Apparently my testimony tomorrow at the House of Commons Justice and Human Rights committee on Bill C-13, the Protecting Canadians from Online Crime Act will not be webcast. Nor will it be on C-PAC or available on Pay Per View at your local arena. So, in case you are interested in what I plan to say, here you go ... (subject to tweaking as I finalize the text)
Introduction
Thank you very much for providing me with the opportunity to speak with you today.
For the purposes of introduction, my name is David Fraser. I’m a partner with the Atlantic Canadian law firm McInnes Cooper, but I do need to emphasise that I am here speaking as a private individual and my comments should not be attributed to my firm, its clients or any other organization with which I am affiliated.
I have been practicing internet and privacy law for over a dozen years. I have represented a range of clients over the years, including victims of cyberbullying, victims whose intimate images have been posted online, and I have represented and advised service providers.
Most notably, I was part of a team at my firm that took the case of a 15 year old victim of cyberbullying to the Supreme Court of Canada, pro bono. This was the first time that the Court had the opportunity to consider the phenomenon of cyberbullying and the unanimous Court came out very strongly to protect the interests of the victim of sexualized cyberbullying.
I have also advised people who have been accused of cyberbullying. I hope that this experience from a number of different perspectives will provide this Committee with some assistance in its important task of considering Bill C-13.
Bill C-13 as a whole
I am disappointed that Bill C-13 combines two very different but related matters: the dissemination of intimate images, on one hand, and law enforcement powers more generally, on the other hand. Both aspects raise very important issues that merit close scrutiny but we are seeing that debate about police powers is overshadowing the discussion of cyberbullying.
That said, we have one bill in front of us and I’m pleased to provide you my thoughts.
Intimate Images
It has been suggested that Bill C-13, if it had been in force, could have saved Amanda Todd and Rehtaeh Parsons. That makes a good soundbite, but the world is much more complicated than that. Creation, possession and dissemination of child pornography is already a crime. So is the creation, possession and dissemination of voyeurism images. So is extortion. So is criminal harassment.
That said, there is a gap that we should fill: the malicious dissemination of intimate images without the consent of the person depicted in them.
We need to be very careful about how we craft this offence. The current reality is that young people and adults, whether we like it or not, take photos of themselves and voluntarily share them with intimate partners. Those digital images can easily be spread around without the consent of the of the person depicted.
We want to criminalize the boyfriend who posts pictures of his ex-girlfriend online without her consent -- so-called “revenge porn”. We want to criminalize the actions of the person who forwards around images of current or former intimate partners. In each of those cases, the individual would know -- or ought to have known -- whether they had the consent of the person depicted in the image.
But we shouldn’t inadvertently criminalize behaviour that is not blameworthy: someone finds a picture online of someone naked and forwards it to a friend. That person knows nothing about the circumstances in which the photo was taken. It could be a professional model. The photo may have been posted by the person in the photo herself. There’s no way to tell whether consent was obtained, whether there was any expectation of privacy at the time the photo was taken and the individual has no way of determining this.
The real challenge arises when addressing third parties who do not know the person depicted in the image, nor do they know the circumstances under which the image was taken. The provisions in the bill use a “recklessness” standard, which in my view is too low. Recklessness applies where a person should have looked into it but decided to be “willfully blind”. However, given the huge amount of naked images online, it is not possible to “look into it.”
This is especially important for online service providers who have no way of knowing and no way of finding out the circumstances under which an image was taken or uploaded.
We need to be especially attentive to crafting the law so that it will survive a challenge in the Courts and “recklessness” poses the risk of having the law struck down or making criminals out of people who are not truly blameworthy.
Police powers
Transmission data
Bill C-13 creates a “Production Order for Transmission Data” (section 487.016) and a “Warrant for Transmission Data Recorders” (section 492.2). It has been said that the purpose of the transmission data provisions of the Bill is to extend the current police powers -- that are coupled with judicial oversight -- related to telephony information to the internet age, without significantly extending the status quo.
While this may be a reasonable objective, this must be done very carefully because “transmission data” is significantly different from traditional telephony signalling data.
With conventional telephony, “transmission data” refers to the number called from, the number called, whether the call was completed and the duration of the call. In the internet context, the amount of information and what it reveals is dramatically different. It would include the IP address of the originating computer, information about the computer, the browser or other program being used, the internet communications protocol being used (web surfing, file transfer, peer-to-peer, voice over IP, video conferencing, etc.), the IP address or domain name of the server or computer being communicated with, URL of the page visited and whether the transmission was completed. An interception of “transmission data” would tell law enforcement agencies whether the target of the surveillance was visiting a search engine (and possibly what is searched for), an encyclopaedia (and again, what is being viewed), a poker site or a medical site. Furthermore, the data will also provide greater insight into the likely physical location of the surveillance target. This is a dramatic expansion of the information provided compared to traditional telephone communications.
Individuals use computer assisted communications in a very different manner than the telephone system. A telephone call is usually a singular event that creates one small packet of transmission data. A browsing session will create a new packet for each page or site visited, which amounts to many, many packets during a session. And information about what sites are visited and in what sequence also communicate -- by inference -- information about the content of that communications. Finally, individuals use web browsers for many purposes that go well beyond the traditional uses of telephones.
Even with the express exclusion of “content” from the definition, transmission data may provide insight into the content of the communications. And in any event, internet transmission data will provide law enforcement agencies with information that goes to the biographical core of the target of the surveillance, which triggers a need for heightened legal protections under s. 8 of the Charter.
The increased privacy intrusion represented by these new law enforcement powers can be mitigated in either of the following two ways:
(a) the extension of the current lawful access to telephony transmission data to other forms of transmission data should be accompanied by a higher threshold: from “reasonable grounds to suspect” to “reasonable grounds to believe”; or
(b) the definition of “transmission data” should be refined to strictly limit the scope of what is included so that it much more closely tracks telephony transmission data.
Notice to the affected individuals
On important element is missing from all of this … the individual whose information is being sought. I am of the view that the police or government agency seeking information about an individual should inform him or her as soon as doing so would not prejudice the lawful investigation. This should be no later than six months after the information is sought, unless a judge orders otherwise.
Immunity
The immunity provisions in the new s. 487.0195 are gravely problematic. This is a very cleverly drafted provision. We are told that this is simply “for greater certainty”, but everything we know suggests otherwise. It says you will not be liable for handing over any data that you are not prohibited by law from handing over, and if you do so you are civilly immune.
Only the criminal law creates real legal prohibitions. Handing over data might not be a criminal offense, but it may create civil liability. This civil liability is there for a reason. I may not be legally prohibited from accidentally - emphasis on “accidentally” -- hitting your car with mine, but I certainly should be liable to pay for the harm that I cause. This is an incentive for me to pay attention when I am driving. Likewise, service providers should have to think about all the interests involved before handing over data, willy-nilly. This provision should be removed. It cannot be fixed and will only encourage over-reaching by law enforcement.
This is not simply providing needed clarity, but taking rights away from citizens.
While we don’t have Bill S-4, the Digital Privacy Act, in front of us, I am concerned that we are weakening Canadians’ privacy under the guise of protecting it. While this immunity provision tells service providers, “it’s OK, hand it over”, the new provisions in S-4 underscore that and seem to allow any business to hand over customer information to police, government and other businesses without any due process and without any notice to the affected individual. This is a very regressive step