Consider the biggest privacy concern with Bill C-30: the mandatory disclosure of subscriber information without court oversight. With ISPs and telecom companies complying with law enforcement requests roughly 95 percent of the time, at issue are a relatively small number of cases that to date have required warrants prior to any disclosure. I still think law enforcement has failed to produce a compelling series of examples where the current law has proven problematic. Further, it is not clear whether law enforcement was able to obtain the sought-after information through a warrant in the remaining five percent of cases, though anecdotal evidence suggests they typically were. Regardless, law enforcement wants greater assurances that the information will be available expeditiously in appropriate circumstances.
Bill C-30 actually addresses two significant concerns associated with this issue. First, the prior lawful access bill included a very broad list of data points that could be disclosed, raising serious security concerns and the potential for misuse (eg. the IMEI disclosure that could allow cellphone users to be tracked without a warrant). The number of data points has shrunk from 11 to six, with some of the cellphone data removed. While some of the data points still constitute potentially sensitive personal information (particularly IP and email addresses), a smaller list is better than a larger one. The decision to remove the cellphone identifiers confirms the legitimacy of privacy and civil society criticisms and reminds us that every bill benefits from scrutiny and potential reforms.
Second, with ISPs and telcos providing subscriber data without a warrant 95 percent of the time, there is a huge information disclosure issue with no reporting and no oversight. This is a major issue on its own, particularly since it is not clear whether these figures also include requests to Internet companies like Google and social media sites such as Facebook and Twitter. The RCMP alone made over 28,000 requests for customer name and address information in 2010. These requests go unreported – subscribers don’t know their information has been disclosed and the ISPs and telecom companies aren’t talking either. Bill C-30 would add new reporting requirements to these disclosures, which should allow for insights into what ISPs and police are doing with subscriber information.
In order to make these two reforms effective, however, two loopholes should be closed. First, the legislation should expressly prevent law enforcement from bypassing the reporting regime by continuing to voluntarily collect some of this information. Second, while the latest changes to Bill C-30 prevent police from forcing telecom companies to hand over mobile device identifiers, they will still be able to collect such identifiers using IMSI catchers. Whether telecom companies will be forced to identify customers associated with mobile device numbers acquired in this manner will depend on the regulations. This is a potential loophole that must be closed, or it will facilitate potential real-world tracking of Canadians that could lead to abuse.
The remaining issue is the inclusion of warrantless disclosure of the six data points. This strikes at a bedrock principle of privacy law and will be rightly opposed by the privacy and civil society community. Yet in talking with law enforcement, it is clear what they want is timely, guaranteed access in appropriate circumstances. They argue the current warrant system does not meet this standard nor do the current privacy rules. But what if a new warrant specific to subscriber information could be developed? Such a warrant could feature a low threshold along with rapid authorization and lower costs. For law enforcement, it would provide the access they want, while for privacy advocates it would maintain the oversight principle.
Mandatory disclosure isn’t the only issue with the bill – the oversight of surveillance capabilities remains underdeveloped, the costs associated with surveillance equipment is a giant question mark, and the fears of surveillance misuse based on the experience in other jurisdictions continues to cause concern. There are also issues related to the easy access some of the new production orders provide to potentially sensitive data such as GPS data or transmission data generated during our communications. None of these issues will be easy to solve, but the starting point must surely be a moratorium on the inflammatory us vs. them rhetoric from the government which fosters alienation rather than cooperation.