Wiertz Sebastien - Privacy by Sebastien Wiertz (CC BY 2.0) https://flic.kr/p/ahk6nh

Privacy

analog sphere of privacy by Jason Tester Guerrilla Futures (CC BY-ND 2.0) https://flic.kr/p/8Hq5GM

The Spencer Effect: No More Warrantless Access to Subscriber Info With Five Minutes of Police Work

The Canadian Press reports that the RCMP has abandoned some Internet-related investigations because it is unable to obtain warrantless access to subscriber information. The article is based on an internal memo expressing concern with the additional work needed to apply for a warrant in order to obtain access to subscriber information. The changes have arisen due to the Supreme Court of Canada’s Spencer decision, which held that there is a reasonable expectation of privacy in subscriber information. As a result, it is believed that most telecom and Internet providers have rightly stopped voluntary disclosures without a warrant (some have still not publicly stated their disclosure practices).

The article notes how easily subscriber information was disclosed prior to Spencer:

Prior to the court decision, the RCMP and border agency estimate, it took about five minutes to complete the less than one page of documentation needed to ask for subscriber information, and the company usually turned it over immediately or within one day. The agencies say that following the Supreme Court ruling about 10 hours are needed to complete the 10-to-20 pages of documentation for a request, and an answer can take up to 30 days.

The troubling aspect of the story is not that some investigations are being curtailed because law enforcement is now following due process and that telecom providers are requiring a warrant before disclosing subscriber information. It is that for millions of requests prior to Spencer, it took nothing more than five minutes to fill out a form with the information voluntarily released without court oversight and without notifying the affected subscriber.

November 21, 2014 8 comments News
Senate Chamber HDR by Intiaz Rahim (CC BY-NC-ND 2.0) https://flic.kr/p/5LhGZg

Choosing Between Privacy and Cyberbullying: My Appearance on Bill C-13 Before the Senate Legal and Constitutional Affairs Committee

Yesterday I appeared before the Senate Committee on Legal and Constitutional Affairs, which is studying Bill C-13, the lawful access/cyberbullying bill. The full transcript of the spirited discussion is not yet available, but my opening statement is posted below.

Appearance before the Senate Standing Committee on Legal and Constitutional Affairs, November 19, 2014

Good afternoon. My name is Michael Geist.  I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I appear today in a personal capacity representing only my own views.

Given the limited time,  I’m going to confine my remarks to three privacy-related issues: immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.

November 20, 2014 5 comments Committees, News
Increased OPP Enforcement by Ryan Steele (CC BY-SA 2.0) https://flic.kr/p/dk2xn

Why Does the Ontario Provincial Police Still Not Know What is in the Lawful Access Bill?

Earlier this week, I posted on Ontario Provincial Police comments at the Standing Senate Committee on Legal and Constitutional Affairs hearing on Bill C-13 that were sharply critical of online anonymity.  The same hearing was notable for additional comments from the OPP on the lawful access bill.  The comments, which came in the opening statement, suggest that one of Canada’s largest police forces is simply unaware of the contents of the proposed legislation.

Scott Naylor of the OPP’s opening remarks included:

There is no question that some of the legislation involving technology and communication in Canada is out of date.  Under the current legislation, police can only access the very basic subscriber information – i.e., name, address, telephone number – on a totally ad hoc basis, by production order from service providers.  This means that there is an inconsistent response, which impedes investigations and, in extreme cases, may prolong victimization. Under the proposed legislation, Internet service providers would be compelled to provide this information in a timely fashion and on a consistent basis.  Access to this information would be strictly controlled and limited to law enforcement officials, who would be fully trained in these procedures and subject to auditing and report oversight.  I will repeat – auditing and report oversight.

Here is the problem: Naylor appears to think that Bill C-13 has not changed from Vic Toews’ Bill C-30. Under the lawful access bill, ISPs would not be compelled to disclose subscriber information. Indeed, the mandatory disclosure of subscriber information without a warrant was removed from the bill altogether. The bill does include incentives for voluntary disclosure, but there are no mandatory disclosure requirements. If the OPP thinks the bill guarantees consistent disclosure of subscriber information, it is wrong. In fact, the Supreme Court’s Spencer decision means that subscriber information now only comes (except in emergency circumstances) through a court order.

November 13, 2014 3 comments News
Anonymity; and the Internet. by Stian Eikeland (CC BY-NC-SA 2.0) https://flic.kr/p/6CCWXH

Ontario Provincial Police Recommend Ending Anonymity on the Internet

The Standing Senate Committee on Legal and Constitutional Affairs began its hearings on Bill C-13, the lawful access/cyberbullying bill, last week with an appearance from several law enforcement representatives. The Ontario Provincial Police was part of the law enforcement panel and was asked by Senator Tom McInnis, a Conservative Senator from Nova Scotia, about what other laws are needed to address cyberbullying. Scott Naylor of the OPP responded (official transcript not yet posted online):

If the bag was open and I could do anything, the biggest problem that I see in the world of child sexual exploitation is anonymity on the Internet. When we get our driver’s licence we’re required to get our picture taken for identification.  When you get a mortgage you have to sign and provide identification.  When you sign up for the Internet, there is absolutely no requirement for any kind of non-anonymity qualifier.  There are a lot of people who are hiding behind the Internet to do all kinds of crime, including cybercrime, fraud, sexual exploitation and things along those lines.

The Internet is moving so quickly that law enforcement cannot keep up.  If there were one thing that I would ask for discussion on is that there has to be some mechanism of accountability for you to sign on to an Internet account that makes it like a digital fingerprint that identifies it to you sitting behind the computer or something at that time.  There are mechanisms to do it, but the Internet is so big and so vast at this point, and it’s worldwide, I’m not sure how that could happen, but that would certainly assist everybody.  In that way I can make a digital qualification that that’s the person that I’m talking to.  If I had one choice, that’s what I would ask for.

November 10, 2014 39 comments News
DSC_0110 Minister of Canadian Heritage and Official Languages James Moore by Heather (CC BY 2.0) https://flic.kr/p/6BbzwP

Why the Digital Privacy Act Will Expand Personal Information Disclosure Without Court Oversight

My column this week on warrantless access to personal information under Canadian law noted that Bill S-4, the Digital Privacy Act, will expand the likelihood of warrantless disclosures between private organizations. As I posted recently:

Bill S-4 proposes that:

“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;”

Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies to both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).

November 4, 2014 6 comments News