A recent arrest has police looking for more subscriber information from Canada's ISPs.
Police Want More Subscriber Info from ISPs
6 Comments
Recent Posts
The Law Bytes Podcast, Episode 199: Boris Bytensky on the Criminal Code Reforms in the Online Harms Act 
AI Spending is Not an AI Strategy: Why the Government’s Artificial Intelligence Plan Avoids the Hard Governance Questions 
The Law Bytes Podcast, Episode 198: Richard Moon on the Return of the Section 13 Hate Speech Provision in the Online Harms Act 
Tweets Are Not Enough: Why Combatting Relentless Antisemitism in Canada Requires Real Leadership and Action 
The Law Bytes Podcast, Episode 197: Divest, Ban or Regulate? – Anupam Chander on the Global Fight Over TikTok
As someone who has dealt with the police on the ISP side of things for items like this, it’s astonishing how variable and non-specific the requests are when they come in. Inevitably it means that clarifications are required on the request which takes time. Minor changes in wording can add 10x-20x more data (and time to retrieve the data) that’s basically useless to investigators. We know what they want, we just want it on paper so no laws are broken.
Most of this is due to the fact that some investigators don’t want to show their inability to deal with the technical nitty-gritty of the internet/networks. If someone doesn’t want to get a court order, then generally it means that they don’t want to do the paperwork. But the paperwork keeps the data clean in the eyes of the court and everyone is happier when a criminal can’t get off on a technicality.
The idea of the “letter of authority” is a good initial step as it gives the consistency of request, but in reality it shouldn’t be accepted without a warrant, as the courts/government have not made it blatently clear as to what is public and/or private information. And these days it means if you help out an investigation, you’ll get sued. A warrant is the only real protection these days for the liability involved.
As to the technical spoofing/anonymizing issues that were mentioned in the article, it’s mostly there to raise the fear of the readers. If there’s two way communications, there is _always_ 2 end points involved that can be tracked out.
So what information can the police elicit without a warrant, from a third party, about me?
Can they go to my bank and get my banking transactions without a warrant?
Can they go to my car dealer and get my car’s service history without a warrant?
Can they go to my phone company and get my phone records without a warrant?
“He said a customer’s name and address – which can usually be found in the phone book or in an online database – wouldn’t normally be considered personal or private information, and often that’s all police need.”
I don’t consider my name and address private information; I do consider the link between an IP address and my name and address private information and I expect my ISP to keep it private. I also expect that my ISP would co-operate fully with the police once the police have produced a search warrant.
The reality is that most of us no longer trust the authorities. As a result we increasingly place their every action under scrutiny. Mistakes are less tolerated and the politicos (attorney general’s and police commissioners) feel the pressure. They in turn reward those who put ‘criminals’ behind bars and punish those who don’t or make mistakes. So now the constables and prosecuters are pressured to keep digging for dirt (rather than admit they made a mistake) until someone goes to jail. To facilitate this behaviour they need bigger and broader search warrants, because everyone is quilty of something, you just have to find it. Since the public knows that they are just like us, we know the are quilty too (they just hide behind the law). No wonder we don’t trust them.
PIPEDA already provides legal articulation for a quick access to subscriber information. Unfortunatly, its not applied evenly across the board. When ISPs specificaly ask for a search warrant, it means a full day of work for the best case scenario, sometime it can take 2 or 3 days to draft a warrant, get it read by a judge, signed, endorsed, sent, get results. A PIPEDA request takes an hour at most to send.
Its not that police don’t like paperwork, they live in paperwork. But when a legal process is in place and that the process could potentially save precious time, why not use it.
As for spoofing/anonymizing, its not just for the fear of the readers. Agreed, there is always 2 verifiable end-points. But when the connections goes through 5 anonymizers in thailand, korea, south africa, congo and wonderland, it effectivly makes it impossible to trace.
A PIPEDA request, as mentioned above, is a flawed concept where certain ISPs have agreed to follow a RCMP interpretation of PIPEDA clause 7(3)(c) inorder to disclose private information.
PIPEDA clause 7(3)(c) states:
(c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records;
(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;
The key point is within (c.1) which states \”made to a government institution or part of a government institution that has made a request for the information, identified its LAWFUL AUTHORITY to obtain the information\”.
Outside of specific National Security laws, LAWFUL AUTHORITY means a court supported order. It is crystal clear.
Does anyone know if I have a right to any disclosure of information from an ISP if I need to track down a malicious user (in this case, a forum troll)?