For the past several months, many Canadians have been debating privacy reform, with the government moving forward on two bills: lawful access (C-13) and PIPEDA reform (S-4). One of the most troubling aspects of those bills has been the government’s effort to expand the scope of warrantless, voluntary disclosure of personal information.
Bill C-13 proposes to expand warrantless disclosure of subscriber information to law enforcement by including an immunity provision from any criminal or civil liability (including class action lawsuits) for companies that preserve personal information or disclose it without a warrant. Meanwhile, Bill S-4, proposes extending the ability to disclose subscriber information without a warrant from law enforcement to private sector organizations. The bill includes a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. I appeared before both committees in recent weeks (C-13, S-4), but Conservative MPs and Senators were dismissive of the concerns associated with voluntary disclosures.
This morning another voice entered the discussion and completely changed the debate. The Supreme Court of Canada issued its long-awaited R. v. Spencer decision, which examined the legality of voluntary warrantless disclosure of basic subscriber information to law enforcement. In a unanimous decision written by (Harper appointee) Justice Thomas Cromwell, the court issued a strong endorsement of Internet privacy, emphasizing the privacy importance of subscriber information, the right to anonymity, and the need for police to obtain a warrant for subscriber information except in exigent circumstances or under a reasonable law.
I discuss the implications below, but first some of the key findings. First, the Court recognizes that there is a privacy interest in subscriber information. While the government has consistently sought to downplay that interest, the court finds that the information is much more than a simple name and address, particular in the context of the Internet. As the court states:
the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users. Browsing logs, for example, may provide detailed information about users’ interests. Search engines may gather records of users’ search terms. Advertisers may track their users across networks of websites, gathering an overview of their interests and concerns. â€œCookiesâ€ may be used to track consumer habits and may provide information about the options selected within a website, which web pages were visited before and after the visit to the host website and any other personal information provided. The user cannot fully control or even necessarily be aware of who may observe a pattern of online activity, but by remaining anonymous – by guarding the link between the information and the identity of the person to whom it relates – the user can in large measure be assured that the activity remains private.
Given all of this information, the privacy interest is about much more than just name and address.
Second, the court expands our understanding of informational privacy, concluding that there three conceptually distinct issues: privacy as secrecy, privacy as control, and privacy as anonymity. It is anonymity that is particularly notable as the court recognizes its importance within the context of Internet usage. Given the importance of the information and the ability to link anonymous Internet activities with an identifiable person, a high level of informational privacy is at stake.
in the totality of the circumstances of this case, there is a reasonable expectation of privacy in the subscriber information. The disclosure of this information will often amount to the identification of a user with intimate or sensitive activities being carried out online, usually on the understanding that these activities would be anonymous. A request by a police officer that an ISP voluntarily disclose such information amounts to a search.
Fourth, having concluded that obtaining subscriber information was a search with a reasonable expectation of privacy, the information was unconstitutionally obtained therefore led to an unlawful search. Addressing the impact of the PIPEDA voluntary disclosure clause, the court notes:
Since in the circumstances of this case the police do not have the power to conduct a search for subscriber information in the absence of exigent circumstances or a reasonable law, I do not see how they could gain a new search power through the combination of a declaratory provision and a provision enacted to promote the protection of personal information.
There are several important implications that flow from this decision. First, with a finding that police need a warrant for subscriber information (except in exigent circumstances), the practice of obtaining information on a voluntary basis should come to an end.
Second, the government’s plans for expanded voluntary, warrantless disclosure under Bill C-13 must surely be reformed as it is unconstitutional. Just yesterday, Conservative MP Bob Dechert relied on R. v. Ward to support the C-13 approach with respect to immunity for voluntary disclosure. The court has effectively rejected the Ward decision and Dechert’s defence of the provision no longer stands.
Third, the government should remove the expansion of voluntary disclosure in S-4. With the Supreme Court emphasizing the privacy importance of subscriber information, the government should not be seeking to expand warrantless disclosures. In fact, immediate reports indicate that the Senate has delayed debate on the bill to consider the ruling.
Fourth, Internet providers need radical reform of their current approach to disclosure of subscriber information. The Supreme Court examined Shaw’s terms of service policy and found it provided “a confusing and unclear picture of what Shaw would do when faced with a police request for subscriber information.” The same can be said for virtually every ISP in Canada. While ISPs have been regularly disclosing this information hundreds of thousands of times, the Court ruled:
Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure â€œof personal information in a manner that recognizes the right of privacy of individuals with respect to their personal informationâ€ (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.
The court notes that ISPs are not required to disclose this information and this case reaches the conclusion that they are not permitted to do so absent a warrant either. This means ISPs must change their practices on voluntary warrantless disclosure. Much more to come on a decision that seems likely to define Internet privacy for many years to come.
High level perspective – courts are starting to better understand how technology and privacy intersect – legislators not so much.
This made my day. It’s sad that we need to rely on the Supreme Court to protect our rights.
Lalala, I can’t hear you!
from @jpress on Twitter: Carignan told #SenCA that early look at SCC ruling shows “it does not have an impact and that it confirms our views on this matterâ€
The Toronto Star just reported that:
It said there is no obligation under the Personal Information Protection and Electronic Documents Act for telecoms to turn over subscriber data, and that the act did not give police new search and seizure powers. However the ruling does allow telecoms that become aware of criminal activity to turn data over to the police; they just cannot be compelled to without a warrant.
So can telecoms turn over data without warrants or not? Michael’s analysis seems contradictory with the Star’s…
In this case, the court still admitted the illegally obtained evidence because failure to do so would bring the administration of justice into disrepute. Given the conflicting guidance that existed prior to this decision, that seems reasonable. Now that the court has determined that voluntary disclosure in response to law enforcement requests is unconstitutional, what happens next time an ISP makes such a disclosure?
I’m also curious about the implications of p 64:
“I also note with respect to an ISP’s legitimate interest in preventing crimes committed through its services that entirely different considerations may apply where an ISP itself detects illegal activity and of its own motion wishes to report this activity to the police. Such a situation falls under a separate, broader exemption in PIPEDA, namely s. 7(3)(d)….”
Does this permit ISPs to monitor customer usage when there may be illegal activity in the opinion of the ISP, who could then turn over otherwise private data to law enforcement?
So, one wonders what this could mean for Teksavvy’s cynical strategy in the Voltage case.
You seem to have been on an anti-Teksavvy bender recently.
Teksavvy did everything reasonable & practicable to protect their client’s privacy.
Perhaps your meds need adjusting.
I suggest consulting with your doctor before you post any more tirades.
Harper in sheeps clothing
Fantastic. People should not get confused of why a majority of conservative supreme court justices went against Harper again and again. People have to remember that Harper is not a Conservative, he’s a Preston Manning Reformer in sheep’s clothing.
I wonder if this affects digital rights holders fishing attempts against downloaders.
It’s interesting how  tries to justify non-exclusion of the evidence. If the evidence is “reliable” and it’s “for the children”, then who cares about the constitutionality of its gathering, but it’s hardly a principled rationale. That poisoned tree makes yummy fruit sometimes.
The complete text of the ruling directly contradicts what government supporters have been saying
Government MPs responded to criticism over privacy concerns by saying that all that was being requested was subscriber information. The ruling, however, states that that is not the point. Rather, it was what can be inferred by that information that is of concern.
C-13 is gutted, as it relates to privacy.
This is not to say that the police cannot get subscriber information at all, but that this ruling spells the end of fishing expeditions.
I don’t understand how the SOC has said the search was unconstitutional but that because of the severity of the crime committed has admitted the evidence.
Are they saying that the constitution doesn’t apply to crimes of sufficient severity?
Does this mean that police can unconstitutionally obtain warrant-less subscriber info and have it later judged as admissible in the case of severe crimes?
A very broad decision, but not bulletproof
This will take a 2nd or 3rd reading before all of its implications become clear, but it seems to be a very broad, and generally positive decision.
However, it seems to me that the protections the court upholds can be knocked down by the government by legislation which alters the expectation of privacy. Arguably, C-13 does that. If C-13 were in place, the government could argue that there is no reasonable expectation of privacy given that the law allows disclosure. They may seek to bolster that argument by mandating Terms of Service for Canadian ISPs which include language that waters down or eliminates the expectation of privacy.
So while this decision is a win for Internet privacy, it’s a battle won, not the end of the war.
At least the court is doing it’s job
We could have a situation like the US has where they continually issue very narrow judgements that don’t answer basic question about the subject matter, leaving everyone to fight it out in the lower courts over and over.
Good job SOC!
doing its job
Brian, you’re partly right – but here they make a broad ruling, then immediately excempt the current case from its core findings. Not sure that’s much better.
CSES, this judgement and metadata from phone.
One more question. How does this,if it does, affect CSES when it claims to only collect Metadata from your phone, considering all the info that can be correlated similar to an Ip address.
The federal government should hire some decent lawyers, or start listening to the ones who are providing excellent advice for free such as Dr. Geist! On the other hand, it is quite obvious that “listening” is not something this govt does well.
The SCoC is all that stands between us and a dictatorship. Thank you Supremes!
And in related news
I find it ironic that the federal Liberals are busy pumping up their proposed changes to the access to (government) information act. I think Canadians are much more concerned about government access to “their” information.
THANKS FOR PUTTING UP WITH US MICHAEL GEIST
Thanks for all your persistance Michael Geist. I don’t see how you have time for all that you do. You’re a machine 🙂 . The Supreme Court Of Canada is great. We contacted them also. They understand what Harper is trying to do to Canada. My family and I are still trying to get our MP Don Davies to help us get our information released from The Justice Department Of Canada so we can move forward with our law suite against the RCMP CSIS and CSEC. We have emailed our MP and our MLA Adrian Dix numerous times about the abuse against us by the RCMP CSIS and CSEC but they never got back to us, so we went down to visit them at their offices and they won’t even see us, at least their secretaries recorded the details of our case. We were told by Don Davies that he does not have the resources to help us. Adrian Dix’s office said they can’t help us even though most of the abuse to us happened in British Columbia. Kristy Clark got back to us and said they can’t get involved in policing or security matters and referred our case to some branch of The Justice Department Of B.C. that we never heard of. Don Davies told us the same thing as The B.C. Civil Liberties Office said, we told them the details of our case against the RCMP CSIS and CSEC and they said they could take our case and then when we told them our names they turned us down because they said our case is to large and they don’t have the resources to handle such a large lawsuit. They said no once they realized who we were. The most important thing for us is to find out whether our daughters have been murdered or not. No one even wants to help us find them. We would at least like to find out how they were murdered and where they are buried so we can visit their graves. We hope it is just some sick joke but they were working for Canadian Intelligence and an agent told us they had been murdered but he didn’t give us any details. When we went to look for them they tried to murder us but we evaded the gunman. A week after the murder attempt on my wife and kids and I in Windsor Ontario in January of 2013 they tried to get the police to arrest me so they could keep me in Ontario. When the police came they knew what was going on and they took my side and let me come back to B.C. They were good honest cops, the kind you could trust with your personal information. I still can’t believe Canadian Intelligence tried to murder my wife and kids and I just a day before the 30-08 warrants against us were to expire. They wanted us murdered while we were still under the warrants for some reason. They couldn’t even wait one more day. Thanks for reading.
1.2 million requests per year, one every six seconds during business hours. Must have cost a fortune. Both admin and technician labour at the telcos, but government folks spinning their wheels. Hundreds of millions of dollars, to what end? The utter waste.
Why not write an e-Warrant App, and enable it with legislation? Officer completes a form, clicks a button. Server forwards it to an actual Judge who clicks Approved or Rejected. Total time, ten minutes. Total cost per e-Warrant, maybe $75. Done competently it would protect rights and be perfectly efficient.
Thank You, SCC!
About the only office in the country that could have stopped the bill, did!
Bad data – entropy
“the Internet has exponentially increased both the quality and quantity of information that is stored about Internet users.”
The internet has also vastly increased the risk of detrimental wrong information kept on people who don’t know what it is and who cannot review or correct it.
“Unlisted” IP number
All the nonsense certain politicians are feeding you about subscriber information of an IP address being akin to looking a phone number up in the phonebook can be easily fixed by an ISP Coalition of the Willing by offering “unlisted” IP numbers just like you can have an “unlisted” phone number (or “voluntary disclosure opt-out”). Since having unlisted phone numbers is perfectly legal and accepted, I don’t see why unlisted IP addresses would suddenly be a problem.
“I don’t understand how the SOC has said the search was unconstitutional but that because of the severity of the crime committed has admitted the evidence.
Are they saying that the constitution doesn’t apply to crimes of sufficient severity?”
From my understanding of the situation, in this specific case the SOC decided not to apply the constitutional standard because police were acting in good faith, and thought they were following the law. The SOC clarified the law going forward so that in similar circumstances the police would need a warrant in a similar case from this day forward in order for the evidence to stand.
Essentially the SOC said (paraphrasing): We’ll let this one through because we believe police were acting within their understanding of the law which we clarified today, but if another case like this goes before the courts where no warrants were issued, the evidence will be thrown out on constitutional grounds.
We’re not out of the woods by any means. The Conservatives have a chance to play with the legal language in this decision to obtain warrants based on an accusation and no proof, and they could cap the liability for private companies who do hand over information without a warrant. Really depends on what direction the government will take, and if there will be enough political pressure on government regarding privacy. We’re still probably a decade away from getting all of this sorted out in the courts. This decision is a very important first step forward.
Curius about the Telephone Book of IPs and Names Collected
Do Government authorities have to destroy the rather large amount of information they’ve collected without a judge’s consent? I wonder if there was a strategy to collect as much information as possible in the event they Bills didn’t pass..
One has to wonder whether this decision will just drive the practice further underground. It’s not like governments are forthcoming with their more nefarious activities in the first place…
Not just the government
The SCC decision may impact commercial collectors of personal information as much as it does those in government. Google and a host of other tracking companies monitor most of what we do on the Internet and can easily produce and sell detailed profiles of individuals, including their names, addresses, buying habits and credit ratings. It’s just a matter of joining databases together.
There are no warrants required. We blithely give them critical pieces of information–unique identifiers like cell numbers–when we subscribe to their ‘free’ services.
Instead of writing bills to enhance their access to our personal information, governments should be writing them to protect our on-line privacy.
this is outrageous. somebody has to put a stop to this american style judicial review. this is the ghost of trudeau haunting canadians
this is outrageous. somebody has to put a stop to this american style judicial review. this is the ghost of trudeau haunting canadians
It can get trickier when information is stored outside the country. US facilities including those in the cloud are subject to US law, and that is not limited by Canadian law. Trade and investment agreements require national treatment for foreign firms. Failure to grant them access to information on Canadians can result in penalties from international tribunals, even when granting that access is contrary to Charter rights.