Some suggestions to fix the lawful access bill

There are many, many problems with the warrantless access to customer data in Bill C-30, known as the lawful access bill. The main problem pointed to by the proponents of the Bill is that it takes too long to get a warrant that requires an internet service provider to hand over customer name and address information that corresponds with an IP address. If that is really the problem they are trying to address, it would be best to address it by making the warrant-seeking process more efficient and limit warrantless requests to circumstances where there is a real emergency.

Since the government has suggested it is open to amending the Bill, it doesn’t sound like they are amenable to throwing it out and fixing the warrant process. In hopes of adding to the discussion on what’s wrong with the Bill and how it can be fixed, below I’ve set out some of the major problems and how they can be fixed in a way that restores the protection of privacy while permitting law enforcement to investigate serious crimes.

I don’t expect these are the only solutions, but will hopefully start a discussion on how to fix lawful access.

1. There is no limitation on the circumstances under what these powers can be used.
   

   Problem: As drafted, there is no limitation under which these powers can be used. They can be used for child exploitation investigations or serious crime, but can also be used without any justification or to reunite someone with their lost iPhone.
   

   Solution: Limit the use of these powers to (a) the investigation of serious crimes only under the Criminal Code, the Narcotics Control Act, the Canadian Security Intelligence Service Act and the National Defence Act where there are reasonable and probable grounds to believe that the information is necessary for the investigation of a crime that has occurred or is likely to occur, or (b) where the subscriber about whom the information relates is reasonably believed to be a victim of the crime or whose life or safety is in imminent jeopardy, and the victim’s identity is unknown.
   

   (If lost iPhones are a serious problem that require police intervention, require the police to hand them them to the telco and require the telcos to reunite them with their heartbroken owners.)
   

2. There is no accountability to the justice system.
   

   Problem: The requesting officer is not required to justify the request and to be accountable to the wider justice system. Under a warrants-based system, an affidavit is required and it needs to be filed with the courts.
   

   Solution: Require that the requesting officer swear an affidavit, under oath, articulating the circumstances described above and the basis for this belief. The affidavit shall be filed with the superior court of the relevant jurisdiction. This affidavit can be filed after the fact in exigent circumstances. This affidavit should be counter-signed by an officer of superior rank to the requesting officer or a senior crown attorney, who will also swear that she is of the view that the facts set out by the officer form the basis for a lawful request.
   

3. There is no accountability to the individual if charges do not result.
   

   Problem: The individual whose information is sought will likely never know that this information was sought and obtained unless it comes out in open court after charges have been laid. In the current draft C-30, there is actually a gag order that prevents the ISP from telling the individual even if asked.
   

   Solution: The affidavit referred to above shall be provided to the individual whose information is sought within six months unless a judge agrees, based on affidavit evidence provided by the relevant law enforcement officer, that doing so would be harmful to an ongoing criminal or national security investigation. An individual whose information is wrongfully sought or obtained should have a private right of action against the officer and the officer’s employer if there were not reasonable grounds to seek the information.
   

4. There is no accountability to the public at large.
   

   Problem: The Bill, as currently drafted, doesn’t give the public at large any understanding of how the intrusive powers are used and under what circumstances.
   

   Solution: The Minister of Justice or the Minister of Public Safety shall table an annual report before Parliament setting out the number of such requests, including the requesting police agency, the criminal code section or other violation being investigated, whether charges were laid against the individual and whether a conviction resulted. This is in addition to the ability of the federal and provincial privacy commissioners to audit the practices of the agencies within their jurisdiction, except that summary results of their audits shall be tabled in Parliament annually. (Additional funding to each privacy commissioner should be provided to defray the costs of such audits.)

I'd be happy to hear any other proposed solutions ...

Police "PIPEDA requests" for customer information

As a follow-up to my previous post 'Dealing with police "Letters of Request for Information"', I thought I'd discuss a particular species of request letters, commonly referred to as "PIPEDA Requests".

The names are a bit misleading, since in many cases the recipient is led to believe that the authority to obtain the information is found in PIPEDA (the Personal Information Protection and Electronic Documents Act).

Here is an example letter, taken from R. v. Ward, 2008 ONCJ 355:

I, Constable Jason Tree of the National Child Exploitation Coordination Centre, am a law enforcement officer with the Royal Canadian Mounted Police.

I am conducting an investigation in relation to child sexual exploitation offences under the Criminal Code and I am requesting account information pursuant only to that investigation.

I request this disclosure in accordance with s. 7(3)(c.1) of the Personal Information Protection Electronic Documents Act. My authority to request and obtain this information derives from the Royal Canadian Mounted Police Act and the Royal Canadian Mounted Police Regulations as well as common law.

I am requesting the last known customer name and address of the account holder associated with IP address [number] used [date and time].

Should you agree to this request, please provide the information in the section below and reply via e-mail to Jason.tree@rcmp-grc.gc.ca.

As I understand it, the form of letter was a result of the coordinated effort of law enforcement and a group of internet service providers who have agreed to provide warrantless access to customer account information in connection with child exploitation investigations. They are designed to satisfy the requirements of Section 7(3)(c.1)(ii) of PIPEDA which permits disclosures of personal information to the police where they have the "lawful authority" to obtain the information and the information relates to "enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law".

While I generally have a dim view of disclosing customer information without a warrant, I can certainly understand why internet service providers have worked with law enforcement to address these particularly grim crimes.

Lawful Access then and now: Comparing C-30 to 2005's Modernization of Investigative Techniques Act

I was asked how the new Bill C-30 compares to the Modernization of Investigative Techniques Act tabled by the liberals in 2005. Here's a redline to draw your own conclusions: https://docs.google.com/open?id=0B_bUaJvZ9k_BNmY2ODc1YmQtMzU3OC00MjhjLTlmMDYtYzA0OTAzMjhjNzAw.

---

Update: When the liberals introduced the Modernization of Investigative Techniques Act, it contained a provision that would allow the police to obtain warrantless access to customer information:

17. (1) Every telecommunications service provider shall, in accordance with the regulations, provide to a person designated under subsection (3), on his or her written request, any information in the service provider’s possession or control respecting the name and address of any subscriber to any of the service provider’s telecommunications services and respecting any other identifiers associated with the subscriber.

This is essentially the same as what's in the new Bill C-30 - Protecting Children from Internet Predators Act,

16. (1) On written request by a person designated under subsection (3) that includes prescribed identifying information, every telecommunications service provider must provide the person with identifying information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.

The Conservatives C-30 is actually more circumscribed, since the information is limited to customer name, address, phone number, e-mail address and IP address. The Liberals' C-74 allowed for name, address and "any other identifiers". I would assume that "any other identifiers" would include the laundry list of items that was included in last year's proposed Bill C-52:

• mobile identification number,
  
• electronic serial number (ESN),
  
• local service provider identifier,
  
• international mobile equipment identity (IMEI) number,
  
• international mobile subscriber identity (IMSI) number and
  
• subscriber identity module (SIM) card number

Regardless of the federal political party that is advocating for its adoption, warrantless access to customer information is a very bad idea.

The hidden gag order in Bill C-30 (aka the lawful access bill)

While much attention has been focused on the general problems with Bill C-30 - Protecting Children from Internet Predators Act, we are starting to see some very good commentary on the details.

One detail that hasn't really seen the light (and it may not be an accident) is the hidden gag order. Not only will the police, national security folks and the competition cops be able to get customer names, addresses, IP addresses and e-mail addresses without a warrant, there's a gag order that means you'll likely never find out you've been the subject of such an inquiry even if you ask your ISP.

Section 23 looks like it was designed to be obscure and obtuse:

23. Personal information, as defined in subsection 2(1) of the Personal Information Protection and Electronic Documents Act, that is provided under subsection 16(1) or 17(1) is deemed, for the purposes of subsections 9(2.1) to (2.4) of that Act, to be disclosed under subparagraph 7(3)(c.1)(i) or (ii), and not under paragraph 7(3)(i), of that Act. This section operates despite the other provisions of Part 1 of that Act.

Unless you're familiar with the Personal Information Protection and Electronic Documents Act, you'll probably miss what this means.

In short, by default everyone has the right to ask any company that is subject to the law what information they have about him or her, how they've used it and to whom they've disclosed it. That is, unless that right is overridden by Section 9. Section 23 of C-30 essentially says that any personal information that is handed over without a warrant under the lawful access law has to be treated in the same way under PIPEDA as information disclosed in response to a law enforcement request. Here's where the gag order kicks in. If the person exercises his lawful right to seek his or her personal information and accounting of its use, the ISP is prohibited from telling him or her unless the police, national security agencies or competition cops give their OK. And they can refuse to give their OK on a number of relatively flexible bases.

This is the opposite of transparency, and it looks like it was designed this way.

---

Update (18 February 2012): It is really worth noting that this gag order is not new. It has existed in PIPEDA for quite some time. What is new is extending it to cover "lawful access" requests.

People should be aware that -- I am told -- in the vast majority of cases, internet service providers will willingly hand over customer information without a warrant when the police tell them that it is connected with a child exploitation investigation (using something cynically called a "PIPEDA Request", which I've blogged about before). If your internet service provider hands over your information voluntarily, that's also subject to the gag order in Section 9 of PIPEDA.

---

For statute nerds, the particular subsections of PIPEDA referred to in Section 23 of C-30 are:

Information related to paragraphs 7(3)(c), (c.1) or (d)

9(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization

(a) inform the individual about

(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or

(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or

(b) give the individual access to the information referred to in subparagraph (a)(ii).

Notification and response

(2.2) An organization to which subsection (2.1) applies

(a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and

(b) shall not respond to the request before the earlier of

(i) the day on which it is notified under subsection (2.3), and

(ii) thirty days after the day on which the institution or part was notified.

Objection

(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to

(a) national security, the defence of Canada or the conduct of international affairs;

(a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or

*(a.1) the detection, prevention or deterrence of money laundering; or

*[Note: Paragraph 9(2.3)(a.1), as enacted by paragraph 97(1)(c) of chapter 17 of the Statutes of Canada, 2000, will be repealed at a later date.]

(b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.

Prohibition

(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization

(a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);

(b) shall notify the Commissioner, in writing and without delay, of the refusal; and

(c) shall not disclose to the individual

(i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,

(ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or

(iii) that the institution or part objects.

Vancouver police can't use ICBC biometric database to ID Stanley Cup rioters, says Privacy Commissioner

The Information and Privacy Commissioner of British Columbia, Elizabeth Denham, has rules that the Vancouver police cannot use the facial recognition database compiled by the Insurance Corporation of British Columbia without a court order or warrant. See: Police can't use ICBC facial recognition to track rioters - British Columbia - CBC News.

Lawful Access then and now: Comparing C-52 to current C-30

In case you are, like me, spending the evening checking out what has changed with respect to warrantless access to subscriber data between Bill C-52 (introduced last year) and Bill C-30 introduced in Parliament today, this redline comparison may help.

Lawful access bill introduced in parliament

It's baaaaack .....

Public Safety Minister Vic Toews has introduced in parliament Bill C-30 - Protecting Children from Internet Predators Act.

Here is the Minister's press release:

Harper government introduces Protecting Children from Internet Predators Act

OTTAWA, February 14, 2012 – The Honourable Vic Toews, Minister of Public Safety, and the Honourable Rob Nicholson, Minister of Justice and Attorney General of Canada, today introduced in the House of Commons the Protecting Children from Internet Predators Act, a Bill that would provide law enforcement and the Canadian Security Intelligence Service (CSIS) with the modern investigative tools they need to help fight crime and national security threats, while strengthening safeguards to protect the privacy of Canadians.

“Our Government is committed to keeping our streets and communities safe. Rapid changes in technology mean crimes and national security threats are more difficult to investigate. As a result, criminals, gangs and terrorists have found ways to exploit technological innovations to hide their illegal activities,” said Minister Toews. “This legislation would give law enforcement and CSIS the investigative tools they need to do their jobs and keep our communities safe.”

Bill C-30 would require telecommunications service providers (TSP) to:

• implement and maintain systems capable of lawfully intercepting communications in order to support the police and CSIS when needed; and
  
• provide basic subscriber information in a consistent and timely fashion to designated police, CSIS and Competition Bureau officials upon request (limited to subscriber name, address, telephone number, e-mail address, the Internet protocol address, and the name of the service provider).

The proposed legislation would help to protect the security and privacy of Canadians by imposing strict limits on the number of CSIS and law enforcement officials who are permitted to make basic subscriber information requests, and apply new requirements for recording, reporting, and auditing those requests.

In addition, the Bill would:

• streamline the application process when court orders or warrants need to be issued in relation to an investigation that involves interceptions;
  
• update existing offences in the Criminal Code to ensure that they are able to cover new ways of committing old crimes;
  
• create new, carefully tailored investigation tools, such as production and preservation orders in the Criminal Code and the Competition Act;
  
• enable Canada to ratify the Council of Europe’s Convention on Cybercrime and its Additional Protocol on Xenophobia and Racism; and
  
• add the safeguards of reporting and notification for the interception of private communications in exceptional circumstances.

“New technologies provide new ways of committing crimes, making them more difficult to investigate. We must ensure that law enforcement has the investigative tools to bring to justice those who break the law,” said Minister Nicholson. “This legislation will enable authorities to keep pace with rapidly changing technology, without diminishing the legal protections currently afforded to Canadians with respect to privacy.”

The proposed legislation is consistent with that of Australia, New Zealand, the United Kingdom and the United States, and will improve Canada’s ability to work with its international partners to combat crime and terrorism.

At the January 2012 meeting of federal, provincial and territorial (FPT) ministers responsible for justice and public safety in Charlottetown, Prince Edward Island, the ministers unanimously agreed on the need to enhance and modernize the investigative capability of law enforcement and urged the federal government to move forward on enacting previously introduced legislation.

“Lawful access represents an important tool to assist policing in combatting serious criminal activity, such as organized crime, sexual predators or identity theft,” said Dale McFee, President of the Canadian Association of Chiefs of Police.

“Modernization of current legislative provisions reflects significant and obvious advancements in communications technologies, which will allow the police to lawfully and effectively investigate serious offences.”

An online version of the proposed legislation will be available at www.parl.gc.ca.

See Also:

• Backgrounder: Protecting Children from Internet Predators Act
  
• Modernizing investigative tools through the Protecting Children from Internet Predators Act

What lawful access is all about and why it matters

The Canadian federal government is expected to table its latest iteration of "lawful access" legislation in Parliament this week. This is a BIG DEAL.

First, let's set the record straight: Assuming this bill is roughly the same as the last one that fell off the order paper, it will NOT allow warrantless access to the contents of any online communications. They can't read your email or watch you surf the internet, unless they get a warrant. But what it does is requires anyone who offers telecommunications services to the public (which would include Microsoft's MSN, Google Talk, Skype, etc.) to build in a backdoor so the police can wiretap it with a warrant. This involves, in many cases, compromising the security of these systems.

But it is expected to set up a system under which the police can get a huge list of non-content personal information without a warrant. And this is very bad.

Ask yourself this:

• Should the police be able to get access to the names and addresses of anyone who shows up at a G20 protest? An Occupy* protest? A Stanley Cup riot? Parliament Hill? The PM's residence? An abortion clinic? A sketchy part of town? If this bill looks anything like the last, they will be able to on a whim without any judicial oversight. (All they need is an "IMSI Catcher" (here's an example of one meant for law enforcement and one made by some guy for $1500), which grabs the unique identifiers of all the cell phones within range and a request to the relevant telcos to hand over the names and addresses associated with the phones. Heck, they can ask for your e-mail address while they're at it.)
  
• Should be police be able to get the name and address of someone who seems to be spending an inordinate amount of time perusing the Criminal Code on the Department of Justice website? They'll be able to do just that.
  
• Should the police be able to get your name and address based on your web browsing activities without having to swear before a judge that there is any compelling reason to get it? If this bill looks anything like the last, they will be able to.
  
• Should the police be able to get your e-mail address, IP address and phone numbers without any probable cause? Yup, they'll be able to get that too.

The Internet is not quite like the real world. When you go to a library or a book store, you don't have to provide ID or leave a record of what you looked at or that you were even there. When you step into a store in the real world, you don't necessarily leave a trace of what you perused and what you bought (if you paid cash). You can send an anonymous letter to the editor of your local newspaper to voice an unpopular opinion without giving your name or any other identifying information. (They probably will not publish it, but that's beside the point.) But the Internet doesn't work like that.

Every device on the network has an IP address. IP addresses can be tied to an individual computer or a range of computers sitting behind a firewall or a router. Every mobile device, such as a cell phone or a smart phone, has a number of unique identifiers that it chirps out to the network that it's attached to. Every interaction that you have online, you can assume is being logged in some fashion in connection with that IP address. Many e-mails you send include in the headers the IP address of the computer it was written on.

It's just the nature of how networks work. That IP can perhaps be traced to you, to your household or to your employer. In most cases, where residential internet accounts are concerned, they are connected to the name and address of the account holder. With phones, that identifier is connected to the individual who owns the phone.

Every mobile phone regularly chirps out its location so that the phone company can route calls to your device. Your phone company always knows where you are (if you have your phone with you and it's on). That chirping is also a transmission of identifying information about your phone, which can be readily intercepted by the police or national security organizations. If your phone can be connected to you personally, it's a beacon about you and under lawful access, it's readily available to them.

In short: Everywhere you go on the internet or with your mobile phone, you leave digital footprints. That's the nature of the modern, networked world. So what protects your privacy when you do anything online? The fact that whoever allocated that IP address or provides your cell phone service has to keep it confidential unless a judge decides that the public interest (or the state interest) overrides your privacy interest. That's why we have a Charter of Rights and Freedoms in Canada and why we have an independent judiciary. There is no absolute anonymity online, but there is effective privacy by obscurity because anyone who can connect your IP address to an individual is bound to keep it confidential unless a judge says otherwise.

However, lawful access takes that important balance away. It would give police forces and national security folks virtually unfettered powers to connect those otherwise anonymous footprints to an actual person (or small group of persons).

Don't get me wrong ... The police should be able to tap phones, track people and search computers, but all with a warrant. The only thing that stands in the way of police over-reaching and the destruction of civil rights is the Charter and independent judges who are called upon every day to decide where to strike the proper balance.

The government has suggested that we shouldn't sweat it, since the information the police would have access to is just like "phone book" information. That's simply not true. Only name and phone number appear in the phone book, which you can opt out of. Lawful access would permit the police to obtain any of the following:

name,
• address,
  
• telephone number and
  
• electronic mail address,
  
• Internet protocol address,
  
• mobile identification number,
  
• electronic serial number (ESN),
  
• local service provider identifier,
  
• international mobile equipment identity (IMEI) number,
  
• international mobile subscriber identity (IMSI) number and
  
• subscriber identity module (SIM) card number that are associated with the subscriber’s service and equipment.

The phone number analogy is completely inappropriate. With a phone book, if you know the name you can get the number. If you know the number, you can get the name. Not a big deal. In this case, the police can have one piece of the above information and demand the ten other pieces of data. And they'd never be asking for it in isolation, but rather they think they've seen something sketchy and want to connect it to a person.

When lawful access was last before Parliament, it was completely devoid of any measures that could be used to protect against abuses other than a closed recordkeeping requirement and the ability of the privacy commissioner to audit. It did not require any report statistics of its usage to Parliament, as is the case for most wiretaps. No requirement to notify the subject of the investigation after the fact. No requirement that there be probable cause. No requirement that the requesting officer justify the demand. No requirement that there even be an actual investigation under the Criminal Code. No oversight whatsoever.

Supporters say "think of the children!" Or we in a war against terrorism! The law could have been tailored to only apply to actual lawful investigations of child exploitation or terrorism offenses, but the government did not do that. Instead, they designed a system that could be used to target people who -- shudder -- violate parking by-laws or engage in lawful expression. It seems purpose-built for fishing expeditions.

Some supporters suggest that getting a warrant is too cumbersome and time-consuming. This suggestion is often misleading: if it's an emergency (exigent circumstances), the cops can get this information right away. And every province has a system where warrants can be issued 24/7 over the phone from a duty judge. If it's too inefficient for most routine investigations, get more judges or streamline the process.

This is important and Canadians should educate themselves about it. Here are some great resources:

• Past blog posts about lawful access
  
• CIPPIC FAQ on lawful access
  
• OpenMedia's Stop Online Spying campaign
  
• Michael Geist's blog posts on lawful access and his great comprehensive guide to lawful access.
  
• Christopher Parsons on lawful access and his report “Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies” (PDF)
  
• BC Civil Liberties Association: Moving Towards a Surveillance Society: Proposals to Expand “Lawful Access” in Canada (PDF)
  
• Archive of the Ontario Information and Privacy Commissioner's Symposium on "Beware of Surveillance By Design"
  
• Legislative Summary of Bill C-51 by the Library of Parliament
  

Lawful access bill on the order paper for next week

An anticipated bill, entitled “An Act to enact the Investigating and Preventing Criminal Electronic Communications Act and to amend the Criminal Code and others Acts” appears on the parliamentary order paper published on Friday, for introduction this coming week. More to follow ... (See: Order Paper and Notice Paper No. 79.)

The Montreal Gazette reported on its anticipated reappearance:

New law could allow police to view people's web-surfing habits

MONTREAL - Police will get much easier access to the web surfing habits and personal information of all Canadians if a new law, expected to be introduced in the House of Commons next week, passes.

Privacy watchdogs caution if the so-called Lawful Access law is passed, it would give police access to web browsing history, sensitive personal information, and it would grant greater permission to track the cellular phones of suspects, and much of it without the requirement of a warrant.

The bill, which is on the order paper for the week starting Monday, would require Internet service providers and cellular phone companies to install equipment that would monitor the activities of their users so that the information could be turned over to police when requested. It would also grant greater permission to law enforcement authorities to activate tracking mechanisms within cellular phones so they can follow the whereabouts of suspected criminals. If there is a suspicion of terrorist activity, the law would allow such tracking to go on for a year, rather than the current 60-day limit.

This isn’t the first time this law has been introduced. The most previous incarnation of the Lawful Access law died on the order paper when the most recent federal election was called last year.

Public Safety Minister Vic Toews said the law will give the tools to police to adequately deal with 21st century technology, and said anyone opposing the law favours “the rights of child pornographers and organized crime ahead of the rights of law-abiding citizens.”

However, Canada’s privacy commissioner raised a red flag about the law late last year, and wrote a letter to Toews saying she was concerned about the permissions it will grant police.

“In the case of access to subscriber data, there is not even a requirement for the commission of a crime to justify access to personal information – real names, home addresses, unlisted numbers, email addresses, IP addresses and much more – without a warrant,” Jennifer Stoddart wrote. “Only prior court authorization provides the rigorous privacy protection Canadians expect.”

Michael Geist, a law professor at the University of Ottawa, and an outspoken critic of the law, said he’s worried about all the information police will be able to obtain without a warrant.

“The ability to use that kind of information in a highly sensitive way without any real oversight is very real,” Geist said.

As an example of the new powers, Geist said authorities would be able to use equipment to find the cellular phone numbers of people attending a protest, and then be able to ask a cellular phone company to disclose personal information of the people attached to those cellular phone numbers. Police could then track their web behaviours and monitor their movements by tracking their cellular phones.

Geist said Canadians should also be concerned that the information obtained by police here could be shared with their counterparts around the world.

Geist added this could also be a tremendous waste of money, because ISPs would be required to spend a lot to put in place the advanced monitoring infrastructure proposed.

“One thing (the government) has never provided is the evidence to show how the current set of laws has stymied investigations or created a significant barrier to ensure that we’re safe in Canada,” Geist said.

He argued recent investigations into child pornography and the Sûreté du Québec’s recent tapping in of Blackberry Messenger communication to make an arrest of suspected mobsters in a murder case in Montreal show the current laws already work well.

IMSI catchers and why they matter

Christopher Parsons has a very informative blog post about IMSI catchers, which includes a link to an amici curiae submission to a US court which provides a additional insights. "IMSI catchers" are a piece of surveillance technology that allows the user to impersonate a cell phone site and intercept communications between a phone and the cellular network.

This matters right now because the lawful access bill expected to be tabled in Parliament shortly is anticipated to contain a provision that allows warrantless access to customer information, including the following:

• name,
• address,
• telephone number and
• electronic mail address,
• Internet protocol address,
• mobile identification number,
• electronic serial number (ESN),
• local service provider identifier,
• international mobile equipment identity (IMEI) number,
• international mobile subscriber identity (IMSI) number and
• subscriber identity module (SIM) card number that are associated with the subscriber’s service and equipment.

Once an IMSI catcher is set up and catches all the mobile phone IMSIs in the vicinity (of a protest or international event), the police can obtain -- without a warrant -- any of the above information connected to that phone.

Read Christopher's blog post: Amici Curiae on IMSI Catchers | Technology, Thoughts, and Trinkets.

Nova Scotia Commissioner reappointed

The Nova Scotia government has extended the Freedom of Information and Protection of Privacy Review Officer Dulcie McCallum's term to February 5, 2014.

This extension encompasses the full seven year appointment contemplated by the Freedom of Information and Protection of Privacy Act for her first term as Nova Scotia's Review Officer.

The Order in Council can be found here: http://www.foipop.ns.ca/content/Publications/OIC%202012-19.pdf