Privacy by Sebastien Wiertz (CC BY 2.0) https://www.flickr.com/photos/wiertz/6092000030/sizes/l/
In the aftermath of the Supreme Court of Canada’s Spencer decision, I argued that the decision upholding the reasonable expectation of privacy in subscriber information contradicted the government’s claims supporting Bills C-13 and S-4, leaving the government’s lawful access strategy in tatters. I noted that it faced a choice:
The Canadian government could adopt the “bury our heads in the sand approach” by leaving the provision unchanged, knowing that it will be unused or subject to challenge. That would run counter to the spirit of the Supreme Court ruling, however, and do nothing to assist law enforcement.
Yesterday, the government did just that, as Bill C-13 passed another legislative hurdle with the reported committee version of the bill was approved by the House. During the debate, the government insisted that the legislation is consistent with the Spencer decision. While it is true that the voluntary warrantless disclosure provision does not directly contradict the Spencer decision, the reality is that it has been rendered largely moot. In other words, the government is touting a legislative solution to assist law enforcement that the police will not use and that telecom companies will ignore.
An Inconsistent Mess: Government Documents Reveal Ineffective and Inconsistent Policies Amid Widespread Demands for Subscriber Information
One day after NDP MP Charmaine Borg received a government response to her request for more data on subscriber requests and disclosures, Liberal MP Irwin Cotler received a response to his request for information. While there is some overlap between the documents, Cotler asked some important specific questions about the number of requests, which providers face requests, and the results of the information disclosed. Departments such as CSIS and CSEC unsurprisingly declined to provide much information, but several other departments were more forthcoming.
The results paint a disturbing picture: massive numbers of requests often with little or no record keeping, evidence to suggest that the disclosures frequently do not lead to charges, requests that extend far beyond telecom providers to include online dating and children’s gaming sites, and inconsistent application of the Supreme Court of Canada’s recent Spencer decision.
Earlier this year, reports indicated that the Canadian Border Services Agency had requested subscriber information over 18,000 times in a single year, with the vast majority of the requests and disclosures occuring without a warrant. The information came to light through NDP MP Charmaine Borg’s efforts to obtain information on government agencies requests for subscriber data. Borg followed up the initial request with a more detailed list of questions and earlier this week she receive the government’s response.
The latest response confirms the earlier numbers and sheds more light on CBSA practices. First, the CBSA confirms that requests for subscriber information are conducted without a court order by relying upon Section 43 of the Customs Act. It provides:
Canadian privacy law has long been reliant on the principle of “reasonable expectation of privacy.” The principle is particularly important with respect to the Charter of Rights and Freedoms, as the Supreme Court of Canada has held that the right to be free from unreasonable search and seizure is grounded in a reasonable expectation of privacy in a free and democratic society.
The reasonable expectation of privacy standard provides a useful starting point for analysis, but the danger is that privacy rights can seemingly be lost with little more than a contractual provision indicating that the user has no privacy. Indeed, if privacy rights can disappear based on a sentence in a contract that few take the time to read (much less assess whether they are comfortable with), those rights stand on very shaky ground.
My weekly technology law column (Toronto Star version, homepage version) notes the limits of the reasonable expectation of privacy standard emerged in a recent British Columbia Court of Appeal case involving the search of a courier package that contained illegal drugs. The court rejected claims of an illegal search, concluding that the defendant had no reasonable expectation of privacy despite the fact that he had no commercial relationship with the courier company and had never agreed to, or even viewed, the terms of the contract.
From Cell Towers to Credit Card Data: Telecom Privacy Case Reveals Scope of Police Demands for Subscriber Information
Last month, media reports covered a recently released Ontario court decision involving a Peel Regional Police warrant application for subscriber data from Telus and Rogers. The two telecom companies challenged the order, arguing that it was overbroad. The police withdrew the order in favour of a more limited request, but the court decided that the Charter issues raised by the request should still be examined.
The money quote from the judge – “the privacy rights of the tens of thousands of cell phone users is of obvious importance” – captured the attention, but the case is more interesting for the data it provides on police warrant applications for subscriber data. The case reveals that Telus received approximately 2,500 production orders and general warrants in 2013, while Rogers produced 13,800 files in response to production orders and search warrants that year.
Even more interesting is how the police were seeking access to a huge amount of subscriber information by asking for all records involving dozens of cell phone towers, including subscriber data, billing information, bank data, and credit card information. The specifics as described by the court: