News

The ISP Privacy Pledge

The ISP Privacy Pledge, an initiative from CIPPIC and Online Rights Canada, has generated some interesting debate this week.  Mark Goldberg criticizes the pledge, arguing that it encourages ISPs to look the other way as part of police investigations, fails to address corporate abuses of personal information, and supports a "digital exemption" to laws and justice.  I think that Alec Saunders does a great job of rebutting Goldberg's position by focusing on the potential for law enforcement abuse, but I wanted to add two additional comments.

First, the ISP Privacy Pledge does not in any way suggest that there is a digital exception nor do I believe that it encourages ISPs to look the other way.  The law currently grants ISPs considerable flexibility in determining how to respond to law enforcement requests.  For example, under PIPEDA, an ISP (or any organization for that matter) can rely on an exception in the Act to provide law enforcement with subscriber information simply upon request (with no court order or oversight).  Alternatively, it is entitled to demand that law enforcement first obtain a court order.  Given the ease with which personal information can be demanded and potentially misused, the Privacy Pledge simply asks ISPs to follow the law by demanding a court order.  To argue that this hinders law enforcement or asks ISPs to look the other way is simply wrong.  Rather, it is an approach that is included within PIPEDA that provides the right balance between law enforcement needs and subscriber privacy interests.

Second, the ISP Privacy Pledge is not about trying to publicly humiliate Canadian ISPs nor about making life more difficult for law enforcement.  It is about the need for Canadians to know how their ISPs will protect their privacy.  Simply put, most ISPs do not disclose how they respond to law enforcement requests (other than generic statements that they will comply with all laws and regulations).  Given the sensitivity of the personal information at stake, the privacy pledge effectively says that ISPs should be disclosing their policies and that subscribers can then decide for themselves if their ISPs have struck a balance that they find appropriate.  I believe that Canada's ISPs should take the pledge or, if they are uncomfortable with its terms, publicly disclose precisely how they address these disclosure issues.

5 Comments

  1. Mark Goldberg says:

    http://www.mhgoldberg.com/blog
    Michael – You say that the pledge does not encourage ISPs to look the other way. The pledge itself doesn’t, but the cover letter says “You will also be sending a signal to the government that you are in the business of internet service, not law enforcement.” Your pointing to Alec Saunders concurs with this. He says “In a civil society, we are not tasked with policing our neighbours.”

    I respectfully disagree. I think we can see a number of tragedies that might have been averted had people been more proactive in letting authorities investigate suspicious behaviour. If you are concerned about police misbehaviour, in a democratic society we have oversight. If you believe that oversight is lacking – jump and scream about that – don’t stop reporting trouble.

    Life used to be a lot simpler when we could leave our front door unlocked.

    I fully agree that there is a need to inform Canadians how their ISPs will protect their privacy. But there is nothing in the pledge nor the cover letter calling on ISPs to develop a policy on how they will respond to requests and clearly inform subscribers – not bury it in their terms of service. If this is important, use the electronic equivalent of billing inserts.

    The problem I have with the ISP pledge is that it doesn’t say anything about disclosure. There are 3 points in the pledge – all are specific actions and conform to one political agenda. Write a new pledge that calls for disclosure, not civil disobedience, and I’ll help carry it forward.

  2. Troll
    ah here we go again… Mr. Canadian Net Censor himself who won’t be satisfied till we can only access pokemon.com

  3. Pippa Lawson says:

    Executive Director, CIPPIC
    Mark – I take your point about concentrating more on disclosure, and perhaps we should. But I’m concerned that you are interpreting our pledge as calling for “civil disobedience” (it is not proposing any illegal acts, as Michael points out), and as not allowing for ISP reporting of apparently illegal behaviour online. In fact, the pledge does explicitly allow ISPs to report trouble – it states: “If we see evidence of illegal activity, we may notify law enforcement authorities for further action.”

    Like you, we believe that ISPs should not be restricted from voluntarily reporting suspicious behaviour to the police. That is a civic duty that we all carry. Where we perhaps differ is on the level of energy and resources that ISPs put into detecting and reporting. Once ISPs are acting like private police, we think the line has been crossed, and the societal dangers outweigh the societal benefits.

  4. Mark Goldberg says:

    Long way from impeding an investigation
    The document calls for says ISP to pledge to not respond to law enforcement requests unless the request is supported by warrant or court order or made explicitly under 2 specific sections of the criminal code. Perhaps better language would be for ISPs to pledge to only respond to lawful requests for information. Are ISPs looking for a release from liability for improper release of information? Is that the long term solution?

    Rather than state that ISPs pledge to not collect personally identifying information for law enforcement, which is perhaps the portion that Pippa views as ‘acting like private police’, perhaps better language would be for ISPs to pledge to clearly disclose to subscribers the nature of information that is collected about them.

    For example, ISPs possess information that associates an IP address with a customer billing and service address. It is used for network maintenance and customer care purposes. It is analogous to a phone number association with a customer. This information isn’t collected for law enforcement, but it would certainly help an investigation.

    If ISPs don’t want to assist law enforcement, that is certainly their right. I’m suggesting that they don’t get in the way.

  5. consumer-choice
    When is this list of the ISP’s who took the pledge and those that didn’t going to be released.

    I looking for a new Internet provider now and WILL definately base my consumer choice on WHO took the pledge.

    This will also base MY consumer choice of alternate DSL providers and who’s network they use. Example, IF Bell doesn’t take the pledge, I definately won’t go with a reseller like teksavvy who use Bell networks services.