The House of Commons engaged in active debate on privacy this week, spurred by an NDP motion from MP Charmaine Borg. The motion reads:
That, in the opinion of the House, the government should follow the advice of the Privacy Commissioner and make public the number of warrantless disclosures made by telecommunications companies at the request of federal departments and agencies; and immediately close the loophole that has allowed the indiscriminate disclosure of the personal information of law-abiding Canadians without a warrant.
The government voted down the motion on Tuesday, but the Monday debate provided new insights into the government’s thinking on privacy. Unfortunately, most of its responses to concerns about warrantless disclosures were either wrong or misleading. In particular, Steven Blaney, the Minister of Public Safety, raised at least four issues in his opening response that do not withstand closer scrutiny.
First, he says:
Only the most basic information, such as the name and phone number, may be released. In all cases, this is done voluntarily, meaning that a company could decide not to co-operate at any time if it did not feel a certain request met the expectations of its customers.
In fact, the voluntary disclosure provision in PIPEDA is not limited to basic information. PIPEDA features several exceptions to disclosure without consent (including disclosures made pursuant to a court order), including:
an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
(iii) the disclosure is requested for the purpose of administering any law of Canada or a province;
While some providers may limit their warrantless disclosures to basic subscriber information, this statute does not contain that limitation. When asked about their practices, providers such as Shaw merely state that they “rely on the standards and definitions set out in the Personal Information Protection and Electronic Documents Act”. Similarly, MTS Allstream states that “does not release customer information unless permitted or required by law, such as a valid law enforcement demand.”
Second, even Blaney’s claim of “basic subscriber information” is incomplete. The so-called basic subscriber information also includes IP addresses, data that is not found in any typical directory. Last year, the Privacy Commissioner of Canada released a study that found that an IP address that can be highly revealing. The study concluded:
Referring to such data as being on par with what one would find in the white pages of a phone book grossly misconstrues and underestimates what can ultimately be gleaned from such information. As such, it is truly more than just “phone book” information.
Third, Blaney emphasizes the voluntary nature of the disclosures:
Let me be clear. What we are talking about today is voluntary disclosure by private businesses to law enforcement.
What Blaney does not say is that the government is seeking to expand the frequency of voluntary disclosure. Bill C-13, the lawful access bill, will expand warrantless disclosure of subscriber information to law enforcement by including an immunity provision from any criminal or civil liability (including class action lawsuits) for companies that preserve personal information or disclose it without a warrant.
Fourth, the government is also seeking to expand the scope of voluntary disclosure. Bill S-4, the Digital Privacy Act, proposes extending the ability to disclose subscriber information without a warrant from law enforcement to private sector organizations. The bill includes a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This despite the fact that Roxanne James, the Parliamentary Secretary to the Minister of Public Safety, later states in the debate:
We expect that telecommunication service providers only release basic subscriber information when it is for reasons of public good, such as to help police investigating a crime or, for example, identifying the next of kin.
Given the provisions in Bill S-4, the government’s expectations are that warrantless disclosures will increase in the future. In fact, there are other responses from government MPs that are similarly problematic, including attempts to equate government requests for subscriber information with collection of information by Internet companies and an absurd claim that if the Privacy Commissioner had found any of 1.2 million requests out of line, she would have said so.
The NDP motion should not have been particularly controversial. If the information being disclosed is as innocuous as the the government maintains, disclosing aggregate data should not pose any concerns. Indeed, there are many steps that should be taken (including government and telecom transparency reports, notifications to subscribers of disclosures, reforms to Bills C-13 and S-4, and regular audits by the Privacy Commissioner of Canada) that would better address the balance of privacy with maintaining public safety. Unfortunately, the government’s current position is to respond with assurances that fail to address public concern over their privacy.