Untitled by kris krüg (CC BY-NC-ND 2.0) https://flic.kr/p/bsty4b

Untitled by kris krüg (CC BY-NC-ND 2.0) https://flic.kr/p/bsty4b

Columns

Why Canadian Telecom Companies Must Defend Your Right to Privacy

In today’s communications driven world, no one collects as much information about its customers as telecom companies. As subscribers increasingly rely on the same company for Internet connectivity, wireless access, local phone service, and television packages, the breadth of personal data collection is truly staggering.

Whether it is geo-location data on where we go, information on what we read online, details on what we watch, or lists identifying with whom we communicate, telecom and cable companies have the capability of pulling together remarkably detailed profiles of millions of Canadians.

My weekly technology law column (Toronto Star version, homepage version) notes that how that information is used and who can gain access to it has emerged as one the most challenging and controversial privacy issues of our time. The companies themselves are tempted by the prospect of “monetizing” the information by using it for marketing purposes, law enforcement wants easy access during criminal investigations, and private litigants frequently demand that the companies hand over the data with minimal oversight.

As a result, courts and privacy commissioners have regularly faced questions about the rights and responsibilities associated with subscriber information. For example, the Privacy Commissioner of Canada ruled last year that Bell’s “relevant advertising program”, which provided advertisers with the ability to target ads based on subscriber personal information, ran afoul of Canadian privacy law because the company simply presumed that it could use the information without an explicit, opt-in consent.

The Canadian courts have similarly grappled with a myriad of privacy issues, including whether basic subscriber information carries with it a reasonable expectation of privacy (the Supreme Court of Canada ruled that it does) or if an Internet provider can be required to reveal the identities of Internet subscribers in a copyright infringement lawsuit (it can subject to conditions limiting how the information is used).

Earlier this month, an Ontario court escalated the privacy rights of subscribers in a high-profile case involving Rogers and Telus, who were asked by police to provide “tower dump” records that would have revealed information on thousands of cellphone users. The two telecom companies rejected the request, noting that the disclosure would affect tens of thousands of people who were merely located in the vicinity of a cellphone tower during the specified period.

Given the detailed information that would have been available (including billing and credit card information), the lack of safeguards over the information, and the over breadth of the request, the companies argued that an order to produce the information would breach the reasonable expectation of privacy of the affected cellphone users. The court proceeded to establish a series of guidelines aimed at forcing law enforcement to provide detailed justifications for disclosures in similar circumstances.

While that alone would be a notable ruling, the court went further by ruling that the companies had a positive obligation to defend the privacy interests of their subscribers.

Lawyers representing the police had questioned whether the telecom companies were entitled to raise the privacy rights of their subscribers. The court noted that individual cellphone users were unlikely to appear in court to defend their privacy interests, meaning their concerns would be unaddressed unless the companies took it upon themselves to question the production order. Moreover, since customer contracts reference privacy rights, the court reasoned that the companies were contractually obligated to assert the privacy interests of their subscribers.

The confirmation that telecom and Internet providers are obligated to defend the privacy interests of their subscribers represents a sea change in approach. For years, companies have been largely content to remain on the sidelines, arguing that they are merely intermediaries without the ability to step into the shoes of their customers. In fact, even in the Telus and Rogers tower dump case, Bell was conspicuously absent.

The courts are now sending the unmistakable message that the privacy interests of subscribers are too important to be left without representation. Companies promise privacy protection in their contracts and that includes stepping up to defend customers to ensure that personal information is properly safeguarded, that appropriate justifications for disclosure are provided, and the information is not misused in any way.

5 Comments

  1. This must be a great relief to TekSavvy, who had visible concern that they wouldn’t get standing to notify their customers and give the customers and the Samuelson-Glushko Canadian Internet Policy and Public Interest clinic a chance to get a copyright troll before the courts. If they’d failed, the troll would have been able to “speculatively invoice” (a politer term that “defraud”) the customers.

  2. Devil's Advocate says:

    From the beginning, I have always asserted that all forms of gathering personal info and logging user activity should never have been allowed to happen.

    The gathered information, in itself, immediately creates too many conflicts on too many levels, and unnecessarily creates too many forms of “stakeholders” – both the unintentional variety, or otherwise (by design or opportunism).

    Additionally, providers should never have been allowed to have any interest to or influence in the content being transmitted. The infrastructure should have been limited to “dumb pipes” that simply complete the connection process, and providers should have been limited to making that happen, rather than allowing them to own the pipes and run content services and media companies as well. That’s a huge conflict to a fair system right there.

    There’s no reason why info needs to be collected, even with regard to law enforcement. (I’d say *especially* for law enforcement.) Providers already have what they need to know about us, tied to our account records. And, there are quite enough resources to do proper, targeted investigations without creating “data banks”.

    Law enforcers really should, first and foremost, know what they’re investigating and what they need to find, and from where it is justified to search. From there, they can target these investigations and get proper warrants for activities that blatantly infringe upon our rights.

    The only purpose served by hoarding our information would be to look through it for something to look for, in order to control, manipulate or subvert someone or something.

    We’ve already allowed too many corporate and government interests to *attempt* to “shape the Internet”. Governments want to create a spy-and-control mechanism from it, while Big Business wants to completely own the whole damned thing and saturate it with advertising and profit ventures.

    Due to the decentralized nature of “the Internet”, and its ever-changing players, that “shape” they’re going for will never be attained. However, there’s much damage being done to our rights and freedoms, by their efforts.

  3. @David Collier-Brown – I value your comments especially on my blog, but dude couldn’t you be less obvious. Get with the program, rather than repeating old TSI troll lines.

  4. It’s not practical to expect what was yesterday just a “dumb pipe” to now become the critical adjudicator of the appropriateness of a justification for disclosure. Can you imagine how quickly Rogers would have coughed up that data had the crime been the theft of “Intellectual Property” rather than merely of personal property?

    The only workable solution is to make it impossible for police to get any data, ever. Stop trying to find a “reasonable middle ground” on a technological issue that can only be black or white. Surveillance only works for as long as criminals don’t know they’re being surveilled, then they adopt new technology.

    This pits us against them in a game of spy vs. spy that can only end with a balkanized Internet, where no one ever dares say anything controversial because every packet is stamped with your DNA and is stored forever. I’m sure this kind of Internet would have never gotten off the ground in the first place.

  5. This is what I’m talking about. Yes, our laws all apply on the internet as well as in real life interactions, but much is invisible to law enforcement online. I want standards for privacy protection by online services set by gov’t so at least I know what their damn policy and responsibilities are.