Earlier today, I appeared before the Standing Committee on Justice and Human Rights to discuss my concerns with Bill C-13, the lawful access/cyberbullying bill. My opening statement focused exclusively on privacy, pointing to problems with immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.
Appearance before the House of Commons Standing Committee on Justice and Human Rights, May 29, 2014
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I have appeared many times before committees on various digital policy issues, including privacy. I appear today in a personal capacity representing only my own views.
As you may know, I have been critical of the lawful access bills that have been introduced by both Liberal and Conservative governments. I wish to emphasize, however, that criticism of lawful access legislation does not mean opposition to ensuring our law enforcement agencies have the tools they need to address crime in the online environment.
As Ms. MacDonald can attest, when her organization launched Project Cleanfeed Canada in 2006, I publicly supported the initiative that targets online child pornography by working to establish a system that protects children, safeguards free speech, and contains effective oversight. In the context of Bill C-13, there is similar work to be done to ensure that we do not unduly and unnecessarily sacrifice our privacy in the name of fighting online harms. As Carol Todd told this committee, “we should not have to choose between our privacy and our safety.”
Given the limited time, let me start by saying that I support prior witness calls to split this bill so that cyber-bullying can be effectively addressed and we can more effectively examine lawful access. Moreover, I support calls for a comprehensive review of privacy and surveillance in Canada. I’m happy to discuss these issues further during questions, but I want to focus my time on the privacy concerns associated with this bill. In doing so, I will leave the cyber-bullying provisions to others to discuss.
With respect to privacy, I’m going to confine my remarks to three issues: immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.
Immunity for Voluntary Disclosure
First, the creation of an immunity provision for voluntary disclosure of personal information. I believe that this immunity provision must be viewed within the context of five facts:
1. The law already allows intermediaries to disclose personal information voluntarily as part of an investigation. This is the case both for PIPEDA and the Criminal Code.
2. Intermediaries disclose personal information on a voluntary basis without a warrant with shocking frequency. The recent revelation of 1.2 million requests to telecom companies for customer information in 2011 affecting 750,000 user accounts provides a hint of the privacy impact of voluntary disclosures.
3. Disclosures involve more than just basic subscriber information. Indeed, this committee has heard directly from law enforcement, where the RCMP noted that “currently specific types of data such as transmission or tracking data may be obtained through voluntary disclosure by a third party.” In fact, since PIPEDA is open-ended, content can also be disclosed voluntarily so long as it does not involve an interception.
4. Intermediaries do not notify users about their disclosures, keeping hundreds of thousands of Canadians in the dark. Contrary to discussion at this committee earlier this week, there is no notification requirement within the bill to address this issue.
5. This voluntary disclosure provision should be viewed in concert with the lack of meaningful changes in Bill S-4, that would collectively expand warrantless voluntary disclosure to any organization.
Given this background, I would argue that the provision is a mistake and should be removed. The provision unquestionably increases the likelihood of voluntary disclosures at the very time that Canadians are increasingly concerned with such activity. Moreover, it does so with no reporting requirements, oversight, or transparency.
For those that argue that it merely codifies existing law, there are at least two notable changes, both of concern. First, it expands the scope of “public officer” to include the likes of CSEC, CSIS, and other public officials. In the post-Snowden environment, with global concerns about the lack of accountability for surveillance activities, this would run the risk of increasing those activities. Second, the Criminal Code currently includes a requirement of good faith and reasonableness on the organization voluntarily disclosing the information. This new provision does not include those requirements, seemingly granting immunity even where the disclosures are unreasonable.
In short, this provision is not needed to combat cyber-bullying nor is it a provision in need of updating to combat cybercrime. In fact, it is inconsistent with the government’s claims of court oversight. It should be removed from the bill.
Low Threshold for Transmission Data Warrants
Second, Bill C-13 contains a troubling, lower “reason to suspect” threshold for transmission data warrants. As many have noted, the kind of information sought by transmission data warrants is more commonly referred to as metadata. While some have tried to argue that metadata is non-sensitive information, that is simply not the case.
There has been some confusion at these hearings regarding how much metadata is included as ‘transmission data’. This is far more than who phoned who for how long. It includes highly sensitive information relating to computer-to-computer links, as even law enforcement has explained before this committee.
This form of metadata may not contain the content of the message, but its privacy import is very significant. Late last year, the Supreme Court of Canada ruled in R. v. Vu on the privacy importance of computer generated metadata, noting:
In the context of a criminal investigation, however, it can also enable investigators to access intimate details about a user’s interests, habits, and identity, drawing on a record that the user created unwittingly
Security officials have also commented on the importance of metadata. General Michael Hayden, former director of the NSA and the CIA, has stated “we kill people based on metadata.” Stewart Baker, former NSA General Counsel, has said “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
There are numerous studies that confirm Hayden and Baker’s comments. For example, some studies point to calls to religious organizations that allow for inferences of a person’s religion. Calls to medical organizations can often allow for inferences on medical conditions. In fact, a recent U.S. court brief signed by some of the world’s leading computer experts notes:
Telephony metadata reveals private and sensitive information about people.
It can reveal political affiliation, religious practices, and people’s most intimate associations. It reveals who calls a suicide prevention hotline and who calls their elected official; who calls the local Tea Party office and who calls Planned Parenthood. The aggregation of telephony metadata—about a single person over time, about groups of people, or with other datasets—only intensifies the sensitivity of the information
Further, the Privacy Commissioner of Canada has released a study on the privacy implications of IP addresses, noting how they can be used to develop a highly personal look at an individual.
Indeed, even the Justice ministers’ report that seems to serve as the policy basis for Bill C-13 recommends the creation of new investigative tools in which “the level of safeguards increases with the level of privacy interest involved.”
Given the level of privacy interest with metadata, the approach in Bill C-13 for transmission data warrants should be amended by adopting the reasonable grounds to believe standard.
Transparency and Reporting
Third, the lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures must be addressed. This is an issue that combines PIPEDA and lawful access, but one that is made worse by Bill C-13. The stunning revelations about requests and disclosures of personal information – the majority without court oversight or warrant – point to an enormously troubling weakness in Canada’s privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope. In my view, this makes victims of us all – disclosure of our personal information often without our awareness or explicit consent.
When asked for greater transparency – as we see in other countries – Canada’s telecom companies have claimed that government rules prohibit it. I hope that the committee will amend the provisions that make warrantless disclosures more likely in Canada. But even if it doesn’t, it should surely increase the level of transparency by mandating subscriber notifications, record keeping of personal information requests, and the regular release of transparency reports. These requirements could be added to Bill C-13 to lessen the concern associated with voluntary warrantless disclosures. Moreover, regular reporting would not harm investigative activities and would hold the promise of enhancing public confidence in both our law enforcement and communications providers.
I’d like to conclude by pointing to a personal incident involving one of the committee members – Mr. Dechert – that highlights the relevance of these issues. Many will recall that several years ago Mr. Dechert was the victim of a privacy breach, with personal emails sent to journalists and widely reported in the media. The incident ties together several issues I’ve discussed:
1. Privacy interests arise even when you have nothing to hide and have done nothing wrong. The harm that arose in that case – despite no wrongdoing – demonstrates the potential victimization that can occur without proper privacy safeguards.
2. Much of that same information runs the risk of voluntary disclosure. Indeed, the expansion of the public officer definition means that political opponents could seek voluntary disclosure of such information and obtain immunity in doing so. Moreover, there is no notification in such instances.
3. The content of the emails was largely irrelevant. The metadata – who was being called, when they were called, where they were called and for how long – would allow for the same inferences that were mistakenly made during that incident. The privacy interest was in the metadata, which is why a low threshold is inappropriate.
This kind of privacy harm can victimize anyone. We know that information from at least 750,000 Canadian user accounts is voluntarily disclosed every year. It is why we need to ensure that the law has appropriate safeguards against misuse of our personal information and why C-13 should be amended. I’ll stop there and welcome your questions.