Canadian Privacy Law Blog

White paper compares government access to cloud data in ten jurisdictions

2012-05-26T20:35:00.001-03:00

In the last week, law firm Hogan Lovells released a very interesting white paper on government access to cloud data across ten jurisdictions, mainly focused on debunking many of the myths associated with the USA Patriot Act. The white paper was released in association with a Round Table on Government Access to Data with European policy makers at the Openforum Academy.

More information is available at the Hogan Lovells Chronicle of Data Protection: Hogan Lovells White Paper on Governmental Access to Data in the Cloud Debunks Faulty Assumption That US Access is Unique : HL Chronicle of Data Protection.

Here's the white paper: A Global Reality: Governmental Access to Data in the Cloud -- A comparative analysis of ten international jurisdictions.

Globe & Mail: Lawful Access bill should be sent back to the drawing board

2012-05-15T08:28:00.000-03:00

John Ibbitson's column in the Globe & Mail suggests that Bill C-30 should be sent back to the drawing board since it will never be passed in its present (comatose) state. Once re-drafted from scratch, it should be introduced by a different minister because of the way Vic Toews mishandled it the first time:

Tory law-and-order agenda meets its match online - The Globe and Mail
The Internet surveillance legislation sponsored by Public Safety Minister Vic Toews has disappeared down a dark legislative hole. For all intents and purposes, the bill is dead.
If the Harper government still wants to pass a law that would make it easier for police to track people who use the web to commit crimes, it will have to start from scratch.
That new bill, if there is one, will probably be shepherded by a different minister. That’s how much damage this botched legislation inflicted on the government and on Mr. Toews.
Bill C-30, also known as the lawful access legislation, would allow police to compel Internet service providers to cough up identifying information about anyone using the Internet.
The authorities would not be able to track a person’s activity on the web without a warrant. But they could find out whose name is attached to an IP address without that warrant, and without the person’s knowledge or consent, which is why both the federal and provincial privacy commissioners strongly objected to the bill as an unjustified violation of privacy rights.
Many Tory MPs are also said to be unhappy with the bill. They wonder why the government would abolish both the mandatory long-form census and the long-gun firearms registry in the name of privacy rights, and then violate those same rights with a bill that lets the government snoop on people who go online.
Mr. Toews responded to the criticism by declaring critics “can either stand with us or with the child pornographers.” This was fatal. As the Public Safety Minister reeled from online attacks – including from a Liberal staffer who tweeted the details of his divorce – the government hastily retreated, declaring the bill needed further study.
What has happened since? Nothing. And that nothing is everything.
Normally, after a bill receives first reading, debate begins on second reading, which is approval in principle. Once the bill passes second reading, it goes to a committee, where only minor amendments are permitted before the bill returns for third and final reading.
Instead of this usual route, House Leader Peter Van Loan decided to send C-30 to the public safety committee first, where it is supposed to be extensively revised, before returning to the House for second and third reading.
But before any of that can happen, the rules state that the House must debate the motion to send the bill to committee. That debate must last at least five hours – in effect, one sitting day.
But that debate hasn’t happened. And sources report that it won’t happen before the House rises for summer recess. That makes C-30 dead in the water.
Of course, the Conservatives could decide to send C-30 it to the public safety committee in the autumn. But it would take months to rewrite the bill, and then weeks to get it through second and third reading, before the bill went to the Senate for further study.
Long before then, Stephen Harper is expected to prorogue Parliament in preparation for a new Throne Speech. With that prorogation, Bill C-30 will quietly expire.
Before proroguing the House, Mr. Harper is expected to shuffle his cabinet. Public Safety is near the top of the list of portfolios in need of a fresh face. A new minister will have the job of putting together a new lawful-access bill, one that doesn’t unite opposition parties, privacy commissioners and the Tory caucus.
To assuage these concerns, the new bill will have to restrict the right of police to acquire any information about someone’s online identity without first obtaining a judicial warrant.
“If they truly removed the warrantless access provisions of the bill, across the board, then we would be delighted to sit with the government and work with them on additional amendments that we would still be seeking, but that would be doable,” said Ann Cavoukian, Ontario’s Information and Privacy Commissioner, in an interview.
But C-30 in its present form will never become law. The Conservatives’ law-and-order agenda has finally had a comeuppance. It was delivered by everyone who wants to be left alone online.

Cloud Computing and the Patriot Act: A Red Herring?

2012-05-11T17:23:00.001-03:00

The 2012 International Association of Privacy Professionals Canada Symposium has just wrapped up. I had the pleasure of giving a presentation on cloud computing and the USA PATRIOT Act with Lindsey Finch, the Senior Global Privacy Counsel with salesforce.com. Our presentation is here:

Cloud Computing and the Patriot Act: A Red Herring?
Cloud computing is revolutionizing the information technology industry by providing cost savings, flexibility and innovation. But many Canadian companies are concerned that use of cloud computing services may cause them to violate Canadian privacy laws, particularly because of potential non-Canadian government access to data stored in the cloud. Join our expert panel as they address persistent Canadian myths regarding cloud computing and privacy, discuss how cloud computing services can be used in compliance with Canadian privacy laws and the real impact of the Patriot Act, and provide tips to use during RFP cycles and contractual negotiations.
Lindsey Finch, CIPP/US, Senior Global Privacy Counsel, salesforce.com
David T.S. Fraser, Partner, McInnes Cooper, Halifax

What you’ll take away:
Learn how to manage privacy risk and legal compliance in cloud computing decisions, including both public and private sector privacy laws
Understand the similarities and differences between U.S. and Canadian government powers to access data in the course of a terrorism investigation and how the two governments share data to assist each other in such investigations
Learn when Canadian privacy law permits the transfer of personal information outside of country for processing purposes
Leave with a checklist, based on established best practices, to facilitate decisions about moving information to the cloud and a checklist to use in a RFP or contract with a cloud provider

Most of the other conference presentations are here.

Privacy icons a la creative commons

2012-05-08T11:22:00.001-03:00

A group of law students have put together a scheme of icons to describe in a succinct way a website's privacy practices (much like the creative commons icons), so you'll know at a glance what to expect. Check it out: Privacy Simplified.

One big problem, however, is that they are binary (yes/no). For example, there is no "not applicable" option if, for example, the website does not collect user data.

Interesting nonetheless.

Alberta Court of Appeal finds applying provincial privacy law to picket-line activities unconstitutional

2012-05-07T13:59:00.001-03:00

You may recall in September of last year when the Alberta Court of Queen's Bench declared portions of the province's Personal Information Protection Act to be unconstitutional (See: Alberta court declares portions of provincial privacy law unconstitutional). As expected, the case was appealed and the Court of Appeal has just recently handed down its decision. In United Food and Commercial Workers, Local 401 v Alberta (Attorney General), 2012 ABCA 130, the Court of Appeal upheld the decision of the Court of Queen's Bench.

The Court of Queen's Bench had found that the exception in the Act for journalistic collection was too narrowly drafted, as it required that the collection of personal information be for journalistic purposes and for no other purposes. This was an unreasonable restriction; if the collection were, in part, for journalistic purposes, then the Act should not restrict or regulate it. The Court of Appeal, in contrast, concluded that the purposes were not really journalistic, but were nevertheless constitutionally protected freedom of expression.

[58] The Act contains no general exemption for forms of expression that are constitutionally protected. To the extent that the exemptions in the Act are not sufficient to permit the type of collection and use of information engaged in by the union, its constitutionality should be analyzed directly, not indirectly through an artificial screen of journalistic purposes. Whether the restrictions on the union’s expression are demonstrably justified in a free and democratic society should not be based on the premise that a journalistic purpose was involved. The issue is whether it is justifiable to restrain expression in support of labour relations and collective bargaining activities such as existed here.
[59] In summary, it is not helpful to analyze this situation as “journalism”. Not every piece of information posted on the Internet qualifies. If the union wished to publish information about the activities on the picket line in a newspaper or on television, that would likely qualify as journalism. But that need not be decided here, because that is not what the complaints were about.

The collection of information at a picketline is inherently expressive and is limited by the Act:

[67] It is clear that there are many aspects of the Adjudicator’s order that had a direct impact on the right of the union to free expression:
Newsletters and strike leaflets are entirely expressive; preventing the use of the images in them was a serious infringement on free expression;
Spreading news of the existence of the strike, and attempting to dissuade people from entering the casino are essentially expressive activities;
The use of the vice president’s image was also expressive. Satire has always been a powerful form of persuasion;
Education of union members, and providing information to other unions is expressive at its core.

Dissuading people from crossing the picket line, enhancing morale of the strikers, deterring violence and threats, and achieving a favourable end to the strike are all legitimate purposes supported by the right to free expression. Persuading people to think or act in a certain way is a direct purpose of free expression.
[72] The union has established a prima facie breach of its s. 2 Charter rights. Are the provisions of the Act demonstrably justified in a free and democratic society? Is the Adjudicator’s decision unreasonable because its effect on the union’s expressive rights is disproportional? To paraphrase Doré at para. 66, the appellant must demonstrate that the Adjudicator’s decision gave due regard to the importance of the expressive rights at issue, both in light of the union’s right to expression and the public’s interest in open discussion.

In order to determine if the infringement of the freedom guaranteed in s. 2 of the Charter is justified, the Court carried out the traditional Oakes test and found the legislation wanting in the proportionality branch of the test:

[77] There is, however, a problem relating to proportionality. The constitutional problems with the Act arise because of its breadth. It does not appear to have been drafted in a manner that is adequately sensitive to protected Charter rights. There are a number of aspects to the over-breadth of the Act:
It covers all personal information of any kind, and provides no functional definition of that term. (The definition of “personal information” as “information about an identifiable individual” is essentially circular.) The Commissioner has not to date narrowed the definition in his interpretation of the Act in order to make it compliant with Charter values.
The Act contains no general exception for information that is personal, but not at all private. For example, the comparative statutes in some provinces exempt activity that occurs in some public places.
The definition of “publicly available information” is artificially narrow.
There is no general exemption for information collected and used for free expression.
There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses.

This appeal clearly demonstrates the impact that the Act can have on protected rights. The legitimate right of the union to express itself and communicate about the strike and its economic objectives have been directly impacted by the Adjudicator’s order. The appellant has not demonstrated why this heavy handed approach to privacy is necessary, given the impact it has on expressive rights.

The result is that the Court declared the application of the Act to the union's constitutionally protected activities was unconstitutional.

This case will almost undoubtedly be appealed to the Supreme Court of Canada. Stay tuned.

It's also notable that the decision contains the following observation, quoted above but worth restating: "There is no exemption allowing organizations to reasonably use personal information that is reasonably required in the legitimate operation of their businesses." This statement was not necessary for the determination of the case under appeal, but potentially has significant consequences for the future.

FBI seeking wiretap-ready internet, like Canada

2012-05-04T18:11:00.001-03:00

There's a lot of buzz around the internet on the FBI's quiet effort to have the Communications Assistance to Law Enforocement Act expanded beyond traditional telcos to include anyone who provides communications services online. (See: FBI: We need wiretap-ready Web sites -- now.)

If this sounds oddly familiar to Canadians, it should. While most of the buzz about Bill C-30 was connected to warrantless access to subscriber information, a large part of the Bill requires any teleecommunications service provider to provide real-time, simultaneous access to transmissions. What's under-reported is the incredibly expansive definition of "telecommunications service provider", which depends on other definitions as well:

“telecommunications facility” means any facility, apparatus or other thing that is used for telecommunications or for any operation directly connected with telecommunications.
“telecommunications service” means a service, or a feature of a service, that is provided by means of telecommunications facilities, whether the provider owns, leases or has any other interest in or right respecting the telecommunications facilities and any related equipment used to provide the service.
“telecommunications service provider” means a person that, independently or as part of a group or association, provides telecommunications services.

This definition, though convoluted, is pretty broad and goes well beyond what many would consider to be traditional telcos.

So before you look south of the border and sneer about the FBI's latest initiative, look toward Ottawa as well.

Alberta Commissioner faults Calgary police employee for logging into colleague's personal e-mail account

2012-04-30T17:17:00.002-03:00

The Office of the Information and Privacy Commissioner of Alberta has found that a civilian employee violated the province's public sector privacy law by logging into a police service employee's personal e-mail account.

Here's a summary of ORDER F2012-07 [PDF], made against the Calgary Police Service:

Summary: The Complainant was a civilian employee with the Calgary Police Service (“Public Body”). In March 2010, the Public Body’s HR consultant was informed by the Complainant’s manager that several of the Complainant’s coworkers had made allegations about the Complainant’s behavior at work, including allegations of inappropriate sexual conduct.
The Public Body began to monitor the Complainant’s computer activities, as well as reviewing her past work email activity. While reviewing her work email, the IT Security Manager (“IT Manager”) found a personal email that the Complainant had sent to a family member, which included the login ID and password information for the Complainant’s personal web-based email account. The IT Manager used this information to access the Complainant’s personal email account and found photographs of a sexual nature, which appeared to have been taken on the Public Body’s premises. The IT Manager copied these photographs, and provided them to the Complainant’s manager and the HR consultant. These photographs were used in the Public Body’s decision to terminate the Complainant’s employment, and were also used by the Public Body during the subsequent grievance process.
The Complainant made a complaint to this office, stating that the Public Body collected, used, and disclosed her personal information in contravention of Part 2 of the Freedom of Information and Protection of Privacy Act (“FOIP Act”). Specifically, the Complainant objected to the Public Body accessing her personal email account, and the subsequent collection, use, and disclosure of photographs found by the Public Body in that email account.
The Public Body argued that the collection of the Complainant’s personal information occurred during the course of investigating the allegations of workplace misconduct against the Complainant, and that the subsequent use and disclosure of the photographs found in the Complainant’s personal email account were for the same purpose as they were collected.
The Adjudicator found that the Public Body collected the Complainant’s login ID and password to her personal email account in the course of reviewing the Complainant’s work email, to which the Complainant did not object. However, Adjudicator found that the use of the Complainant’s personal email login ID to access the Complainant’s personal email was not for the purpose of employee management, since the IT Manager had not been requested to monitor the Complainant’s personal email, rather only her work email. There was also no evidence of wrongdoing that would justify accessing a personal email account. The Adjudicator also noted that even were the use of the Complainant’s personal information for the purpose of the workplace investigation, a Public Body may only use personal information to the extent necessary to carry out its purposes in a reasonable manner; logging in to the Complainant’s personal web-based email account was exceptionally invasive, and patently unreasonable in the circumstances.
The Adjudicator found that the collection of the photographs from the Complainant’s personal email account could not be considered separately from the fact that they were collected from the Complainant’s personal email account. Because the photographs, even if relevant to the workplace investigation, were found as a result of an unauthorized use of personal information, their collection and subsequent use could not be justified as “necessary” for the purpose of the Public Body’s investigation.
The Adjudicator determined that the Complainant’s personal information was not disclosed to, but rather used by, various employees of the Public Body. The Adjudicator had already determined that the use was not authorized under the Act, but found that even if the personal information had been disclosed to the employees, the disclosure would not have been authorized, for similar reasons.

CSIS oversight and accountability to be slashed to save $1M

2012-04-27T10:04:00.001-03:00

One of the arguments made in favour of Bill C-30 by the government when it was introduced was that it had accountability: Internal audits and a veneer of oversight by the Office of the Privacy Commissioner of Canada. Accountability is key.

Now, it is being reported that the federal government is eliminating the position of Inspector General of the Canadian Security Intelligence Services. (See: CSIS watchdog to be cut in budget - Politics - CBC News). It's hard to believe that the government is committed to oversight and accountability in the use of incredibly intrusive powers when steps such as these are taken.

What's worse is that it is being done for fiscal reasons and will only save $1,000,000. If you ask me, that's a million dollars well spent.

RIM reportedly gives Indian government access to full range of BlackBerry messages

2012-04-08T09:17:00.000-03:00

The Toronto Star is reporting that RIM has agreed to provide the Indian Government with access to the full range of Blackberry communications (RIM gives India access to BlackBerry messages - thestar.com). The article this is based on (http://indiatoday.intoday.in/story/govt-to-tap-blackberry-messenger-security-privacy/1/183403.html) suggests that the Indian Government has been given some sort of backdoor into Blackberry Enterprise Servers, which is something that RIM has staunchly refused to do until now.

If this is true, the era in which Blackberry was the ultra-secure communications platform is over.

This also shows that what was once Blackberry's main strength is also its greatest weakness. Blackberry is a system and RIM controls everything, from the device to the servers. If they compromise one aspect of it, the whole system is compromised. On my Android phone, on the other hand, I can configure just about anything, including what VPN to use and what communications apps to run.

House committee looking to require telcos and device manufacturers to decrypt communications

2012-04-03T07:27:00.001-03:00

Bill C-30, with warrantless access to subscriber data and real-time internet monitoring, is the tip of the iceberg if the recommendations of the House Committee on Justice and Human Rights are followed. In a report just issued, The State of Organized Crime [PDF], the committee recommends changes to the law to require telcos to provide access to unencrypted communications:

RECOMMENDATION
The Committee recommends that the Government of Canada pursue legislation requiring telecommunications service providers and telecommunications device manufacturers to build the ability to intercept telecommunications into their equipment and networks.
RECOMMENDATION
The Committee recommends that the Government of Canada introduce legislation requiring telecommunications service providers and telecommunications device manufacturers to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard.

From the Motreal Gazette:

Proposal would force telecoms to decrypt messages
Telecommunications companies would be forced to decrypt messages for law-enforcement agencies if the federal government legislates recommendations outlined in a report by a House standing committee.
"Law-enforcement agencies are way behind, or have been way behind, in the ability to deal with the new modes of communications," said Conservative MP Dave MacKenzie, chair of the House standing committee on justice and human rights.
The report, the State of Organized Crime, states that although telecommunications can be intercepted, the service providers don't always release standardized information to law-enforcement agencies.
The committee argues that federal legislation could address this lack of standards by furthering ideas found in Bill C-30, the online surveillance bill.
"When you're dealing with organized crime, they're very well-funded and wellorganized .... They move communications abilities around in different ways: passing cellphones around is just the very beginning," said MacKenzie.
NDP MP Jack Harris added: "There has to be some sort of modernization of the law with respect to surveillance. We've got laws with respect to telephone surveillance and some of those laws should apply to use of other electronic devices, whether they be cellphones, emails and things like that."
The committee wants federal legislation requiring both telecommunications service providers and their manufacturers "to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard."
Under the committee's plan, all telecommunications companies would have to have access to decryption techniques or tools - something that wasn't provided for in Bill C-30.
Bill C-30 would require service providers to have the ability to intercept communications on their networks and to provide this information in the form specified by law enforcement.
Typically, law enforcement would want encrypted data decrypted to facilitate use of the information gathered.
Encryption is often used by organizations - both lawful and criminal - to protect the transmission of sensitive and private information.
As it stands, some service providers do not have the tools or techniques to decrypt these communications, exempting them from the requirement to provide decrypted information to police.
Although Harris said he believes that surveillance methods need to be updated, he has doubts about making decryption abilities mandatory.
"It certainly may be impractical and perhaps technologically infeasible," he said.
Telecommunication companies seemed to share that worry.
"Our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost," said Bell Canada spokesperson Jacqueline Michelis.
Should the recommendation become legislated, telecommunications manufacturers also would be affected.

Updated (April 4, 2012) - Apparently the article has been removed from the Gazette, Vancouver Sun and other PostMedia sites ...

Michael Geist adds:

The report includes a dissenting opinion from the NDP on the lawful access recommendations. There does not appear to be a similar dissent from the Liberals, who were represented on the committee by Irwin Cotler. Postmedia covered the release of the report but the article is no longer available on its media sites. The article included specific comments from Bell that suggest its primary concern associated with these demands boils down to questions of who will bear the costs. A company spokesperson stated "our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost." That is a troubling position for many Canadians who rightly expect their telecom companies to also be concerned with the privacy of their customers. After the outcry in February over Bill C-30, many also expected the government to be open to change on lawful access, yet this report suggests that the changes may not be what many were anticipating.

Some suggestions to fix the lawful access bill

2012-02-21T09:11:00.001-04:00

There are many, many problems with the warrantless access to customer data in Bill C-30, known as the lawful access bill. The main problem pointed to by the proponents of the Bill is that it takes too long to get a warrant that requires an internet service provider to hand over customer name and address information that corresponds with an IP address. If that is really the problem they are trying to address, it would be best to address it by making the warrant-seeking process more efficient and limit warrantless requests to circumstances where there is a real emergency.

Since the government has suggested it is open to amending the Bill, it doesn’t sound like they are amenable to throwing it out and fixing the warrant process. In hopes of adding to the discussion on what’s wrong with the Bill and how it can be fixed, below I’ve set out some of the major problems and how they can be fixed in a way that restores the protection of privacy while permitting law enforcement to investigate serious crimes.

I don’t expect these are the only solutions, but will hopefully start a discussion on how to fix lawful access.

There is no limitation on the circumstances under what these powers can be used.

Problem: As drafted, there is no limitation under which these powers can be used. They can be used for child exploitation investigations or serious crime, but can also be used without any justification or to reunite someone with their lost iPhone.

Solution: Limit the use of these powers to (a) the investigation of serious crimes only under the Criminal Code, the Narcotics Control Act, the Canadian Security Intelligence Service Act and the National Defence Act where there are reasonable and probable grounds to believe that the information is necessary for the investigation of a crime that has occurred or is likely to occur, or (b) where the subscriber about whom the information relates is reasonably believed to be a victim of the crime or whose life or safety is in imminent jeopardy, and the victim’s identity is unknown.

(If lost iPhones are a serious problem that require police intervention, require the police to hand them them to the telco and require the telcos to reunite them with their heartbroken owners.)
There is no accountability to the justice system.

Problem: The requesting officer is not required to justify the request and to be accountable to the wider justice system. Under a warrants-based system, an affidavit is required and it needs to be filed with the courts.

Solution: Require that the requesting officer swear an affidavit, under oath, articulating the circumstances described above and the basis for this belief. The affidavit shall be filed with the superior court of the relevant jurisdiction. This affidavit can be filed after the fact in exigent circumstances. This affidavit should be counter-signed by an officer of superior rank to the requesting officer or a senior crown attorney, who will also swear that she is of the view that the facts set out by the officer form the basis for a lawful request.
There is no accountability to the individual if charges do not result.

Problem: The individual whose information is sought will likely never know that this information was sought and obtained unless it comes out in open court after charges have been laid. In the current draft C-30, there is actually a gag order that prevents the ISP from telling the individual even if asked.

Solution: The affidavit referred to above shall be provided to the individual whose information is sought within six months unless a judge agrees, based on affidavit evidence provided by the relevant law enforcement officer, that doing so would be harmful to an ongoing criminal or national security investigation. An individual whose information is wrongfully sought or obtained should have a private right of action against the officer and the officer’s employer if there were not reasonable grounds to seek the information.
There is no accountability to the public at large.

Problem: The Bill, as currently drafted, doesn’t give the public at large any understanding of how the intrusive powers are used and under what circumstances.

Solution: The Minister of Justice or the Minister of Public Safety shall table an annual report before Parliament setting out the number of such requests, including the requesting police agency, the criminal code section or other violation being investigated, whether charges were laid against the individual and whether a conviction resulted. This is in addition to the ability of the federal and provincial privacy commissioners to audit the practices of the agencies within their jurisdiction, except that summary results of their audits shall be tabled in Parliament annually. (Additional funding to each privacy commissioner should be provided to defray the costs of such audits.)

I'd be happy to hear any other proposed solutions ...

Police "PIPEDA requests" for customer information

2012-02-18T10:01:00.000-04:00

As a follow-up to my previous post 'Dealing with police "Letters of Request for Information"', I thought I'd discuss a particular species of request letters, commonly referred to as "PIPEDA Requests".

The names are a bit misleading, since in many cases the recipient is led to believe that the authority to obtain the information is found in PIPEDA (the Personal Information Protection and Electronic Documents Act).

Here is an example letter, taken from R. v. Ward, 2008 ONCJ 355:

I, Constable Jason Tree of the National Child Exploitation Coordination Centre, am a law enforcement officer with the Royal Canadian Mounted Police.
I am conducting an investigation in relation to child sexual exploitation offences under the Criminal Code and I am requesting account information pursuant only to that investigation.
I request this disclosure in accordance with s. 7(3)(c.1) of the Personal Information Protection Electronic Documents Act. My authority to request and obtain this information derives from the Royal Canadian Mounted Police Act and the Royal Canadian Mounted Police Regulations as well as common law.
I am requesting the last known customer name and address of the account holder associated with IP address [number] used [date and time].
Should you agree to this request, please provide the information in the section below and reply via e-mail to Jason.tree@rcmp-grc.gc.ca.

As I understand it, the form of letter was a result of the coordinated effort of law enforcement and a group of internet service providers who have agreed to provide warrantless access to customer account information in connection with child exploitation investigations. They are designed to satisfy the requirements of Section 7(3)(c.1)(ii) of PIPEDA which permits disclosures of personal information to the police where they have the "lawful authority" to obtain the information and the information relates to "enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law".

While I generally have a dim view of disclosing customer information without a warrant, I can certainly understand why internet service providers have worked with law enforcement to address these particularly grim crimes.

Lawful Access then and now: Comparing C-30 to 2005's Modernization of Investigative Techniques Act

2012-02-17T17:00:00.002-04:00

I was asked how the new Bill C-30 compares to the Modernization of Investigative Techniques Act tabled by the liberals in 2005. Here's a redline to draw your own conclusions: https://docs.google.com/open?id=0B_bUaJvZ9k_BNmY2ODc1YmQtMzU3OC00MjhjLTlmMDYtYzA0OTAzMjhjNzAw.

Update: When the liberals introduced the Modernization of Investigative Techniques Act, it contained a provision that would allow the police to obtain warrantless access to customer information:

17. (1) Every telecommunications service provider shall, in accordance with the regulations, provide to a person designated under subsection (3), on his or her written request, any information in the service provider’s possession or control respecting the name and address of any subscriber to any of the service provider’s telecommunications services and respecting any other identifiers associated with the subscriber.

This is essentially the same as what's in the new Bill C-30 - Protecting Children from Internet Predators Act,

16. (1) On written request by a person designated under subsection (3) that includes prescribed identifying information, every telecommunications service provider must provide the person with identifying information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment.

The Conservatives C-30 is actually more circumscribed, since the information is limited to customer name, address, phone number, e-mail address and IP address. The Liberals' C-74 allowed for name, address and "any other identifiers". I would assume that "any other identifiers" would include the laundry list of items that was included in last year's proposed Bill C-52:

mobile identification number,
electronic serial number (ESN),
local service provider identifier,
international mobile equipment identity (IMEI) number,
international mobile subscriber identity (IMSI) number and
subscriber identity module (SIM) card number

Regardless of the federal political party that is advocating for its adoption, warrantless access to customer information is a very bad idea.

The hidden gag order in Bill C-30 (aka the lawful access bill)

2012-02-17T14:54:00.000-04:00

While much attention has been focused on the general problems with Bill C-30 - Protecting Children from Internet Predators Act, we are starting to see some very good commentary on the details.

One detail that hasn't really seen the light (and it may not be an accident) is the hidden gag order. Not only will the police, national security folks and the competition cops be able to get customer names, addresses, IP addresses and e-mail addresses without a warrant, there's a gag order that means you'll likely never find out you've been the subject of such an inquiry even if you ask your ISP.

Section 23 looks like it was designed to be obscure and obtuse:

23. Personal information, as defined in subsection 2(1) of the Personal Information Protection and Electronic Documents Act, that is provided under subsection 16(1) or 17(1) is deemed, for the purposes of subsections 9(2.1) to (2.4) of that Act, to be disclosed under subparagraph 7(3)(c.1)(i) or (ii), and not under paragraph 7(3)(i), of that Act. This section operates despite the other provisions of Part 1 of that Act.

Unless you're familiar with the Personal Information Protection and Electronic Documents Act, you'll probably miss what this means.

In short, by default everyone has the right to ask any company that is subject to the law what information they have about him or her, how they've used it and to whom they've disclosed it. That is, unless that right is overridden by Section 9. Section 23 of C-30 essentially says that any personal information that is handed over without a warrant under the lawful access law has to be treated in the same way under PIPEDA as information disclosed in response to a law enforcement request. Here's where the gag order kicks in. If the person exercises his lawful right to seek his or her personal information and accounting of its use, the ISP is prohibited from telling him or her unless the police, national security agencies or competition cops give their OK. And they can refuse to give their OK on a number of relatively flexible bases.

This is the opposite of transparency, and it looks like it was designed this way.

Update (18 February 2012): It is really worth noting that this gag order is not new. It has existed in PIPEDA for quite some time. What is new is extending it to cover "lawful access" requests.

People should be aware that -- I am told -- in the vast majority of cases, internet service providers will willingly hand over customer information without a warrant when the police tell them that it is connected with a child exploitation investigation (using something cynically called a "PIPEDA Request", which I've blogged about before). If your internet service provider hands over your information voluntarily, that's also subject to the gag order in Section 9 of PIPEDA.

For statute nerds, the particular subsections of PIPEDA referred to in Section 23 of C-30 are:

Information related to paragraphs 7(3)(c), (c.1) or (d)

9(2.1) An organization shall comply with subsection (2.2) if an individual requests that the organization

(a) inform the individual about

(i) any disclosure of information to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d), or

(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i) or (ii); or

(b) give the individual access to the information referred to in subparagraph (a)(ii).

Notification and response

(2.2) An organization to which subsection (2.1) applies

(a) shall, in writing and without delay, notify the institution or part concerned of the request made by the individual; and

(b) shall not respond to the request before the earlier of

(i) the day on which it is notified under subsection (2.3), and

(ii) thirty days after the day on which the institution or part was notified.

Objection

(2.3) Within thirty days after the day on which it is notified under subsection (2.2), the institution or part shall notify the organization whether or not the institution or part objects to the organization complying with the request. The institution or part may object only if the institution or part is of the opinion that compliance with the request could reasonably be expected to be injurious to

(a) national security, the defence of Canada or the conduct of international affairs;

(a.1) the detection, prevention or deterrence of money laundering or the financing of terrorist activities; or

*(a.1) the detection, prevention or deterrence of money laundering; or

*[Note: Paragraph 9(2.3)(a.1), as enacted by paragraph 97(1)(c) of chapter 17 of the Statutes of Canada, 2000, will be repealed at a later date.]

(b) the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law or the gathering of intelligence for the purpose of enforcing any such law.

Prohibition

(2.4) Despite clause 4.9 of Schedule 1, if an organization is notified under subsection (2.3) that the institution or part objects to the organization complying with the request, the organization

(a) shall refuse the request to the extent that it relates to paragraph (2.1)(a) or to information referred to in subparagraph (2.1)(a)(ii);

(b) shall notify the Commissioner, in writing and without delay, of the refusal; and

(c) shall not disclose to the individual

(i) any information that the organization has relating to a disclosure to a government institution or a part of a government institution under paragraph 7(3)(c), subparagraph 7(3)(c.1)(i) or (ii) or paragraph 7(3)(c.2) or (d) or to a request made by a government institution under either of those subparagraphs,

(ii) that the organization notified an institution or part under paragraph (2.2)(a) or the Commissioner under paragraph (b), or

(iii) that the institution or part objects.

Vancouver police can't use ICBC biometric database to ID Stanley Cup rioters, says Privacy Commissioner

2012-02-16T19:57:00.000-04:00

The Information and Privacy Commissioner of British Columbia, Elizabeth Denham, has rules that the Vancouver police cannot use the facial recognition database compiled by the Insurance Corporation of British Columbia without a court order or warrant. See: Police can't use ICBC facial recognition to track rioters - British Columbia - CBC News.

Lawful Access then and now: Comparing C-52 to current C-30

2012-02-14T20:47:00.000-04:00

In case you are, like me, spending the evening checking out what has changed with respect to warrantless access to subscriber data between Bill C-52 (introduced last year) and Bill C-30 introduced in Parliament today, this redline comparison may help.

Lawful access bill introduced in parliament

2012-02-14T19:54:00.000-04:00

It's baaaaack .....

Public Safety Minister Vic Toews has introduced in parliament Bill C-30 - Protecting Children from Internet Predators Act.

Here is the Minister's press release:

Harper government introduces Protecting Children from Internet Predators Act
OTTAWA, February 14, 2012 – The Honourable Vic Toews, Minister of Public Safety, and the Honourable Rob Nicholson, Minister of Justice and Attorney General of Canada, today introduced in the House of Commons the Protecting Children from Internet Predators Act, a Bill that would provide law enforcement and the Canadian Security Intelligence Service (CSIS) with the modern investigative tools they need to help fight crime and national security threats, while strengthening safeguards to protect the privacy of Canadians.
“Our Government is committed to keeping our streets and communities safe. Rapid changes in technology mean crimes and national security threats are more difficult to investigate. As a result, criminals, gangs and terrorists have found ways to exploit technological innovations to hide their illegal activities,” said Minister Toews. “This legislation would give law enforcement and CSIS the investigative tools they need to do their jobs and keep our communities safe.”
Bill C-30 would require telecommunications service providers (TSP) to:
implement and maintain systems capable of lawfully intercepting communications in order to support the police and CSIS when needed; and

provide basic subscriber information in a consistent and timely fashion to designated police, CSIS and Competition Bureau officials upon request (limited to subscriber name, address, telephone number, e-mail address, the Internet protocol address, and the name of the service provider).
The proposed legislation would help to protect the security and privacy of Canadians by imposing strict limits on the number of CSIS and law enforcement officials who are permitted to make basic subscriber information requests, and apply new requirements for recording, reporting, and auditing those requests.
In addition, the Bill would:
streamline the application process when court orders or warrants need to be issued in relation to an investigation that involves interceptions;

update existing offences in the Criminal Code to ensure that they are able to cover new ways of committing old crimes;

create new, carefully tailored investigation tools, such as production and preservation orders in the Criminal Code and the Competition Act;

enable Canada to ratify the Council of Europe’s Convention on Cybercrime and its Additional Protocol on Xenophobia and Racism; and

add the safeguards of reporting and notification for the interception of private communications in exceptional circumstances.
“New technologies provide new ways of committing crimes, making them more difficult to investigate. We must ensure that law enforcement has the investigative tools to bring to justice those who break the law,” said Minister Nicholson. “This legislation will enable authorities to keep pace with rapidly changing technology, without diminishing the legal protections currently afforded to Canadians with respect to privacy.”
The proposed legislation is consistent with that of Australia, New Zealand, the United Kingdom and the United States, and will improve Canada’s ability to work with its international partners to combat crime and terrorism.
At the January 2012 meeting of federal, provincial and territorial (FPT) ministers responsible for justice and public safety in Charlottetown, Prince Edward Island, the ministers unanimously agreed on the need to enhance and modernize the investigative capability of law enforcement and urged the federal government to move forward on enacting previously introduced legislation.
“Lawful access represents an important tool to assist policing in combatting serious criminal activity, such as organized crime, sexual predators or identity theft,” said Dale McFee, President of the Canadian Association of Chiefs of Police.
“Modernization of current legislative provisions reflects significant and obvious advancements in communications technologies, which will allow the police to lawfully and effectively investigate serious offences.”
An online version of the proposed legislation will be available at www.parl.gc.ca.
See Also:
Backgrounder: Protecting Children from Internet Predators Act

Modernizing investigative tools through the Protecting Children from Internet Predators Act

What lawful access is all about and why it matters

2012-02-12T12:46:00.000-04:00

The Canadian federal government is expected to table its latest iteration of "lawful access" legislation in Parliament this week. This is a BIG DEAL.

First, let's set the record straight: Assuming this bill is roughly the same as the last one that fell off the order paper, it will NOT allow warrantless access to the contents of any online communications. They can't read your email or watch you surf the internet, unless they get a warrant. But what it does is requires anyone who offers telecommunications services to the public (which would include Microsoft's MSN, Google Talk, Skype, etc.) to build in a backdoor so the police can wiretap it with a warrant. This involves, in many cases, compromising the security of these systems.

But it is expected to set up a system under which the police can get a huge list of non-content personal information without a warrant. And this is very bad.

Ask yourself this:

Should the police be able to get access to the names and addresses of anyone who shows up at a G20 protest? An Occupy* protest? A Stanley Cup riot? Parliament Hill? The PM's residence? An abortion clinic? A sketchy part of town? If this bill looks anything like the last, they will be able to on a whim without any judicial oversight. (All they need is an "IMSI Catcher" (here's an example of one meant for law enforcement and one made by some guy for $1500), which grabs the unique identifiers of all the cell phones within range and a request to the relevant telcos to hand over the names and addresses associated with the phones. Heck, they can ask for your e-mail address while they're at it.)
Should be police be able to get the name and address of someone who seems to be spending an inordinate amount of time perusing the Criminal Code on the Department of Justice website? They'll be able to do just that.
Should the police be able to get your name and address based on your web browsing activities without having to swear before a judge that there is any compelling reason to get it? If this bill looks anything like the last, they will be able to.
Should the police be able to get your e-mail address, IP address and phone numbers without any probable cause? Yup, they'll be able to get that too.

The Internet is not quite like the real world. When you go to a library or a book store, you don't have to provide ID or leave a record of what you looked at or that you were even there. When you step into a store in the real world, you don't necessarily leave a trace of what you perused and what you bought (if you paid cash). You can send an anonymous letter to the editor of your local newspaper to voice an unpopular opinion without giving your name or any other identifying information. (They probably will not publish it, but that's beside the point.) But the Internet doesn't work like that.

Every device on the network has an IP address. IP addresses can be tied to an individual computer or a range of computers sitting behind a firewall or a router. Every mobile device, such as a cell phone or a smart phone, has a number of unique identifiers that it chirps out to the network that it's attached to. Every interaction that you have online, you can assume is being logged in some fashion in connection with that IP address. Many e-mails you send include in the headers the IP address of the computer it was written on.

It's just the nature of how networks work. That IP can perhaps be traced to you, to your household or to your employer. In most cases, where residential internet accounts are concerned, they are connected to the name and address of the account holder. With phones, that identifier is connected to the individual who owns the phone.

Every mobile phone regularly chirps out its location so that the phone company can route calls to your device. Your phone company always knows where you are (if you have your phone with you and it's on). That chirping is also a transmission of identifying information about your phone, which can be readily intercepted by the police or national security organizations. If your phone can be connected to you personally, it's a beacon about you and under lawful access, it's readily available to them.

In short: Everywhere you go on the internet or with your mobile phone, you leave digital footprints. That's the nature of the modern, networked world. So what protects your privacy when you do anything online? The fact that whoever allocated that IP address or provides your cell phone service has to keep it confidential unless a judge decides that the public interest (or the state interest) overrides your privacy interest. That's why we have a Charter of Rights and Freedoms in Canada and why we have an independent judiciary. There is no absolute anonymity online, but there is effective privacy by obscurity because anyone who can connect your IP address to an individual is bound to keep it confidential unless a judge says otherwise.

However, lawful access takes that important balance away. It would give police forces and national security folks virtually unfettered powers to connect those otherwise anonymous footprints to an actual person (or small group of persons).

Don't get me wrong ... The police should be able to tap phones, track people and search computers, but all with a warrant. The only thing that stands in the way of police over-reaching and the destruction of civil rights is the Charter and independent judges who are called upon every day to decide where to strike the proper balance.

The government has suggested that we shouldn't sweat it, since the information the police would have access to is just like "phone book" information. That's simply not true. Only name and phone number appear in the phone book, which you can opt out of. Lawful access would permit the police to obtain any of the following:

address,
telephone number and
electronic mail address,
Internet protocol address,
mobile identification number,
electronic serial number (ESN),
local service provider identifier,
international mobile equipment identity (IMEI) number,
international mobile subscriber identity (IMSI) number and
subscriber identity module (SIM) card number that are associated with the subscriber’s service and equipment.

The phone number analogy is completely inappropriate. With a phone book, if you know the name you can get the number. If you know the number, you can get the name. Not a big deal. In this case, the police can have one piece of the above information and demand the ten other pieces of data. And they'd never be asking for it in isolation, but rather they think they've seen something sketchy and want to connect it to a person.

When lawful access was last before Parliament, it was completely devoid of any measures that could be used to protect against abuses other than a closed recordkeeping requirement and the ability of the privacy commissioner to audit. It did not require any report statistics of its usage to Parliament, as is the case for most wiretaps. No requirement to notify the subject of the investigation after the fact. No requirement that there be probable cause. No requirement that the requesting officer justify the demand. No requirement that there even be an actual investigation under the Criminal Code. No oversight whatsoever.

Supporters say "think of the children!" Or we in a war against terrorism! The law could have been tailored to only apply to actual lawful investigations of child exploitation or terrorism offenses, but the government did not do that. Instead, they designed a system that could be used to target people who -- shudder -- violate parking by-laws or engage in lawful expression. It seems purpose-built for fishing expeditions.

Some supporters suggest that getting a warrant is too cumbersome and time-consuming. This suggestion is often misleading: if it's an emergency (exigent circumstances), the cops can get this information right away. And every province has a system where warrants can be issued 24/7 over the phone from a duty judge. If it's too inefficient for most routine investigations, get more judges or streamline the process.

This is important and Canadians should educate themselves about it. Here are some great resources:

Past blog posts about lawful access
CIPPIC FAQ on lawful access
OpenMedia's Stop Online Spying campaign
Michael Geist's blog posts on lawful access and his great comprehensive guide to lawful access.
Christopher Parsons on lawful access and his report “Lawful Access and Data Preservation/Retention: Present Practices, Ongoing Harm, and Future Canadian Policies” (PDF)
BC Civil Liberties Association: Moving Towards a Surveillance Society: Proposals to Expand “Lawful Access” in Canada (PDF)
Archive of the Ontario Information and Privacy Commissioner's Symposium on "Beware of Surveillance By Design"
Legislative Summary of Bill C-51 by the Library of Parliament

Lawful access bill on the order paper for next week

2012-02-11T22:15:00.000-04:00

An anticipated bill, entitled “An Act to enact the Investigating and Preventing Criminal Electronic Communications Act and to amend the Criminal Code and others Acts” appears on the parliamentary order paper published on Friday, for introduction this coming week. More to follow ... (See: Order Paper and Notice Paper No. 79.)

The Montreal Gazette reported on its anticipated reappearance:

New law could allow police to view people's web-surfing habits
MONTREAL - Police will get much easier access to the web surfing habits and personal information of all Canadians if a new law, expected to be introduced in the House of Commons next week, passes.
Privacy watchdogs caution if the so-called Lawful Access law is passed, it would give police access to web browsing history, sensitive personal information, and it would grant greater permission to track the cellular phones of suspects, and much of it without the requirement of a warrant.
The bill, which is on the order paper for the week starting Monday, would require Internet service providers and cellular phone companies to install equipment that would monitor the activities of their users so that the information could be turned over to police when requested. It would also grant greater permission to law enforcement authorities to activate tracking mechanisms within cellular phones so they can follow the whereabouts of suspected criminals. If there is a suspicion of terrorist activity, the law would allow such tracking to go on for a year, rather than the current 60-day limit.
This isn’t the first time this law has been introduced. The most previous incarnation of the Lawful Access law died on the order paper when the most recent federal election was called last year.
Public Safety Minister Vic Toews said the law will give the tools to police to adequately deal with 21st century technology, and said anyone opposing the law favours “the rights of child pornographers and organized crime ahead of the rights of law-abiding citizens.”
However, Canada’s privacy commissioner raised a red flag about the law late last year, and wrote a letter to Toews saying she was concerned about the permissions it will grant police.
“In the case of access to subscriber data, there is not even a requirement for the commission of a crime to justify access to personal information – real names, home addresses, unlisted numbers, email addresses, IP addresses and much more – without a warrant,” Jennifer Stoddart wrote. “Only prior court authorization provides the rigorous privacy protection Canadians expect.”
Michael Geist, a law professor at the University of Ottawa, and an outspoken critic of the law, said he’s worried about all the information police will be able to obtain without a warrant.
“The ability to use that kind of information in a highly sensitive way without any real oversight is very real,” Geist said.
As an example of the new powers, Geist said authorities would be able to use equipment to find the cellular phone numbers of people attending a protest, and then be able to ask a cellular phone company to disclose personal information of the people attached to those cellular phone numbers. Police could then track their web behaviours and monitor their movements by tracking their cellular phones.
Geist said Canadians should also be concerned that the information obtained by police here could be shared with their counterparts around the world.
Geist added this could also be a tremendous waste of money, because ISPs would be required to spend a lot to put in place the advanced monitoring infrastructure proposed.
“One thing (the government) has never provided is the evidence to show how the current set of laws has stymied investigations or created a significant barrier to ensure that we’re safe in Canada,” Geist said.
He argued recent investigations into child pornography and the Sûreté du Québec’s recent tapping in of Blackberry Messenger communication to make an arrest of suspected mobsters in a murder case in Montreal show the current laws already work well.

IMSI catchers and why they matter

2012-02-10T07:02:00.001-04:00

Christopher Parsons has a very informative blog post about IMSI catchers, which includes a link to an amici curiae submission to a US court which provides a additional insights. "IMSI catchers" are a piece of surveillance technology that allows the user to impersonate a cell phone site and intercept communications between a phone and the cellular network.

This matters right now because the lawful access bill expected to be tabled in Parliament shortly is anticipated to contain a provision that allows warrantless access to customer information, including the following:

name,
address,
telephone number and
electronic mail address,
Internet protocol address,
mobile identification number,
electronic serial number (ESN),
local service provider identifier,
international mobile equipment identity (IMEI) number,
international mobile subscriber identity (IMSI) number and
subscriber identity module (SIM) card number that are associated with the subscriber’s service and equipment.

Once an IMSI catcher is set up and catches all the mobile phone IMSIs in the vicinity (of a protest or international event), the police can obtain -- without a warrant -- any of the above information connected to that phone.

Read Christopher's blog post: Amici Curiae on IMSI Catchers | Technology, Thoughts, and Trinkets.

Nova Scotia Commissioner reappointed

2012-02-09T13:14:00.000-04:00

The Nova Scotia government has extended the Freedom of Information and Protection of Privacy Review Officer Dulcie McCallum's term to February 5, 2014.

This extension encompasses the full seven year appointment contemplated by the Freedom of Information and Protection of Privacy Act for her first term as Nova Scotia's Review Officer.

The Order in Council can be found here: http://www.foipop.ns.ca/content/Publications/OIC%202012-19.pdf

US Supreme Court Justice reconsiders "third party doctrine"

2012-01-23T17:47:00.002-04:00

I linked earlier today to the important case of US v Jones (US Supreme Court says cops need a warrant to GPS track a vehicle). It's an important case, but I think it is worth noting Justice Sotomayor calls the "third party doctrine" into question. It is an aside and not the opinion of the Court, but hopefully is the first of many reconsiderations of this deplorable and outdated legal theory that states you lose any expectation of privacy if your personal information is in the hands of any third party.

Here is her discussion of this point:

More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. E.g., Smith, 442 U. S., at 742; United States v. Miller, 425 U. S. 435, 443 (1976). This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks. People disclose the phone numbers that they dial or text to their cellu- lar providers; the URLs that they visit and the e-mail addresses with which they correspond to their Internet service providers; and the books, groceries, and medi- cations they purchase to online retailers. Perhaps, as JUSTICE ALITO notes, some people may find the “tradeoff” of privacy for convenience “worthwhile,” or come to accept this “diminution of privacy” as “inevitable,” post, at 10, and perhaps not. I for one doubt that people would accept without complaint the warrantless disclosure to the Government of a list of every Web site they had visited in the last week, or month, or year. But whatever the societal expectations, they can attain constitutionally protected status only if our Fourth Amendment jurisprudence ceases to treat secrecy as a prerequisite for privacy. I would not assume that all information voluntarily disclosed to some member of the public for a limited purpose is, for that reason alone, disentitled to Fourth Amendment protection. See Smith, 442 U. S., at 749 (Marshall, J., dissenting) (“Privacy is not a discrete commodity, possessed absolutely or not at all. Those who disclose certain facts to a bank or phone company for a limited business purpose need not assume that this information will be released to other persons for other purposes”); see also Katz, 389 U. S., at 351–352 (“[W]hat [a person] seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected”). Resolution of these difficult questions in this case is unnecessary, however, because the Government’s physical intrusion on Jones’ Jeep supplies a narrower basis for decision. I therefore join the majority’s opinion.

For some discussion of this, check out A Supreme Court Justice's Radical Proposal Regarding The Privacy of Your Google Searches, Facebook Account & Phone Records - Forbes.

US Supreme Court says cops need a warrant to GPS track a vehicle

2012-01-23T13:13:00.000-04:00

The US Supreme Court has just released its unanimous decision in US v Jones [PDF], in which the Court held that law enforcement need either a warrant or the owner's permission to attach a GPS tracking device on a vehicle. This is an important decision and the fact that it was unanimous is encouraging.

Ontario recognizes tort of invasion of privacy

2012-01-18T13:10:00.000-04:00

A unanimous panel of the Ontario Court of Appeal has just released its decision in Jones v Tsige, 2012 ONCA 32. The court has recognized that there is a tort of invasion of privacy in Ontario. The decision can be found here: Jones v. Tsige, 2012 ONCA 32, but here is the gist of the tort:

2. Defining the tort of intrusion upon seclusion

a) Introduction

[65] In my view, it is appropriate for this court to confirm the existence of a right of action for intrusion upon seclusion. Recognition of such a cause of action would amount to an incremental step that is consistent with the role of this court to develop the common law in a manner consistent with the changing needs of society.

b) Rationale

[66] The case law, while certainly far from conclusive, supports the existence of such a cause of action. Privacy has long been recognized as an important underlying and animating value of various traditional causes of action to protect personal and territorial privacy. Charter jurisprudence recognizes privacy as a fundamental value in our law and specifically identifies, as worthy of protection, a right to informational privacy that is distinct from personal and territorial privacy. The right to informational privacy closely tracks the same interest that would be protected by a cause of action for intrusion upon seclusion. Many legal scholars and writers who have considered the issue support recognition of a right of action for breach of privacy: see e.g. P. Winfield, “Privacy” (1931), 47 L.Q.R. 23; D. Gibson, “Common Law Protection of Privacy: What to do Until the Legislators Arrive” in Lewis Klar (ed.), Studies in Canadian Tort Law (Toronto: Butterworths, 1977) 343; Robyn M. Ryan Bell, “Tort of Invasion of Privacy – Has its Time Finally Come?” in Todd Archibald & Michael Cochrane, Annual Review of Civil Litigation (Toronto: Thomson Carswell, 2005) 225; Peter Burns, “The Law and Privacy: the Canadian Experience” (1976), 54 Can. Bar Rev. 1; John D.R. Craig, “Invasion of Privacy and Charter Values: The Common Law Tort Awakens” (1997), 52 McGill L.J. 355.

[67] For over one hundred years, technological change has motivated the legal protection of the individual’s right to privacy. In modern times, the pace of technological change has accelerated exponentially. Legal scholars such as Peter Burns have written of “the pressing need to preserve ‘privacy’ which is being threatened by science and technology to the point of surrender”: “The Law and Privacy: the Canadian Experience” at p. 1. See also Alan Westin, Privacy and Freedom (New York: Atheneum, 1967). The internet and digital technology have brought an enormous change in the way we communicate and in our capacity to capture, store and retrieve information. As the facts of this case indicate, routinely kept electronic data bases render our most personal financial information vulnerable. Sensitive information as to our health is similarly available, as are records of the books we have borrowed or bought, the movies we have rented or downloaded, where we have shopped, where we have travelled, and the nature of our communications by cell phone, e-mail or text message.

[68] It is within the capacity of the common law to evolve to respond to the problem posed by the routine collection and aggregation of highly personal information that is readily accessible in electronic form. Technological change poses a novel threat to a right of privacy that has been protected for hundreds of years by the common law under various guises and that, since 1982 and the Charter, has been recognized as a right that is integral to our social and political order.

[69] Finally, and most importantly, we are presented in this case with facts that cry out for a remedy. While Tsige is apologetic and contrite, her actions were deliberate, prolonged and shocking. Any person in Jones’ position would be profoundly disturbed by the significant intrusion into her highly personal information. The discipline administered by Tsige’s employer was governed by the principles of employment law and the interests of the employer and did not respond directly to the wrong that had been done to Jones. In my view, the law of this province would be sadly deficient if we were required to send Jones away without a legal remedy.

c) Elements

[70] I would essentially adopt as the elements of the action for intrusion upon seclusion the Restatement (Second) of Torts (2010) formulation which, for the sake of convenience, I repeat here:

One who intentionally intrudes, physically or otherwise, upon the seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the invasion would be highly offensive to a reasonable person.

[71] The key features of this cause of action are, first, that the defendant’s conduct must be intentional, within which I would include reckless; second that the defendant must have invaded, without lawful justification, the plaintiff’s private affairs or concerns; and third, that a reasonable person would regard the invasion as highly offensive causing distress, humiliation or anguish. However, proof of harm to a recognized economic interest is not an element of the cause of action. I return below to the question of damages, but state here that I believe it important to emphasize that given the intangible nature of the interest protected, damages for intrusion upon seclusion will ordinarily be measured by a modest conventional sum.

d) Limitations

[72] These elements make it clear that recognizing this cause of action will not open the floodgates. A claim for intrusion upon seclusion will arise only for deliberate and significant invasions of personal privacy. Claims from individuals who are sensitive or unusually concerned about their privacy are excluded: it is only intrusions into matters such as one’s financial or health records, sexual practices and orientation, employment, diary or private correspondence that, viewed objectively on the reasonable person standard, can be described as highly offensive.

[73] Finally, claims for the protection of privacy may give rise to competing claims. Foremost are claims for the protection of freedom of expression and freedom of the press. As we are not confronted with such a competing claim here, I need not consider the issue in detail. Suffice it to say, no right to privacy can be absolute and many claims for the protection of privacy will have to be reconciled with, and even yield to, such competing claims. A useful analogy may be found in the Supreme Court of Canada’s elaboration of the common law of defamation in Grant v. Torstar where the court held, at para. 65, that “[w]hen proper weight is given to the constitutional value of free expression on matters of public interest, the balance tips in favour of broadening the defences available to those who communicate facts it is in the public’s interest to know.”

Police coming up empty with justification for "lawful access"

2012-01-18T12:54:00.001-04:00

Perhaps not surprising to those who have covered this issue for the past number of years, the special interest groups representing law enforcement are scrambling to come up with examples of why "lawful access" is necessary and their inquiries are drawing blanks. Check it out: Police: No ‘good examples’ of why we need Lawful Access - Jesse Brown - Macleans.ca and Police ‘scrambling’ to justify lawful access laws | FP Tech Desk | Financial Post.