Judge Heather Lamoureux of the Provincial Court of Alberta considered "whether Internet access should form part of police resources provided to detainees in order to facilitate a reasonable opportunity to exercise the constitutional right to counsel." After acknowledging that many teenagers view their smartphone, iPad and other devices as essential parts of their daily lives, she noted that Google is the primary source of information for everything from maps to medical care to access to lawyers.

In fact, the judge conducted a Google search for "Calgary criminal defence lawyer" and found that within seconds there was provided with a long list of potential local lawyers. Moreover, the judge noted that police routinely use the Internet for investigations and evidence gathering.

The Charter of Rights and Freedoms grants anyone arrested or detained the right "to retain and instruct counsel without delay and to be informed of that right." For this judge, the failure to provide Internet access meant that the Charter rights had been violated, concluding:

"In the year 2013 it is the Court's view that all police stations must be equipped with Internet access and detainees must have the same opportunities to access the Internet to find a lawyer as they do to access the telephone book to find a lawyer."

The decision will undoubtedly raise eyebrows among criminal lawyers and law enforcement officials, yet it continues a growing trend around the world that elevates Internet access to a quasi-legal right. In 2010, Finland became the first country in the world to make broadband Internet access a legal right for all citizens. A year later, a United Nations report concluded that disconnecting people from the Internet is a human rights violation.

For police, the decision may have resource implications, since providing Internet access will be more costly and cumbersome than pointing to a nearby telephone. It also points to how the Internet and new technologies force the continued rethinking of longstanding rules and practices as even Hollywood films may someday feature police directing an accused to an Internet-connected computer in order to exercise their right to counsel.

Businesses claim the changes will be costly and out-of-step with the rest of the world, but the reality is that Canada is playing catch-up years after most other developed countries implemented similar safeguards.  The opt-in approach can be found in many countries including Australia, the United Kingdom, the European Union, and Japan, who have all recognized that weaker opt-out models (that permit marketing until a consumer proactively asks for it to stop) simply don't provide effective protection.

Moreover, the government has added numerous safeguards for business to the law. The general requirement may be opt-in consent, but there are many exceptions that allow for softer, implied consent. These include exceptions for existing business relationships, personal and family relationships, business-to-business emails, and third-party referrals. 

In fact, there is even an exception for email addresses that have been posted online without a notice that the poster does not wish to receive unsolicited commercial email. For companies seeking to develop lists of potential contacts, this exception ensures that will remain a possibility.

In addition to the exceptions, the business community has been granted years to comply with a transition period that could run to 2017 before a business must switch to opt-in consent for its existing customers.

Despite the numerous carve outs, the business groups claim that the law will result in significant new expenditures, including the need to maintain a database of opt-in consents and a website to allow for easy access to contact information and unsubscribe mechanisms. Yet those businesses are already required to maintain databases with opt-out information and electronic marketing without a website seems somewhat pointless.

Perhaps the most surprising demand from business groups is an expansive exception to a new requirement to obtain express consent prior to the installation of computer software.  The groups have asked the government to delay implementation of this rule indefinitely. Alternatively, they are seeking at least ten additional exceptions, including one that would permit surreptitious surveillance for private enforcement purposes.

The business groups' proposed provision would remove the need for express consent for the installation of any program designed "to prevent, detect, investigate, or terminate activities" such as the unauthorized use of a computer or the contravention of any law, whether Canadian or foreign. Once operational it would effectively legalize spyware in Canada on behalf of these industry groups and create a new mechanism for enforcing foreign laws in Canada.

The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. So too would programs designed to block access to certain websites, attempts to access wireless networks without authorization, or even key-logger programs that track unsuspecting users.

The anti-spam law was enacted with the promise of increasing consumer confidence in e-commerce by providing protections commonly found in other countries. With the latest round of lobbying, however, business groups are pressuring Industry Minister Christian Paradis to turn the law upside down by shifting from protecting consumers to protecting businesses.

Despite the praise for Bill C-11 last year, the groups are right back in criticism mode and demanding reforms. The IIPA is now unsure if the enabler provision will help stop sites that facilitate infringement (despite the fact that its members have yet to use the provision) and concerned with the prospect of new exceptions to the digital lock rules. In fact, its criticisms of the rules for Internet providers (it wants a notice-and-takedown system, tougher rules on search engines that link to infringing content, and new rules to target repeat infringers) are so strong that the organization implausibly claims possible non-compliance with the WIPO Internet treaties.

Moreover, the IIPA wants to undo many of the Bill C-11 changes. It criticizes the new non-commercial caps on statutory damages, the expansion of fair dealing, the non-commercial user generated content provision, the educational exception for publicly available materials on the Internet, and the new exception for temporary copies for technological processes. In other words, the groups are wary of virtually anything designed to provide some balance in the law. There are other targets as well including copyright term extension and more criminal copyright provisions. The Canadian government is unlikely to cave this quickly on copyright, but these demands highlight the pressure that will emerge during the Trans Pacific Partnership negotiations and in bi-lateral discussions with the U.S.

In light of these developments, Borg asks Paradis to respond to the following questions:

1.    What caused Industry Canada to change its mind about the inclusion of said exception between November 2010 and January 2013? 
2.    And, what example does this set for future legislative and corresponding regulatory processes? Will we see the Conservative government continue to use regulations to regulate around the will of Parliament?

As discussed in several posts on this blog, business groups have been actively lobbying for extensive changes to the anti-spam legislation. Borg's letter provides a timely reminder that further watering down the legislation may cause a significant Parliamentary backlash.

I think there are at least four takeaways from the lawful access failure of 2012-13.  The first is that bad policy is hard to defend.  Successive governments (both Liberal and Conservative) have introduced lawful access legislation and consistently struggled to identify actual examples where the current laws are inadequate. Moreover, the rationale for these laws has constantly shifted - from terrorism to spam to child pornography to (most recently) cyber-bullying. The public can sense a failed policy and the current version of lawful access - with no real attempt to address legitimate privacy and oversight concerns as well as silence on who was going to pay the hundreds of millions in surveillance technology costs - was so bad that even supporters were forced to admit its overreach. In fact, even as the bill was declared dead, the director of CSIS acknowledged that "it's not absolutely critical for us to do our work."

Second, the lawful access experience in Canada becomes part of the growing number of Internet advocacy success stories. From the massive petition on usage based billing that spurred the government to effectively order the CRTC to reconsider the issue, to the gradual shift in copyright reform that resulted in more user-oriented provision than any comparable law in the world, Canadians have demonstrated that they are concerned with digital policies and will not hesitate to use social media and the Internet to speak out. To the government's credit, it paid attention to the lawful access backlash as Nicholson acknowledged the strong public opposition and the decision to respond to it.

Third, even with Bill C-30 dead, there is a problem with the current system of voluntary disclosure of customer information by ISPs. The lawful access debate placed the spotlight on the fact that ISPs disclose customer information tens of thousands of times every year without court oversight. The law permits these disclosures, but there are no reporting requirements or accountability mechanisms built into the process. Those are needed and the government should move swiftly to add this to the law, either within Bill C-12 (the PIPEDA reform bill) or Bill C-55, which was introduced yesterday.

Fourth, Bill C-30 may be dead, but lawful access surely is not.  On the same day the government put the bill out its misery, it introduced Bill C-55 on warrantless wiretapping. Although the bill is ostensibly a response to last year's R v. Tse decision from the Supreme Court of Canada, much of the bill is lifted directly from Bill C-30.  Moreover, there will be other ways to revive the more troublesome Internet surveillance provisions. Christopher Parsons points to lawful intercept requirements in the forthcoming spectrum auction, while many others have discussed Bill C-12, which includes provisions that encourage personal information disclosure without court oversight.  Of course, cynics might also point to the 2007 pledge from then-Public Safety Minister Stockwell Day to not introduce mandatory disclosure of personal information without a warrant. That position was dropped soon after Peter Van Loan took over the portfolio. 

Lawful access opponents should rightly celebrate the defeat of Bill C-30 and the government's recognition that it was a bad bill that was poorly justified. That said, lawful access will return. Law enforcement will continue to lobby for the reforms and Public Safety officials, who have shown little pretense of balance on this issue, will keep the file alive in the hope that it can be revived. Perhaps it will come as a single bill, though more likely the policies will be found in smaller pieces of legislation or non-legislative policies that are more difficult to identify and oppose.  Bill C-30 is dead, but the fight over Internet surveillance and foundational privacy principles such as court oversight for mandatory disclosure of personal information will continue for the foreseeable future.

Second, Distributel argues that NGN failed to meet the requirements for disclosure established in the BMG Canada v. Doe case by failing to demonstrate a bona fide claim. In support of its argument, Distributel points to "numerous errors, inconsistencies, and missing links" in the evidence. Geographic information included in the evidence was often erroneous and there was little evidence about how the information on Distributel subscribers was obtained.  Further, Distributel argues that significant evidence was not provided: no information on how much of the work was copied, no evidence that a substantial portion of a film was infringed, no evidence of which P2P networks were used, and no information on the subscribers' P2P pseudonyms.

Third, Distributel expresses concern with the targeting of smaller, independent ISPs. This particular case involves two other small ISPs (Access Communications, ACN) and the company argues that pursuing independent ISPs is unfair as it may affect consumer choice for Internet services.

Fourth, Distributel raises privacy concerns, including the lengthy delay from data collection until the time when this motion was raised. Moreover, NGN did not provide evidence that there are no other ways to obtain this information.

Fifth, Distributel cites the Voltage - TekSavvy case for the need for reasonable compensation for the expenses incurred by the ISP.  Distributel says that NGN has not provided for reasonable compensation in the draft order it presented to the court.

Distributel's decision to oppose the motion points to mounting ISP frustration with file sharing lawsuits that come after the government send clear signals that such actions were unwelcome.  While Bell, Cogeco, and Videotron did not oppose or challenge a case involving Voltage Pictures in 2011, more recently TekSavvy has fought for the right to notify its customers and to allow CIPPIC to intervene in a case involving thousands of subscriber names.  Distributel has taken the next step of reversing a prior position by opposing a motion for disclosure of subscriber names, sending a strong message that it will carefully examine the evidence and motives of rights holders before standing aside in the quest for subscriber information and inevitable settlement demands that follow.

Despite the enduring need to combat nuisance messages and malware, the multitude of compliance problems introduced through the "opt-in" approach to regulating commercial electronic messages and software needs further scrutiny.

The business lobby group therefore argues that opt-in should be dropped for business-to-business email altogether, that the government hold another round of consultations (thereby further delaying the law), and that the law be delayed for at least a year after the final regulations are published.

The opposition to the opt-in approach permeates throughout the organization, its affiliates, and members. For example, earlier this week the Niagara Falls Chamber of Commerce reacted to concern from a member about the spyware provisions by pointing to the law's opt-in requirements and asked "you don't think obligating business to get consent prior to sending a CEM is wrong"? (the complainant said no). Similarly, Graham Henderson, the CEO of CRIA/Music Canada, a Chamber supporter, claims that the law will pose an "immense threat to independent labels and young bands."

Despite these persistent claims that the opt-in approach found in the anti-spam law will greatly harm business (or apparently young music bands), the reality is that opt-in is the standard in most major developed countries.  For example, the Australian anti-spam law is based on an opt-in express consent model, with exceptions for opt-out consent based on an existing business relationship or a published email address (Canada has the same exceptions). As for the oft-repeated concerns that this will prevent cold calling via email, Australia has had this prohibition in place for nearly five years (along with a more restrictive third party referral system).

Similarly, Japan switched from an opt-out system to opt-in in 2009, after it found that the opt-out system simply doesn't work. The Japanese system is described as follows:

The legislation is clear: Full auditable and trackable permission to receive email marketing messages must be received prior to any send. Even though there is a clause that states that for-profit entities who publicly announce their own email addresses or who have a preexisting business relationship with the sender can receive commercial email, there is still a requirement for an affirmative act prior to receipt.

The European Union has had an opt-in consent model for a decade. It describes its own system as:

Article 13(1) of the Privacy and Electronic Communications Directive requires Member States to prohibit the sending of unsolicited commercial communications by fax or e-mail or other electronic messaging systems such as SMS and MMS unless the prior consent of the addressee has been obtained (opt-in system).

This requirement has been implemented throughout Europe.  For example, the Privacy and Electronic Communications (EC Directive) Regulations 2003 in the United Kingdom provides the following on the use of electronic mail for direct marketing purposes:

Except in the circumstances referred to in paragraph (3), a person shall neither transmit, nor instigate the transmission of, unsolicited communications for the purposes of direct marketing by means of electronic mail unless the recipient of the electronic mail has previously notified the sender that he consents for the time being to such communications being sent by, or at the instigation of, the sender.

3) A person may send or instigate the sending of electronic mail for the purposes of direct marketing where—
(a) that person has obtained the contact details of the recipient of that electronic mail in the course of the sale or negotiations for the sale of a product or service to that recipient;
(b)the direct marketing is in respect of that person’s similar products and services only; and
(c) the recipient has been given a simple means of refusing (free of charge except for the costs of the transmission of the refusal) the use of his contact details for the purposes of such direct marketing, at the time that the details were initially collected, and, where he did not initially refuse the use of the details, at the time of each subsequent communication.

In other words, Canada is not an outlier in adopting an opt-in model. The only major trading partner with an opt-out model is the United States, whose CAN-Spam Act is widely regarded as a failure. While there are variations in the specifics between countries, the opt-in approach has been implemented around the world without email marketing grinding to a halt. As noted yesterday, the comment period on the draft regulations may have closed, but it is not too late to tell Industry Minister Christian Paradis or your local Member of Parliament to reject demands from groups like the Canadian Chamber of Commerce that would gut the anti-spam bill.

a program that is installed by or on behalf of a person to prevent, detect, investigate, or terminate activities that the person reasonably believes (i) present a risk or threatens the security, privacy, or unauthorized or fraudulent use, of a computer system, telecommunications facility, or network, or (ii) involves the contravention of any law of Canada, of a province or municipality of Canada or of
a foreign state;

The last five words of this provision could prove to be the most important, since they permit the installation of computer programs without express consent based on the belief of a contravention of the law of a foreign state. After years of fighting for a made-in-Canada copyright approach, this provision would create the prospect of enforcement of U.S. or other foreign laws through surreptitious installation of computer programs. Beyond copyright law, the same provision could presumably be used to justify Chinese spyware supposedly seeking to prevent violation of Chinese laws (perhaps involving groups targeted by that government).

What makes this provision particularly ironic is that elsewhere in the business lobby group document, the organizations complain that the law:

applies to computer programs that are installed on computers anywhere in the world by or acting on the direction of a person located in Canada. This wide extra-territorial reach runs counter to CASL's stated objective to promote the efficiency and adaptability of the Canadian economy.

In response to this concern, the groups call for an exception for all computer programs installed on a computer system outside of Canada. Leaving aside the potential for this loophole to turn Canada into a base for spyware activities (so long as they avoid installing on Canadian computers), it is incredible to find these groups arguing against applying the law for Canadian-originated spyware outside of the country but simultaneously arguing for a provision to allow for the installation of such programs in Canada to enforce foreign laws.

As for who these groups are, a reminder that the group of 13, led by the Canadian Chamber of Commerce, consists of:

• Association of International Automobile Manufacturers of Canada
• Canadian Bankers Association
• Canadian Chamber of Commerce
• Canadian Federation of Independent Business
• Canadian Marketing Association
• Canadian Wireless Telecommunications Association
• Canadian Vehicle Manufacturers' Association
• Electro-Federation of Canada
• Entertainment Software Association of Canada
• Information Technology Association of Canada
• Interactive Advertising Bureau of Canada
• Magazines Canada
• Retail Council of Canada

The comment period on the draft regulations may have closed, but it is not too late to tell Industry Minister Christian Paradis or your local Member of Parliament to reject demands that would gut the anti-spam bill and legalize spyware.

The lack of information is a concern that forms the foundation of the draft CRTC code. Yet the Bureau focuses first on industry practices that have a negative impact on consumer choice. In particular, the "Bureau supports measures to limit contract length and to ensure that consumers maintain the ability to move from one service provider to another." The Bureau also wants a ban on device locking:

Locked handsets are a powerful block to consumers who want to switch service providers. The Bureau believes that device locking should be prohibited in the marketplace, and that service providers should be required to unlock any previously locked devices free of charge.

and a prohibition on tying wireless service contracts with device subsidy contracts.  I posted my column on the issue earlier this week with many of the same recommendations.

8. (1) A person must not, in the course of a commercial activity, install or cause to be installed a computer program on any other person's computer system or, having so installed or caused to be installed a computer program, cause an electronic message to be sent from that computer system, unless
(a) the person has obtained the express consent of the owner or an authorized user of the computer system and complies with subsection 11(5); or
(b) the person is acting in accordance with a court order.

The law adds several wrinkles to this general requirement, including the need for clear and prominent descriptions of the functionality of the software in certain circumstances (including the collection of personal information, changing user settings, or interfering with user control over their computer) and exemptions for programs such as cookies, HTML code, and javascripts.

The industry groups are now demanding that the government overhaul these requirements. Its preferred approach is to simply kill the provision altogether by referring it to a "Review Body", which it says could be a task force or another public consultation, before taking effect. In other words, despite considerable debate and approval on this specific provision by Members of Parliament from all parties, these industry groups still want it placed in legislative limbo. 

Alternatively, the groups want at least ten kinds of computer programs excluded from the express consent requirement. The very first should set off alarm bells for all Canadians:

a program that is installed by or on behalf of a person to prevent, detect, investigate, or terminate activities that the person reasonably believes (i) present a risk or threatens the security, privacy, or unauthorized or fraudulent use, of a computer system, telecommunications facility, or network, or (ii) involves the contravention of any law of Canada, of a province or municipality of Canada or of a foreign state;

This provision would effectively legalize spyware in Canada on behalf of these industry groups. The potential scope of coverage is breathtaking: a software program secretly installed by an entertainment software company designed to detect or investigate alleged copyright infringement would be covered by this exception. This exception could potentially cover programs designed to block access to certain websites (preventing the contravention of a law as would have been the case with SOPA), attempts to access wireless networks without authorization, or even keylogger programs tracking unsuspecting users (detection and investigation). Ensuring compliance with the law is important, but envisioning private enforcement through spyware without the involvement of courts, lawful authorities, and due process should be a non-starter.

The Canadian Chamber of Commerce and other business groups want to ensure that the anti-spam law does not block their ability to secretly install spyware on personal computers for a wide range of purposes. In doing so, these groups are proposing to turn the law upside down by shifting from protecting consumers to protecting businesses. The comment period on the draft regulations may have closed, but it is not too late to tell Industry Minister Christian Paradis or your local Member of Parliament to reject demands that would gut the anti-spam bill and legalize spyware for private enforcement purposes.