Saturday, September 29, 2012

Nova Scotia trade union resurrects the USA Patriot Act boogeyman to prevent outsourcing

For those who have been following this topic in Canada, you'll remember that the first time that the USA Patriot Act appeared on the country's radar in earnest was when the British Columbia government proposed to outsource IT processing to the Canadian subsidiary of a US company. The union, most likely concerned about job losses latched onto the USA Patriot Act as the hook that would get some traction in the media and in the public mind.

That led to the inquiry by BC's Information and Privacy Commissioner, then amendments to that province's Freedom of Information and Protection of Privacy Act and then Nova Scotia's Personal Information International Disclosure Protection Act.

Now, somewhat predictably, the principal Nova Scotia trade union for public employees is resurrecting the boogeyman to try to stop outsourcing of IT services by the provincial government. We'll see how this plays out ...

Data at risk in private-sector deal | The Chronicle Herald

Union worried Nova Scotian’s records vulnerable

The province’s largest public-sector union is worried about the security of Nova Scotians’ information if the government contracts out information technology work in a deal workers say could total $100 million over 10 years.

Joan Jessome, president of the Nova Scotia Government and General Employees Union, said Thursday that there’s a vast amount and array of data in the SAP computer system. She said it includes everything from payroll numbers to procurement information and data from the Registry of Motor Vehicles.

“There probably isn’t a single Nova Scotian ... that has not been impacted by SAP,” Jessome said.

“(Our members) are telling us that we have reason, no matter what the agreement is, that once that (information) goes to an international company, we should always be concerned about how far that goes and what acts does it cover in different countries across the world.”

She said employees mentioned the Patriot Act in the United States, passed after the 9-11 attacks. It requires U.S. companies to provide records to the American government upon demand.

A 2005 provincial auditor general’s report raised a concern that U.S. companies with Canadian subsidiaries could also be compelled to turn over information. In 2006, the minority Tory government of the day passed the Personal Information International Disclosure Protection Act, meant to prevent U.S. authorities from inappropriately accessing Nova Scotians’ information under the Patriot Act.

Finance Department spokeswoman Michelle Lucas had said Wednesday that ensuring information is secure would be a top priority. She had no further comment on the potential outsourcing Thursday.

On Monday, government officials met with employees who run the system to tell them about the possibility their jobs will be contracted out. There are about 73 unionized workers, and another 35 who aren’t unionized. The non-union workers run the system for district health authorities and the IWK Health Centre.

Jessome said workers told her that the government is considering a 10-year contract for the work, worth $10 million a year.

Lucas had said Wednesday that a multinational firm approached the province last year about setting up a “global delivery centre” in the province. Its main office would be in Halifax, with a smaller one in Sydney.

Sources have said the firm is IBM Canada. Jessome said the government has told her which company, but she agreed to keep it confidential.

IBM Canada spokeswoman Carrie Bendsza said the company, which has employees in Halifax now, doesn’t comment on rumour or speculation. She also said it doesn’t reveal how many employees it has in individual cities or countries.

Jessome said there are currently eight union SAP information technology workers in Sydney, three in Truro, and the rest in Halifax.

Lucas has said that if the province does make a deal with the company, all affected provincial employees would be offered a job. Jessome said many have already indicated they wouldn’t take it.

She said they’d lose the security of being in the union, the work week would likely go up to 40 hours from 35, their pension plan would change to defined contribution from defined benefit, and they could face months-long placements at the company’s other locations, such as China and India.

“They’re certainly concerned about their jobs, no question, but the other thing that they were scared of is the security of information,” Jessome said.

Lucas also said the potential contracting out isn’t being considered as a cost-cutting measure, but as an economic development opportunity in the hope of creating more jobs.

The province has spent many millions on the SAP system since first adopting it in 1996, with some projects going over budget, and the system not always working properly.

Thursday, September 27, 2012

Supreme Court upholds children's privacy, allows cyberbullying victim to proceed anonymously

The Supreme Court of Canada's decision in AB v. Bragg Communications, 2012 SCC 46 has just been released and the Court has allowed the appeal in part. The decision supports the right of a child victim of cyber-bullying to proceed in the civil courts anonymously.

In the interests of full disclosure, I need to state that my firm represented the victim and my partners Michelle Awad and Jane O'Neill argued the case at the Supreme Court of Canada.

Here is the headnote:

Courts — Open court principle — Publication bans — Children — 15‑year old victim of sexualized cyberbullying applying for order requiring Internet provider to disclose identity of person(s) using IP address to publish fake and allegedly defamatory Facebook profile — Victim requesting to proceed anonymously in application and seeking publication ban on contents of fake profile — Whether victim required to demonstrate specific harm or whether court may find objectively discernable harm.

A 15‑year old girl found out that someone had posted a fake Facebook profile using her picture, a slightly modified version of her name, and other particulars identifying her. The picture was accompanied by unflattering commentary about the girl’s appearance along with sexually explicit references. Through her father as guardian, the girl brought an application for an order requiring the Internet provider to disclose the identity of the person(s) who used the IP address to publish the profile so that she could identify potential defendants for an action in defamation. As part of her application, she asked for permission to anonymously seek the identity of the creator of the profile and for a publication ban on the content of the profile. Two media groups opposed the request for anonymity and the ban. The Supreme Court of Nova Scotia granted the request that the Internet provider disclose the information about the publisher of the profile, but denied the request for anonymity and the publication ban because there was insufficient evidence of specific harm to the girl. The judge stayed that part of his order requiring the Internet provider to disclose the publisher’s identity until either a successful appeal allowed the girl to proceed anonymously or until she filed a draft order which used her own and her father’s real names. The Court of Appeal upheld the decision primarily on the ground that the girl had not discharged the onus of showing that there was evidence of harm to her which justified restricting access to the media.

Held: The appeal should be allowed in part.

The critical importance of the open court principle and a free press has been tenaciously embedded in the jurisprudence. In this case, however, there are interests that are sufficiently compelling to justify restricting such access: privacy and the protection of children from cyberbullying.

Recognition of the inherent vulnerability of children has consistent and deep roots in Canadian law and results in the protection of young people’s privacy rights based on age, not the sensitivity of the particular child. In an application involving cyberbullying, there is no need for a child to demonstrate that he or she personally conforms to this legal paradigm. The law attributes the heightened vulnerability based on chronology, not temperament.

While evidence of a direct, harmful consequence to an individual applicant is relevant, courts may also conclude that there is objectively discernable harm. It is logical to infer that children can suffer harm through cyberbullying, given the psychological toxicity of the phenomenon. Since children are entitled to protect themselves from bullying, cyber or otherwise, there is inevitable harm to them — and to the administration of justice — if they decline to take steps to protect themselves because of the risk of further harm from public disclosure. Since common sense and the evidence show that young victims of sexualized bullying are particularly vulnerable to the harms of revictimization upon publication, and since the right to protection will disappear for most children without the further protection of anonymity, the girl’s anonymous legal pursuit of the identity of her cyberbully should be allowed.

In Canadian Newspapers Co. v. Canada (Attorney General), [1988] 2 S.C.R. 122, prohibiting identity disclosure was found to represent only minimal harm to press freedom. The serious harm in failing to protect young victims of bullying through anonymity, as a result, outweighs this minimal harm. But once the girl’s identity is protected through her right to proceed anonymously, there is little justification for a publication ban on the non‑identifying content of the profile. If the non‑identifying information is made public, there is no harmful impact on the girl since the information cannot be connected to her. The public’s right to open courts –and press freedom – therefore prevail with respect to the non‑identifying Facebook content.

Wednesday, September 26, 2012

Landmark cyberbullying and children's privacy decision expected from Supreme Court of Canada

The Supreme Court of Canada will tomorrow release its decision in the appeal of A.B. v. Bragg Communications Inc., 2011 NSCA 26. At issue is whether a young person can initiate a legal proceeding under a pseudonym in circumstances where the young person is seeking information to identify a cyberbully. In addition, the Court will consider the imposition of a publication ban on the details of the underlying defamation.


Here are the details from the SCC:

Supreme Court of Canada - Decisions - Judgments to be Rendered in Appeals

34240 A.B. by her Litigation Guardian, C.D. v. Bragg Communications Incorporated, a body corporate and Halifax Herald Limited, a body corporate

(Publication Ban in Case) (Sealing Order)

Civil procedure ‑ Confidentiality orders ‑ Defamation ‑ Appellant applying for order requiring disclosure of identity of persons who used particular IP address to create fake profile on Facebook ‑ Appellant also applying for permission to proceed by way of initials and for order prohibiting publication of allegedly defamatory statements in profile ‑ Whether a minor seeking a civil remedy for online sexualized bullying should be entitled to bring a motion to determine the identity of the intended defendant using a pseudonym and under a publication ban concerning the substance of the statement ‑ Whether a court should take notice of the inherent vulnerability of young people subject to online sexualized bullying and the serious risk of harm to them if they are required to republish the comments and reveal their identity to seek a remedy, in considering if a confidentiality order and publication ban should be granted ‑ Whether a court can invoke its parens patriae jurisdiction to protect a child, in considering whether a confidentiality order and publication ban should be granted for a child subject to online sexualized bullying ‑ Whether media that choose to intervene in a motion for a publication ban should be entitled to costs if the motion is not successful, particularly when the motion involves interests broader than those of the applicant.

The appellant became aware of a fake profile on the social networking website Facebook, which included a photograph of the appellant, a slightly modified version of her name, and other particulars which identified her. The fake profile also discussed the appellant’s physical appearance, her weight, and allegedly included scandalous sexual commentary of a private and intimate nature. The appellant, by her litigation guardian, applied in chambers for an order requiring the respondent Bragg Communications to disclose the identity of the persons who used a particular IP address to perpetrate the alleged defamation. As additional relief, the appellant sought an order which would allow her to proceed by pseudonym (initials), and as well, a partial publication ban to prevent the public from knowing the words contained in the fake Facebook profile. LeBlanc J. granted the disclosure order but refused the additional relief sought. The Court of Appeal upheld that decision.

Origin of the case: Nova Scotia

File No.: 34240

Judgment of the Court of Appeal: March 4, 2011

Counsel: Michelle Awad, Q.C. for the appellant
Daniel W. Burnett as Amicus Curiae

Who polices political parties' privacy practices? Nobody.

The recent minor scandal resulting from the Immigration Minister's mass e-mailing to members of the LGBT community has again focused attention on the fact that Canadian political parties are beyond the jurisdiction of Canada's public sector and private sector privacy laws.

See: Political parties operate outside Canada's privacy laws - Politics - CBC News.

This is not the first time that this gap has been noticed. Check out a few of the past examples from this blog by clicking the "political parties" tag.

Tuesday, September 25, 2012

Government email to gay community leads to privacy concerns

An e-mail from the office of Canadian Immigration Minister Jason Kenney that was targeted to members of the LGBT community has many people concerned that the government is maintaining databases of highly sensitive information like sexual orientation. See: Government email to gay community causes privacy concerns - Politics - CBC News.

Saturday, September 22, 2012

Mobile and location privacy presentation

This past week, I co-chaired the Canadian Institute's Privacy Law and Compliance conference in Toronto. I also gave a presentation on Mobile and geolocation privacy issues.

In case you're interested, here it is:

Friday, September 21, 2012

Ontario Information Privacy Commissioner blesses cross-border outsourcing of province's hunting and fishing license system

This decision from the Information and Privacy Commissioner of Ontario snuck under my radar this summer while I was on vacation.



This investigation is the result of a complaint brought by a Member of the Provincial Parliament about the Ontario Government's decision to outsource the processing and management of fishing and hunting licenses to a US-based business. The Commissioner did a thorough investigation and I am told they were pleasantly surprised by what they found. With regard to the USA Patriot Act, the Commissioner wrote:



The PATRIOT Act



The complainant has expressed concerns that the personal information of Ontarians will be subject to and accessible under American laws, including the PATRIOT Act. It is important to remember that, in Ontario, there is no legislative prohibition against the storing of personal information outside of the province or Canada. In other words, Ontario law, including the Act, does not speak to this issue. However, the Act and its regulations do require provincial institutions to ensure that reasonable measures are in place to protect the privacy and security of their records containing personal information. This applies regardless of where the records are located. Further, Ontario provincial institutions remain accountable for the actions of their agents or service providers, whether located in Ontario or in other jurisdictions.



I understand the complainant’s concern that the PATRIOT Act may be used by U.S. law enforcement agencies to access Ontarians’ personal information. However, the risk that law enforcement agencies may access personal information is not restricted to information held in the U.S. In fact, Canadian law enforcement agencies have similarly robust legal powers to obtain personal information held in Canada, and similar powers exist throughout most countries in the world. Further, law enforcement agencies in Canada, the U.S. and other countries have the ability to reach across borders to access personal information under various laws and agreements.



In this regard, the federal Privacy Commissioner of Canada has found that the privacy risks posed by the PATRIOT Act are similar to those found in Canada and, therefore, the privacy protection afforded by a U.S. service provider is comparable to that of a Canadian-based provider. In particular, the federal Privacy Commissioner has stated:



The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities.


The federal Privacy Commissioner has also found that prior to the passing of the PATRIOT Act, U.S. authorities were able to access records held by U.S.-based firms relating to foreign intelligence gathering in a number of ways, including through formal bilateral agreements.3



Canadian legal scholars and practitioners have also carefully examined and commented on the privacy implications of the PATRIOT Act. Professor Michael Geist, Canada Research Chair in Internet and E-commerce Law, has written:



Claims that the enactment of the USA Patriot Act has dramatically altered the legal landscape are simply false. The U.S. law enforcement toolkit, which allows for the compelled, secret disclosure of personal information, pre-dates the USA Patriot Act by decades. Suggestions that the problem can be solved by keeping personal information from flowing outside the country are not realistic from a real-world, commercial perspective, where data is transferred and stored instantly on computer servers in other jurisdictions without regard for location.


David T.S. Fraser, a prominent Canadian privacy lawyer, has also been very clear in writing:



Most people are surprised to learn that some of the most “problematic” provisions of the USA Patriot Act are replicated in Canadian law in the Anti-Terrorism Act. We just don’t hear about it as much. People are also surprised to learn of huge amount of information sharing that takes place between agencies in Canada and their counterparts in the US.


The Act does not prohibit provincial institutions from outsourcing services on the basis that foreign law, including the PATRIOT Act, may apply. Similarly, there is no prohibition on the storage of personal information by government institutions outside the province. In fact, as noted by Professor Geist, outsourcing of technology services is a reality, whether by government agencies or private sector companies. Personal information may be subject to disclosure to law enforcement authorities, whether stored in the province or elsewhere. The critical question for institutions which have outsourced their operations across provincial or international borders is whether they have taken reasonable steps to protect the privacy and security of the records in their custody and control. I have always taken the position that you can outsource services, but you cannot outsource accountability. With this in mind, I now turn to consider what measures the Ministry has put into place in the circumstances of this complaint.





The decision is worth reading in its entirety: IPC - Office of the Information and Privacy Commissioner/Ontario | Reviewing the Licensing Automation System of the Ministry of Natural Resources: A Special Investigation Report [PC12-39].

Tuesday, September 18, 2012

Guest post: A police officer's take on informational privacy and the police in the digital age

Warren Bulmer is a detective constable with the Toronto Police and an instructor on Computer and Technology Facilitated Crime for the Toronto Police College. Recently, Warren has written comments on some of the posts about lawful access on this blog that show a perspective on the issue that differs from what I usually write. I invited Warren to write a guest post as it would be helpful for readers of this blog and those interested in the lawful access debate to hear things from his perspective.


Informational Privacy and the Police in the Digital Age

Background

In the past 12 months there has been much attention paid to the issue of “lawful access” and what information police can obtain about your digital trail.  Unfortunately, many of those who write online posts, blogs and communications seem to misunderstand or in some cases grossly mischaracterize such issues.  

Let’s leave aside for a moment, the issues of Internet users who post public information to social networks without any privacy settings.  The reason; the police and any other citizen can access that information and use it for any purpose thereby making any subsequent claim to an expectation of privacy, absurd.  Having said that, one must understand that if the police intend on using that information in a criminal prosecution, they must account for how it was obtained and for their authority to obtain it.

The police have many authorities that govern how they obtain information, which can be with or without a search warrant.  The most common authorities come from Statutes both Federal, like the Criminal Code and Provincial, like the Highway Traffic Act.  Police are also governed by common law, which is derived from the decisions made at various levels of Canadian courts.

The Charter of Rights and Freedoms Section 8 protects citizens against “unreasonable search and seizure” and the key term is “unreasonable”.  In a Supreme Court of Canada decision Hunter v. Southam, [1984] 2 S.C.R. 145 the court outlined that a search (by the State) without prior judicial authorization (i.e. a warrant) is presumed to be unreasonable.  The State has to justify or explain why a search is reasonable if they didn’t have a warrant.  There are also six exceptions written into law where the police are exempt from having to obtain a warrant.  They are consent, abandonment, incident to arrest, investigative detention, exigent circumstances and plain view.  

Informational Privacy

We are all given a name at birth.  Our name identifies us and distinguishes us from each other.  We provide our name to others to connect and address one another.  We have all given our name in various contexts hundreds if not thousands of times and it is safe to say that it is the purpose for our name.  Many of us wear our names on ID cards as we walk around in the public domain yet somehow it is expected that when we use the Internet our name becomes this secret entity hidden behind screens and wires.  

The Internet encourages people to believe that they are completely anonymous online however; when carefully deconstructed one can see that technology has made us more vulnerable than ever.  Every device we use creates a digital record, every time we go to the mall we are captured on dozens of high definition security cameras, and when we use an ATM the entire transaction is captured.  When you use the Internet there can be a digital trail that when followed could lead back to you.

As an Internet user you require an Internet Service Provider or Telecommunications company to facilitate that access.  ISPs are private companies like Bell Canada, or Rogers Communications and their business model requires the ability to maintain customer databases for their Internet subscribers for the purposes of billing.  These databases contain information such as your name, address, phone number, email address and credit card or banking information.  The ISPs are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) which legislates the collection, use and disclosure of your personal information by private companies. The Police have no authority to search under PIPEDA.

The ISP provides the mechanism to connect to the Internet by assigning a user an Internet Protocol (IP) address.  This unique number is assigned to the customer (subscriber) and is logged with a date and time reference as to when it was used and by whom.  This is the central issue in the whole “lawful access” debate.  

Your name, which is generally not entitled to Charter protection, is now attached to an IP address which proponents argue means that it should attract Section 8 protection. Their argument is basically derived from the belief that if the police have your name associated to an IP address, they therefore can construct a complete picture of your “electronic trails” on the Internet.  This concept is not technically possible despite the so-called “wishes” of the police.  One of many parameters is that IP addresses are dynamic and constantly change between customers.  A computer must be physically examined to learn of those electronic trails or traces.

PIPEDA supports the notion that an ISP may voluntarily provide police with customer name and address information when asked without the knowledge or consent of the customer.  These provisions are provided for in 7(3) of the Act.  If the ISP does not decide to disclose the information which by the way is only a name, address and email address then the police would have to seek judicial authorization to obtain it.  For example, in child exploitation cases many ISPs will voluntary disclose the names and addresses of customers who may be involved in offences involving child pornography or child luring.  In fraud cases for example, ISPs have refused to voluntarily provide this information and directed police to obtain a court order for it.  In this circumstance, the information remains the same and all that is accomplished is the police, the victim and the justice system as a whole, suffer unnecessary delay.

PIPEDA does not grant the police any powers or authority and neither does the newly proposed lawful access Bill C-30 (Preventing Criminal Electronic Communications Act).  Equally however; PIPEDA also does not grant citizens an extraordinary Section 8 Charter protection. The crux of this debate is the misrepresentation of “personal information”.  Section 2 of PIPEDA defines personal information as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization”.  Section 3 of PIPEDA is the stated purpose of the Act: “The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Herein lays the fundamental flaw in the argument that customer names subscribed to an Internet Service attract Section 8 protection. The definition provided in PIPEDA of “personal information” is completely different than the constitutional definition provided for in Section 8 of the Charter.   In 1993, the Supreme Court of Canada determined what information is subject to Section 8 protection in a case called Plant (R. v. Plant, 1993 CanLII 70 (SCC), [1993] 3 SCR 281) stating the following: “In fostering the underlying values of dignity, integrity and autonomy, it is fitting that s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. This would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual.”  

It becomes clear then that PIPEDA cannot be used to solely determine if there was a valid breach under Section 8 of the Charter.  It requires an analysis in the totality of the circumstances.  This approach was confirmed by the Nova Scotia Court of Appeal in Chehil (R. v. Chehil, 2009 NSCA 111).  The Supreme Court provided the same criteria back in 1996 in Edwards (R. v. Edwards, [1996] 1 SCR 128) using a list of factors to potentially be considered in evaluating but not limiting the totality approach.  They can be found at paragraph 45 of the judgement.

The police don’t seek customer names or IP address subscribers under PIPEDA.  Their authority to ask for the information voluntarily comes from Section 487.014(1) of the Criminal Code which makes it clear that production orders (prior judicial authorization) are not necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament from asking a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

 In 2004, the Supreme Court of Canada stated in Tessling (R. v. Tessling, [2004] 3 S.C.R. 432) at paragraph 26, “Nevertheless, Plant clearly establishes that not all information an individual may wish to keep confidential necessarily enjoys s. 8 protection”.  

Section 8 of the Charter does cover Informational Privacy and when assessing the facts on each case the Courts have evaluated a number of factors.  Included in these decisions is the relationship between the ISP and the customer usually disclosed in the form of a contract.  Most ISP have conditions or terms of use that a customer must agree to in order to use the Service.  These terms are typically phrased similarly to: “The client is warned that they must not use the service in a manner contrary to an applicable law” or “the client “agrees” that the named ISP has the right to monitor or investigate the use by the client of the network and to disclose any information necessary to satisfy any laws … or other governmental request … as necessary”.  These contractual terms fall under the analysis of the totality of circumstances when evaluating an objective or subjective expectation of privacy enjoyed by the customer.  

The argument over whether or not a name and address associated to an IP address deserves Section 8 protection is not a new one.  In fact, to the contrary, it has been litigated in numerous cases across Canada.  Here are just some of those case citations where no expectation of privacy was found in a name and address of an individual:

R. v. Wilson, [2009] O.J. No. 1067 (S.C.)

R. v. Ward, [2008] O.J. No. 3116 (C.J.)

R. v. Friers, [2009] O.J. No. 5646 (C.J.)

R. v. Trapp, [2009] S.J. No. 32 (Prov. Ct.)

R. v. Vasic, [2009] O.J. No. 685 (S.C.)

R. v. Spencer, [2009] SKQB No. 31

R. v. Ewanshyn, [2009] unreported AltaCA

R. v. Brown, [2000] O.J. No. 1177 (S.C.)

R. v. Lillico (1994), 92 C.C.C. (3d) 90 (Ont. C.A.)

R. v. McNeice, [2010] B.C.J. No. 2131 (B.C.S.C.)

R v. McGarvie, 2009 CarswellOnt 500 (Ct. Jus.)

To be fair, many of these cases relied heavily on the contractual terms and agreements between the customer and their ISP but some did find no expectation of privacy regardless of those terms.   There are a few decisions in the lower level courts that did rule in favour of a Section 8 protection of CNA such as Kwok (R. v. Kwok, [2008] O.J. No. 2414 (C.J.) but there was no information about the contractual relationship entered into evidence.  So it is not that we keep score but it is fair to say that there is a significant amount of cases that after careful judicial analysis, declare there is no constitutional protection afforded to a person’s name.  To argue differently implies there has been a large number of trial Judges who got it wrong.  

To put things into context on informational privacy, the police do not need a warrant to type the licence plate of a car into their computer system to learn the name and address of the registered owner.  The police do not need a warrant to get the registered name and address of a cellular or residential phone number.  Many of these items of personal description do not meet the threshold of a subjective expectation of privacy due to the lack of an objective reasonableness in that belief.  We are talking about one of the least intrusive searches the police can engage in.  There is no physical search by police through the Bell Canada servers and despite what you have heard no spying of a person’s Internet browsing.  

Reality Check

According to 2011 Internet Statistics, there were over 3.1 billion email accounts globally.  Does anyone realistically think the police have the time or resources to sneak a peek or read the trillions of messages exchanged?  There are over 17 million Canadians on Facebook each with an average friend’s list of 150 friends.  In 2010, there were 25 billion tweets sent out on Twitter.  In February 2012, police announced the take down of 60 individuals involved in child pornography offences and revealed that the overall investigation involved 9000 IP addresses and several hundred suspects who will go unprosecuted.

In all of these electronic “cybernetic peregrinations” to quote the Supreme Court of Canada in Morelli (R. v. Morelli, 2010 SCC 8) the police have to obtain IP logs and customers associated to this data if commencing a criminal investigation in relation to them.  When police require this information and it is not voluntarily supplied by the ISP for whatever reason they have to seek a court order called a Production Order.   Section 487.012 of the Criminal Code is the authority police have to do this.  Most companies require a minimum of 30 days to comply with this order.  If it is an emergency, that being imminent losses of life or grievous bodily harm, most ISPs have an emergency form that the police can use.  The determination of what constitutes an emergency is not necessary made by the police but the ISP ultimately.  It still reverts back to what was written earlier, the police can ask and the ISP can say “yes or no”.  

A great example of this impasse is the recent situation in New York.  The NYPD had information a person was going to attend a Mike Tyson show at a particular theatre and commit mass murder.  He posted it on Twitter and when the NYPD served Twitter with an emergency request to identify this person, Twitter refused and stated it wasn’t a bonafide emergency.   Twitter forced the NYPD to obtain a court order which took valuable time and resources.  Read more about this case here.  What’s troubling is Twitter’s position in light of the fact it occurred shortly after the 2 mass shooting sprees in Colorado and Wisconsin.  Had the suspect actually shown up at the theatre and shot people before police could have arrested him, who would have taken the brunt of the blame? The police?  I am curious to know what the people attending the theatre show that night thought.  I mean the police took the threat seriously what more could they have done?  Where is the public bashing for Twitter?  

Lawful Access

The proposed Bill C-30 by the Federal Government announced in February this year is an attempt to alleviate some of these concerns.  In the above scenario, if in Canada, Twitter would have no choice but to provide the name.  The proposed Bill would change the voluntary discretion of an ISP to provide a name and address to the Police, by making it mandatory.  (Section 16(1) of the Investigating and Preventing Criminal Electronic Communications Act).

The Bill is certainly not without its flaws, but no piece of legislation is perfect.  What’s important is that public safety and the pursuit of criminals is paramount and the legislation or something like it is necessary to achieve these basic police functions.  The justice system cannot continue to stall for 30, 60 or 90 days because a private company determines how the police are to conduct a criminal investigation.  The criteria the police require to ask for the information remains the same as it is now.  It remains a lawful request, which the police are accountable for and will be scrutinized if they abuse this authority.  Their authority also remains unchanged in that the request has to be based on their existing mandates and authorities.  The Bill does not guarantee against an abuse of process or investigative errors but neither does the system we have now.

On a positive note the Bill mandates tracking, recording and other administrative oversights of the police use of lawful requests.  This is not currently done or even mandated under PIPEDA.  The police and the public have no idea of knowing how many times we have asked for someone’s information because we aren’t keeping track.  This is unacceptable the police should be accountable for such requests and the public should be able to demand through the freedom of information process how often the police make these types of requests.  The public may not be able to learn the details for each one because of confidentiality, ongoing investigations or a court ordered prohibition but at the very least the public should know how often these requests are made.

Wrap up

I share the same concerns as many people about how the Internet, particularly social networks, is creating a database of epic proportions.  But in fairness, as a user, are you not responsible for the content you choose to share?  I would be more worried about what the Facebook’s, the Google’s and the Apple’s of the world are collecting about me than the police.  If you are a law-abiding citizen and don’t use the Internet to facilitate, perpetrate or associate with criminal activity than you don’t really exist for the police.  

There are times when victims are caught up in these situations where their Internet activity becomes a relevant issue but overall “Joe-q-public” has nothing to fear.  If you are a criminal and you choose to involve the Internet in your life, be warned.  The police are there; they are getting better at finding you in the anonymous World Wide Web with or without a warrant and you should be concerned.  The courts generally see the Internet for what it is; a public domain and if you choose to incriminate yourself while using technology, you have nobody to blame but yourself.

Warren Bulmer

Detective Constable (1406)

Toronto Police Service

Instructor – Computer and Technology Facilitated Crime

Toronto Police College - Criminal Investigation Section

416-808-4882 (direct)

warren.bulmer@torontopolice.on.ca 

Author’s Bio

Detective Constable Warren Bulmer has been a member of the Toronto Police Service since 1990.  Detective Constable Bulmer’s policing career has been predominantly spent within the field of criminal investigation including a total of 11 years assigned to Major Crime and the Child Exploitation Section of the Sex Crimes Unit.  Detective Constable Bulmer continues to be an International instructor in the area of computer-facilitated crime having lectured over 2500 Police and Prosecutors in 11 different countries to date.  Detective Constable Bulmer has taught at the Canadian Police College and the Ontario Police College where he still teaches on a part time basis. From 2005 to 2009 he was a qualified Computer Forensic Examiner and has testified in court as an expert in various capacities relating to digital evidence.  For the past 3 years, Detective Constable Bulmer has specialized in the area in Social Networks and is called upon by Police all over Canada to teach how law enforcement can balance the right to investigate with the protections afforded to citizens under the Charter. As a member of the Toronto Police College for the past 3 years, Detective Constable Bulmer continues to instruct on conducting computer and Internet investigations, the lawful search and seizure of electronic devices as well as the identification, categorization and management of digital evidence.

Warren is a published writer of many articles and a contributing author to a book entitled “Evidence and Investigation: From the Crime Scene to the Courtroom” by Emond Montgomery Publications.        http://www.emp.ca/evidence-and-investigation-from-the-crime-scene-to-the-courtroom.html 

 

Article References

  1. Case law citations as provided
  2. http://royal.pingdom.com/2012/01/17/internet-2011-in-numbers/ 
  3. R v. David WARD Ontario Court of Appeal, 2012, Court file #C50206, Respondent’s (MINISTRY OF THE ATTORNEY GENERAL) Factum
  4. Criminal Code of Canada http://laws-lois.justice.gc.ca/eng/acts/C-46/ 
  5. PIPEDA (Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html 
  6. Bill C-30 (Investigating and Preventing Criminal Electronic Communications Act)

http://www.parl.gc.ca/HousePublications/Publication.aspx?Docid=5380965&file=4