Monday, December 17, 2012

Vancouver health authority employee fired for snooping on celebrities' records

An employee of Vancouver Coastal Health has been fired for snooping on the records of a number of local celebrities. The employee needed routine access to electronic medical records as part of her job. The inappropriate access was discovered through a routine, internal audit of the use of the electronic records system.

We are seeing a handful of cases like these, and the employees have consistently been terminated for the violation. It will be interesting if labour arbitrators and others uphold such automatic terminations, but they certainly send a strong message that this sort of snooping will not be tolerated.

See: Three Vancouver CTV personalities' private records accessed by health authority employee.

Thursday, December 13, 2012

Privacy Commissioner calls for stronger enforcement powers

Until now, the discussion about giving the Privacy Commissioner stronger enforcement powers has been pretty low key. The conversation has ramped up a few notches as Jennifer Stoddart is more explicitly suggesting that she should have much greater powers. On December 11, 2012, she appeared before the parliamentary Access to Information, Privacy and Ethics standing committee as part of the committee's study of privacy and social media.

Her prepared statement is on her website (Statement: Second appearance before the House of Commons Standing Committee on Access to Information, Privacy and Ethics on Privacy and Social Media - December 11, 2012).

In the statement, she suggests that the current model is not working and that her office can handle the role of "judge, jury and executioner." I didn't see any detail on how it is not working. The study that she commissioned on whether the ombudsman model is working suggested that the problem is lack of compliance by small and medium sized businesses, but her comments were directed at "internet giants".

Regardless, we are going to hear a lot more of this in the coming years.


Why privacy matters even when you have 'nothing to hide'

Daniel J. Solove, noted privacy scholar from George Washington University law school, has a very good essay in the Chronicle of Higher Education that thoroughly debunks the myth that privacy is only for those who have something to hide. The essay is an excerpt from Nothing to Hide: The False Tradeoff Between Privacy and Security, published earlier this year by Yale University Press.


See Why Privacy Matters Even if You Have 'Nothing to Hide' - The Chronicle Review - The Chronicle of Higher Education.

Tuesday, December 11, 2012

Border guard union rejects name tags on privacy grounds

The union representing front-line border guards in Canada has vowed to fight the modernization of uniforms that includes nametags. The union cites officer safety and privacy as grounds for their objections. See: Name tags for Canada border agents rejected by union - Windsor - CBC News.

In my view, accountability to the public trumps whatever meagre privacy interest they think they might have.

UK Data Anonymization code of practice released

The United Kingdom Information Commissioner has released a guidance document on data anonymisation, Anonymisation: Managing data risk [PDF], which is intended to be a code of practice on that subject. The code is, in part, a response to open government and open data initiatives, which are placing large data sets in the public domain. The code sets standards on how to protect the privacy rights of individuals while providing rich sources of data.

While this is obviously only controlling in the UK, it should be helpful for those elsewhere who have to turn their minds to anonymisation of data sets.

Thursday, December 06, 2012

Video: An overview of Bill C-30, how it's broken and how it can be fixed

My first foray into the world of video blogging ... please forgive the production values.


Feel free to leave any comments below...

Monday, December 03, 2012

Privacy Commissioner on Bill C-30: Police need to get behind privacy

The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has a long opinion piece in the National Post on Bill C-30:

Privacy Commissioner on Bill C-30: Police need to get behind privacy | Full Comment | National Post

Ann Cavoukian: Police need to get behind privacy

Special to National Post | Dec 2, 2012 11:56 PM ET

As Ontario’s Information and Privacy Commissioner, I have a deep respect for law enforcement. I frequently work closely with the police to help them succeed in fulfilling their important functions without sacrificing our vital right to privacy. The guidance I have provided over the years on the privacy implications of new technologies has given the police a roadmap on how to be effective, yet also protect our privacy.

That is why I am perplexed by the ongoing disagreement between law enforcement and Canada’s privacy commissioners over the federal government’s highly intrusive surveillance legislation, Bill C-30. Repeatedly, privacy commissioners have identified a pragmatic and principled approach to fixing the flawed aspects of the Bill. Time and again, members of the law enforcement community have insisted they need overly broad powers, while failing to recognize that they can have both new and effective law enforcement powers, while still protecting the privacy of individual Canadians.

The police want access to “subscriber data,” such as Internet Protocol and email addresses, because the data is powerful. The actual content of your communications does not need to be accessed in order to obtain a digital snapshot of your surfing habits and who you associate with — access to subscriber data can unlock this and more. It can be used to track people and their activities. It’s the key to revealing your identity online. Should the police be granted warrantless access in genuine emergencies? Absolutely. Should the police have unfettered access? No!

What is required is quite simple. The Bill must be amended to ensure that any police power to compel telecoms to disclose subscriber information requires a warrant in all but urgent circumstances — the police would then be required to report their use of such powers.

Our solution-driven approach would mean that urgent police investigations need never be stalled. Terrorists, organized criminals and those who try to harm the vulnerable by misusing the right to anonymity could be exposed and prosecuted in a timely fashion. At the same time, the public’s confidence in law enforcement would be heightened as a result of rules that prevent the identification and profiling of law-abiding citizens. In free societies such as ours, citizens should be entitled to go about their business without being forced to identify themselves. That right must be as strongly protected online as on the street.

The public understands this. Most of us recognize that our digital rights are no less important than other rights and freedoms. This is why Canadians across the country so strongly opposed the introduction of Bill C-30.

The same principles should guide Parliament in amending other provisions in Bill C-30. For example, we do not object to preservation orders. However, the power to compel telecoms to preserve data should be carefully tailored and subject to modern oversight and accountability, as is expected in a free and democratic society.

Citizens and lawmakers in the U.K. and the United States also recognize the importance of digital rights. That’s why elected representatives in those countries continue to express skepticism about the merits of privacy-invasive proposals. It’s not surprising that Bill C-30, and the proposals that our international allies are struggling with, will not be advancing until they receive in-depth scrutiny.

As Justice Sotomayor of the U.S. Supreme Court recognized in that court’s recent GPS monitoring decision, “Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse [that] may alter the relationship between citizen and government in a way that is inimical to democratic society.”

It is unfortunate that Bill C-30 would demand such a draconian privacy price from Canadians. Fortunately, the required solutions have already been identified: judicial oversight, allowance for warrantless access only in emergencies, transparency, and openness. Canadians should be proud that we are at the forefront of an international push to ensure that democracies provide for robust privacy protections. By proactively adopting Privacy by Design, the international standard for embedding privacy assurances into information technologies and organizational practices, we can have privacy and security, in unison. Canadians do not need to write a blank cheque for effective law enforcement. Together, we must commit to preserving our privacy – now, and well into the future.

National Post

Friday, November 16, 2012

Newfoundland health privacy legislation found "substantially similar" to PIPEDA, exemption order issued

As of October 10, 2012, the Federal Cabinet issued the Personal Health Information Custodians in Newfoundland and Labrador Exemption Order, which has the effect of ceding jurisdiction under PIPEDA with respect to health information custodians under the Personal Health Information Act of Newfoundland and Labrador.

The Order reads:

SI/2012-72 October 10, 2012

PERSONAL INFORMATION PROTECTION AND ELECTRONIC DOCUMENTS ACT

Personal Health Information Custodians in Newfoundland and Labrador Exemption Order

P.C. 2012-1091 September 20, 2012

Whereas the Governor in Council is satisfied that the Personal Health Information Act, SNL 2008, c P-7.01, of Newfoundland and Labrador, which is substantially similar to Part 1 of the Personal Information Protection and Electronic Documents Act (see footnote a), applies to the personal health information custodians referred to in the annexed Order;

Therefore, His Excellency the Governor General in Council, on the recommendation of the Minister of Industry, pursuant to paragraph 26(2)(b) of the Personal Information Protection and Electronic Documents Act (see footnote b), hereby makes the annexed Personal Health Information Custodians in Newfoundland and Labrador Exemption Order.

PERSONAL HEALTH INFORMATION CUSTODIANS IN NEWFOUNDLAND AND LABRADOR EXEMPTION ORDER

EXEMPTION

1. Any personal health information custodian to which the Personal Health Information Act, SNL 2008, c P-7.01, applies is exempt from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal health information that occurs in Newfoundland and Labrador.

COMING INTO FORCE

2. This Order comes into force on the day on which it is registered.

Federal Court awards minimal damages for good faith violation of PIPEDA by bank

The Federal Court of Canada, in Biron v. RBC Royal Bank, 2012 FC 1095, recently had an opportunity to consider a claim for damages under PIPEDA where the disclosure of personal information was made "in good faith". In connection with a separate proceeding, RBC Royal Bank responded to a series of subpoenas by providing information about a client (who had a joint account with one of the litigants). The individual complained to the Office of the Privacy Commissioner of Canada and then proceeded to the Federal Court seeking damages. Her claim was for punitive damages in the amount of $10,000, $5,000 for distress and inconvenience and $10,000 for moral damages. The court awarded only $2500, plus costs.

The Court noted:

[31] RBC’s conduct in the present matter does not justify an award of damages since any violation of the Act resulted from an error in good faith. According to RBC, its representatives acted in good faith when disclosing the personal information before a judge of the Superior Court, in the absence of any challenge of the subpoena. Furthermore, RBC is of the opinion that Mr. Poirier was authorized to represent Ms. Biron and to agree on her behalf to the disclosure of the personal information contained in the statements of their joint credit card. RBC alleges that Ms. Bouchard was misled when Mr. Poirier told her verbally that she could provide Ms. Grassby with all of the private information without obtaining a Court order and without restriction as to any of the information in the statements regarding Ms. Biron.

With respect to the calculation of damages:

[37] In Randall, above, the Court writes as follows about the damages awarded under section 16 of the Act:
[55] Pursuant to section 16 of the PIPEDA [the Act], an award of damages is not to be made lightly. Such an award should only be made in the most egregious situations. I do not find the instant case to be an egregious situation.

[56] Damages are awarded where the breach has been one of a very serious and violating nature such as video-taping and phone-line tapping, for example, which are not comparable to the breach in the case at bar: Malcolm v Fleming (BCSC), Nanaimo Registry No S17603, [2000] BCJ No 2400; Srivastava c Hindu Mission of Canada (Québec) Inc. (QCA), [2001] RJQ 1111, [2001] JQ no 1913.

[38] The alleged damages must also result directly from the fault committed (see Stevens v SNF Maritime Metal Inc, 2010 FC 1137 (CanLII), 2010 FC 1137 at paras 28 and 29). The Court notes further that awarding damages under section 16 of the Act is discretionary (see Nammo, above).

[39] As to punitive damages, the Supreme Court of Canada instructs that these “are restricted to advertent wrongful acts that are so malicious and outrageous that they are deserving of punishment on their own” (see Honda Canada Inc v Keays, 2008 SCC 39 (CanLII), 2008 SCC 39 at para 62). In de Montigny, the Supreme Court stated as follows:

[47] While compensatory damages are awarded to compensate for the prejudice resulting from fault, exemplary damages serve a different purpose. An award of such damages aims at expressing special disapproval of a person’s conduct and is tied to the judicial assessment of that conduct, not to the extent of the compensation required for reparation of actual prejudice, whether monetary or not. As Cory J. stated:
Punitive damages may be awarded in situations where the defendant’s misconduct is so malicious, oppressive and high-handed that it offends the court’s sense of decency. Punitive damages bear no relation to [page88] what the plaintiff should receive by way of compensation. Their aim is not to compensate the plaintiff, but rather to punish the defendant. It is the means by which the jury or judge expresses its outrage at the egregious conduct of the defendant.

(Hill v Church of Scientology of Toronto, 1995 CanLII 59 (SCC), [1995] 2 SCR 1130, at para 196)

[40] In the present proceeding, the Court is of the opinion that, in light of the facts of the case, the damages alleged by Ms. Biron can be tied to RBC’s error. The Court is of the opinion, moreover, that it must consider the fact that Ms. Biron asked RBC to stop disclosing her personal information on two occasions. RBC violated its obligations under subsection 7(3) of the Act by failing to properly protect the personal information of one of its clients, a disinterested third party in the divorce proceeding between Mr. Poirier and his ex-wife.

[41] Ms. Biron is also claiming punitive damages in the amount of $10,000. There is, however, no evidence on record demonstrating that RBC committed acts against Ms. Biron that were so malicious and outrageous as to warrant an award of punitive damages.

[42] The only evidence submitted by Ms. Biron in support of her total claim for $15,000 in damages, that is, $5,000 for distress and inconvenience and $10,000 for moral damages, is limited to the representations she had to make to the Privacy Commissioner, the letters sent to RBC and the time spent in helping her spouse in defending himself against his ex-wife’s allegations resulting from the review of the money spent using the joint credit card.

[43] The Court therefore concludes that, given that Ms. Biron, as a third party in a divorce proceeding, objected twice to her personal information being disclosed, that she suffered humiliation under paragraph 16(c) of the Act and that the damages sought by Ms. Biron are directly related to RBC’s fault, the Court awards $2,500 plus interest and costs, to be paid to Ms. Biron by RBC.

Thursday, November 15, 2012

BC Privacy Commissioner tells Victoria Police to change automated license plate scanning system

The Office of the Information and Privacy Commissioner of British Columbia has just released the report of its investigation (PDF) of the use of Automated License Plate Recognition by the Victoria Police Department.

Here is their summary from OIPC's media release (PDF):

NEWS RELEASE

For Immediate Release

Nov. 15, 2012

Police must make changes to licence plate scanning technology, says B.C. Privacy Commissioner

VICTORIA—The Victoria Police Department must make changes to its Automated Licence Plate Recognition program to comply with privacy laws, says B.C.’s Information and Privacy Commissioner.

“Modern technologies such as ALPR can be effective law enforcement tools; however, the use of these tools in British Columbia must comply with Freedom of Information and Protection of Privacy Act,” said Commissioner Elizabeth Denham.

Using cameras mounted to squad cars, Victoria police use ALPR to photograph, scan and record licence plate numbers, including time and geographic location. The ALPR system compares this data to an on-board database of plate numbers provided by the RCMP called an “alert listing.” A “hit” occurs when there is a match between a licence plate scan and the alert listing. If there is no match, the item is categorized as a “non-hit.”

At the end of a shift, a “daily scan” record is returned to the RCMP, which contains the personal information of every registered owner of a vehicle scanned by the ALPR system. This record contains information related both to hits and to non-hits. The RCMP’s current practice is to de-identify non-hit data.

After a detailed investigation, Commissioner Denham concluded that the disclosure of non-hit data to the RCMP is not authorized by FIPPA.

“Non-hit data is personal information about the suspicionless activities of citizens -- information that the police have no reason to believe relates to criminal activity. This information is not serving a law enforcement purpose and therefore, VicPD cannot disclose it to the RCMP,” said Denham.

The Commissioner recommended the ALPR system be reconfigured to delete non-hit data immediately after the system determines that it is not a match.

She also established that future use or disclosure of non-hit data by municipal police would not be authorized under B.C. law.

“Law enforcement agencies have recently discussed retaining non-hit data. Collecting personal information for traffic enforcement and identifying stolen vehicles does not extend to retaining data on the law-abiding activities of citizens just in case it may be useful in the future,” said Denham.

The Commissioner’s investigation was prompted in part by a written submission from three individuals, who expressed concern about the police use of ALPR in British Columbia and its potential use as a tracking tool.

“There are concerns that this technology could be used as a surveillance tool, where data about the location and activities of citizens is used for purposes other than that for which it was collected. In light of these concerns, I felt it was important to provide citizens with a comprehensive look into how this technology is being used,” Denham wrote.

Wednesday, November 14, 2012

Google's most recent Transparency Report: Government requests are on the rise

Google has released its most recent update to the Google Transparency Report, which provides statistics about how many user data requests and how many takedown requests Google receives from governments and copyright owners around the world.

The specific stats for Canada are here: user data, takedowns. The takedown data set is broken down by service and alleged reason.

The Official Google Blog (Transparency Report: Government requests on the rise) provides some additional, global context.

A big hat tip to Google for making this information available, which has led to other companies publishing similar data so some light can be shed on data and takedown requests, which usually occur in the shadows.

Wednesday, November 07, 2012

Privacy Commissioners respond to Police Chiefs on Bill C-30 and lawful access

An interesting debate over lawful access is playing out in the pages of the Windsor Star. First, the paper ran an opinion piece from the leadership of the Canadian Association of Chiefs of Police that peddles the common line that connecting an internet user's IP address to their name and address is just like (and no more intrusive than) using a phone book:

Police chiefs speak out

As Canadians, we rightly place a very high value on our privacy.

As a career police officer, I have spent much of my life ensuring that my actions and those of the officers under my command do not intrude into the privacy of others, unless authorized by law and in pursuit of those who threaten, harm or steal from others.

While all new laws should be subject to rigorous debate, I worry that the misinformation surrounding the proposed Bill C-30 "Protecting Children from Internet Predators Act" is distracting us from the true goal of this bill - protecting victims by updating laws last introduced by Parliament in 1974. At that time, telecommunications consisted of rotary phones, telegraphs and physical lines of wire.

A technology revolution has seen the rapid adoption of mobile devices, computers and social media - an evolution of technology not envisaged by lawmakers back in the 1970s.

Canadians reap many benefits from today's technologies. So do criminals. We have inadvertently created safe havens for those who exploit technology to traffic in weapons, drugs and people. It is a boon to pedophile networks, money launderers, extortionists, deceitful telemarketers, fraudsters and terrorists.

Cyber bullies communicate their vitriol with impunity. If we stand by and do nothing, criminals will continue to use these interactive platforms to harass and threaten others, commit frauds, scams and organized and violent crimes with little fear of being caught.

I enthusiastically agree that privacy is a right to cherish and guard vigorously. We believe that the new legislation, with our recommended amendments to strengthen privacy rights, will help make Canada a safer place. To level the playing field for law enforcement, successive federal governments introduced updated lawful access legislation in 2006, 2007, 2009 and 2010.

All of these bills "Died on the Order Paper." In the meantime, the threats to individuals and community are increasing. The current proposed legislation includes the following assurances/improvements:

  • Access to private information will continue to require a judicial authorization (warrant).

  • Telecommunications providers will be required to preserve data while a warrant is being obtained.

  • Basic subscriber information (the equivalent to information provided by a telephone directory) will be obtainable in a timely and consistent manner. As opposed to today's environment, the new legislation builds in an audit trail to ensure accountability (including making available reporting to the judiciary and privacy commissioners) and to limit those within policing who can make such a request.

What is the cost of not proceeding with the modernization of our laws? Organized criminals will plan their killings and kidnappings using communications providers whose systems do not have the technical ability to be monitored through the warrant process.

Terrorists will be able to exploit these same gaps. Victims of scams will be told that the evidence trail linking the suspect to the crime has disappeared because the service provider has no obligation to preserve data.

Perhaps even worse, the parents of a child who has been lured or criminally harassed over the Internet will learn that the police investigation will be delayed or completely unsuccessful because of the need to obtain a warrant for basic subscriber information.

The RCMP's National Child Exploitation Co-ordination Centre looked at a sample of 1,244 requests for basic subscriber information in 2010. The average response time to gain such information was 12 days. This is unacceptable!

The challenge of Bill C-30 is to strike the right balance between providing law enforcement with investigative tools to ensure individual and public safety while ensuring the protection of privacy. We support the greater protections which have been built into this bill.

Vancouver police Chief Jim Chu is president, Canadian Association of Chiefs of Police.

Privacy Commissioners from Ontario, British Columbia and Alberta have sent the paper a reply:

New surveillance powers shouldn’t come at the expense of our right to privacy | Windsor Star:

Re: Police chiefs speak out, guest column, by Jim Chu, Nov. 6.

In his opinion piece, police Chief Jim Chu repeats the now much-discredited analogy that subscriber data is equivalent to what is found in a phone book. We disagree.

This information, which includes e-mail addresses and Internet protocol addresses, is not publicly available and can be used to reveal the web-related activities of law-abiding citizens.

This is why Canadians across our country expressed such strong concerns about the federal government’s introduction of Bill C-30, the Internet surveillance bill.

As Privacy Commissioners, we understand that the police may need new tools to investigate crime as technology advances.

However, Commissioners have consistently asked for evidence that police need the power to compel Internet Service Providers to turn over personal information of subscribers without a warrant in order to attain these ends.

To date, law enforcement officials have failed to provide persuasive factual evidence that current law has impeded police investigation of serious crimes, like those involving individuals who exploit children.

Current law recognizes exigent circumstances that justify immediate access to information to solve serious crimes.

If police need additional powers, they must be demonstrably justified, and come with appropriate judicial oversight and accountability.

New surveillance powers must not come at the expense of our right to privacy.

ANN CAVOUKIAN, PhD, Information and Privacy Commissioner, Ontario, JILL CLAYTON, Information and Privacy Commissioner, Alberta, and ELIZABETH DENHAM, Information and Privacy Commissioner, B.C.

Today, the Federal Privacy Commissioner added her voice to the debate:

Bill C-30 must be amended to respect privacy rights | Windsor Star

Re: Police chiefs speak out, guest column, by Jim Chu, Nov. 6.

My office appreciates the challenges faced by police officers in fighting online crime, with out-of-date tools and at a time of rapidly changing technologies.

We agree with Jim Chu, chief constable of the Vancouver Police Department and president of the Canadian Association of Chiefs of Police, when he states that the federal government’s lawful access bill could be improved to better protect privacy rights in Canada.

We were encouraged to see the head of the police association specifically support a provision to clarify privacy rights, in his recent op-ed. In fact, Bill C-30 must be amended to respect privacy rights.

Chief Chu suggests the information behind an IP address is equivalent to information found in a phone book. To me, this vastly underestimates what it may reveal about someone.

Unlike a phone book, information behind an IP address is not generally publicly available and can unlock doors to much more information about people.

My office’s technologists are currently looking at this, and studying the degree of privacy intrusiveness in relation to the specific information that the Bill proposes to make readily accessible to law enforcement.

We are also continuing our discussions with public safety and law enforcement officials, as well as civil society, to ensure that privacy issues are adequately addressed.

It is true that law enforcement powers need to be modernized, but so too do the laws that ensure Canadians’ privacy rights are fully respected. The Privacy Act, which applies to federal departments and agencies, has not been substantially amended in more than 30 years and, as a result, citizens have little mechanism for redress when things go wrong. The federal private sector privacy law, PIPEDA, is also well overdue for an update.

We look forward to elaborating on our views about Bill C-30 with parliamentarians and we will also continue to advocate for federal privacy laws that meet the challenges of this new world.

JENNIFER STODDART, Privacy Commissioner of Canada, Ottawa

Monday, November 05, 2012

Don't throw the (judicial oversight) baby out with the bathwater

I have been trying to encourage an informed dialogue about "lawful access" on this blog, in an effort to cut through some of the rhetoric to get to useful substantive issues. In that effort, Detective Constable Warren Bulmer has written a couple of guest posts, including the most recent "A police officer's response to my recent critique of lawful access".

When I posted Warren's piece, I mentioned I'd probably have a response. Here it is.

According to police, voluntary disclosure of subscriber information by internet service providers is too unpredictable for police officers to rely upon and the current system of judicial pre-authorization often takes too long. I'll acknowledge that this is a real problem.

My starting premise is that agents of the state (law enforcement and national security types) should not be able to obtain personal information from a third party without judicial authorization (unless there is an actual and immediate threat to life, health or safety). To me, anything that falls short of this is simply not acceptable.

Production orders are the natural means by which police should be able to obtain customer name and address information in the appropriate circumstances. (Search warrants simply don't work for these sorts of cases.)

D/Cst Bulmer has identified that production orders, as currently set up under the Criminal Code are limited to circumstances where the crime has already been committed but don't cover where there are grounds to believe a crime will be committed, so such orders are inadequate. (Though I note conspiracy to commit a future offense is usually an offense.) The solution is not to throw out judicially-authorized production orders but to fix this omission. Amend section 487.012 of the Criminal Code to include circumstances where there are reasonable grounds to believe that the production order will lead to evidence related to a crime that will be committed.

Here is what it would look like:

(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that there are reasonable grounds to believe that

(a) an offence against this Act or any other Act of Parliament has been, is being or is about to be committed or is suspected to have been, is being or is about to be committed;

(b) the documents or data will afford evidence respecting the commission of the offence; and

(c) the person who is subject to the order has possession or control of the documents or data.


Fifteen words fix it.

If there's an emergency -- an actual imminent threat to life, health or safety -- police should be able to get access to subscriber information as soon as possible. The police, D/Cst Bulmer included, complain that ISPs don't always share this sense of urgency. In my own experience and from speaking with some within the ISP industry, this may be a result of "once bitten, twice shy" syndrome due to previous cases where the urgency of the situation was misrepresented, leading to the conclusion that it was only done to circumvent the need to get a production order. The way to deal with this is either via tele-production orders (similar to telewarrants, which are provided for under the Criminal Code) or by after-the-fact accountability.

This works for serious crimes, such as kidnapping, child exploitation and cyber-bullying.

Again, don't throw out judicial oversight simply because of some limited difficulties.

With respect to intervening in suicide, which is not a criminal offence in Canada, I have some difficulties. I am generally of the view that the intrusive powers of the state should be reserved for the investigation of serious criminal offences. Remember, violating a lawful demand under the Criminal Code or under C-30, if passed, would result in criminal charges against the person who refuses to hand over the information. It's not a neutral thing. They can be arrested. If an adult decides to deliver a suicide note via social media, it's not a criminal offense that bears investigating. With a young person, it is a different matter so perhaps an exception should be applicable.

As far as other examples advanced by some law enforcement officers are concerned (but not raised in D/Cst Bulmer's post), the full force of the state should not be brought to bear to reunite an individual with their lost phone. It's absurd that a telco could be criminally charged or convicted of contempt of court for failing to help find the owner of a lost phone.

In a free and democratic society, judicial oversight of the exercise of intrusive state powers is simply essential. It cannot be foregone because the current scheme of production orders is not perfect. Fix what we have so judicial oversight is maintained.

Thursday, November 01, 2012

A police officer's response to my recent critique of lawful access

You may recall that on September 18, 2012, Detective Constable Warren Bulmer of the Toronto Police Service's Computer and Technology Facilitated Crime group had a guest post: Guest post: A police officer's take on informational privacy and the police in the digital age. He sent me the following response to my recent post Despite police chiefs' representations, lawful access is irretrievably broken, and I have his ok to post it here.

I expect I'll have a response to his post in the next day or so.



David

I would like to take this opportunity to provide a few points about your post.

To be fair, the role of the Police in any criminal investigation is not just simply to identify the person responsible for the crime but to try to determine the truth about what happened based on evidence. Often in this work, we receive tips or leads that implicate the wrong person especially in the world of the pseudo-anonymous Internet. Technology itself creates challenges by providing the ability to disguise, alter or otherwise mislead any person attempting to validate Internet sourced information. The police have a responsibility to conduct a thorough investigation which is to also eliminate suspects or persons of interests that may have been implicated by a witness. In the digital age more particularly, we see people who have identified themselves by impersonating another or purporting to be someone they are not. Hard to believe that people don’t use their real name when engaging in questionable behaviour online but it’s true.

In many cases, I agree with you a judicially authorized instrument allows the Police to investigate as long as time is not of the essence. The problem with a judicially authorized Production Order is that the company (ISP) cannot return the information for 30-60 days. So in a public safety situation, or if you or one of your readers were targeted by Police as a suspect or person of interest and you had been wrongly implicated, you would be waiting for the Police to clear your good name. The process is completely unfair in this regard. I agree that rights need to be protected but it can’t be at the cost of potential injustice caused by investigative delays to benefit the minority (criminals) versus the rights of the masses. Section 15 of the Charter states “every individual is equal before and under the law and has the right to the equal protection and equal benefit of the law…”

The other part of your post which needs to be clarified is this (quote): “…but based on the premise that the police should not be able to require anybody to provide information about an individual in the absence of reasonable grounds to believe that the information either is or will lead to evidence of a crime that has been, is being or will be committed, and the appropriate checks and balances…”. With respect to the context you have placed this passage in, I think your readers may mistakenly draw the conclusion that the Police could use a Production Order (487.012) to stop or prevent a crime from happening.

As you pointed out in your piece, a Production order can be authorized by a Justice of the Peace or Judge but most commonly the former. The judicial officer can only authorize a Production Order for criminal offences under the Code or other Act of Parliament based on reasonable grounds when an offence has been or is suspected to have been committed. Therefore, it cannot be used to prevent a crime that hasn’t happened yet, or is about to happen. The purpose of a Production Order is to provide police with evidence in a non-intrusive way. It was clearly designed to obtain third party records that exist in the hands of third parties and the extent of that search is not carried out by the Police thereby mitigating the invasion of privacy. It does not carry the level of scrutiny a search warrant does.

As you know, a search warrant (487 CCC) can be used in situations where an offence is about to or will be committed; however, it is not the appropriate mechanism to obtain these records because a warrant authorizes the Police to carry out the search. Even with an appropriate assistance order (487.02) it is neither practical nor reasonable for Police to walk into Bell, serve a search warrant and start searching through the ISP’s servers. This leaves the conundrum Police currently find themselves in, an inability to clear innocent people of false allegations of wrong-doing in a timely manner and no judicially authorized mechanism to prevent a crime from happening when the Internet is involved. One additional factor at play is where a case dictates that Police need to intervene when a criminal offence hasn’t been or isn’t at the threshold where a situation meets the definition of an offence. The Police require a criminal offence to seek a judicially authorized search unless there is a lawful exemption.

Bill C30 affords the Police lawful access to basic subscriber information, which incidentally is the same information that is sought via a Production Order, when there is a belief outside of a criminal offence that the Police need that information. I would refer your readers to Section 17 of the Bill which states:

17. (1) Any police officer may, orally or in writing, request a telecommunications service provider to provide the officer with the information referred to in subsection 16(1) in the following circumstances:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.


The police officer must inform the telecommunications service provider of his or her name, rank, badge number and the agency in which he or she is employed and state that the request is being made in exceptional circumstances and under the authority of this subsection.

(2) The telecommunications service provider must provide the information to the police officer as if the request were made by a designated person under subsection 16(1).


This component would mandate that the Police dictate what constitutes an emergency request based on exigent circumstances not the ISP. As you know, currently the Police make emergency requests and the ISP determines if it meets their version of an emergency. I have heard of numerous incidents where Police have made an emergency request using the ISP’s form and it was denied because they (the ISP) deemed it wasn’t an emergency thereby forcing Police to get a warrant or Production Order and in some cases nothing was obtained because there wasn’t a criminal offence. In those cases, the Police could do nothing and often they were kids or adults alike being mean or nasty to another or worse looking for help on the Internet but there weren’t enough facts to formulate a criminal offence.

Section 17 of the Bill provides the ability for Police to intervene and protect people who may be suicidal perhaps kids who are targets of bullying when it doesn’t meet the threshold of a criminal offence or in identifying someone who says they will blow-up a theatre before they do it. How? By removing the interpretation of a private company as to what constitutes an emergency, harm or unlawful act. If anyone wants a reason as to why this legislation is necessary, it is the “protection” and “prevention” benchmarks available in it that we should be recognizing or enhancing and divert attention away from the enforcement side of the legislation. The Police will always have the authority to ask.

People have and continue to criticize the Police for standing by while dozens of these incidents go under-enforced or seemingly ignored. Lawful access provisions like this aren’t the only solution and I am always cognizant of a “police state” but this legislative tool would go a long way to helping Police intervene early on in cyberbullying cases, for example, and may even prevent some suicides or other Internet-related life-threatening situations. The most important primary duty of a police officer is the preservation of life and that becomes extremely difficult when the Internet is involved. We find it a challenge to help people who are seeking it on a social network when they are using the nicknames of “wolfman” or “crazy cat lady” or “cooldude66”.

Regards

Warren Bulmer

Saturday, October 27, 2012

Despite police chiefs' representations, lawful access is irretrievably broken

If you’re a regular reader of this blog, you’ll know that I’m not a fan of Bill C-30. At all. My most acute concern relates to warrantless access to the names and addresses of customers of telecommunications service providers. Reviewing the very interesting and thought-provoking materials of the Canadian Association of Chiefs of Police hasn’t changed my mind.

This opposition isn’t based on the shameful way the bill was introduced (“you’re either with us or with the child predators”), but based on the premise that the police should not be able to require anybody to provide information about an individual in the absence of reasonable grounds to believe that the information either is or will lead to evidence of a crime that has been, is being or will be committed, and the appropriate checks and balances.

In my view, the only way to provide the checks and balances is to have an impartial party make the determination of whether individual privacy rights need to give way to the public interest in preventing and investigating crime. The police clearly have a job to do, but they are not in a position to appropriately balance these interests. Only an impartial judge can.

As for the suggestion that there really isn’t a privacy interest in customer name and address, I disagree. (Notwithstanding some recent caselaw on this point.) When the police are legitimately looking for a customer name and address to attach to an IP address, it is not being done in a vacuum. The police already have collected evidence (presumably of a crime) and are looking to connect that to a person. People have a reasonable expectation of privacy in what they do in their day-to-day lives online and it should be up to a judge to determine whether that connection can be made.

The Criminal Code already contains all the tools necessary to deal with this. For example, under Section 487.012, the police can obtain a production order against an internet service provider to hand over customer name and address information if they can satisfy the judge of the following:

(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that there are reasonable grounds to believe that
(a) an offence against this Act or any other Act of Parliament has been or is suspected to have been committed;
(b) the documents or data will afford evidence respecting the commission of the offence; and
(c) the person who is subject to the order has possession or control of the documents or data.

It’s only that the order must lead to evidence. Not the smoking gun or as a last resort. Just some evidence. It’s a very low threshold. This would be applicable in cases of child pornography, exploitation, threats, extortion, kidnapping, a rapist who left his phone at the scene and just about every other case cited by the Canadian Association of Chiefs of Police. It’s not an onerous burden.

The officer should appear in front of a judge with a sworn affidavit that sets out the evidence that an unnamed person using IP address X.X.X.X is engaged in [bad act] and we have reason to believe that the IP address is allocated to [internet service provider]. If the judge thinks that’s sufficient, a production order should be issued.

To put it very simply, if the police cannot convince a judge that the connection should be made, they should not be able to obtain it. If you can’t convince a judge that it will lead to evidence of a crime, the cops should go back to the drawing board.

The main problem pointed to by the proponents of the Bill is that it takes too much effort or too long to get a warrant that requires an internet service provider to hand over customer name and address information that corresponds with an IP address. If that is really the problem they are trying to address, it would be best to address it by making the warrant-seeking process more efficient. Warrantless requests should be left to circumstances where there is a real emergency.

As currently written in Bill C-30, there is effectively no limitation on the circumstances under which police can seek this information. It can be for a parking ticket or some other trivial contravention of the law. The examples the police give are all serious crimes, but C-30 isn’t restricted in that way. (I think the threshold for all production orders should be strengthened to limit the use of these powers to (a) the investigation of serious crimes only under the Criminal Code, the Narcotics Control Act, the Canadian Security Intelligence Service Act and the National Defence Act where there are reasonable and probable grounds to believe that the information is necessary for the investigation of a crime that has occurred or is likely to occur, or (b) where the subscriber about whom the information relates is reasonably believed to be a victim of the crime or whose life or safety is in imminent jeopardy, and the victim’s identity is unknown.)

The second protection should be transparency, in two parts. First, the Attorney General should have to table in Parliament an annual report setting out in detail the number of applications made, the number of investigations they relate to, the offences alleged to have been committed and whether the order was granted. Even better would be including the number of charges laid as a result. This would ensure that the public is informed as to whether these powers are being used appropriately.

The second part should be an obligation to notify the individual whose information was sought, after a reasonable interval of time so that it does not interfere with an ongoing investigation. As drafted in Bill C-30, the individual whose information is sought will likely never know that this information was sought and obtained unless it comes out in open court after charges have been laid. In the current draft C-30, there is actually a gag order that prevents the ISP from telling the individual even if asked.

The information to obtain the disclosure order should be provided to the individual whose information is sought within six months unless a judge agrees, based on affidavit evidence provided by the relevant law enforcement officer, that doing so would be harmful to an ongoing criminal or national security investigation. An individual whose information is wrongfully sought or obtained should have a private right of action against the officer and the officer’s employer if there were not reasonable grounds to seek the information.

Overall, the entire scheme of "lawful access" to customer name and address information is irretrievably broken and needs the protections of independent oversight that only judges can provide.

Friday, October 26, 2012

Canadian police chiefs attempt to revive lawful access

At a time when most observers say that Bill C-30, also known as the "lawful access" bill, is dead in the water, the Canadian Association of Chiefs of Police have today come out swinging, calling for its revival.

In connection with this effort CACP have put together a strong collection of documents to put forward their position. Here's the media release [pdf]:

Police Confirm Canadians’ Top Five Fears About Lawful Access

CACP Renews Appeal for Lawful Access Legislation


VANCOUVER, BC – The Canadian Association of Chiefs of Police (CACP) is launching a renewed effort to inform Canadians as they debate police authority for ‘lawful access’, in the context of Bill C-30 – “Protecting Children from Internet Predators Act.”


“If we stand by and do nothing, criminals will continue to exploit today’s technologies to criminally harass and threaten others and commit frauds, scams and organized and violent crimes with little fear of being caught. Canadians need the same protection against criminals that other western democracies enjoy,” stated CACP President Chief Constable Jim Chu.


Previous Canadian governments have introduced lawful access legislation only to have it ‘die on the order paper.’ The CACP is not willing to watch Bill C-30 fall victim to a similar fate. “If we don’t take a strong stance on this issue, Canadians will not appreciate the limitations that constrain law enforcement in the cyber world. Law enforcement continues to be handcuffed by legislation introduced in 1975, the days of the rotary phone. Today we allow new technologies to be used as a safe-haven for serious criminal activity, but are pulling back from using technology to prevent and investigate these serious crimes,” Chu continues.


“If the laws from the 1970s are not modernized, then organized criminals will plan their killings and kidnappings using telecommunications providers who do not build into their systems the technical ability to be monitored for the purpose of gathering evidence. Terrorists will exploit these same gaps. Victims who have been scammed or extorted over the Internet will be told the electronic footprint linking the suspect to the crime has disappeared because the telecommunications provider has no legal obligation to preserve data. If a suspect lures a child using a landline phone, basic subscriber information is available in a phone directory. But predators today don’t use old technology. The parent of a child who has been lured over the Internet will be told that the police search for their child is delayed because a warrant has to be obtained for basic subscriber information.”


"Criminal bullying is extremely concerning to all Canadians, especially the parents of young children, and Bill C-30 also provides new legislation to help police intervene and investigate cyber bullying in their early stages to prevent needless tragedy. The Bill makes it an offence to use telecommunications, including social media and the internet, to injure, alarm and harass others." Canadians need to understand what lawful access is truly about.


The CACP has created a video entitled “Police Confirm Canadians’ Top Five Fears About Lawful Access” which can be viewed at http://youtu.be/ymVqkugH8PU. In addition, to promote informed discussion on this issue, the CACP has prepared a document entitled “Simplifying Lawful Access – Through the Lens of Law Enforcement.” It is available on the CACP website (www.CACP.ca) or directly at http://www.cacp.ca/media/library/download/1243/Final_Simplifying_Lawful_Access_final_english.pdf


The document compares today’s environment to the proposed new legislation, provides answers to ‘frequently asked questions’ and includes a series of case studies describing how law enforcement uses basic subscriber information.


While the CACP endorses Bill C-30, we would like to make it clear there is one part of the bill that has posed concerns to some and we share that concern. Section 34 is currently worded suggesting that an inspector can search anything, including a Canadian's private information at a telecommunications provider's facility, to verify compliance with the act. It is easy to understand why some might conclude from such wording that inspectors would have unfettered access to Canadians' personal records when doing these inspections. While we realize this is not the intention of this section, this must be clarified.


We recognize such inspections are required but the wording in Section 34 needs to be changed to assure Canadians that their personal information will never be a part of that inspection.”


The CACP urges our politicians to provide police with modern tools so they can better protect Canadians from harm. Bill C-30 would achieve this. The CACP agrees with the stronger accountability and oversight provisions in C-30 that protect the public against misuse of police intercept powers. The CACP urges Members of Parliament, the media and all Canadians to review the importance of this legislation through the lens of today’s victims of crime, and the frontline law enforcement officers who are trying to prevent and investigate crimes.


The Canadian Association of Chiefs of Police was established in 1905 and represents approximately 1,000 police leaders from across Canada. The Association is dedicated to the support and promotion of efficient law enforcement and to the protection and security of the people of Canada. Through its member police chiefs and other senior police executives, the CACP represents in excess of 90% of the police community in Canada which include federal, First Nations, provincial, regional and municipal, transportation and military police leaders.


I'll have more to say in the near future about the document produced by the CACP, but in the meantime it will be interesting to see if this will have any effect on the toxic bill.

Thursday, October 25, 2012

Supreme Court will hear Alberta case on constitutionality of privacy legislation

The Supreme Court of Canada has just granted leave to appeal United Food and Commercial Workers, Local 401 v Alberta (Attorney General).

In this case, among other things, the Alberta Court of Appeal found that portions of Alberta's Personal Information Protection Act were unconstitutional as it does not take into account freedom of expression guaranteed under the Charter of Rights and Freedoms.

I've blogged about this case in the past. Check out the tag UFCW Case (Alberta).

From the SCC:

Supreme Court of Canada - Decisions:

Information and Privacy Commissioner et al. v. United Food and Commercial Workers, Local 401 et al. (Alta.) (Civil) (By Leave) (34890)

(The applications for leave to appeal are granted with costs to be determined by the panel hearing the appeals.)

Coram: McLachlin / Rothstein / Moldaver

Tuesday, October 23, 2012

Bill C-12, PIPEDA amendments referred to committee (see correction)

It appears that Bill C-12 is being dusted off and will be sent to committee:
Order Paper and Notice Paper No. 167

C-12 — September 29, 2011 — The Minister of Industry and Minister of State (Agriculture) — Second reading and reference to the Standing Committee on Industry, Science and Technology of Bill C-12, An Act to amend the Personal Information Protection and Electronic Documents Act.

Correction: Apparently it has not been referred to committee yet. It has been "on the order paper" to do so for some time, but the status of C-12 has not changed. Thanks to Jason Kee for pointing this out.

Managing and responding to data breaches

This morning I had the pleasure of speaking at the High Technology Investigation Association (Atlantic Chapter) annual professional development event. I was asked to speak about managing and responding to data breaches, particularly in light of the upcoming data breach notification requirements expected to be added to PIPEDA under Bill C-12 (currently languishing in Parliament).

Here's the presentation for anyone who may be interested:

Saturday, October 20, 2012

Interview - CBC Radio Day 6 - Catching Cyberbullies

I was interviewed by Brent Bambury on CBC Radio's Day 6 on October 20, 2012 to discuss cyberbullying. The full audio is available below.

Catching Cyberbullies - Day 6 - CBC Player

DAY 6 | Oct 20, 2012 | 8:49

Catching Cyberbullies

In the wake of Amanda Todd's suicide, cries for justice have echoed around the world. Millions have watched the heart wrenching YouTube video where she describes how she was targeted online and bullied at various schools. Hundreds of thousands have signed petitions and called for law enforcement to arrest the cyber bullies and predators who tormented her for years. Privacy, Internet and media lawyer David Fraser discusses some of the complexities of this type of case.

Friday, October 19, 2012

Discussions about online bullying and harassment

The tragic story of Amanda Todd, a Victoria-area teenager who took her own life after a long period of being stalked and extorted by an adult and bullied by her peers, has placed a renewed focus on online bullying in Canada.

Over the past week, I've contributed to a number of discussions on the topic, including the following:

Catching Cyberbullies | Day 6 with Brent Bambury | CBC Radio: In the wake of Amanda Todd's suicide, cries for justice have echoed around the world. Millions have watched the heart wrenching YouTube video where she describes how she was targeted online and bullied at various schools. Hundreds of thousands have signed petitions and called for law enforcement to arrest the cyberbullies and predators who tormented her for years. Privacy, Internet and media lawyer David Fraser discusses some of the complexities of this type of case. [Audio of interview to be broadcast on October 20, 2012 is available here]

Cyberbullying Panel | CBC The National | CBC TV: Following the death of Amanda Todd, Wendy Mesley hosts a panel on the desire for justice in cyberbullying cases and if the legal system should get involved. [Video, originally broadcast October 19, 2012, is available here (skip to about 30 minutes in)]

Interview with Paul Hollingsworth | CTV Atlantic

Supreme Court of Canada finds reasonable expectation of privacy in work-issued laptop

The Supreme Court of Canada just released its decision in R v Cole, 2012 SCC 53, in which a majority of justices of the Court held that a teacher at a school had a reasonable expectation of privacy in the contents of his work-issued laptop. Nevertheless, evidence of child pornography found on it by the school, which was then given to the police, was found to be admissible evidence.

This is bound to be a controversial decision that will have repercussions in the employment law context as well as in criminal trials.

Here's the headnote from the case:

R v Cole, 2012 SCC 53

ON APPEAL FROM THE COURT OF APPEAL FOR ONTARIO

Constitutional law — Charter of Rights — Search and seizure — Information contained on computer — Pornographic pictures of child found on employer-issued work computer — Whether accused had reasonable expectation of privacy in employer-issued work computer — Whether warrantless search and seizure of laptop computer and disc containing Internet files breached accused’s rights under s. 8 of Charter — If so, whether evidence ought to be excluded pursuant to s. 24(2) of Charter.

The accused, a high-school teacher, was charged with possession of child pornography and unauthorized use of a computer. He was permitted to use his work-issued laptop computer for incidental personal purposes which he did. While performing maintenance activities, a technician found on the accused’s laptop a hidden folder containing nude and partially nude photographs of an underage female student. The technician notified the principal, and copied the photographs to a compact disc. The principal seized the laptop, and school board technicians copied the temporary Internet files onto a second disc. The laptop and both discs were handed over to the police, who without a warrant reviewed their contents and then created a mirror image of the hard drive for forensic purposes. The trial judge excluded all of the computer material pursuant to ss. 8 and 24(2) of the Canadian Charter of Rights and Freedoms. The summary conviction appeal court reversed the decision, finding that there was no s. 8 breach. The Court of Appeal for Ontario set aside that decision and excluded the disc containing the temporary Internet files, the laptop and the mirror image of its hard drive. The disc containing the photographs of the student was found to be legally obtained and therefore admissible. As the trial judge had wrongly excluded this evidence, the Court of Appeal ordered a new trial.

Held (Abella J. dissenting): The appeal should be allowed. The exclusionary order of the Court of Appeal is set aside and the order of a new trial is affirmed.

Per McLachlin C.J., and LeBel, Fish, Rothstein, Cromwell and Moldaver JJ.: Computers that are reasonably used for personal purposes — whether found in the workplace or the home — contain information that is meaningful, intimate, and touching on the user’s biographical core. Canadians may therefore reasonably expect privacy in the information contained on these computers, at least where personal use is permitted or reasonably expected. Ownership of property is a relevant consideration, but is not determinative. Workplace policies are also not determinative of a person’s reasonable expectation of privacy. Whatever the policies state, one must consider the totality of the circumstances in order to determine whether privacy is a reasonable expectation in the particular situation. While workplace policies and practices may diminish an individual’s expectation of privacy in a work computer, these sorts of operational realities do not in themselves remove the expectation entirely. A reasonable though diminished expectation of privacy is nonetheless a reasonable expectation of privacy, protected by s. 8 of the Charter. Accordingly, it is subject to state intrusion only under the authority of a reasonable law.

The police in this case infringed the accused’s rights under s. 8 of the Charter. The accused’s personal use of his work-issued laptop generated information that is meaningful, intimate, and organically connected to his biographical core. Pulling in the other direction are the ownership of the laptop by the school board, the workplace policies and practices, and the technology in place at the school. These considerations diminished the accused’s privacy interest in his laptop, at least in comparison to a personal computer, but they did not eliminate it entirely. On balance, the totality of the circumstances support the objective reasonableness of the accused’s subjective expectation of privacy. While the principal had a statutory duty to maintain a safe school environment, and, by necessary implication, a reasonable power to seize and search a school-board issued laptop, the lawful authority of the accused’s employer to seize and search the laptop did not furnish the police with the same power. Furthermore, a third party cannot validly consent to a search or otherwise waive a constitutional protection on behalf of another. The school board was legally entitled to inform the police of its discovery of contraband on the laptop. This would doubtless have permitted the police to obtain a warrant to search the computer for the contraband. But receipt of the computer from the school board did not afford the police warrantless access to the personal information contained within it. This information remained subject, at all relevant times, to the accused’s reasonable and subsisting expectation of privacy.

Unconstitutionally obtained evidence should be excluded under s. 24(2) if, considering all of the circumstances, its admission would bring the administration of justice into disrepute. The conduct of the police officer in this case was not an egregious breach of the Charter. While the police officer did attach great importance to the school board’s ownership of the laptop, he did not do so to the exclusion of other considerations. The officer sincerely, though erroneously, considered the accused’s Charter interests. Further, the officer had reasonable and probable grounds to obtain a warrant. Had he complied with the applicable constitutional requirements, the evidence would necessarily have been discovered. Finally, the evidence is highly reliable and probative physical evidence. The exclusion of the material would have a marked negative impact on the truth-seeking function of the criminal trial process. The admission of the evidence would not bring the administration of justice into disrepute and therefore the evidence should not be excluded.

Generally speaking, the decision to exclude evidence under s. 24(2) should be final. In very limited circumstances however, a material change of circumstances may justify a trial judge to revisit an exclusionary order. In this case, the Court of Appeal invited the trial judge to re-assess the admissibility of the temporary Internet files disc if the evidence becomes important to the truth-seeking function as the trial unfolds. Unconstitutionally obtained evidence, once excluded, will not become admissible simply because the Crown cannot otherwise satisfy its burden to prove the guilt of the accused beyond a reasonable doubt.

Per Abella J. (dissenting): While it is agreed that there has been a Charter breach, the evidence in this case should be excluded under s. 24(2). The Charter-infringing conduct in this case was serious in its disregard for central and well-established Charter standards. The police officer had years of experience in investigating cyber-crime and was expected to follow established Charter jurisprudence. Further, the police officer’s exclusive reliance on ownership to determine whether a warrant was required, was unreasonable and contradicted a finding of good faith for the purposes of s. 24(2). There were also no exigent circumstances or other legitimate reasons preventing the police from getting a warrant. The decision not to get a warrant mandates in favour of exclusion.

The impact of the breach on the accused’s Charter-protected interests, even assuming that his reasonable expectation of privacy was reduced because it was a workplace computer, was significant given the extent of the intrusion into his privacy. The warrantless search and seizure in this case included the entire contents of the accused’s computer. It had no restrictions as to scope. The extent of the search of the accused’s hard drive and browsing history was significant and weighs in favour of exclusion.

Finally, while the evidence in this case is reliable, its importance to the prosecution’s case is at best speculative given that the pornographic photographs themselves were admitted.

Balancing these factors, and in light of the deference owed to trial judges in applying s. 24(2), the evidence should be excluded.