Appeared in the Toronto Star on October 17, 2005 as Say No To Giving Police Carte Blanche to E-Snoop
Appeared in the Ottawa Citizen on October 20, 2005 as Deeds Not Words

In the face of growing public concern about Ottawa’ s plans to grant law enforcement authorities vast new Internet surveillance powers, Prime Minister Paul Martin last week tried to assure Canadians that their privacy and civil rights would be respected.  Responding to questions about the so-called lawful access initiative, Martin remarked that "when the government brings forth this kind of legislation obviously the question of civil rights is first and foremost in our minds and they will be protected."

While Canadians undoubtedly want to take Mr. Martin at his word, the state of Canadian privacy reveals another story.  In the days preceding Mr. Martin’ s comments, the Privacy Commissioner of Canada released two annual reports that paint a bleak picture of Canadian privacy – illustrating that Canadian policies are ill-equipped to deal with emerging technologies and cross-border trade practices.  When combined with the lawful access initiative, it is clear that a robust privacy framework requires action rather than rhetoric.

Lawful access is the most troubling development on the short-term horizon. The term itself unsettles many; it sounds benign while its purpose is not – the legislation would grant new, intrusive powers of surveillance to law-enforcement authorities without matching judicial oversight.

If enacted, it would compel Internet service providers to install new interception capabilities as they upgrade their networks. The country’ s major ISPs, who provide service to the majority of Canadians, would eventually be capable of intercepting data, isolating specific subscribers, and removing any encryption or other changes that they make to data transmissions.   

The legislation would also provide law enforcement authorities with a wide range of new powers.  For example, authorities could apply for new "production orders" with which they could compel disclosure of tracking data such as cell phone usage and transmission data, including telecommunications and Internet usage information.

Law enforcement maintains that these new powers are necessary to ensure that Canada’ s legal framework rises to the challenges posed by the Internet and emerging technologies.  While additional powers may be warranted, law enforcement has failed to marshall specific evidence about how the current rules hamper criminal investigations or prosecutions.  

Moreover, should Canada establish new surveillance powers, the effective protection of civil rights would depend upon matching oversight.  The most troubling aspect of the lawful access proposals is that they take the opposite approach by increasing surveillance but reducing oversight, thereby permitting police to obtain access to personal information without any judicial involvement in certain circumstances.

If lawful access presents the most immediate privacy threat, the Privacy Commissioner’ s annual reports – one for each of Canada’ s federal privacy laws – leaves little doubt that this is only the tip of a dangerous iceberg. The Commissioner’ s concerns include inadequate statutory enforcement powers, the challenges created by new technologies such as radio frequency identification devices (RFIDs), and a cross-border trade environment that often results in the transfer of personal information across borders with limited accountability and oversight.

The Privacy Commissioner’ s insufficient enforcement powers include both the Privacy Act, which governs the collection and use of personal information by the federal government, and the Personal Information Protection and Electronic Documents Act (PIPEDA), the national private sector privacy law.

In each case, the Privacy Commissioner is limited to an ombuds role that seeks to settle disputes through moral persuasion.  Unlike many of her provincial counterparts, the federal commissioner does not possess order making power, limiting the office to non-binding findings that carry little weight in federal courts.

The Commissioner used the annual reports to send a clear signal that the ombuds approach should be reconsidered, noting that "models in several other jurisdictions, both in Canada and abroad, give the overseer the tools to compel respect for the law. Parliament may wish to review the merits of such powers for the Privacy Commissioner of Canada."

New technologies also pose a significant challenge to the current privacy framework.  The Commissioner singles out RFIDs, tiny tracking devices that use radio waves to read a serial number stored on a microchip, as particularly problematic. While RFIDs have been innocuously used for inventory management with containerized shipping in the past, some retailers have recently begun experimenting with them in consumer products such as razor blades in order to deter theft.

The Commissioner notes that the combination of the grain-of-rice sized devices with advanced computer systems creates "enormous economic incentives to introduce RFID technology."  Since few consumers are even aware of this new technology, there is an equally enormous potential for the invasion of personal privacy.

The transborder flow of information is a longtime concern – experts identified the issue as early as the 1960s – that has gained increasing prominence with data outsourcing and the Internet.  Last year, British Columbia Privacy Commissioner David Loukidelis conducted a much-discussed inquiry into the implications of the transfer of provincial health information to the United States.

Critics feared that U.S. law enforcement authorities could use the USA Patriot Act – the statute enacted immediately after 9/11 – to access Canadians’ personal health information without disclosure or effective judicial oversight.  The B.C. Commissioner agreed, leading to new provincial legislation to safeguard cross-border disclosures.

Given the popularity of outsourcing, the B.C. experience may be replicated at the national level.  With limited protections in PIPEDA, the Privacy Commissioner laments in the annual report that "there is a loss of control over what a foreign jurisdiction might do with that information and our Office has no oversight authority."

Given these challenges, it appears that Canada is facing a privacy crisis that can only be resolved by instituting statutory reform that creates adequate privacy safeguards. If the Prime Minister of Canada is serious about prioritizing civil rights, then decisive action must follow his strong words.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.