Showing posts with label law enforcement. Show all posts

Wednesday, March 27, 2013

Supreme Court of Canada says that wiretap order is required to obtain text messages

The Supreme Court of Canada released its decision this morning in the case of R. v. TELUS Communications Co., 2013 SCC 16.

The question the court had to answer was whether the police should be required to get an interception order under the Criminal Code to obtain the contents of text messages being sent and received by a customer of TELUS Communications. The answer was yes.

TELUS Communications, for reasons that are unclear to me, keeps all customer text messages for thirty days. The police sought from TELUS copies of all text messages sent and received by one of their customers, on a daily, rolling basis. So each day, the telco would have to hand over the text messages from the preceding 24 hours.

Instead of getting an interception order under the Criminal Code, the police used a residual, catch-all provision for a “general warrant”, which is usually only available if there is no other applicable form of order to obtain the information. The majority of the Supreme Court of Canada determined that, notwithstanding that the text messages were provided after the fact and from a cache, it amounted to an interception of private communications and an interception order – with its higher burden on the cops – should be applicable. There are some strong dissents, including from the Chief Justice, which are worth looking at.

Here is the headnote:

Criminal law — Interception of communications — General warrant — Telecommunications company employing unique process for transmitting text messages resulting in messages stored on their computer database for brief period of time — General warrant requiring telecommunications company to produce all text messages sent and received by two subscribers on prospective, daily basis — Whether general warrant power in s. 487.01 of Criminal Code can authorize prospective production of future text messages from service provider’s computer — Whether investigative technique authorized by general warrant in this case is an interception requiring authorization under Part VI of Criminal Code — Whether general warrant may properly issue where substance of investigative technique, if not its precise form, is addressed by existing legislative provision — Criminal Code, R.S.C. 1985, c. C‑46, ss. 487.01.

Unlike most telecommunications service providers, TELUS Communications Company routinely makes electronic copies of all the text messages sent or received by its subscribers and stores them on a computer database for a brief period of time. The police in this case obtained a general warrant and related assistance order under ss. 487.01 and 487.02 of the Criminal Code requiring Telus to provide the police with copies of any stored text messages sent or received by two Telus subscribers. The relevant part of the warrant required Telus to produce any messages sent or received during a two‑week period on a daily basis. Telus applied to quash the general warrant arguing that the prospective, daily acquisition of text messages from their computer database constitutes an interception of private communications and therefore requires authorization under the wiretap authorization provisions in Part VI of the Code. The application was dismissed. The focus of the appeal is on whether the general warrant power can authorize the prospective production of future text messages from a service provider’s computer.

Held (McLachlin C.J. and Cromwell J. dissenting): The appeal should be allowed and the general warrant and related assistance order should be quashed.

Per LeBel, Fish and Abella JJ.: Part VI of the Criminal Code provides a comprehensive scheme for “wiretap authorizations” for the interception of private communications. The purpose of Part VI is to restrict the ability of the police to obtain and disclose private communications.

Telus employs a unique process for transmitting text messages that results in the messages being stored on their computer database for a brief period of time. In considering whether the prospective, daily production of future text messages stored in Telus’ computer falls within Part VI, we must take the overall objective of Part VI into account.

Text messaging is, in essence, an electronic conversation. Technical differences inherent in new technology should not determine the scope of protection afforded to private communications. The only practical difference between text messaging and traditional voice communications is the transmission process. This distinction should not take text messages outside the protection to which private communications are entitled under Part VI.

Section 487.01 of the Code, the general warrant provision, was enacted in 1993 as part of a series of amendments to the Code in Bill C‑109, S.C. 1993, c. 40. It authorizes a judge to issue a general warrant permitting a peace officer to “use any device or investigative technique or procedure or do anything described in the warrant that would, if not authorized, constitute an unreasonable search or seizure”. Notably, s. 487.01(1)(c) stipulates that the general warrant power is residual and resort to it is precluded where judicial approval for the proposed technique, procedure or device or the “doing of the thing” is available under the Code or another federal statute.

Section 487.01(1)(c) should be broadly construed to ensure that the general warrant is not used presumptively to prevent the circumvention of the more specific or rigorous pre‑authorization requirements for warrants, such as those found in Part VI. To decide whether s. 487.01(1)(c) applies, namely, whether another provision would provide for the authorization sought in this case, requires interpreting the word “intercept” in Part VI. “Intercept” is used throughout Part VI with reference to the intercept of private communications. This means that in interpreting “intercept a private communication”, we must consider the broad scope of Part VI and its application across a number of technological platforms, as well as its objective of protecting individual privacy interests in communications by imposing particularly rigorous safeguards. The interpretation should not be dictated by the technology used to transmit such communications, like the computer used in this case, but by what was intended to be protected under Part VI. It should also be informed by the rights enshrined in s. 8 of the Charter, which in turn must remain aligned with technological developments.

A technical approach to “intercept” would essentially render Part VI irrelevant to the protection of the right to privacy in new, electronic and text‑based communications technologies, which generate and store copies of private communications as part of the transmission process. A narrow definition is also inconsistent with the language and purpose of Part VI in offering broad protection for private communications from unauthorized interference by the state.

The interpretation of “intercept a private communication” must, therefore, focus on the acquisition of informational content and the individual’s expectation of privacy at the time the communication was made. To the extent that there may be any temporal element inherent in the technical meaning of intercept, it should not trump Parliament’s intention in Part VI to protect an individual’s right to privacy in his or her communications. The use of the word “intercept” implies that the private communication is acquired in the course of the communication process. The process encompasses all activities of the service provider which are required for, or incidental to, the provision of the communications service. Acquiring the substance of a private communication from a computer maintained by a telecommunications service provider would, as a result, be included in that process.

Text messages are private communications and, even if they are stored on a service provider’s computer, their prospective production requires authorization under Part VI of the Code. If Telus did not maintain its computer database, there is no doubt that the police would be required to obtain an authorization under Part VI to secure the prospective, and in this case continuous, production of text messages. Most service providers do not routinely copy text messages to a computer database as part of their transmission service. Accordingly, if the police wanted to target an individual who used a different service provider, they would have no option but to obtain wiretap authorizations under Part VI to compel the prospective and continuous production of their text messages. This creates a manifest unfairness to individuals who are unlikely to realize that their choice of telecommunications service provider can dramatically affect their privacy. The technical differences inherent in Telus’ transmission of text messages should not deprive Telus subscribers of the protection of the Code that every other Canadian is entitled to.

The general warrant in this case was invalid because the police had failed to satisfy the requirement under s. 487.01(1)(c) of the Code that a general warrant could not be issued if another provision in the Code is available to authorize the technique used by police. Since the warrant purports to authorize the interception of private communications, and since Part VI is the scheme that authorizes the interception of private communications, a general warrant was not available.

Per Moldaver and Karakatsanis JJ.: There is agreement with Abella J. that the police are entitled to a general warrant only where they can show that “no other provision” of the Criminal Code or any other Act of Parliament would provide for the investigative technique, including a substantively equivalent technique, for which authorization is sought. The investigative technique in this case was substantively equivalent to an intercept. The general warrant is thus invalid. Resolution of whether what occurred in this case was or was not, strictly speaking, an “intercept” within the meaning of s. 183 of the Code is unnecessary. A narrower decision guards against unforeseen and potentially far‑reaching consequences in this complex area of the law.

The result is driven by the failure of the authorities to establish the requirement in s. 487.01(1)(c) that there be “no other provision” that would provide for the search. This provision ensures that the general warrant is used sparingly as a warrant of limited resort. In creating the general warrant, Parliament did not erase every other search authorization from the Code and leave it to judges to devise general warrants on an ad hoc basis as they deem fit. Courts must therefore be careful to fill a legislative lacuna only where Parliament has actually failed to anticipate a particular search authorization. The “no other provision” requirement must be interpreted so as to afford the police the flexibility Parliament contemplated in creating the general warrant, while safeguarding against its misuse. There is a need for heightened judicial scrutiny where Parliament has provided an authorization for an investigative technique that is substantively equivalent to what the police seek but requires more onerous pre-conditions. Thus, the test under s. 487.01(1)(c) must consider the investigative technique that the police seek to utilize with an eye to its actual substance and not merely its formal trappings.

The approach to the “no other provision” requirement accepts a measure of uncertainty by tasking judges with the job of inquiring into the substance of purportedly “new” investigative techniques. When uncertainty exists, the police would do well to err on the side of caution. General warrants may not be used as a means to circumvent other authorization provisions that are available but contain more onerous pre-conditions. Judges faced with an application where the investigative technique, though not identical, comes close in substance to an investigative technique covered by another provision for which more rigorous standards apply should therefore proceed with extra caution. Where careful scrutiny establishes that a proposed investigative technique, although similar, has substantive differences from an existing technique, judges may grant the general warrant, mindful of their obligation under s. 487.01(3) to impose terms and conditions that reflect the nature of the privacy interest at stake.

A literal construction of s. 487.01(1)(c) must be rejected. Such an approach strips the provision of any meaning and renders it all but valueless. Legislative history confirms that general warrants were to play a modest role, affording the police a constitutionally sound path for investigative techniques that Parliament has not addressed. Ensuring that general warrants are confined to their limited role is the true purpose of s. 487.01(1)(c). While the “best interest” requirement in s. 487.01(1)(b) serves to prevent misuse of the general warrant, this provision should not be interpreted as swallowing the distinct analytical question that the “no other provision” test asks. A purposive approach to s. 487.01(1)(c) has nothing to do with investigative necessity. Under the “no other provision” test, the police are not asked to show why an alternative authorization would not work on the facts of a particular case, but rather why it is substantively different from what Parliament has already provided.

In this case, the general warrant is invalid because the investigative technique it authorized was substantively equivalent to an intercept. What the police did — securing prospective authorization for the delivery of future private communications on a continual, if not continuous, basis over a sustained period of time — was substantively equivalent to what they would have done pursuant to a Part VI authorization. It was thus, at a minimum, tantamount to an intercept. Though there is no evidence to suggest that the police acted other than in good faith, the police failed to meet their burden to show that the impugned technique was substantively different from an intercept. On the facts here, the general warrant served only to provide a means to avoid the rigours of Part VI. The police could and should have sought a Part VI authorization.

Per McLachlin C.J. and Cromwell J. (dissenting): The question of whether what the police did under this general warrant is an interception of a private communication is one of statutory interpretation. When the text of the statutory provisions is read in its full context, it is clear that the general warrant does not authorize an interception that requires a Part VI authorization. While there is no doubt that the text message is a private communication and that text messages here were intercepted by Telus by means of an electro-magnetic, acoustic, mechanical or other device, the police in this case, did not intercept those messages when Telus turned over to them copies of sent and received messages previously intercepted by Telus and stored in its databases. Therefore, the investigative technique authorized by the general warrant in this case was not an interception of private communication.

Fundamental to both the purpose and to the scheme of the wiretap provisions is the distinction between the interception of private communications and the disclosure, use or retention of private communications that have been intercepted. The purpose, text and scheme of Part VI show that the disclosure, use or retention of intercepted private communications is distinct from the act of interception itself. That is, if disclosure or use of a private communication were an interception of it, there would be no need to create the distinct disclosure or use offence. Similarly, the exemptions from criminal liability show that Parliament distinguished between interception on one hand and retention, use and disclosure on the other.

In this case, it is not disputed that Telus was intercepting text messages when it copied them for its own systems administration purposes. However, it is also agreed that Telus lawfully intercepted private communications. Under the general warrant, the police sought disclosure from Telus of information that it had already lawfully intercepted. The general warrant did not require Telus to intercept communications, but to provide copies of communications that it had previously intercepted for its own lawful purposes. As the scheme of the legislation makes clear, disclosure or use of a lawfully intercepted communication is not an interception. It is inconsistent with the fundamental distinction made by the legislation to conclude that the police were intercepting private communications when Telus provided them with copies of previously intercepted and stored text messages. The distinction in the statute between interception and disclosure cannot be dismissed as a mere “technical difference”. The distinction is fundamental to the scheme of the provisions. When Telus turns over to the police the copies of the communications that it has previously intercepted, Telus is disclosing the communications, not intercepting them again. This disclosure by Telus from its databases cannot be an interception by the police.

Acquiring the content of a previously intercepted and stored communication cannot be an interception because that broad reading is inconsistent with the clear distinction between interception and disclosure in the provisions. Applied broadly, this interpretation of “acquire” would extend the scope of investigative techniques which require wiretap authorizations far beyond anything ever previously contemplated. Further, introducing a temporal aspect of interception would confuse the act of interception with the nature of its authorization. Interception is a technique, a way of acquiring the substance of a private communication. It could not be that exactly the same technique, which acquires information in exactly the same form may be either a seizure of stored material or an interception, depending on the point in time at which the technique is authorized.

The general warrant is not one of limited resort that should be used sparingly. On the contrary, as numerous authorities have acknowledged, the provision is cast in wide terms. Therefore, it is not accepted as an imperative that s. 487.01 must be interpreted with a view to heavily restricting its use. The focus of the inquiry is on two matters (in addition of course to reasonable grounds to believe that an offence has been committed and that information concerning the offence will be obtained): is authorization for the “technique, procedure or device to be used or the thing to be done” provided for in any other federal statute and is it in the best interests of the administration of justice to authorize it to be done? Section 487.01(1)(c) provides that a general warrant may issue if “there is no other provision . . . that would provide for a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done”. The words “technique”, “procedure”, “device to be used” and “thing to be done” all are concerned with what the police want to do, not why they want to do it. This paragraph does not require issuing judges to consider whether other techniques are similar or allow access to the same evidence; it simply asks if the same technique can be authorized by another provision. This is not simply a narrow, literal interpretation of s. 487.01. Rather, it is an interpretation that reflects its purpose of conferring a broad judicial discretion to authorize the police to “use any device or investigative technique or procedure or do any thing”, provided of course that the judge is satisfied that it is in the best interests of the administration of justice to do so, having due regard to the importance of the constitutional right to be free of unreasonable searches and seizures. However, courts should not authorize anything the police seek to do simply because it is not authorized elsewhere. The judicial discretion to issue the warrant must give full effect to the protection of reasonable expectations of privacy as set out under s. 8 of the Charter.

There is no support in the text or the purpose of s. 487.01(1)(c), or in the jurisprudence, for building into it a “substantive equivalency” test. The paragraph asks a simple question: Does federal legislation provide for “a warrant, authorization or order permitting the technique, procedure or device to be used or the thing to be done”? Where this threshold is met, the judge is entitled to consider granting the requested authorization. The further question of whether the authorization ought to be granted is not the focus of this paragraph of the section. Rather, whether a general warrant ought to issue is properly considered under s. 487.01(1)(b), which asks whether authorizing the warrant would be in the best interests of the administration of justice. This approach is not only supported by the text, purpose and jurisprudence, but the application of a “substantive equivalency” test creates unnecessary uncertainty and distracts the issuing judge from the question of whether the technique sought to be authorized is inconsistent with the right to be free from unreasonable searches and seizures. Predictability and clarity in the law are particularly important in the area of judicial pre-authorization of searches. The primary objective of pre-authorization is not to identify unreasonable searches after the fact, but to ensure that unreasonable searches are not conducted. The requirements for pre-authorization should be as clear as possible to ensure that Charter rights are fully protected.

The technique sought to be authorized here is not the substantive equivalent of a wiretap authorization. On the facts of this case, a wiretap authorization alone would not allow the police to obtain the information that Telus was required to provide under the general warrant. Three separate authorizations would be required in order to provide the police with the means to access the information provided to them under the general warrant. Therefore, even if one were to accept reading into s. 487.01(1)(c) a “substantive equivalency” test, neither the facts nor the law would support its application in this case.

The police did not seek a general warrant in this case as a way to avoid the rigours of Part VI. The general warrant achieved the legitimate aims of the police investigation in a much more convenient and cost-effective manner than any other provision would have allowed. There is no evidence of “misuse” of s. 487.01. The effective and practical police investigation by a relatively small municipal police force was fully respectful of the privacy interests of the targets of the investigation and other Telus subscribers.

Friday, March 22, 2013

Microsoft releases first "transparency report" with stats on law enforcement user data requests

Following the lead of Google, Twitter and Facebook, Microsoft has released its first "Transparency report" which provides some visibility into the number of law enforcement requests for user data it receives and what its policies are regarding the disclosure of such data: 2012 Law Enforcement Requests Report. Well done, Microsoft.

Now let's see some Canadian telcos follow suit.

Tuesday, March 05, 2013

Google adds (rounded) numbers for National Security Letters on its Transparency Report

Again, Google leads the way in transparency about government demands for user information.

This time, they've added numbers for National Security Letters (a form of administrative subpoena that the FBI can use to get non-content information about users). The numbers are not precise, apparently because reporting actual information about NSLs is illegal under the relevant statutes. But some information is better than no information.

Check out the official Google blog post about this addition to the Transparency Report: Official Blog: Transparency Report: Shedding more light on National Security Letters.

Monday, February 11, 2013

Lawful access dead, says Justice Minister

According to the CBC, Bill C-30 is officially dead and any replacement measure will not have a provision for warrantless access to customer information:

Government killing online surveillance bill - Politics - CBC News

Federal Justice Minister Rob Nicholson says the controversial Bill C-30, known as the online surveillance or warrantless wiretapping bill, won't go ahead due to opposition from the public.

Canadians rallied against the bill after the public safety minister told an opposition MP that he could "either stand with us or with the child pornographers."

"We will not be proceeding with Bill C-30 and any attempts that we will continue to have to modernize the Criminal Code will not contain the measures contained in C-30, including the warrantless mandatory disclosure of basic subscriber information or the requirement for telecommunications service providers to build intercept capability within their systems," Nicholson said.

"We've listened to the concerns of Canadians who have been very clear on this and responding to that."

Nicholson made the announcement after introducing a bill to update provisions that would allow for warrantless phone tapping in emergencies.

Canadian law allows police to wiretap without authorization from a court when there is the risk of imminent harm, such as a kidnapping or bomb threat, but the Supreme Court last year struck down the law and gave Parliament 12 months to rewrite another one.

Monday, January 28, 2013

Happy data privacy day!

Today is international data privacy day. I am sure there'll be some interesting content posted through the day around the world to acknowledge the event and I'll try to post links as I'm able.

First, Google's top lawyer, David Drummond, has posted on the Official Google Blog greater detail about Google's approach to government requests for user data (Google’s approach to government requests for user data). In the post, he points to a new part of their groundbreaking Transparency Report that provides even more information on "User Data Requests". It's great that Twitter has followed suit with its own Transparency Report. More companies should do so.

And speaking of Twitter, follow the #DPD13 hashtag to see what others are saying about Data Privacy Day.

Facebook has launched "Ask our CPO", where users can submit questions to be answered by Chief Privacy Officer Erin Egan.

If you are in Halifax, you should also check out Dalhousie University's annual Data Privacy Day. It's being celebrated all afternoon on Wednesday, January 30, 2013 with a great lineup of speakers, including Jill Clayton, the Information and Privacy Commissioner of Alberta. I'll be your emcee for the event.

Saturday, January 26, 2013

Members of the privacy community demand transparency from Skype/Microsoft on disclosure of user information

A group of civil society organizations and privacy activists are calling upon Microsoft and Skype to be much more forthcoming about Skype's privacy practices, particularly those related to disclosures of user information to governments and law enforcement. The open letter to Skype calls for Microsoft to follow the lead of Google's and Twitter's transparency reports:

Open Letter to Skype

We call on Skype to release a regularly updated Transparency Report that includes:

  1. Quantitative data regarding the release of Skype user information to third parties, disaggregated by the country of origin of the request, including the number of requests made by governments, the type of data requested, the proportion of requests with which it complied — and the basis for rejecting those requests it does not comply with.
  2. Specific details of all user data Microsoft and Skype currently collects, and retention policies.
  3. Skype’s best understanding of what user data third-parties, including network providers or potential malicious attackers, may be able to intercept or retain.
  4. Documentation regarding the current operational relationship between Skype with TOM Online in China and other third-party licensed users of Skype technology, including Skype’s understanding of the surveillance and censorship capabilities that users may be subject to as a result of using these alternatives.
  5. Skype's interpretation of its responsibilities under the Communications Assistance for Law Enforcement Act (CALEA), its policies related to the disclosure of call metadata in response to subpoenas and National Security Letters (NSLs), and more generally, the policies and guidelines for employees followed when Skype receives and responds to requests for user data from law enforcement and intelligence agencies in the United States and elsewhere.

Sunday, December 23, 2012

Lawful Access: There, I fixed it for you.

Regular readers of this blog will know that I am not a fan, at all, of the government's lawful access bill, Bill C-30. In particular, I have a big problem with warrantless access to subscriber information. And I have a bigger problem with the fact that the current Bill C-30 does not put any meaningful limitation on the circumstances under which the police or national security agencies can require subscriber information without a warrant.

(If you want to see why I have a problem with Bill C-30, you just have to read my previous posts or check out my YouTube video on the topic.)

I have tried to be productive in my criticism and, to that end, offer the following to replace the warrantless access to subscriber information in the current bill. I have taken into account many of the productive conversations I've had with members of the policing community and the privacy community.

What follows would be an amendment to the Criminal Code of Canada that creates a new form of production order -- a subscriber information production order -- and can, in my view, just be dropped into the Code. It offers judicial oversight, real accountability and notice to the subscriber that their information has been obtained. It is limited only to serious crimes or where the information sought would identify the victim of a serious crime, but can't be used for fishing expeditions. And unlike a search warrant, it is effective nation-wide. And it includes the possibility of obtaining such an order from a judge over the telephone in urgent situations.

I welcome any comments you may have...

Subscriber information production order
(1) A justice or judge, including a designated judge under the Canadian Security Intelligence Act, may order a telecommunications service provider to produce subscriber information.
Production to peace officer
(2) The order shall require the subscriber information or information regarding multiple subscribers to be produced within the time, at the place and in the form specified and given
(a) to a peace officer named in the order; or
(b) to a public officer named in the order, who has been appointed or designated to administer or enforce a federal or provincial law and whose duties include the enforcement of this or any other Act of Parliament.
Conditions for issuance of order
(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that
(a) there are reasonable grounds to believe that an offence designated under this section has been, is being or is about to be committed;
(b) there are reasonable grounds to believe that the subscriber information will afford evidence respecting the identity of the person or persons believed to be responsible for the commission of the offence, or the identity of the persons believed to be the victim or the intended victim of such offence;
(c) there are reasonable grounds to believe that the person who is subject to the order has possession or control of the documents or data; and
(d) the issuing of the order will not unduly infringe the relevant subscriber’s rights set out in the Charter of Rights and Freedoms, including freedom of expression, based on the totality of the circumstances.
Terms and conditions
(4) The order may contain any terms and conditions that the justice or judge considers advisable in the circumstances, including terms and conditions to protect a privileged communication between a lawyer and their client or, in the province of Quebec, between a lawyer or a notary and their client.
Power to revoke, renew or vary order
(5) The justice or judge who made the order, or a judge of the same territorial division, may revoke, renew or vary the order on an ex parte application made by the peace officer or public officer named in the order.
Notice
(6) Unless the justice or judge who made the order, or a judge of the same territorial division orders otherwise, any person whose information is obtained as a result of such order shall be notified of the order and the disclosure of his or her subscriber information within six months of the date of the order. An order to delay the giving of notice under this paragraph shall only be applicable for a maximum of six months and shall only be made if such justice or judge is satisfied, based on information on oath in writing, that the giving of such notice will likely compromise an active investigation or prosecution of an offence under this or any other Act of Parliament.
Probative force of copies
(7) Every copy of a document produced under this section, on proof by affidavit that it is a true copy, is admissible in evidence in proceedings under this or any other Act of Parliament and has the same probative force as the original document would have if it had been proved in the ordinary way.
Return of copies
(8) Copies of documents produced under this section need not be returned.
Subscriber information
(9) For the purposes of this section, “subscriber information” means the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.
Use and retention of subscriber information
(10) Unless otherwise ordered by the justice or judge who made the order, or a judge of the same territorial division,
(a) subscriber information obtained pursuant to an order under this Section shall only be used for the investigation and prosecution of the offense or offenses referred to in the information used to obtain the order; and
(b) if the person about whom the subscriber information relates has not been charged with an offense referred to in the information to obtain the order, subscriber information shall only be retained until six months following the date on which the relevant person is notified pursuant to paragraph (6) herein.
Designated offences
(11) For the purposes of this Section, a designated offense means
(a) any offence that may be prosecuted as an indictable offence under this or any other Act of Parliament, or
(b) a conspiracy or an attempt to commit, being an accessory after the fact in relation to, or any counselling in relation to, an offence referred to in paragraph (a).
Tele-production Orders
(12) Section 487.1 respecting telewarrants shall apply with respect to subscriber information production orders, mutatis mutandis, in the same manner as such section applies with respect to search warrants.
National effect
(13) A subscriber information production order issued under this Section shall be applicable with respect to the telecommunications service provider in any territorial division of Canada without requirement of endorsement by a justice or judge in the territorial division where the telecommunications service provider is located.
Compensation
(14) The telecommunications service provider named in a subscriber information production order shall be compensated for the production of subscriber information in the manner and in the amount prescribed. Nothing herein shall require a telecommunications service provider to collect or retain any subscriber information beyond that which is ordinarily collected or retained in the course of the telecommunications service provider’s business.
Report to Parliament
(15) Each calendar year, the Minister shall lay before Parliament a report regarding the use of subscriber information production orders, which report shall include:
(a) the number of subscriber information production orders issued in total for the previous calendar year;
(b) the number of subscriber information production orders issued per designated offense for the previous calendar year;
(c) the number of subscriber information production orders issued per territorial division of Canada for the previous calendar year;
(d) the number of and nature of the charges, prosecutions and convictions respecting each use of subscriber information production orders, including information respecting cases where charges do not result; and
(e) any other information the Minister considers relevant regarding the use of subscriber information production orders.

Tuesday, December 11, 2012

Border guard union rejects name tags on privacy grounds

The union representing front-line border guards in Canada has vowed to fight the modernization of uniforms that includes nametags. The union cites officer safety and privacy as grounds for their objections. See: Name tags for Canada border agents rejected by union - Windsor - CBC News.

In my view, accountability to the public trumps whatever meagre privacy interest they think they might have.

Thursday, December 06, 2012

Video: An overview of Bill C-30, how it's broken and how it can be fixed

My first foray into the world of video blogging ... please forgive the production values.


Feel free to leave any comments below...

Monday, December 03, 2012

Privacy Commissioner on Bill C-30: Police need to get behind privacy

The Information and Privacy Commissioner of Ontario, Ann Cavoukian, has a long opinion piece in the National Post on Bill C-30:

Privacy Commissioner on Bill C-30: Police need to get behind privacy | Full Comment | National Post

Ann Cavoukian: Police need to get behind privacy

Special to National Post | Dec 2, 2012 11:56 PM ET

As Ontario’s Information and Privacy Commissioner, I have a deep respect for law enforcement. I frequently work closely with the police to help them succeed in fulfilling their important functions without sacrificing our vital right to privacy. The guidance I have provided over the years on the privacy implications of new technologies has given the police a roadmap on how to be effective, yet also protect our privacy.

That is why I am perplexed by the ongoing disagreement between law enforcement and Canada’s privacy commissioners over the federal government’s highly intrusive surveillance legislation, Bill C-30. Repeatedly, privacy commissioners have identified a pragmatic and principled approach to fixing the flawed aspects of the Bill. Time and again, members of the law enforcement community have insisted they need overly broad powers, while failing to recognize that they can have both new and effective law enforcement powers, while still protecting the privacy of individual Canadians.

The police want access to “subscriber data,” such as Internet Protocol and email addresses, because the data is powerful. The actual content of your communications does not need to be accessed in order to obtain a digital snapshot of your surfing habits and who you associate with — access to subscriber data can unlock this and more. It can be used to track people and their activities. It’s the key to revealing your identity online. Should the police be granted warrantless access in genuine emergencies? Absolutely. Should the police have unfettered access? No!

What is required is quite simple. The Bill must be amended to ensure that any police power to compel telecoms to disclose subscriber information requires a warrant in all but urgent circumstances — the police would then be required to report their use of such powers.

Our solution-driven approach would mean that urgent police investigations need never be stalled. Terrorists, organized criminals and those who try to harm the vulnerable by misusing the right to anonymity could be exposed and prosecuted in a timely fashion. At the same time, the public’s confidence in law enforcement would be heightened as a result of rules that prevent the identification and profiling of law-abiding citizens. In free societies such as ours, citizens should be entitled to go about their business without being forced to identify themselves. That right must be as strongly protected online as on the street.

The public understands this. Most of us recognize that our digital rights are no less important than other rights and freedoms. This is why Canadians across the country so strongly opposed the introduction of Bill C-30.

The same principles should guide Parliament in amending other provisions in Bill C-30. For example, we do not object to preservation orders. However, the power to compel telecoms to preserve data should be carefully tailored and subject to modern oversight and accountability, as is expected in a free and democratic society.

Citizens and lawmakers in the U.K. and the United States also recognize the importance of digital rights. That’s why elected representatives in those countries continue to express skepticism about the merits of privacy-invasive proposals. It’s not surprising that Bill C-30, and the proposals that our international allies are struggling with, will not be advancing until they receive in-depth scrutiny.

As Justice Sotomayor of the U.S. Supreme Court recognized in that court’s recent GPS monitoring decision, “Awareness that the Government may be watching chills associational and expressive freedoms. And the Government’s unrestrained power to assemble data that reveal private aspects of identity is susceptible to abuse [that] may alter the relationship between citizen and government in a way that is inimical to democratic society.”

It is unfortunate that Bill C-30 would demand such a draconian privacy price from Canadians. Fortunately, the required solutions have already been identified: judicial oversight, allowance for warrantless access only in emergencies, transparency, and openness. Canadians should be proud that we are at the forefront of an international push to ensure that democracies provide for robust privacy protections. By proactively adopting Privacy by Design, the international standard for embedding privacy assurances into information technologies and organizational practices, we can have privacy and security, in unison. Canadians do not need to write a blank cheque for effective law enforcement. Together, we must commit to preserving our privacy - now, and well into the future.

National Post

Wednesday, November 14, 2012

Google's most recent Transparency Report: Government requests are on the rise

Google has released its most recent update to the Google Transparency Report, which provides statistics about how many user data requests and how many takedown requests Google receives from governments and copyright owners around the world.

The specific stats for Canada are here: user data, takedowns. The takedown data set is broken down by service and alleged reason.

The Official Google Blog (Transparency Report: Government requests on the rise) provides some additional, global context.

A big hat tip to Google for making this information available, which has led to other companies publishing similar data so some light can be shed on data and takedown requests, which usually occur in the shadows.

Wednesday, November 07, 2012

Privacy Commissioners respond to Police Chiefs on Bill C-30 and lawful access

An interesting debate over lawful access is playing out in the pages of the Windsor Star. First, the paper ran an opinion piece from the leadership of the Canadian Association of Chiefs of Police that peddles the common line that connecting an internet user's IP address to their name and address is just like (and no more intrusive than) using a phone book:

Police chiefs speak out

As Canadians, we rightly place a very high value on our privacy.

As a career police officer, I have spent much of my life ensuring that my actions and those of the officers under my command do not intrude into the privacy of others, unless authorized by law and in pursuit of those who threaten, harm or steal from others.

While all new laws should be subject to rigorous debate, I worry that the misinformation surrounding the proposed Bill C-30 "Protecting Children from Internet Predators Act" is distracting us from the true goal of this bill - protecting victims by updating laws last introduced by Parliament in 1974. At that time, telecommunications consisted of rotary phones, telegraphs and physical lines of wire.

A technology revolution has seen the rapid adoption of mobile devices, computers and social media - an evolution of technology not envisaged by lawmakers back in the 1970s.

Canadians reap many benefits from today's technologies. So do criminals. We have inadvertently created safe havens for those who exploit technology to traffic in weapons, drugs and people. It is a boon to pedophile networks, money launderers, extortionists, deceitful telemarketers, fraudsters and terrorists.

Cyber bullies communicate their vitriol with impunity. If we stand by and do nothing, criminals will continue to use these interactive platforms to harass and threaten others, commit frauds, scams and organized and violent crimes with little fear of being caught.

I enthusiastically agree that privacy is a right to cherish and guard vigorously. We believe that the new legislation, with our recommended amendments to strengthen privacy rights, will help make Canada a safer place. To level the playing field for law enforcement, successive federal governments introduced updated lawful access legislation in 2006, 2007, 2009 and 2010.

All of these bills "Died on the Order Paper." In the meantime, the threats to individuals and community are increasing. The current proposed legislation includes the following assurances/improvements:

  • Access to private information will continue to require a judicial authorization (warrant).

  • Telecommunications providers will be required to preserve data while a warrant is being obtained.

  • Basic subscriber information (the equivalent to information provided by a telephone directory) will be obtainable in a timely and consistent manner. As opposed to today's environment, the new legislation builds in an audit trail to ensure accountability (including making available reporting to the judiciary and privacy commissioners) and to limit those within policing who can make such a request.

What is the cost of not proceeding with the modernization of our laws? Organized criminals will plan their killings and kidnappings using communications providers whose systems do not have the technical ability to be monitored through the warrant process.

Terrorists will be able to exploit these same gaps. Victims of scams will be told that the evidence trail linking the suspect to the crime has disappeared because the service provider has no obligation to preserve data.

Perhaps even worse, the parents of a child who has been lured or criminally harassed over the Internet will learn that the police investigation will be delayed or completely unsuccessful because of the need to obtain a warrant for basic subscriber information.

The RCMP's National Child Exploitation Co-ordination Centre looked at a sample of 1,244 requests for basic subscriber information in 2010. The average response time to gain such information was 12 days. This is unacceptable!

The challenge of Bill C-30 is to strike the right balance between providing law enforcement with investigative tools to ensure individual and public safety while ensuring the protection of privacy. We support the greater protections which have been built into this bill.

Vancouver police Chief Jim Chu is president, Canadian Association of Chiefs of Police.

Privacy Commissioners from Ontario, British Columbia and Alberta have sent the paper a reply:

New surveillance powers shouldn’t come at the expense of our right to privacy | Windsor Star:

Re: Police chiefs speak out, guest column, by Jim Chu, Nov. 6.

In his opinion piece, police Chief Jim Chu repeats the now much-discredited analogy that subscriber data is equivalent to what is found in a phone book. We disagree.

This information, which includes e-mail addresses and Internet protocol addresses, is not publicly available and can be used to reveal the web-related activities of law-abiding citizens.

This is why Canadians across our country expressed such strong concerns about the federal government’s introduction of Bill C-30, the Internet surveillance bill.

As Privacy Commissioners, we understand that the police may need new tools to investigate crime as technology advances.

However, Commissioners have consistently asked for evidence that police need the power to compel Internet Service Providers to turn over personal information of subscribers without a warrant in order to attain these ends.

To date, law enforcement officials have failed to provide persuasive factual evidence that current law has impeded police investigation of serious crimes, like those involving individuals who exploit children.

Current law recognizes exigent circumstances that justify immediate access to information to solve serious crimes.

If police need additional powers, they must be demonstrably justified, and come with appropriate judicial oversight and accountability.

New surveillance powers must not come at the expense of our right to privacy.

ANN CAVOUKIAN, PhD, Information and Privacy Commissioner, Ontario, JILL CLAYTON, Information and Privacy Commissioner, Alberta, and ELIZABETH DENHAM, Information and Privacy Commissioner, B.C.

Today, the Federal Privacy Commissioner added her voice to the debate:

Bill C-30 must be amended to respect privacy rights | Windsor Star

Re: Police chiefs speak out, guest column, by Jim Chu, Nov. 6.

My office appreciates the challenges faced by police officers in fighting online crime, with out-of-date tools and at a time of rapidly changing technologies.

We agree with Jim Chu, chief constable of the Vancouver Police Department and president of the Canadian Association of Chiefs of Police, when he states that the federal government’s lawful access bill could be improved to better protect privacy rights in Canada.

We were encouraged to see the head of the police association specifically support a provision to clarify privacy rights, in his recent op-ed. In fact, Bill C-30 must be amended to respect privacy rights.

Chief Chu suggests the information behind an IP address is equivalent to information found in a phone book. To me, this vastly underestimates what it may reveal about someone.

Unlike a phone book, information behind an IP address is not generally publicly available and can unlock doors to much more information about people.

My office’s technologists are currently looking at this, and studying the degree of privacy intrusiveness in relation to the specific information that the Bill proposes to make readily accessible to law enforcement.

We are also continuing our discussions with public safety and law enforcement officials, as well as civil society, to ensure that privacy issues are adequately addressed.

It is true that law enforcement powers need to be modernized, but so too do the laws that ensure Canadians’ privacy rights are fully respected. The Privacy Act, which applies to federal departments and agencies, has not been substantially amended in more than 30 years and, as a result, citizens have little mechanism for redress when things go wrong. The federal private sector privacy law, PIPEDA, is also well overdue for an update.

We look forward to elaborating on our views about Bill C-30 with parliamentarians and we will also continue to advocate for federal privacy laws that meet the challenges of this new world.

JENNIFER STODDART, Privacy Commissioner of Canada, Ottawa

Monday, November 05, 2012

Don't throw the (judicial oversight) baby out with the bathwater

I have been trying to encourage an informed dialogue about "lawful access" on this blog, in an effort to cut through some of the rhetoric to get to useful substantive issues. In that effort, Detective Constable Warren Bulmer has written a couple of guest posts, including the most recent "A police officer's response to my recent critique of lawful access".

When I posted Warren's piece, I mentioned I'd probably have a response. Here it is.

According to police, voluntary disclosure of subscriber information by internet service providers is too unpredictable for police officers to rely upon and the current system of judicial pre-authorization often takes too long. I'll acknowledge that this is a real problem.

My starting premise is that agents of the state (law enforcement and national security types) should not be able to obtain personal information from a third party without judicial authorization (unless there is an actual and immediate threat to life, health or safety). To me, anything that falls short of this is simply not acceptable.

Production orders are the natural means by which police should be able to obtain customer name and address information in the appropriate circumstances. (Search warrants simply don't work for these sorts of cases.)

D/Cst Bulmer has identified that production orders, as currently set up under the Criminal Code, are limited to circumstances where the crime has already been committed but don't cover where there are grounds to believe a crime will be committed, so such orders are inadequate. (Though I note conspiracy to commit a future offense is usually an offense.) The solution is not to throw out judicially-authorized production orders but to fix this omission. Amend section 487.012 of the Criminal Code to include circumstances where there are reasonable grounds to believe that the production order will lead to evidence related to a crime that will be committed.

Here is what it would look like:

(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that there are reasonable grounds to believe that

(a) an offence against this Act or any other Act of Parliament has been, is being or is about to be committed or is suspected to have been, is being or is about to be committed;

(b) the documents or data will afford evidence respecting the commission of the offence; and

(c) the person who is subject to the order has possession or control of the documents or data.


Fifteen words fix it.

If there's an emergency -- an actual imminent threat to life, health or safety -- police should be able to get access to subscriber information as soon as possible. The police, D/Cst Bulmer included, complain that ISPs don't always share this sense of urgency. In my own experience and from speaking with some within the ISP industry, this may be a result of "once bitten, twice shy" syndrome due to previous cases where the urgency of the situation was misrepresented, leading to the conclusion that it was only done to circumvent the need to get a production order. The way to deal with this is either via tele-production orders (similar to telewarrants, which are provided for under the Criminal Code) or by after-the-fact accountability.

This works for serious crimes, such as kidnapping, child exploitation and cyber-bullying.

Again, don't throw out judicial oversight simply because of some limited difficulties.

With respect to intervening in suicide, which is not a criminal offence in Canada, I have some difficulties. I am generally of the view that the intrusive powers of the state should be reserved for the investigation of serious criminal offences. Remember, violating a lawful demand under the Criminal Code or under C-30, if passed, would result in criminal charges against the person who refuses to hand over the information. It's not a neutral thing. They can be arrested. If an adult decides to deliver a suicide note via social media, it's not a criminal offense that bears investigating. With a young person, it is a different matter so perhaps an exception should be applicable.

As far as other examples advanced by some law enforcement officers are concerned (but not raised in D/Cst Bulmer's post), the full force of the state should not be brought to bear to reunite an individual with their lost phone. It's absurd that a telco could be criminally charged or convicted of contempt of court for failing to help find the owner of a lost phone.

In a free and democratic society, judicial oversight of the exercise of intrusive state powers is simply essential. It cannot be foregone because the current scheme of production orders is not perfect. Fix what we have so judicial oversight is maintained.

Thursday, November 01, 2012

A police officer's response to my recent critique of lawful access

You may recall that on September 18, 2012, Detective Constable Warren Bulmer of the Toronto Police Service's Computer and Technology Facilitated Crime group had a guest post: Guest post: A police officer's take on informational privacy and the police in the digital age. He sent me the following response to my recent post Despite police chiefs' representations, lawful access is irretrievably broken, and I have his ok to post it here.

I expect I'll have a response to his post in the next day or so.



David

I would like to take this opportunity to provide a few points about your post.

To be fair, the role of the Police in any criminal investigation is not just simply to identify the person responsible for the crime but to try to determine the truth about what happened based on evidence. Often in this work, we receive tips or leads that implicate the wrong person especially in the world of the pseudo-anonymous Internet. Technology itself creates challenges by providing the ability to disguise, alter or otherwise mislead any person attempting to validate Internet sourced information. The police have a responsibility to conduct a thorough investigation which is to also eliminate suspects or persons of interest that may have been implicated by a witness. In the digital age more particularly, we see people who have identified themselves by impersonating another or purporting to be someone they are not. Hard to believe that people don’t use their real name when engaging in questionable behaviour online but it’s true.

In many cases, I agree with you a judicially authorized instrument allows the Police to investigate as long as time is not of the essence. The problem with a judicially authorized Production Order is that the company (ISP) cannot return the information for 30-60 days. So in a public safety situation, or if you or one of your readers were targeted by Police as a suspect or person of interest and you had been wrongly implicated, you would be waiting for the Police to clear your good name. The process is completely unfair in this regard. I agree that rights need to be protected but it can’t be at the cost of potential injustice caused by investigative delays to benefit the minority (criminals) versus the rights of the masses. Section 15 of the Charter states “every individual is equal before and under the law and has the right to the equal protection and equal benefit of the law…”

The other part of your post which needs to be clarified is this (quote): “…but based on the premise that the police should not be able to require anybody to provide information about an individual in the absence of reasonable grounds to believe that the information either is or will lead to evidence of a crime that has been, is being or will be committed, and the appropriate checks and balances…”. With respect to the context you have placed this passage in, I think your readers may mistakenly draw the conclusion that the Police could use a Production Order (487.012) to stop or prevent a crime from happening.

As you pointed out in your piece, a Production order can be authorized by a Justice of the Peace or Judge but most commonly the former. The judicial officer can only authorize a Production Order for criminal offences under the Code or other Act of Parliament based on reasonable grounds when an offence has been or is suspected to have been committed. Therefore, it cannot be used to prevent a crime that hasn’t happened yet, or is about to happen. The purpose of a Production Order is to provide police with evidence in a non-intrusive way. It was clearly designed to obtain third party records that exist in the hands of third parties and the extent of that search is not carried out by the Police thereby mitigating the invasion of privacy. It does not carry the level of scrutiny a search warrant does.

As you know, a search warrant (487 CCC) can be used in situations where an offence is about to or will be committed; however, it is not the appropriate mechanism to obtain these records because a warrant authorizes the Police to carry out the search. Even with an appropriate assistance order (487.02) it is neither practical nor reasonable for Police to walk into Bell, serve a search warrant and start searching through the ISP’s servers. This leaves the conundrum Police currently find themselves in, an inability to clear innocent people of false allegations of wrong-doing in a timely manner and no judicially authorized mechanism to prevent a crime from happening when the Internet is involved. One additional factor at play is where a case dictates that Police need to intervene when a criminal offence hasn’t been or isn’t at the threshold where a situation meets the definition of an offence. The Police require a criminal offence to seek a judicially authorized search unless there is a lawful exemption.

Bill C30 affords the Police lawful access to basic subscriber information, which incidentally is the same information that is sought via a Production Order, when there is a belief outside of a criminal offence that the Police need that information. I would refer your readers to Section 17 of the Bill which states:

17. (1) Any police officer may, orally or in writing, request a telecommunications service provider to provide the officer with the information referred to in subsection 16(1) in the following circumstances:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.


The police officer must inform the telecommunications service provider of his or her name, rank, badge number and the agency in which he or she is employed and state that the request is being made in exceptional circumstances and under the authority of this subsection.

(2) The telecommunications service provider must provide the information to the police officer as if the request were made by a designated person under subsection 16(1).


This component would mandate that the Police dictate what constitutes an emergency request based on exigent circumstances not the ISP. As you know, currently the Police make emergency requests and the ISP determines if it meets their version of an emergency. I have heard of numerous incidents where Police have made an emergency request using the ISP’s form and it was denied because they (the ISP) deemed it wasn’t an emergency thereby forcing Police to get a warrant or Production Order and in some cases nothing was obtained because there wasn’t a criminal offence. In those cases, the Police could do nothing and often they were kids or adults alike being mean or nasty to another or worse looking for help on the Internet but there weren’t enough facts to formulate a criminal offence.

Section 17 of the Bill provides the ability for Police to intervene and protect people who may be suicidal perhaps kids who are targets of bullying when it doesn’t meet the threshold of a criminal offence or in identifying someone who says they will blow-up a theatre before they do it. How? By removing the interpretation of a private company as to what constitutes an emergency, harm or unlawful act. If anyone wants a reason as to why this legislation is necessary, it is the “protection” and “prevention” benchmarks available in it that we should be recognizing or enhancing and divert attention away from the enforcement side of the legislation. The Police will always have the authority to ask.

People have and continue to criticize the Police for standing by while dozens of these incidents go under enforced or seemingly ignored. Lawful access provisions like this aren’t the only solution and I am always cognizant of a “police state” but this legislative tool would go a long way to helping Police intervene early-on in cyberbullying cases, for example and may even prevent some suicides or other Internet related life threatening situations. The most important primary duty of a police officer is the preservation of life and that becomes extremely difficult when the Internet is involved. We find it a challenge to help people who are seeking it on a social network when they are using the nicknames of “wolfman” or “crazy cat lady” or “cooldude66”.

Regards

Warren Bulmer

Saturday, October 27, 2012

Despite police chiefs' representations, lawful access is irretrievably broken

If you’re a regular reader of this blog, you’ll know that I’m not a fan of Bill C-30. At all. My most acute concern relates to warrantless access to the names and addresses of customers of telecommunications service providers. Reviewing the very interesting and thought-provoking materials of the Canadian Association of Chiefs of Police hasn’t changed my mind.

This opposition isn’t based on the shameful way the bill was introduced (“you’re either with us or with the child predators”), but based on the premise that the police should not be able to require anybody to provide information about an individual in the absence of reasonable grounds to believe that the information either is or will lead to evidence of a crime that has been, is being or will be committed, and the appropriate checks and balances.

In my view, the only way to provide the checks and balances is to have an impartial party make the determination of whether individual privacy rights need to give way to the public interest in preventing and investigating crime. The police clearly have a job to do, but they are not in a position to appropriately balance these interests. Only an impartial judge can.

As for the suggestion that there really isn’t a privacy interest in customer name and address, I disagree. (Notwithstanding some recent caselaw on this point.) When the police are legitimately looking for a customer name and address to attach to an IP address, it is not being done in a vacuum. The police already have collected evidence (presumably of a crime) and are looking to connect that to a person. People have a reasonable expectation of privacy in what they do in their day-to-day lives online and it should be up to a judge to determine whether that connection can be made.

The Criminal Code already contains all the tools necessary to deal with this. For example, under Section 487.012, the police can obtain a production order against an internet service provider to hand over customer name and address information if they can satisfy the judge of the following:

(3) Before making an order, the justice or judge must be satisfied, on the basis of an ex parte application containing information on oath in writing, that there are reasonable grounds to believe that
(a) an offence against this Act or any other Act of Parliament has been or is suspected to have been committed;
(b) the documents or data will afford evidence respecting the commission of the offence; and
(c) the person who is subject to the order has possession or control of the documents or data.

It’s only that the order must lead to evidence. Not the smoking gun or as a last resort. Just some evidence. It’s a very low threshold. This would be applicable in cases of child pornography, exploitation, threats, extortion, kidnapping, a rapist who left his phone at the scene and just about every other case cited by the Canadian Association of Chiefs of Police. It’s not an onerous burden.

The officer should appear in front of a judge with a sworn affidavit that sets out the evidence that an unnamed person using IP address X.X.X.X is engaged in [bad act] and we have reason to believe that the IP address is allocated to [internet service provider]. If the judge thinks that’s sufficient, a production order should be issued.

To put it very simply, if the police cannot convince a judge that the connection should be made, they should not be able to obtain it. If you can’t convince a judge that it will lead to evidence of a crime, the cops should go back to the drawing board.

The main problem pointed to by the proponents of the Bill is that it takes too much effort or too long to get a warrant that requires an internet service provider to hand over customer name and address information that corresponds with an IP address. If that is really the problem they are trying to address, it would be best to address it by making the warrant-seeking process more efficient. Warrantless requests should be left to circumstances where there is a real emergency.

As currently written in Bill C-30, there is effectively no limitation on the circumstances under which police can seek this information. It can be for a parking ticket or some other trivial contravention of the law. The examples the police give are all serious crimes, but C-30 isn’t restricted in that way. (I think the threshold for all production orders should be strengthened to limit the use of these powers to (a) the investigation of serious crimes only under the Criminal Code, the Narcotics Control Act, the Canadian Security Intelligence Service Act and the National Defence Act where there are reasonable and probable grounds to believe that the information is necessary for the investigation of a crime that has occurred or is likely to occur, or (b) where the subscriber about whom the information relates is reasonably believed to be a victim of the crime or whose life or safety is in imminent jeopardy, and the victim’s identity is unknown.)

The second protection should be transparency, in two parts. First, the Attorney General should have to table in Parliament an annual report setting out in detail the number of applications made, the number of investigations they relate to, the offences alleged to have been committed and whether the order was granted. Even better would be including the number of charges laid as a result. This would ensure that the public is informed as to whether these powers are being used appropriately.

The second part should be an obligation to notify the individual whose information was sought, after a reasonable interval of time so that it does not interfere with an ongoing investigation. As drafted in Bill C-30, the individual whose information is sought will likely never know that this information was sought and obtained unless it comes out in open court after charges have been laid. In the current draft C-30, there is actually a gag order that prevents the ISP from telling the individual even if asked.

The information to obtain the disclosure order should be provided to the individual whose information is sought within six months unless a judge agrees, based on affidavit evidence provided by the relevant law enforcement officer, that doing so would be harmful to an ongoing criminal or national security investigation. An individual whose information is wrongfully sought or obtained should have a private right of action against the officer and the officer’s employer if there were not reasonable grounds to seek the information.

Overall, the entire scheme of "lawful access" to customer name and address information is irretrievably broken and needs the protections of independent oversight that only judges can provide.

Friday, October 26, 2012

Canadian police chiefs attempt to revive lawful access

At a time when most observers say that Bill C-30, also known as the "lawful access" bill, is dead in the water, the Canadian Association of Chiefs of Police have today come out swinging, calling for its revival.

In connection with this effort CACP have put together a strong collection of documents to put forward their position. Here's the media release [pdf]:

Police Confirm Canadians’ Top Five Fears About Lawful Access

CACP Renews Appeal for Lawful Access Legislation


VANCOUVER, BC – The Canadian Association of Chiefs of Police (CACP) is launching a renewed effort to inform Canadians as they debate police authority for ‘lawful access’, in the context of Bill C-30 – “Protecting Children from Internet Predators Act.”


“If we stand by and do nothing, criminals will continue to exploit today’s technologies to criminally harass and threaten others and commit frauds, scams and organized and violent crimes with little fear of being caught. Canadians need the same protection against criminals that other western democracies enjoy,” stated CACP President Chief Constable Jim Chu.


Previous Canadian governments have introduced lawful access legislation only to have it ‘die on the order paper.’ The CACP is not willing to watch Bill C-30 fall victim to a similar fate. “If we don’t take a strong stance on this issue, Canadians will not appreciate the limitations that constrain law enforcement in the cyber world. Law enforcement continues to be handcuffed by legislation introduced in 1975, the days of the rotary phone. Today we allow new technologies to be used as a safe-haven for serious criminal activity, but are pulling back from using technology to prevent and investigate these serious crimes,” Chu continues.


“If the laws from the 1970s are not modernized, then organized criminals will plan their killings and kidnappings using telecommunications providers who do not build into their systems the technical ability to be monitored for the purpose of gathering evidence. Terrorists will exploit these same gaps. Victims who have been scammed or extorted over the Internet will be told the electronic footprint linking the suspect to the crime has disappeared because the telecommunications provider has no legal obligation to preserve data. If a suspect lures a child using a landline phone, basic subscriber information is available in a phone directory. But predators today don’t use old technology. The parent of a child who has been lured over the Internet will be told that the police search for their child is delayed because a warrant has to be obtained for basic subscriber information.”


"Criminal bullying is extremely concerning to all Canadians, especially the parents of young children, and Bill C-30 also provides new legislation to help police intervene and investigate cyber bullying in their early stages to prevent needless tragedy. The Bill makes it an offence to use telecommunications, including social media and the internet, to injure, alarm and harass others." Canadians need to understand what lawful access is truly about.


The CACP has created a video entitled “Police Confirm Canadians’ Top Five Fears About Lawful Access” which can be viewed at http://youtu.be/ymVqkugH8PU. In addition, to promote informed discussion on this issue, the CACP has prepared a document entitled “Simplifying Lawful Access – Through the Lens of Law Enforcement.” It is available on the CACP website (www.CACP.ca) or directly at http://www.cacp.ca/media/library/download/1243/Final_Simplifying_Lawful_Access_final_english.pdf


The document compares today’s environment to the proposed new legislation, provides answers to ‘frequently asked questions’ and includes a series of case studies describing how law enforcement uses basic subscriber information.


“While the CACP endorses Bill C-30, we would like to make it clear there is one part of the bill that has posed concerns to some and we share that concern. Section 34 is currently worded suggesting that an inspector can search anything, including a Canadian's private information at a telecommunications provider's facility, to verify compliance with the act. It is easy to understand why some might conclude from such wording that inspectors would have unfettered access to Canadians' personal records when doing these inspections. While we realize this is not the intention of this section, this must be clarified.


“We recognize such inspections are required but the wording in Section 34 needs to be changed to assure Canadians that their personal information will never be a part of that inspection.”


The CACP urges our politicians to provide police with modern tools so they can better protect Canadians from harm. Bill C-30 would achieve this. The CACP agrees with the stronger accountability and oversight provisions in C-30 that protect the public against misuse of police intercept powers. The CACP urges Members of Parliament, the media and all Canadians to review the importance of this legislation through the lens of today’s victims of crime, and the frontline law enforcement officers who are trying to prevent and investigate crimes.


The Canadian Association of Chiefs of Police was established in 1905 and represents approximately 1,000 police leaders from across Canada. The Association is dedicated to the support and promotion of efficient law enforcement and to the protection and security of the people of Canada. Through its member police chiefs and other senior police executives, the CACP represents in excess of 90% of the police community in Canada which include federal, First Nations, provincial, regional and municipal, transportation and military police leaders.


I'll have more to say in the near future about the document produced by the CACP, but in the meantime it will be interesting to see if this will have any effect on the toxic bill.

Thursday, October 11, 2012

Canadian internet surveillance bill dying in Parliament

John Ibbitson writes in the Globe & Mail that Bill C-30 isn't just dying, it's pretty well dead.

It hasn't gone to committee, it hasn't gone anywhere. It's just silently decaying on the order paper.

Let me be among the first to throw a shovel of dirt on its grave.

Here's Ibbitson's opinion piece:

John Ibbitson: The quiet death of the Internet surveillance bill - The Globe and Mail:

What Parliament isn’t debating can be as interesting as what it is debating. This fall it emphatically isn’t debating Bill C-30.

That’s because, for all intents and purposes, the Conservatives’ Internet surveillance legislation is dead.

C-30, you will remember, would grant the federal government and law enforcement agencies the power to obtain information about individuals who are online without having to apply for a warrant.

You will also remember that Public Safety Minister Vic Toews endured a world of hurt back in February when he told critics of the bill that they could “either stand with us or with the child pornographers.”

Stung by the widespread opposition, including from the federal and provincial privacy commissioners and from within its own caucus, the Conservative government said it would refer the bill to a committee.

Last May, your correspondent was rebuked by Mr. Toews for writing that the bill was, in reality, “dead in the water.”

“Our government has been very clear, that matter will be referred to a parliamentary committee,” he insisted.

But the five hours of debate needed before the bill could be referred to the committee didn’t happen that May. It didn’t happen in June. It didn’t happen in September, when the House returned from summer recess. October? So far, nada.

When asked when and whether C-30 would come before the House this autumn, Mr. Toews’ spokeswoman, Julie Carmichael, said by email: “Our government is thoroughly reviewing this legislation.

“At all times we will strike an appropriate balance between protecting privacy and giving police the tools they need to do their job,” she wrote.

Which may be another way of saying the Internet surveillance bill is not just dead in the water – it’s at the bottom of the sea.

Nathan Cullen, House Leader for the NDP, says he has asked about the status of C-30 at virtually every one of his weekly meetings with Conservative House Leader Peter Van Loan.

“I always get the exact same answer back, which is a non-answer,” said Mr. Cullen in an interview.

“I don’t know whether it was because the Minister so screwed up the messaging, or whether they’ve had some other input saying they went too far or it just can’t be salvaged,” he speculates.

What isn’t speculation is that the Internet bill has disappeared from the radar – for good, it would appear.

Stephen Harper is likely to have Parliament prorogued this coming winter, in anticipation of a major cabinet shuffle and a throne speech to mark the halfway point in his majority government. With prorogation, C-30 will die on the order paper, unmourned.

A new Public Safety Minister may introduce new lawful access legislation that would require a judicial warrant before anyone could compel an Internet Service Provider to divulge information about a client.

But that’s down the road. What matters is this: If you’re with the child pornographers, or with the privacy commissioners, or with at least some of the Tory caucus, or with the millions of other Canadians who want to limit the power of the federal government to snoop online, you can forget about C-30.

The Tories appear content to leave this political shipwreck alone.

Tuesday, October 02, 2012

Ontario Court of Appeal rules no expectation of privacy in connecting IP address to customer name

The Ontario Court of Appeal has today released its decision in R. v. Ward, 2012 ONCA 660, in which it held that -- in the circumstances of the case -- a customer has no expectation of privacy in his or her customer name and address when the police come armed with an IP address. I haven't had a chance to digest the full decision, but it gets added to the list of cases that permit the police, in certain circumstances, to obtain customer details when they have the IP address of a suspect.

I expect that this will further embolden those who support the resurrection of lawful access legislation before parliament.

Similar to other cases that have found no expectation of privacy in customer name and address information, the Ontario Court of Appeal held that Bell Sympatico had expressly "circumscribed" its customer's expectation of privacy:

[100] Setting aside the contractual terms for the moment, I think the “reasonable and informed person” identified by Binnie J. in Patrick, at para. 14, would view a customer’s reasonable expectation of privacy in his or her subscriber information to be circumscribed by the service provider’s discretion to disclose that information to the police where it was both reasonable to do so and a PIPEDA compliant request for disclosure had been made by the police.

Tuesday, September 18, 2012

Guest post: A police officer's take on informational privacy and the police in the digital age

Warren Bulmer is a detective constable with the Toronto Police and an instructor on Computer and Technology Facilitated Crime for the Toronto Police College. Recently, Warren has written comments on some of the posts about lawful access on this blog that show a perspective on the issue that differs from what I usually write. I invited Warren to write a guest post as it would be helpful for readers of this blog and those interested in the lawful access debate to hear things from his perspective.


Informational Privacy and the Police in the Digital Age

Background

In the past 12 months there has been much attention paid to the issue of “lawful access” and what information police can obtain about your digital trail.  Unfortunately, many of those who write online posts, blogs and communications seem to misunderstand or in some cases grossly mischaracterize such issues.  

Let’s leave aside for a moment the issues of Internet users who post public information to social networks without any privacy settings. The reason: the police and any other citizen can access that information and use it for any purpose, thereby making any subsequent claim to an expectation of privacy absurd. Having said that, one must understand that if the police intend on using that information in a criminal prosecution, they must account for how it was obtained and for their authority to obtain it.

The police have many authorities that govern how they obtain information, which can be with or without a search warrant.  The most common authorities come from Statutes both Federal, like the Criminal Code and Provincial, like the Highway Traffic Act.  Police are also governed by common law, which is derived from the decisions made at various levels of Canadian courts.

The Charter of Rights and Freedoms Section 8 protects citizens against “unreasonable search and seizure” and the key term is “unreasonable”.  In a Supreme Court of Canada decision Hunter v. Southam, [1984] 2 S.C.R. 145 the court outlined that a search (by the State) without prior judicial authorization (i.e. a warrant) is presumed to be unreasonable.  The State has to justify or explain why a search is reasonable if they didn’t have a warrant.  There are also six exceptions written into law where the police are exempt from having to obtain a warrant.  They are consent, abandonment, incident to arrest, investigative detention, exigent circumstances and plain view.  

Informational Privacy

We are all given a name at birth.  Our name identifies us and distinguishes us from each other.  We provide our name to others to connect and address one another.  We have all given our name in various contexts hundreds if not thousands of times and it is safe to say that it is the purpose for our name.  Many of us wear our names on ID cards as we walk around in the public domain yet somehow it is expected that when we use the Internet our name becomes this secret entity hidden behind screens and wires.  

The Internet encourages people to believe that they are completely anonymous online; however, when carefully deconstructed one can see that technology has made us more vulnerable than ever. Every device we use creates a digital record, every time we go to the mall we are captured on dozens of high definition security cameras, and when we use an ATM the entire transaction is captured. When you use the Internet there can be a digital trail that when followed could lead back to you.

As an Internet user you require an Internet Service Provider or Telecommunications company to facilitate that access.  ISPs are private companies like Bell Canada, or Rogers Communications and their business model requires the ability to maintain customer databases for their Internet subscribers for the purposes of billing.  These databases contain information such as your name, address, phone number, email address and credit card or banking information.  The ISPs are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) which legislates the collection, use and disclosure of your personal information by private companies. The Police have no authority to search under PIPEDA.

The ISP provides the mechanism to connect to the Internet by assigning a user an Internet Protocol (IP) address.  This unique number is assigned to the customer (subscriber) and is logged with a date and time reference as to when it was used and by whom.  This is the central issue in the whole “lawful access” debate.  

Your name, which is generally not entitled to Charter protection, is now attached to an IP address which proponents argue means that it should attract Section 8 protection. Their argument is basically derived from the belief that if the police have your name associated to an IP address, they therefore can construct a complete picture of your “electronic trails” on the Internet.  This concept is not technically possible despite the so-called “wishes” of the police.  One of many parameters is that IP addresses are dynamic and constantly change between customers.  A computer must be physically examined to learn of those electronic trails or traces.

PIPEDA supports the notion that an ISP may voluntarily provide police with customer name and address information when asked without the knowledge or consent of the customer. These provisions are provided for in 7(3) of the Act. If the ISP does not decide to disclose the information which by the way is only a name, address and email address then the police would have to seek judicial authorization to obtain it. For example, in child exploitation cases many ISPs will voluntarily disclose the names and addresses of customers who may be involved in offences involving child pornography or child luring. In fraud cases for example, ISPs have refused to voluntarily provide this information and directed police to obtain a court order for it. In this circumstance, the information remains the same and all that is accomplished is the police, the victim and the justice system as a whole, suffer unnecessary delay.

PIPEDA does not grant the police any powers or authority and neither does the newly proposed lawful access Bill C-30 (Preventing Criminal Electronic Communications Act). Equally, however, PIPEDA also does not grant citizens an extraordinary Section 8 Charter protection. The crux of this debate is the misrepresentation of “personal information”. Section 2 of PIPEDA defines personal information as “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization”. Section 3 of PIPEDA is the stated purpose of the Act: “The purpose of this Part is to establish, in an era in which technology increasingly facilitates the circulation and exchange of information, rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.”

Herein lies the fundamental flaw in the argument that customer names subscribed to an Internet Service attract Section 8 protection. The definition provided in PIPEDA of “personal information” is completely different than the constitutional definition provided for in Section 8 of the Charter. In 1993, the Supreme Court of Canada determined what information is subject to Section 8 protection in a case called Plant (R. v. Plant, 1993 CanLII 70 (SCC), [1993] 3 SCR 281) stating the following: “In fostering the underlying values of dignity, integrity and autonomy, it is fitting that s. 8 of the Charter should seek to protect a biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state. This would include information which tends to reveal intimate details of the lifestyle and personal choices of the individual.”

It becomes clear then that PIPEDA cannot be used to solely determine if there was a valid breach under Section 8 of the Charter.  It requires an analysis in the totality of the circumstances.  This approach was confirmed by the Nova Scotia Court of Appeal in Chehil (R. v. Chehil, 2009 NSCA 111).  The Supreme Court provided the same criteria back in 1996 in Edwards (R. v. Edwards, [1996] 1 SCR 128) using a list of factors to potentially be considered in evaluating but not limiting the totality approach.  They can be found at paragraph 45 of the judgement.

The police don’t seek customer names or IP address subscribers under PIPEDA.  Their authority to ask for the information voluntarily comes from Section 487.014(1) of the Criminal Code which makes it clear that production orders (prior judicial authorization) are not necessary for a peace officer or public officer enforcing or administering this or any other Act of Parliament from asking a person to voluntarily provide to the officer documents, data or information that the person is not prohibited by law from disclosing.

In 2004, the Supreme Court of Canada stated in Tessling (R. v. Tessling, [2004] 3 S.C.R. 432) at paragraph 26, “Nevertheless, Plant clearly establishes that not all information an individual may wish to keep confidential necessarily enjoys s. 8 protection”.

Section 8 of the Charter does cover Informational Privacy and when assessing the facts on each case the Courts have evaluated a number of factors. Included in these decisions is the relationship between the ISP and the customer usually disclosed in the form of a contract. Most ISPs have conditions or terms of use that a customer must agree to in order to use the Service. These terms are typically phrased similarly to: “The client is warned that they must not use the service in a manner contrary to an applicable law” or “the client “agrees” that the named ISP has the right to monitor or investigate the use by the client of the network and to disclose any information necessary to satisfy any laws … or other governmental request … as necessary”. These contractual terms fall under the analysis of the totality of circumstances when evaluating an objective or subjective expectation of privacy enjoyed by the customer.

The argument over whether or not a name and address associated to an IP address deserves Section 8 protection is not a new one.  In fact, to the contrary, it has been litigated in numerous cases across Canada.  Here are just some of those case citations where no expectation of privacy was found in a name and address of an individual:

R. v. Wilson, [2009] O.J. No. 1067 (S.C.)

R. v. Ward, [2008] O.J. No. 3116 (C.J.)

R. v. Friers, [2009] O.J. No. 5646 (C.J.)

R. v. Trapp, [2009] S.J. No. 32 (Prov. Ct.)

R. v. Vasic, [2009] O.J. No. 685 (S.C.)

R. v. Spencer, [2009] SKQB No. 31

R. v. Ewanshyn, [2009] unreported AltaCA

R. v. Brown, [2000] O.J. No. 1177 (S.C.)

R. v. Lillico (1994), 92 C.C.C. (3d) 90 (Ont. C.A.)

R. v. McNeice, [2010] B.C.J. No. 2131 (B.C.S.C.)

R v. McGarvie, 2009 CarswellOnt 500 (Ct. Jus.)

To be fair, many of these cases relied heavily on the contractual terms and agreements between the customer and their ISP but some did find no expectation of privacy regardless of those terms. There are a few decisions in the lower level courts that did rule in favour of a Section 8 protection of CNA such as Kwok (R. v. Kwok, [2008] O.J. No. 2414 (C.J.)) but there was no information about the contractual relationship entered into evidence. So it is not that we keep score but it is fair to say that there is a significant amount of cases that after careful judicial analysis, declare there is no constitutional protection afforded to a person’s name. To argue differently implies there has been a large number of trial Judges who got it wrong.

To put things into context on informational privacy, the police do not need a warrant to type the licence plate of a car into their computer system to learn the name and address of the registered owner.  The police do not need a warrant to get the registered name and address of a cellular or residential phone number.  Many of these items of personal description do not meet the threshold of a subjective expectation of privacy due to the lack of an objective reasonableness in that belief.  We are talking about one of the least intrusive searches the police can engage in.  There is no physical search by police through the Bell Canada servers and despite what you have heard no spying of a person’s Internet browsing.  

Reality Check

According to 2011 Internet Statistics, there were over 3.1 billion email accounts globally. Does anyone realistically think the police have the time or resources to sneak a peek or read the trillions of messages exchanged? There are over 17 million Canadians on Facebook, each with an average friends list of 150 friends. In 2010, there were 25 billion tweets sent out on Twitter. In February 2012, police announced the takedown of 60 individuals involved in child pornography offences and revealed that the overall investigation involved 9000 IP addresses and several hundred suspects who will go unprosecuted.

In all of these electronic “cybernetic peregrinations”, to quote the Supreme Court of Canada in Morelli (R. v. Morelli, 2010 SCC 8), the police have to obtain IP logs and customers associated to this data if commencing a criminal investigation in relation to them. When police require this information and it is not voluntarily supplied by the ISP for whatever reason, they have to seek a court order called a Production Order. Section 487.012 of the Criminal Code is the authority police have to do this. Most companies require a minimum of 30 days to comply with this order. If it is an emergency, that being imminent loss of life or grievous bodily harm, most ISPs have an emergency form that the police can use. The determination of what constitutes an emergency is not necessarily made by the police but ultimately by the ISP. It still reverts back to what was written earlier: the police can ask and the ISP can say “yes or no”.

A great example of this impasse is the recent situation in New York. The NYPD had information a person was going to attend a Mike Tyson show at a particular theatre and commit mass murder. He posted it on Twitter and when the NYPD served Twitter with an emergency request to identify this person, Twitter refused and stated it wasn’t a bona fide emergency. Twitter forced the NYPD to obtain a court order, which took valuable time and resources. Read more about this case here. What’s troubling is Twitter’s position in light of the fact it occurred shortly after the 2 mass shooting sprees in Colorado and Wisconsin. Had the suspect actually shown up at the theatre and shot people before police could have arrested him, who would have taken the brunt of the blame? The police? I am curious to know what the people attending the theatre show that night thought. I mean, the police took the threat seriously; what more could they have done? Where is the public bashing for Twitter?

Lawful Access

The proposed Bill C-30 by the Federal Government announced in February this year is an attempt to alleviate some of these concerns.  In the above scenario, if in Canada, Twitter would have no choice but to provide the name.  The proposed Bill would change the voluntary discretion of an ISP to provide a name and address to the Police, by making it mandatory.  (Section 16(1) of the Investigating and Preventing Criminal Electronic Communications Act).

The Bill is certainly not without its flaws, but no piece of legislation is perfect.  What’s important is that public safety and the pursuit of criminals is paramount and the legislation or something like it is necessary to achieve these basic police functions.  The justice system cannot continue to stall for 30, 60 or 90 days because a private company determines how the police are to conduct a criminal investigation.  The criteria the police require to ask for the information remains the same as it is now.  It remains a lawful request, which the police are accountable for and will be scrutinized if they abuse this authority.  Their authority also remains unchanged in that the request has to be based on their existing mandates and authorities.  The Bill does not guarantee against an abuse of process or investigative errors but neither does the system we have now.

On a positive note, the Bill mandates tracking, recording and other administrative oversights of the police use of lawful requests. This is not currently done or even mandated under PIPEDA. The police and the public have no way of knowing how many times we have asked for someone’s information because we aren’t keeping track. This is unacceptable; the police should be accountable for such requests and the public should be able to demand through the freedom of information process how often the police make these types of requests. The public may not be able to learn the details for each one because of confidentiality, ongoing investigations or a court ordered prohibition, but at the very least the public should know how often these requests are made.

Wrap up

I share the same concerns as many people about how the Internet, particularly social networks, is creating a database of epic proportions. But in fairness, as a user, are you not responsible for the content you choose to share? I would be more worried about what the Facebooks, the Googles and the Apples of the world are collecting about me than the police. If you are a law-abiding citizen and don’t use the Internet to facilitate, perpetrate or associate with criminal activity, then you don’t really exist for the police.

There are times when victims are caught up in these situations where their Internet activity becomes a relevant issue, but overall “Joe-q-public” has nothing to fear. If you are a criminal and you choose to involve the Internet in your life, be warned. The police are there; they are getting better at finding you in the anonymous World Wide Web with or without a warrant and you should be concerned. The courts generally see the Internet for what it is: a public domain, and if you choose to incriminate yourself while using technology, you have nobody to blame but yourself.

Warren Bulmer

Detective Constable (1406)

Toronto Police Service

Instructor – Computer and Technology Facilitated Crime

Toronto Police College - Criminal Investigation Section

416-808-4882 (direct)

warren.bulmer@torontopolice.on.ca 

Author’s Bio

Detective Constable Warren Bulmer has been a member of the Toronto Police Service since 1990. Detective Constable Bulmer’s policing career has been predominantly spent within the field of criminal investigation, including a total of 11 years assigned to Major Crime and the Child Exploitation Section of the Sex Crimes Unit. Detective Constable Bulmer continues to be an International instructor in the area of computer-facilitated crime, having lectured over 2500 Police and Prosecutors in 11 different countries to date. Detective Constable Bulmer has taught at the Canadian Police College and the Ontario Police College, where he still teaches on a part time basis. From 2005 to 2009 he was a qualified Computer Forensic Examiner and has testified in court as an expert in various capacities relating to digital evidence. For the past 3 years, Detective Constable Bulmer has specialized in the area of Social Networks and is called upon by Police all over Canada to teach how law enforcement can balance the right to investigate with the protections afforded to citizens under the Charter. As a member of the Toronto Police College for the past 3 years, Detective Constable Bulmer continues to instruct on conducting computer and Internet investigations, the lawful search and seizure of electronic devices as well as the identification, categorization and management of digital evidence.

Warren is a published writer of many articles and a contributing author to a book entitled “Evidence and Investigation: From the Crime Scene to the Courtroom” by Emond Montgomery Publications. http://www.emp.ca/evidence-and-investigation-from-the-crime-scene-to-the-courtroom.html

 

Article References

  1. Case law citations as provided
  2. http://royal.pingdom.com/2012/01/17/internet-2011-in-numbers/ 
  3. R v. David WARD Ontario Court of Appeal, 2012, Court file #C50206, Respondent’s (MINISTRY OF THE ATTORNEY GENERAL) Factum
  4. Criminal Code of Canada http://laws-lois.justice.gc.ca/eng/acts/C-46/ 
  5. PIPEDA (Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5)) http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html
  6. Bill C-30 (Investigating and Preventing Criminal Electronic Communications Act) http://www.parl.gc.ca/HousePublications/Publication.aspx?Docid=5380965&file=4