Yesterday I appeared before the Senate Committee on Legal and Constitutional Affairs, which is studying Bill C-13, the lawful access/cyberbullying bill. The full transcript of the spirited discussion is not yet available (webcast here), but my opening statement is posted below.
Appearance before the Senate Standing Committee on Legal and Constitutional Affairs, November 19, 2014
Good afternoon. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I appear today in a personal capacity representing only my own views.
Given the limited time, I’m going to confine my remarks to three privacy-related issues: immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.
First let me emphasize that criticism of lawful access legislation does not mean opposition to ensuring our law enforcement agencies have the tools they need to address crime in the online environment. As Carol Todd, Amanda’s mother, told the House of Commons committee studying C-13, “we should not have to choose between our privacy and our safety.” Similarly, Sue O’Sullivan, the federal ombuds for victims, told the committee that victims were divided on Bill C-13 due to the privacy concerns.
Immunity for Voluntary Disclosure
First, the creation of an immunity provision for voluntary disclosure of personal information. I believe that this immunity provision must be viewed within the context of five facts:
1. The Supreme Court of Canada’s Spencer decision confirms that there is a reasonable expectation of privacy in subscriber information and clearly indicates that absent exigent circumstances, disclosures should involve a warrant.
2. Pre-Spencer, intermediaries disclosed personal information on a voluntary basis without a warrant with shocking frequency. The recent revelation of 1.2 million requests to telecom companies for customer information in 2011 affecting 750,000 user accounts provides a hint of the privacy impact of voluntary disclosures.
3. Disclosures have involved more than just basic subscriber information. Indeed, the House of Commons committee studying this bill heard directly from law enforcement, where the RCMP noted that “currently specific types of data such as transmission or tracking data may be obtained through voluntary disclosure by a third party.”
4. Intermediaries do not notify users about their disclosures, keeping hundreds of thousands of Canadians in the dark. Contrary to some discussion on Bill C-13 this committee heard, there is no notification requirement within the bill nor any auditing mechanism.
5. This voluntary disclosure provision should also be viewed in concert with the lack of meaningful changes in Bill S-4, that would collectively expand warrantless voluntary disclosure to any organization.
Given this background, I would argue that the provision is a mistake and should be removed. The provision unquestionably increases the likelihood of voluntary disclosures at the very time that Canadians and the courts are increasingly concerned with such activity. Moreover, it does so with no reporting requirements, oversight, or transparency.
Low Threshold for Transmission Data Warrants
Second, Bill C-13 contains a troubling, lower “reason to suspect” threshold for transmission data warrants. The kind of information sought by transmission data warrants is more commonly referred to as metadata. While some have tried to argue that metadata is non-sensitive information, that is simply not the case.
There has been some confusion regarding how much metadata is included as ‘transmission data’. This is far more than who phoned who for how long. It includes highly sensitive information relating to computer-to-computer links. This form of metadata may not contain the content of the message, but its privacy import is very significant. Late last year, the Supreme Court of Canada ruled in R. v. Vu on the privacy importance of computer generated metadata, noting:
In the context of a criminal investigation, however, it can also enable investigators to access intimate details about a user’s interests, habits, and identity, drawing on a record that the user created unwittingly
Security officials have also commented on the importance of metadata. General Michael Hayden, former director of the NSA and the CIA has stated “we kill people based on metadata.” Stewart Baker, former NSA General Counsel, has said “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”
There are numerous studies that confirm Hayden and Baker’s comments. For example, some studies point to calls to religious organizations that allow for inferences of a person’s religion. Calls to medical organizations can often allow for inferences on medical conditions. In fact, a recent U.S. court brief signed by some of the world’s leading computer experts notes:
Telephony metadata reveals private and sensitive information about people. It can reveal political affiliation, religious practices, and people’s most intimate associations. It reveals who calls a suicide prevention hotline and who calls their elected official; who calls the local Tea Party office and who calls Planned Parenthood. The aggregation of telephony metadata – about a single person over time, about groups of people, or with other datasets – only intensifies the sensitivity of the information
Further, the Privacy Commissioner of Canada has released a study on the privacy implications of IP addresses, noting how they can be used to develop a highly personal look at an individual.
Indeed, even the Justice ministers report that seems to serve as the policy basis for Bill C-13 recommends the creation of new investigative tools in which “the level of safeguards increases with the level of privacy interest involved.”
Given the level of privacy interest with metadata, the approach in Bill C-13 for transmission data warrants should be amended by adopting the reasonable grounds to believe standard.
Transparency and Reporting
Third, the lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures must be addressed. The stunning revelations about requests and disclosures of personal information – the majority without court oversight or warrant – points to an enormously troubling weakness in Canada’s privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope. In my view, this makes victims of us all – disclosure of our personal information often without our awareness or explicit consent.
I’ll stop there and welcome your questions.