Friday, February 17, 2012

The hidden gag order in Bill C-30 (aka the lawful access bill)

While much attention has been focused on the general problems with Bill C-30 - Protecting Children from Internet Predators Act, we are starting to see some very good commentary on the details.

One detail that hasn't really seen the light (and it may not be an accident) is the hidden gag order. Not only will the police, national security folks and the competition cops be able to get customer names, addresses, IP addresses and e-mail addresses without a warrant, there's a gag order that means you'll likely never find out you've been the subject of such an inquiry even if you ask your ISP.

Section 23 looks like it was designed to be obscure and obtuse:

23. Personal information, as defined in subsection 2(1) of the Personal Information Protection and Electronic Documents Act, that is provided under subsection 16(1) or 17(1) is deemed, for the purposes of subsections 9(2.1) to (2.4) of that Act, to be disclosed under subparagraph 7(3)(c.1)(i) or (ii), and not under paragraph 7(3)(i), of that Act. This section operates despite the other provisions of Part 1 of that Act.

Unless you're familiar with the Personal Information Protection and Electronic Documents Act, you'll probably miss what this means.

In short, by default everyone has the right to ask any company that is subject to the law what information they have about him or her, how they've used it and to whom they've disclosed it. That is, unless that right is overridden by Section 9. Section 23 of C-30 essentially says that any personal information that is handed over without a warrant under the lawful access law has to be treated in the same way under PIPEDA as information disclosed in response to a law enforcement request. Here's where the gag order kicks in. If the person exercises his or her lawful right to seek his or her personal information and an accounting of its use, the ISP is prohibited from telling him or her unless the police, national security agencies or competition cops give their OK. And they can refuse to give their OK on a number of relatively flexible bases.

This is the opposite of transparency, and it looks like it was designed this way.


Update (18 February 2012): It is really worth noting that this gag order is not new. It has existed in PIPEDA for quite some time. What is new is extending it to cover "lawful access" requests.

People should be aware that -- I am told -- in the vast majority of cases, internet service providers will willingly hand over customer information without a warrant when the police tell them that it is connected with a child exploitation investigation (using something cynically called a "PIPEDA Request", which I've blogged about before). If your internet service provider hands over your information voluntarily, that's also subject to the gag order in Section 9 of PIPEDA.



For statute nerds, the particular subsections of PIPEDA referred to in Section 23 of C-30 are:

Information related to paragraphs 7(3)(c), (c.1) or (d)

9(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization

(a) inform the individual about

(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or

(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or


(b) give the individual access to the information referred to in subparagraph (a)(ii).


Notification and response

(2.2) An organization to which subsection (2.1) applies

(a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and

(b) shall not respond to the request before the earlier of

(i) the day on which it is notified under subsection (2.3), and

(ii) thirty days after the day on which the institution or part was notified.


Objection

(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to

(a) national security, the defence of Canada or the conduct of international affairs;

(a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or

*(a.1) the detection, prevention or deterrence of money laundering; or

*[Note: Paragraph 9(2.3)(a.1), as enacted by paragraph 97(1)(c) of chapter 17 of the Statutes of Canada, 2000, will be repealed at a later date.]

(b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.


Prohibition

(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization

(a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);

(b) shall notify the Commissioner, in writing and without delay, of the refusal; and

(c) shall not disclose to the individual

(i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,

(ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or

(iii) that the institution or part objects.

7 comments:

Ethan Smith said...

Whow!

Geordie said...

That's really offensive.

Nick Fillmore said...

Offensive, but not a surprise! Harper knows what he wants -- a state that can arrest evil liberal-minded people, and break all the unions. Harper's views are very dangerous: http://nickfillmore.blogspot.com/2012/02/is-stephen-harper-displaying-fascist.html

Anonymous said...

Wouldn't it make sense that the police would not want someone to know that they are about to get a warrant? Not sure why someone would care that the police know your contact information.

privacylawyer said...

(1) It makes sense during the investigation, but after the investigation anyone should know if the police have been snooping around into what they're doing. It's the law when it comes to warrants and wiretap orders and should also be the case with these sorts of things.
(2) The reason why it's an issue is that it is not just "contact information", but a person's contact information connected with other information that the police have already found and then subsequently connect it to. Your name on a voters' list doesn't say much about you, but your name on a list of people who spent the night in the drunk tank says something else entirely. Both are "just your name" but context is everything.

Anonymous said...

No surprise there. C-30 is very much the US Patriot Act redux and "disclosure non-disclosure" is a key feature of that law.

Liberal Bias said...

Your post is certainly one of the best sources of valuable information every reader must follow. Glad to hear a lot from you soon. Keep on sharing! Thanks