Sunday, July 22, 2012

Skype cooperation with law enforcement and privacy policy weasel words

Ryan Gallagher at Slate's Future Tense blog asks whether Skype can intercept VOIP conversations and whether they provide such content to law enforcement. What's more troubling is how evasive Microsoft/Skype appears to be when asked a direct question:

But when I repeatedly questioned the company on Wednesday whether it could currently facilitate wiretap requests, a clear answer was not forthcoming. Citing “company policy,” Skype PR man Chaim Haas wouldn’t confirm or deny, telling me only that the chat service “co-operates with law enforcement agencies as much as is legally and technically possible.”

The post refers to the Skype privacy policy, which appears clear but is really sketchy:

Under Section 3 of the privacy policy, it is stated that Skype or its partners “may provide personal data, communications content and/or traffic data to an appropriate judicial, law enforcement or government authority lawfully requesting such information.” It also notes that instant messages sent over Skype will be stored for a maximum 30 days “unless otherwise permitted or required by law.”

Note the use of "lawfully requesting such information". There's a very real difference between a lawful request and a lawful demand. We have in our Canadian Criminal Code the following section:

Power of peace officer

487.014 (1) For greater certainty, no production order is necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament to ask a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

In Canada, the police are permitted to ask, lawfully, in circumstances where they have no court order or production order, and therefore can't legally compel the information. (As an aside, I have seen on many, many occasions in my practice "request letters" from law enforcement that use this section as their "lawful authority" to demand information from service providers. Most service providers read this as a legally-enforceable demand that can't be declined.)

Skype isn't alone in this: many other privacy policies use this sort of language, which reserves to the operator the discretion of whether they'll require legal process that compels the production of information.

Transparency/clarity = good. Weasel words = bad.

See: Skype won't comment on whether it can now eavesdrop on conversations.


Warren Bulmer said...

As usual, your blog is misleading. There is a very distinct difference between intercepting VOIP calls and asking for customer records under section 487.14 of the Code. Please correct your misinformation such that you inform your readers that the Police cannot intercept a VOIP call on Skype or on any other platform without a Part 6 wiretap authorization. You might want to read Section 183 of the Code. If the Police lawfully obtain judicial authorization to intercept a Skype call and Skype has the technical means to do so then your point is moot. Police can ask Skype to voluntarily turn over customer information such as name or email address for a Skype account. It may even include IP logs which would then require the police to seek a court order (Production Order 487.12) to learn to whom they belong.

It is becoming annoying that many of you Privacy lawyers don't know anything about Criminal law yet you choose to educate the public in such areas. I would suggest you either stick to suing people for copyright infringement or at the very least get your information correct before you post it to the Internet. Under no circumstances can the Police just simply ask Skype to turn over private calls nor force the intercept of such calls by "fooling them" with a form.

privacylawyer said...

While you are entitled to your opinions, I would suggest you read the post again.

I did not say that Canadian police can obtain access to an ongoing VOIP call using s. 487.014. I am familiar with s. 183 of the Code and the meaning of the word "intercept". My reference to s. 487.014 was an illustration of the distinction between a lawful request and a lawful demand. If a privacy policy says the service provider reserves the right to disclose customer information in response to a lawful request, they are likely able to hand it over in the absence of judicial authorization. On the other hand, if they say they will only hand it over in response to a lawful demand, it will take judicial authorization or some other mechanism. Words are important, both in the Criminal Code and in privacy policies.

Judicial authorizations are what protect the Charter rights of Canadians against -- mostly well-intentioned -- overreaching by law enforcement officers. I've seen my share of overreaching and downright bullying by police.

(It's worth noting that a recording of a VOIP call, if created by a service provider, could be a record requested under s. 487.014. And if a non-Canadian service provider said they could disclose it under a lawful request, they could hand it over.)

It would be helpful if more police officers became educated about the nuances of privacy law instead of turning this discussion into a very unhelpful "us vs. them" argument.

Warren Bulmer said...

Sir, I am well educated in the area of the nuances of Privacy law. It is not binding on the Police in a criminal investigation. Secondly, you started your article under the context of intercepting VOIP calls. Then you inaccurately transitioned that by influencing an undereducated reader to draw the inference that if the police ask they will receive. This left the impression that Skype will give the Police anything they ask for when they "lawfully ask".

You even reference the words "weasel" in your description of the privacy policy.

As you should know any Judicial authorization can be challenged in court and if you or any other lawyer felt the Police overreached it would be worth your while to challenge the validity of the warrant.

It has been difficult not to make this an "us VS them" battle but unfortunately one side is grossly misinforming the public and the other is getting frustrated with the lack of integrity in the information being disseminated.

You and I may take different positions on the constitutionality of privacy in the digital age but unfortunately the courts are tilted my way more so than yours right now. That could change but I think it is prudent to put out accurate information so Joe Public is properly informed on their Charter Rights as you pointed out and how the Courts have overwhelmingly ruled that there is no expectation of privacy in basic ISP subscriber information therefore no charter breach.

Thank you

Jason Testart said...

Joe Public here.

I'm a service provider, and let's say I happen to intercept a private communication where my network is one of the end points of the communication (as allowed in sect 184 (2)(e) of the Code). Use and disclosure of that intercept is outlined in 184 (3), which points to sect 193 (2) of the Code.

Section 193 (2) appears to permit disclosure to a peace officer and CSIS without judicial authorization. It's not compelling, just permissive.

Now, the blog post is about facilitation of wiretap requests. The way I read this, a wiretap request for a communication that has yet to take place either requires judicial authorization or it's covered by sect 184.4. If the request is for an intercept that already exists (lawfully, for a purpose other than law enforcement) then the Criminal Code appears to permit disclosure in circumstances under 193 (2).

I'm sure there's something I'm missing, but that's because I'm Joe Public Service Provider.

Warren Bulmer said...

Hi Jason

Your analysis is a valid one. The key component being that the communication must have been lawfully intercepted and that it is in the interests of the administration of justice. I would also suggest that this situation is rare and what is more likely is the Police will use a search warrant (Judicial authorization) to obtain such records from an ISP under those circumstances. The Police just don't go asking Bell and Rogers for any private communications they may have on file as part of an IT event for the bad guy just because. Additionally, the circumstances of the lawful intercept have to be relevant and afford evidence of a criminal offence. Chances are that any communications intercepted by an ISP under section 184 (2)(e)(i) of the Code would not be.

The main circumstance I see your example being involved in is if someone hacked your website or somehow compromised your network and there was an investigation. [section 184 (2)(e)(ii)]. If private communication was somehow involved then I could see your scenario unfolding as you described it.

Bottom line is if the Police need to intercept the private communications for an individual they will seek prior judicial authorization (wiretap) because that increases the likelihood of its admissibility.

What I would add is that circumstances for 184.4 are also very rare. In April 2012, the Supreme Court of Canada actually ruled in a case called R vs. TSE that section 184.4 is unconstitutional. They gave Parliament 12 months to fix that section. I have included the link for the case if you are interested in reading it.

There are many safeguards in place in part 6 of the Code. Section 195 and 196 force the notification of any intercepts to individuals as well as reporting to the various Government bodies.

Unfortunately some blogs on the Internet generate paranoia. They survive in the theoretical or academic world of privacy not the real constitutional one. Many posts and commentary you read in these places are more like a "wish list" of what some would like to see for Privacy and they combine it with the Charter.

Police are governed by statute and common law and generally don't do things they don't have the authority to do.

Personally speaking as a police officer, I know firsthand what ISPs will or will not give with or without warrant. I can tell you that getting information without prior judicial authorization is tough and they protect their customers and frankly for the most part rightfully so.

The best advice I can offer Joe Public is to read carefully your agreements, terms of use and privacy policies with any Internet Service provider, social network or email service. It will clearly spell out what information they keep about you, what they do with your information and what they will give to Police when asked.

Is the law and are the Police always correct? Of course not, but be wary of those who would have you believe that there is some sort of "big brother agenda".

Thanks for the dialogue.

Warren Bulmer said...

A more accurate report of the truth behind LE requests for Skype:

privacylawyer said...

Thanks, Warren. I was going to write about that article later today.