Michael Geist Law RSS Feed

Syndicate content Some Rights Reserved
Updated: 57 min 13 sec ago

Carol Todd on Bill C-13: “What Happened to Democracy?”

Wed, 2014/11/26 - 10:00

The Senate Committee on Justice and Human Rights continues its study later today on Bill C-13, the cyber-bullying/lawful access bill that has already passed the House of Commons and seems certain to clear the Senate shortly. I appeared before the committee last week, but one person who will not appear is Carol Todd, the mother of cyber-bullying victim Amanda Todd. Ms. Todd wrote to me yesterday to express her dismay at the committee process with Conservative Senators mischaracterizing her views and the committee declining to offer her an invitation to appear, likely due to her criticisms of the privacy-related provisions in the bill.

Ms. Todd did appear before the House of Commons committee studying Bill C-13, telling Members of Parliament:

“While I applaud the efforts of all of you in crafting the extortion, revenge, porn, and cyberbullying sections of Bill C-13, I am concerned about some of the other unrelated provisions that have been added to the bill in the name of Amanda, Rehtaeh, and all of the children lost to cyberbullying attacks.

I don’t want to see our children victimized again by losing privacy rights. I am troubled by some of these provisions condoning the sharing of the privacy information of Canadians without proper legal process. We are Canadians with strong civil rights and values. A warrant should be required before any Canadian’s personal information is turned over to anyone, including government authorities. We should also be holding our telecommunication companies and Internet providers responsible for mishandling our private and personal information. We should not have to choose between our privacy and our safety.

We should not have to sacrifice our children’s privacy rights to make them safe from cyberbullying, sextortion and revenge pornography.”

The comments generated considerable media attention as it pointed to the divide even among cyberbullying victims about legislation that the lumps together provisions designed to address cyberbullying with lawful access rules with serious implications for the privacy of Canadians.

Since her testimony, the government has tried to downplay her concerns. Justice Minister Peter MacKay told the committee that he met with Ms. Todd and that “she came away with a much better sense of comfort and confidence in what the government was attempting to do.” When I raised Ms. Todd’s views during my Senate appearance, Senator Denise Batters responded that she had since “clarified her views on the bill.”

Yet the reality is that Ms. Todd is more troubled than ever with the government’s approach. In October, she wrote to me hours after the bill passed the House of Commons:

“I was stunned at how the government is going to push it forward considering the discussion and what was said at the hearings last spring.” 

As the Senate hearings continue, she has now expressed surprise and disappointment that she has been excluded from the process, noting that the government does not want her voice to be included and asking “what happened to democracy?”

What happened is that the government no longer wants to hear from one of the country’s most prominent voices on cyberbullying given her concerns that “we should not have to choose between our privacy and our safety.”

The post Carol Todd on Bill C-13: “What Happened to Democracy?” appeared first on Michael Geist.

Why Uber Has a Canadian Privacy Problem

Mon, 2014/11/24 - 10:37

The mounting battle between Uber, the popular app-based car service, and the incumbent taxi industry has featured court dates in Toronto, undercover sting operations in Ottawa, and a marketing campaign designed to stoke fear among potential Uber customers. As Uber enters a growing number of Canadian cities, the ensuing regulatory fight is typically pitched as a contest between a popular, disruptive online service and a staid taxi industry intent on keeping new competitors out of the market.

My weekly technology law column (Toronto Star version, homepage version) notes that if the issue was only a question of choosing between a longstanding regulated industry and a disruptive technology, the outcome would not be in doubt. The popularity of a convenient, well-priced alternative, when contrasted with frustration over a regulated market that artificially limits competition to maintain pricing, is unsurprisingly going to generate enormous public support and will not be regulated out of existence.

While the Uber regulatory battles have focused on whether it constitutes a taxi service subject to local rules, last week a new concern attracted attention: privacy. Regardless of whether it is a taxi service or a technological intermediary, it is clear that Uber collects an enormous amount of sensitive, geo-locational information about its users.  In addition to payment data, the company accumulates a record of where its customers travel, how long they stay at their destinations, and even where they are located in real-time when using the Uber service.

Reports indicate that the company has coined the term “God View” for its ability to track user movements. The God View enables it to simultaneously view all Uber cars and all customers waiting for a ride in an entire city. When those mesh – the Uber customer enters an Uber car – they company can track movements along city streets.  Uber says that use of the information is strictly limited, yet it would appear that company executives have accessed the data to develop portfolios on some of its users.

In fact, Uber blogged in 2012 about “Rides of Glory”, which it characterized as “anyone who took a ride between 10pm and 4am on a Friday or Saturday night, and then took a second ride from within 1/10th of a mile of the previous nights’ drop-off point 4-6 hours later.” The blog posting identified which cities had the largest number of such rides.

Canadian Uber users can be forgiven for wondering whether the company takes their privacy rights seriously since it does not even have a Canada-specific privacy policy. The Uber website features three privacy policies: one for the United States, one for South Korea, and a global catch-all policy for users in 48 other countries. That approach effectively lumps Canadians into a privacy policy shared by users everywhere from Beirut to Beijing to Bogota.

The policy identifies certain privacy rights (and seeks to bring global users under a European Union privacy umbrella), but does nothing to ensure that it is fully compliant with Canadian privacy law standards. Interestingly, the company does have a Canada-specific user agreement, so the company’s legal rights are designed to comply with Canadian law.

Geo-location privacy is frequently invoked within the context of online marketing, with some concerned about the prospect of being “followed” as they walk down a city street, receiving coupons or real-time offers from nearby stores. Yet the Uber situation provides an important reminder that geo-locational privacy issues extend far beyond just marketing as they allow for tracking and inferences about user behaviour that is not otherwise publicly available.

Providing locational information is a trade-off that many are prepared to make, particularly if backed by privacy rules that safeguard misuse and provide some measure of oversight. In the case of Uber, the failure to develop Canada-specific protections raises serious questions about whether the company sees itself as outside the scope of more than just local taxi regulations.

The post Why Uber Has a Canadian Privacy Problem appeared first on Michael Geist.

Why Uber Has a Canadian Privacy Problem

Mon, 2014/11/24 - 10:35

Appeared in the Toronto Star on November 22, 2014 as Why Uber has a Canadian Privacy Problem

The mounting battle between Uber, the popular app-based car service, and the incumbent taxi industry has featured court dates in Toronto, undercover sting operations in Ottawa, and a marketing campaign designed to stoke fear among potential Uber customers. As Uber enters a growing number of Canadian cities, the ensuing regulatory fight is typically pitched as a contest between a popular, disruptive online service and a staid taxi industry intent on keeping new competitors out of the market.

If the issue was only a question of choosing between a longstanding regulated industry and a disruptive technology, the outcome would not be in doubt. The popularity of a convenient, well-priced alternative, when contrasted with frustration over a regulated market that artificially limits competition to maintain pricing, is unsurprisingly going to generate enormous public support and will not be regulated out of existence.

While the Uber regulatory battles have focused on whether it constitutes a taxi service subject to local rules, last week a new concern attracted attention: privacy. Regardless of whether it is a taxi service or a technological intermediary, it is clear that Uber collects an enormous amount of sensitive, geo-locational information about its users.  In addition to payment data, the company accumulates a record of where its customers travel, how long they stay at their destinations, and even where they are located in real-time when using the Uber service.

Reports indicate that the company has coined the term “God View” for its ability to track user movements. The God View enables it to simultaneously view all Uber cars and all customers waiting for a ride in an entire city. When those mesh – the Uber customer enters an Uber car – they company can track movements along city streets.  Uber says that use of the information is strictly limited, yet it would appear that company executives have accessed the data to develop portfolios on some of its users.

In fact, Uber blogged in 2012 about “Rides of Glory”, which it characterized as “anyone who took a ride between 10pm and 4am on a Friday or Saturday night, and then took a second ride from within 1/10th of a mile of the previous nights’ drop-off point 4-6 hours later.” The blog posting identified which cities had the largest number of such rides.

Canadian Uber users can be forgiven for wondering whether the company takes their privacy rights seriously since it does not even have a Canada-specific privacy policy. The Uber website features three privacy policies: one for the United States, one for South Korea, and a global catch-all policy for users in 48 other countries. That approach effectively lumps Canadians into a privacy policy shared by users everywhere from Beirut to Beijing to Bogota.

The policy identifies certain privacy rights (and seeks to bring global users under a European Union privacy umbrella), but does nothing to ensure that it is fully compliant with Canadian privacy law standards. Interestingly, the company does have a Canada-specific user agreement, so the company’s legal rights are designed to comply with Canadian law.

Geo-location privacy is frequently invoked within the context of online marketing, with some concerned about the prospect of being “followed” as they walk down a city street, receiving coupons or real-time offers from nearby stores. Yet the Uber situation provides an important reminder that geo-locational privacy issues extend far beyond just marketing as they allow for tracking and inferences about user behaviour that is not otherwise publicly available.

Providing locational information is a trade-off that many are prepared to make, particularly if backed by privacy rules that safeguard misuse and provide some measure of oversight. In the case of Uber, the failure to develop Canada-specific protections raises serious questions about whether the company sees itself as outside the scope of more than just local taxi regulations.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

The post Why Uber Has a Canadian Privacy Problem appeared first on Michael Geist.

The Spencer Effect: No More Warrantless Access to Subscriber Info With Five Minutes of Police Work

Fri, 2014/11/21 - 10:48

The Canadian Press reports that the RCMP has abandoned some Internet-related investigations because it is unable to obtain warrantless access to subscriber information. The article is based on an internal memo expressing concern with the additional work needed to apply for a warrant in order to obtain access to subscriber information. The changes have arisen due to the Supreme Court of Canada’s Spencer decision, which held that there is a reasonable expectation of privacy in subscriber information. As a result, it is believed that most telecom and Internet providers have rightly stopped voluntary disclosures without a warrant (some have still not publicly stated their disclosure practices).

The article notes how easily subscriber information was disclosed prior to Spencer:

Prior to the court decision, the RCMP and border agency estimate, it took about five minutes to complete the less than one page of documentation needed to ask for subscriber information, and the company usually turned it over immediately or within one day. The agencies say that following the Supreme Court ruling about 10 hours are needed to complete the 10-to-20 pages of documentation for a request, and an answer can take up to 30 days.

The troubling aspect of the story is not that some investigations are being curtailed because law enforcement is now following due process and that telecom providers are requiring a warrant before disclosing subscriber information. It is that for millions of requests prior to Spencer, it took nothing more than five minutes to fill out a form with the information voluntarily released without court oversight and without notifying the affected subscriber.

Moreover, the change in practice points to how the government’s claims that Spencer does not change anything with respect to Bills C-13 and S-4 is simply not credible. Those bills rely heavily on expanding voluntary disclosure at the very time that the approach has been discredited by the courts and abandoned by the telecom and Internet providers.

If the government were serious about providing law enforcement with effective investigative tools, it would drop the emphasis on warrantless voluntary disclosure and rethink its approach to new Internet warrants. As the Privacy Commissioner of Canada argued yesterday at a Senate committee, the threshold for a metadata warrant should be raised consistent with the privacy importance of the information. Meanwhile, the government could explore a new basic subscriber information warrant that would ensure court oversight but allow for access on an expedited basis. By maintaining that Spencer has no effect on its legislative proposals, it leaves everyone unhappy: police do not get the information they need (with appropriate oversight), the public is concerned with the privacy implications of lawful access, and the government’s hand-picked Privacy Commissioner criticizes it for failing to strike the right balance.

The post The Spencer Effect: No More Warrantless Access to Subscriber Info With Five Minutes of Police Work appeared first on Michael Geist.

Choosing Between Privacy and Cyberbullying: My Appearance on Bill C-13 Before the Senate Legal and Constitutional Affairs Committee

Thu, 2014/11/20 - 11:08

Yesterday I appeared before the Senate Committee on Legal and Constitutional Affairs, which is studying Bill C-13, the lawful access/cyberbullying bill. The full transcript of the spirited discussion is not yet available (webcast here), but my opening statement is posted below.

Appearance before the Senate Standing Committee on Legal and Constitutional Affairs, November 19, 2014

Good afternoon. My name is Michael Geist.  I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I appear today in a personal capacity representing only my own views.

Given the limited time,  I’m going to confine my remarks to three privacy-related issues: immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.

First let me emphasize that criticism of lawful access legislation does not mean opposition to ensuring our law enforcement agencies have the tools they need to address crime in the online environment. As Carol Todd, Amanda’s mother, told the House of Commons committee studying C-13, “we should not have to choose between our privacy and our safety.”  Similarly, Sue O’Sullivan, the federal ombuds for victims, told the committee that victims were divided on Bill C-13 due to the privacy concerns.

Immunity for Voluntary Disclosure

First, the creation of an immunity provision for voluntary disclosure of personal information. I believe that this immunity provision must be viewed within the context of five facts:

1.    The Supreme Court of Canada’s Spencer decision confirms that there is a reasonable expectation of privacy in subscriber information and clearly indicates that absent exigent circumstances, disclosures should involve a warrant.
2.    Pre-Spencer, intermediaries disclosed personal information on a voluntary basis without a warrant with shocking frequency. The recent revelation of 1.2 million requests to telecom companies for customer information in 2011 affecting 750,000 user accounts provides a hint of the privacy impact of voluntary disclosures.
3.    Disclosures have involved more than just basic subscriber information.  Indeed, the House of Commons committee studying this bill heard directly from law enforcement, where the RCMP noted that “currently specific types of data such as transmission or tracking data may be obtained through voluntary disclosure by a third party.”
4.    Intermediaries do not notify users about their disclosures, keeping hundreds of thousands of Canadians in the dark. Contrary to some discussion on Bill C-13 this committee heard, there is no notification requirement within the bill nor any auditing mechanism.
5.    This voluntary disclosure provision should also be viewed in concert with the lack of meaningful changes in Bill S-4, that would collectively expand warrantless voluntary disclosure to any organization.

Given this background, I would argue that the provision is a mistake and should be removed. The provision unquestionably increases the likelihood of voluntary disclosures at the very time that Canadians and the courts are increasingly concerned with such activity.  Moreover, it does so with no reporting requirements, oversight, or transparency.

Low Threshold for Transmission Data Warrants

Second, Bill C-13 contains a troubling, lower “reason to suspect” threshold for transmission data warrants. The kind of information sought by transmission data warrants is more commonly referred to as metadata. While some have tried to argue that metadata is non-sensitive information, that is simply not the case.

There has been some confusion regarding how much metadata is included as ‘transmission data’. This is far more than who phoned who for how long. It includes highly sensitive information relating to computer-to-computer links. This form of metadata may not contain the content of the message, but its privacy import is very significant. Late last year, the Supreme Court of Canada ruled in R. v. Vu on the privacy importance of computer generated metadata, noting:

In the context of a criminal investigation, however, it can also enable investigators to access intimate details about a user’s interests, habits, and identity, drawing on a record that the user created unwittingly

Security officials have also commented on the importance of metadata. General Michael Hayden, former director of the NSA and the CIA has stated “we kill people based on metadata.” Stewart Baker, former NSA General Counsel, has said “metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.”

There are numerous studies that confirm Hayden and Baker’s comments.  For example, some studies point to calls to religious organizations that allow for inferences of a person’s religion.  Calls to medical organizations can often allow for inferences on medical conditions. In fact, a recent U.S. court brief signed by some of the world’s leading computer experts notes:

Telephony metadata reveals private and sensitive information about people. It can reveal political affiliation, religious practices, and people’s most intimate associations. It reveals who calls a suicide prevention hotline and who calls their elected official; who calls the local Tea Party office and who calls Planned Parenthood. The aggregation of telephony metadata – about a single person over time, about groups of people, or with other datasets – only intensifies the sensitivity of the information

Further, the Privacy Commissioner of Canada has released a study on the privacy implications of IP addresses, noting how they can be used to develop a highly personal look at an individual.

Indeed, even the Justice ministers report that seems to serve as the policy basis for Bill C-13 recommends the creation of new investigative tools in which “the level of safeguards increases with the level of privacy interest involved.”

Given the level of privacy interest with metadata, the approach in Bill C-13 for transmission data warrants should be amended by adopting the reasonable grounds to believe standard.

Transparency and Reporting

Third, the lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures must be addressed. The stunning revelations about requests and disclosures of personal information – the majority without court oversight or warrant – points to an enormously troubling weakness in Canada’s privacy laws.  Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope.  In my view, this makes victims of us all – disclosure of our personal information often without our awareness or explicit consent.

I’ll stop there and welcome your questions.

The post Choosing Between Privacy and Cyberbullying: My Appearance on Bill C-13 Before the Senate Legal and Constitutional Affairs Committee appeared first on Michael Geist.

The Importance of Online Anonymity

Tue, 2014/11/18 - 11:15

Appeared in the Toronto Star on November 15, 2014 as The Importance of Online Anonymity

If you could change or enact one Internet law, what would it be?  For some Canadians, it might be new rules to promote greater competition among Internet providers or increased copyright flexibilities matching the U.S. fair use provision.  For others, it would mean toughening online privacy protection or examining whether Canadian net neutrality rules are sufficient.

When Scott Naylor, a detective inspector with the Ontario Provincial Police was asked the question during a Senate hearing earlier this month on the government’s lawful access legislation, he responded that he would eliminate anonymity on the Internet. Naylor likened Internet access to obtaining a driver’s licence or a marriage licence, noting that we provide identification for many different activities, yet there is no requirement to identify yourself (or be identified) when using the Internet.

While acknowledging that a universal identification system is impractical, he said would ideally like a mandatory digital fingerprint for Internet users that would identify them sitting behind the computer. Naylor’s comments were quickly greeted with support from Conservative Senator Tom McInnis, who lamented the use of assumed names and agreed that identifying the identity of online users would be a good thing.

Law enforcement support for the elimination or erosion of online anonymity is particularly ironic since the Supreme Court of Canada just emphasized its importance in a landmark ruling on Internet privacy. The Spencer decision is best known for affirming that Internet users have a reasonable expectation of privacy in their subscriber information.

The implications of that ruling are that law enforcement officials now have little choice but to obtain a court order to obtain subscriber information from Internet providers. Moreover, Internet providers who were previously willing to voluntarily disclose basic subscriber information without court oversight have abandoned the practice.

While the decision altered the landscape of Internet privacy, it is important to recognize that the court pointed to online anonymity as particularly important in the context of Internet use. In fact, it identifies precisely the kinds of cases of importance to law enforcement as the reason to preserve online anonymity.

For example, it notes that there may be situations where police want the list of names that correspond to identification numbers on a survey. In such situations, “the privacy interest at stake…is not simply the individual’s name, but the link between the identified individual and the personal information provided anonymously.”

Anonymity can create a challenge for law enforcement (though one that is frequently surmountable through digital detective work), but it also plays an important positive role for the police. Anonymous tip lines or information from anonymous individuals are frequently an important source of information for investigators. Eliminating anonymity would run the risk of hampering age-old investigative techniques.

The importance of online anonymity extends far beyond law enforcement, however. Corporate whistleblowers, women in abusive relationships, visible minorities, and a myriad of other people are emboldened by anonymity to speak out in a manner that would otherwise be unavailable if they were forced to identify themselves.

The Supreme Court’s recognition of anonymity as a particularly important component of Internet privacy will not come as a surprise to millions of Internet users to rely upon it to varying degrees to exercise free speech rights and to preserve their privacy. What is surprising – or at least discouraging – is that the OPP and a Canadian Senator would seemingly jump at the chance to bring it to an end.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

The post The Importance of Online Anonymity appeared first on Michael Geist.

Why Does the Ontario Provincial Police Still Not Know What is in the Lawful Access Bill?

Thu, 2014/11/13 - 11:01

Earlier this week, I posted on Ontario Provincial Police comments at the Standing Senate Committee on Legal and Constitutional Affairs hearing on Bill C-13 that were sharply critical of online anonymity.  The same hearing was notable for additional comments from the OPP on the lawful access bill.  The comments, which came in the opening statement, suggest that one of Canada’s largest police forces is simply unaware of the contents of the proposed legislation.

Scott Naylor of the OPP’s opening remarks included:

There is no question that some of the legislation involving technology and communication in Canada is out of date.  Under the current legislation, police can only access the very basic subscriber information – i.e., name, address, telephone number – on a totally ad hoc basis, by production order from service providers.  This means that there is an inconsistent response, which impedes investigations and, in extreme cases, may prolong victimization. Under the proposed legislation, Internet service providers would be compelled to provide this information in a timely fashion and on a consistent basis.  Access to this information would be strictly controlled and limited to law enforcement officials, who would be fully trained in these procedures and subject to auditing and report oversight.  I will repeat – auditing and report oversight.

Here is the problem: Naylor appears to think that Bill C-13 has not changed from Vic Toews’ Bill C-30. Under the lawful access bill, ISPs would not be compelled to disclose subscriber information. Indeed, the mandatory disclosure of subscriber information without a warrant was removed from the bill altogether.  The bill does include incentives for voluntary disclosure, but there are no mandatory disclosure requirements. If the OPP think the bill guarantees consistent disclosure of subscriber information, it is wrong. In fact, the Supreme Court’s Spencer decision means that subscriber information now only comes (except in emergency circumstances) through a court order.

In fact, a different OPP representative said much the same thing to the House of Commons committee hearing on Bill c-13. Operating from the same script, Carson Pardy, Director of Operation for the East Region, stated:

Under the current legislation, police can only access the very basics of subscriber information – name and address, maybe a phone number – on a totally ad hoc basis from Internet service providers. This means there is an inconsistent response which impedes investigations and many times prolongs victimization. Under the proposed legislation, ISPs will be compelled to provide this information in a timely fashion and on a consistent basis. Access to this information will be strictly controlled and limited to law enforcement officials who would be fully trained in these procedures and subject to auditing and/or reporting processes. The outcome will be that the police can quickly and consistently gain access to information that makes a difference to our effectiveness in investigating and preventing criminal activity and victimization.

This means that both the House of Commons and Senate committee studying Bill C-13 have received inaccurate information from law enforcement about the impact of the proposed bill. Moreover, it suggests that the police are supporting a bill that at worst they have not read or at best have misinterpreted.

The post Why Does the Ontario Provincial Police Still Not Know What is in the Lawful Access Bill? appeared first on Michael Geist.

Competition Matters: New Study Supports Government Policy Focused on Fourth Wireless Player

Wed, 2014/11/12 - 11:17

Last year’s explosive battle over the potential entry of wireless giant Verizon into the Canadian market may be a distant memory, but the debate over the state of wireless competition remains very much alive. Industry Minister James Moore has pointed to a modest decline in consumer pricing and complaints as evidence that government policies aimed at fostering a more competitive market are working.

The big three wireless carriers remain adamant that the Canadian market is competitive and that while pricing may be high relative to some other countries, that is a function of the quality of their networks. In other words, you get what you pay for.

There is seemingly no major international entrant on the horizon, but the Canadian Radio-television and Telecommunications Commission is currently grappling with an assortment of policy measures aimed at improving the competitiveness of new entrants and facilitating the development of a more robust market for virtual operators who could enhance consumer choice. Moreover, the government is planning another spectrum auction early next year that would benefit new entrants.

My weekly technology law column (Toronto Star version, homepage version) notes that at the heart of the debate is whether creating a fourth national carrier is a legitimate policy goal or a mirage that will do little to decrease pricing or create market innovation. The major carriers argue that the Canadian market is too small to support a fourth national carrier and that competitiveness is not directly correlated to the number of national operators.

Conversely, the government, supported by independent analysis from the Competition Bureau, believes that more competition is needed given the “market power” wielded by the big three incumbents. The creation of fourth national wireless carrier is often cited as an important target that would alter the competitive dynamic.

The government’s position received a major boost last week with the release of a new study by the Organization for Economic Co-operation and Development, a leading international governmental body that counts most developed economy countries as members. The OECD report focused specifically on whether the number of carriers within member countries is linked to consumer pricing or marketplace innovation.

After reviewing the recent experience in eleven OECD countries, it concluded that a fourth carrier makes a difference. The study finds that with four or more competitors “there is a higher likelihood of more competitive and innovative services being introduced and maintained.”

For example, France and Israel experienced price reductions and the introduction of unlimited usage plans with the entry of a fourth carrier. In the Netherlands, the study finds that the imminent launch of a fourth carrier has led to more competitive consumer offers, including Europe-wide roaming.

The study also identifies other areas where new competitors have had a significant impact on marketplace dynamics. Fourth carriers have often the been source of better international roaming offers, forcing the established players to respond by reducing their own prices or enhancing their plans. Similarly, virtual operators have targeted niche markets by expanding access to pre-paid plans more aggressively than established carriers.

Just as more competition helps, reduced competition can hurt. For example, the study notes that a 2009 Australian merger that decreased the number of wireless competitors has led to less vigorous retail competition.

Notwithstanding fears that new entrants or virtual operators might reduce earnings and thereby the incentives to invest in new networks, the OECD data suggests those concerns are largely unfounded. Reviewing nearly 15 years of data, the study finds that investments in telecommunications networks has remained remarkably stable.

In other words, competition works. This finding will not come as surprise to most observers, but in the contentious world of Canadian telecom, where incumbents seemingly fear the prospect of new competitors as much as actual competition, the OECD report provides yet another reason for the government to maintain its policy approach and for the CRTC use its regulatory powers to foster a more competitive marketplace.

The post Competition Matters: New Study Supports Government Policy Focused on Fourth Wireless Player appeared first on Michael Geist.

Net Neutrality and Netflix Taxes: The Tension Between Government and Regulatory Agencies on Digital Policy

Tue, 2014/11/11 - 10:26

U.S. President Barack Obama yesterday came out strongly in favour of net neutrality, urging the U.S. Federal Communications Commission to uphold core net neutrality principles. Obama’s comments were unsurprisingly welcomed by net neutrality activists throughout the U.S., though some caution that the ultimate decision still lies with the regulatory agency. Obama focused on the need for greater transparency along with rules to ensure no blocking, throttling, and paid prioritization. I wrote earlier this year on how Canada passed net neutrality regulations (termed Internet traffic management practices) in 2009, which address many of the issues raised by Obama.

Obama’s decision to wade into the net neutrality debate highlights how politicians can no longer simply avoid telecom, broadcast, and Internet issues by claiming that the matter is solely for regulators to determine. Policy issues such as net neutrality and Internet regulation have profound importance for millions and we should not be content to leave the issue exclusively to unelected regulators (no matter transparent their processes).

The question of the appropriate role for politicians on policies being considered by regulators has attracted attention on both sides of the border. For example, the involvement of elected officials in telecom and Internet policy captured headlines in Canada in September when the federal government declared that it would not support a “Netflix tax” as an outcome from the CRTC’s TalkTV hearings. The Netflix issues comes in the aftermath of a “mandate letter” to the CRTC on the appointment on CRTC Chair Jean-Pierre Blais that identified top priorities as well as active involvement on issues such as usage based billing.

The public comments on the Netflix tax sparked a backlash from some opposition parties, who claimed the government was “playing politics” with the CRTC. Blais was also clearly unhappy with the interventions both during the hearing and in the weeks that followed. Last Friday, he delivered a talk in Vancouver in which he pointedly criticized outside commentary and emphasized that CRTC decisions would only be based on the evidence raised in submissions and during the hearing.

Blais suggested that government comments will have no impact on the outcome of the policy process, which seems somewhat unrealistic. An independent agency must obviously be free to make its own decisions, but the notion that governmental comments – whether President Obama’s on net neutrality in the U.S. or the Canadian government’s on Netflix here – can be ignored because they are not offered directly through the formal policy process only breeds further uncertainty since it is elected officials, not regulators, that ultimately have the final say on these matters. Indeed, much of the recent criticism appears to be an effort to mask criticism with the substance of policies by focusing on process. There is a danger that politicians can overstep the boundaries with independent agencies, but digital policies are too important to be left solely to the CRTC or FCC.

The post Net Neutrality and Netflix Taxes: The Tension Between Government and Regulatory Agencies on Digital Policy appeared first on Michael Geist.

Competition Matters: New Study Supports Government Policy Focused on Fourth Wireless Player

Tue, 2014/11/11 - 09:38

Appeared in the Toronto Star on November 8, 2014 as Why Canada Needs a Fourth Wireless Player

Last year’s explosive battle over the potential entry of wireless giant Verizon into the Canadian market may be a distant memory, but the debate over the state of wireless competition remains very much alive. Industry Minister James Moore has pointed to a modest decline in consumer pricing and complaints as evidence that government policies aimed at fostering a more competitive market are working.

The big three wireless carriers remain adamant that the Canadian market is competitive and that while pricing may be high relative to some other countries, that is a function of the quality of their networks. In other words, you get what you pay for.

There is seemingly no major international entrant on the horizon, but the Canadian Radio-television and Telecommunications Commission is currently grappling with an assortment of policy measures aimed at improving the competitiveness of new entrants and facilitating the development of a more robust market for virtual operators who could enhance consumer choice. Moreover, the government is planning another spectrum auction early next year that would benefit new entrants.

At the heart of the debate is whether creating a fourth national carrier is a legitimate policy goal or a mirage that will do little to decrease pricing or create market innovation. The major carriers argue that the Canadian market is too small to support a fourth national carrier and that competitiveness is not directly correlated to the number of national operators.

Conversely, the government, supported by independent analysis from the Competition Bureau, believes that more competition is needed given the “market power” wielded by the big three incumbents. The creation of fourth national wireless carrier is often cited as an important target that would alter the competitive dynamic.

The government’s position received a major boost this week with the release of a new study by the Organization for Economic Co-operation and Development, a leading international governmental body that counts most developed economy countries as members. The OECD report focused specifically on whether the number of carriers within member countries is linked to consumer pricing or marketplace innovation.

After reviewing the recent experience in eleven OECD countries, it concluded that a fourth carrier makes a difference. The study finds that with four or more competitors “there is a higher likelihood of more competitive and innovative services being introduced and maintained.”

For example, France and Israel experienced price reductions and the introduction of unlimited usage plans with the entry of a fourth carrier. In the Netherlands, the study finds that the imminent launch of a fourth carrier has led to more competitive consumer offers, including Europe-wide roaming.

The study also identifies other areas where new competitors have had a significant impact on marketplace dynamics. Fourth carriers have often the been source of better international roaming offers, forcing the established players to respond by reducing their own prices or enhancing their plans. Similarly, virtual operators have targeted niche markets by expanding access to pre-paid plans more aggressively than established carriers.

Just as more competition helps, reduced competition can hurt. For example, the study notes that a 2009 Australian merger that decreased the number of wireless competitors has led to less vigorous retail competition.

Notwithstanding fears that new entrants or virtual operators might reduce earnings and thereby the incentives to invest in new networks, the OECD data suggests those concerns are largely unfounded. Reviewing nearly 15 years of data, the study finds that investments in telecommunications networks has remained remarkably stable.

In other words, competition works. This finding will not come as surprise to most observers, but in the contentious world of Canadian telecom, where incumbents seemingly fear the prospect of new competitors as much as actual competition, the OECD report provides yet another reason for the government to maintain its policy approach and for the CRTC use its regulatory powers to foster a more competitive marketplace.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

The post Competition Matters: New Study Supports Government Policy Focused on Fourth Wireless Player appeared first on Michael Geist.

Ontario Provincial Police Recommend Ending Anonymity on the Internet

Mon, 2014/11/10 - 10:31

The Standing Senate Committee on Legal and Constitutional Affairs began its hearings on Bill C-13, the lawful access/cyberbullying bill last week with an appearance from several law enforcement representatives. The Ontario Provincial Police was part of the law enforcement panel and was asked by Senator Tom McInnis, a Conservative Senator from Nova Scotia, about what other laws are needed to address cyberbullying. Scott Naylor of the OPP responded (official transcript not yet posted online):

If the bag was open and I could do anything, the biggest problem that I see in the world of child sexual exploitation is anonymity on the Internet. When we get our driver’s licence we’re required to get our picture taken for identification.  When you get a mortgage you have to sign and provide identification.  When you sign up for the Internet, there is absolutely no requirement for any kind of non-anonymity qualifier.  There are a lot of people who are hiding behind the Internet to do all kinds of crime, including cybercrime, fraud, sexual exploitation and things along those lines.

The Internet is moving so quickly that law enforcement cannot keep up.  If there were one thing that I would ask for discussion on is that there has to be some mechanism of accountability for you to sign on to an Internet account that makes it like a digital fingerprint that identifies it to you sitting behind the computer or something at that time.  There are mechanisms to do it, but the Internet is so big and so vast at this point, and it’s worldwide, I’m not sure how that could happen, but that would certainly assist everybody.  In that way I can make a digital qualification that that’s the person that I’m talking to.  If I had one choice, that’s what I would ask for.

Naylor’s comment was approved by Senator McInnis, who stated that he “absolutely agreed” with the recommendation.

Leaving aside the deeply troubling inference of requiring licences to the use the Internet in the same manner as obtaining a driver’s licence, the police desire to stop online anonymity suggests that the OPP has not read the Supreme Court of Canada Spencer decision very carefully. If it had, it would know that not only does the court endorse a reasonable expectation of privacy in subscriber information, but it emphasizes the importance of online anonymity in doing so. Justice Cromwell, speaking for unanimous court:

There is also a third conception of informational privacy that is particularly important in the context of Internet usage. This is the understanding of privacy as anonymity. In my view, the concept of privacy potentially protected by s. 8  must include this understanding of privacy.
The notion of privacy as anonymity is not novel. It appears in a wide array of contexts ranging from anonymous surveys to the protection of police informant identities. A person responding to a survey readily agrees to provide what may well be highly personal information. A police informant provides information about the commission of a crime. The information itself is not private – it is communicated precisely so that it will be communicated to others. But the information is communicated on the basis that it will not be identified with the person providing it.

Consider situations in which the police want to obtain the list of names that correspond to the identification numbers on individual survey results or the defence in a criminal case wants to obtain the identity of the informant who has provided information that has been disclosed to the defence. The privacy interest at stake in these examples is not simply the individual’s name, but the link between the identified individual and the personal information provided anonymously. As the intervener the Canadian Civil Liberties Association urged in its submissions, “maintaining anonymity can be integral to ensuring privacy.”

Cromwell adds:

Recognizing that anonymity is one conception of informational privacy seems to me to be particularly important in the context of Internet usage. One form of anonymity, as Westin explained, is what is claimed by an individual who wants to present ideas publicly but does not want to be identified as their author. Here, Westin, publishing in 1970, anticipates precisely one of the defining characteristics of some types of Internet communication. The communication may be accessible to millions of people but it is not identified with its author.

The recognition of anonymity as a particularly important component of Internet privacy will not come as a surprise to millions of Internet users to rely upon it to varying degrees to exercise free speech right and to preserve their privacy. It lies at the heart of posts from abuse victims, whistleblowers, and people who cannot otherwise speak out for fear of a backlash.  What is surprising – or at least discouraging – is that the OPP and a Canadian Senator would seemingly jump at the chance to bring it to an end.

The post Ontario Provincial Police Recommend Ending Anonymity on the Internet appeared first on Michael Geist.

The CCTS Report on Wireless Code Violations: When Is Data on a Data Stick an “Add On”?

Wed, 2014/11/05 - 09:11

The Commissioner for Complaints for Telecommunications Services released his annual report yesterday resulting in a wide range of interpretations with some citing improved customer service due to an overall decline in complaints, others focusing on declining customer service owing to an increase in complaints from misleading contractual terms, and yet others pointing to the CRTC Wireless Code as the reason behind the overall decline in complaints.

Despite some improvement in service, the most notable aspect of the report is a review of compliance with the wireless code. With the code now fully operational, there is simply no excuse for carrier non-compliance. Yet the data suggests that there are numerous confirmed breaches. Bell is easily the most notable company when it comes to failure to comply with the code: when you combine Bell Canada, Virgin Mobile (which it owns), and Northern Tel (which it now also owns), 2/3 of the confirmed breaches all come from the same source. In other words, every few weeks, Bell Canada or one of its companies had a confirmed breach of the wireless code.

Moreover, some of the CCTS case studies are astonishing for the reluctance of the carriers to address relatively minor customer concerns or by the adoption of clearly untenable positions.  For example, the report cites a customer who subscribed to an unlimited data package for a wireless data stick. The carrier switched the customer to a 10 GB usage cap without obtaining express consent. When confronted on the issue, carrier argued that the data plan was not a “key term and condition” in the contract but rather an “add on.” As the CCTS notes, “we found this odd since the customer was using a data stick and the only service he required for this purpose was data.”

The report also highlights how some carriers are still reluctant to unlock devices (as required by the wireless code). One case study notes that a carrier refused to unlock a device, arguing that the customer was not subject to the wireless code. The CCTS ruled in favour of the customer and the carrier ultimately provided an unlock code. From a customer service perspective, however, it is hard to understand why a carrier would force a consumer to complain to the CCTS in order to unlock their phone. Complaints may be declining, but the CCTS report makes it clear that there is still room for improvement.

The post The CCTS Report on Wireless Code Violations: When Is Data on a Data Stick an “Add On”? appeared first on Michael Geist.

Why the Digital Privacy Act Will Expand Personal Information Disclosure Without Court Oversight

Tue, 2014/11/04 - 10:36

My column this week on warrantless access to personal information under Canadian law noted that Bill S-4, the Digital Privacy Act, will expand the likelihood warrantless disclosures between private organizations. As I posted recently:

Bill S-4 proposes that:

“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

Unpack the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).

Yet despite the plain language of the provision and the concerns from the Privacy Commissioner of Canada, Industry Minister James Moore’s office continues to insist that the concerns are unfounded. In response to the column, Jake Enwright, Moore’s press secretary responded with a tweet that the concerns were “false.”

Enwright Tweet https://twitter.com/JakeREnwright/status/528566471623204864?cn=cmVwbHk%3D

I debunked many of the government claims on S-4 in this post. With respect to Enwright’s comment, it bears repeating that the Privacy Commissioner of Canada has stated:

we believe that the grounds for disclosing to another organization are overly broad and need to be circumscribed, for example, by defining or limiting the types of activities for which the personal information could be used

As for the impact of S-4 on warrantless disclosures, the bill plainly expands the ability of organizations to voluntarily disclose personal information without a warrant or court oversight. While some organizations will decline to voluntarily disclose such information, when combined with Bill C-13′s grant of full immunity for voluntary disclosures, it seems likely that others will provide subscriber information without a warrant or court oversight.  That will lead to an increase in warrantless disclosures. Simply put, government claims that such concerns are false do not stand up to even mild scrutiny.

The post Why the Digital Privacy Act Will Expand Personal Information Disclosure Without Court Oversight appeared first on Michael Geist.

Warrantless Access to Subscriber Information: Has the Tide Turned on Canada’s Privacy Embarrassment?

Mon, 2014/11/03 - 10:45

In a year in which privacy issues have captured near weekly headlines, one concern stands out: warrantless access to Internet and telecom subscriber information. From revelations that telecom companies receive over a million requests each year to the Supreme Court of Canada’s landmark decision affirming that there is a reasonable expectation of privacy in subscriber information, longstanding law enforcement and telecom company practices have been placed under the microscope for the first time.

Last week, the Privacy Commissioner of Canada released a report that shed further light on the law enforcement side of warrantless disclosure requests, raising disturbing questions about the lack of record keeping and politically motivated efforts to drum up data on the issue.

My weekly technology law column (Toronto Star version, homepage version) notes that the Office of the Privacy Commissioner of Canada notified the Royal Canadian Mounted Police last October that it was planning to conduct preliminary investigative work on the collection of warrantless subscriber information from telecom companies. The plan was to assess RCMP policies and to determine the frequency and justification for warrantless requests.

Despite interviewing dozens of personnel, investigators were unable to obtain specific numbers as the RCMP simply did not compile the requested information. When asked why the information was not collected, law enforcement officials noted that its information management system was never designed to capture access requests.

While that may help explain the absence of data, investigators also found that the RCMP issued an internal memorandum in 2010 instructing officers to begin collecting such information. Why the change in approach?

It would appear that the new policy was directly linked to lawful access legislation that was facing public criticism over provisions that would have required telecom and Internet companies to disclose subscriber information without a warrant (the law at the time permitted voluntary disclosure but left discretion over whether to disclose to the telecom or Internet provider). Critics of the lawful access bill noted that there was little evidence that mandated disclosure was needed. In response, the RCMP attempted to pull together the missing data, but later abandoned the effort when the lawful access bill died on the order paper.

When combined with non-transparent telecom provider policies and government legislative initiatives seeking to expand disclosure, the RCMP revelations should give all Canadians concerned with their informational privacy pause. We now know that entering this year, law enforcement and government departments were requesting access to subscriber information without a warrant over a hundred thousand times every month. We also know that telecom companies were keeping their responses to the requests secret, that law enforcement was not tracking its access requests, and that the government was determined to expand the system by encouraging voluntary disclosure of personal information through a pair of bills that are still before Parliament.

Despite the sorry state of subscriber privacy at the start of 2014, the situation has improved in recent months. Pressure on the telecom companies to offer greater transparency on their practices has led both Rogers and Telus to regularly disclose aggregated data on subscriber requests. Moreover, the Supreme Court of Canada’s Spencer decision confirmed that there is a reasonable expectation of privacy in telecom and Internet subscriber information.

Those are positive steps, yet at least three major issues remain unresolved. First, there are still some telecom companies that have not issued transparency reports, most notably Bell Canada, the country’s largest telecom provider.

Second, the RCMP remains somewhat coy about how it plans to address warrantless disclosure requests in the future. As part of the Privacy Commissioner of Canada investigation, it undertook only to study mechanisms for reporting requests. Potential recommendations are not due until April 2015.

Third, the government remains committed to encouraging voluntary warrantless disclosure of subscriber information. Justice Minister Peter MacKay’s Bill C-13, which is now at the Senate, grants full civil and criminal immunity for organizations that voluntarily disclose personal information to law enforcement, while Industry Minister James Moore’s Bill S-4, which will be studied later this month by the House of Commons Industry Committee, expands voluntary warrantless disclosure between private sector organizations.

The post Warrantless Access to Subscriber Information: Has the Tide Turned on Canada’s Privacy Embarrassment? appeared first on Michael Geist.

Warrantless Access to Subscriber Information: Has the Tide Turned On Canada’s Privacy Embarrassment?

Mon, 2014/11/03 - 10:27

Appeared in the Toronto Star on November 1, 2014 as Had the Tide Turned on Canada’s Privacy Embarrassment

In a year in which privacy issues have captured near weekly headlines, one concern stands out: warrantless access to Internet and telecom subscriber information. From revelations that telecom companies receive over a million requests each year to the Supreme Court of Canada’s landmark decision affirming that there is a reasonable expectation of privacy in subscriber information, longstanding law enforcement and telecom company practices have been placed under the microscope for the first time.

Last week, the Privacy Commissioner of Canada released a report that shed further light on the law enforcement side of warrantless disclosure requests, raising disturbing questions about the lack of record keeping and politically motivated efforts to drum up data on the issue.

The Office of the Privacy Commissioner of Canada notified the Royal Canadian Mounted Police last October that it was planning to conduct preliminary investigative work on the collection of warrantless subscriber information from telecom companies. The plan was to assess RCMP policies and to determine the frequency and justification for warrantless requests.

Despite interviewing dozens of personnel, investigators were unable to obtain specific numbers as the RCMP simply did not compile the requested information. When asked why the information was not collected, law enforcement officials noted that its information management system was never designed to capture access requests.

While that may help explain the absence of data, investigators also found that the RCMP issued an internal memorandum in 2010 instructing officers to begin collecting such information. Why the change in approach?

It would appear that the new policy was directly linked to lawful access legislation that was facing public criticism over provisions that would have required telecom and Internet companies to disclose subscriber information without a warrant (the law at the time permitted voluntary disclosure but left discretion over whether to disclose to the telecom or Internet provider). Critics of the lawful access bill noted that there was little evidence that mandated disclosure was needed. In response, the RCMP attempted to pull together the missing data, but later abandoned the effort when the lawful access bill died on the order paper.

When combined with non-transparent telecom provider policies and government legislative initiatives seeking to expand disclosure, the RCMP revelations should give all Canadians concerned with their informational privacy pause. We now know that entering this year, law enforcement and government departments were requesting access to subscriber information without a warrant over a hundred thousand times every month. We also know that telecom companies were keeping their responses to the requests secret, that law enforcement was not tracking its access requests, and that the government was determined to expand the system by encouraging voluntary disclosure of personal information through a pair of bills that are still before Parliament.

Despite the sorry state of subscriber privacy at the start of 2014, the situation has improved in recent months. Pressure on the telecom companies to offer greater transparency on their practices has led both Rogers and Telus to regularly disclose aggregated data on subscriber requests. Moreover, the Supreme Court of Canada’s Spencer decision confirmed that there is a reasonable expectation of privacy in telecom and Internet subscriber information.

Those are positive steps, yet at least three major issues remain unresolved. First, there are still some telecom companies that have not issued transparency reports, most notably Bell Canada, the country’s largest telecom provider.

Second, the RCMP remains somewhat coy about how it plans to address warrantless disclosure requests in the future. As part of the Privacy Commissioner of Canada investigation, it undertook only to study mechanisms for reporting requests. Potential recommendations are not due until April 2015.

Third, the government remains committed to encouraging voluntary warrantless disclosure of subscriber information. Justice Minister Peter MacKay’s Bill C-13, which is now at the Senate, grants full civil and criminal immunity for organizations that voluntarily disclose personal information to law enforcement, while Industry Minister James Moore’s Bill S-4, which will be studied later this month by the House of Commons Industry Committee, expands voluntary warrantless disclosure between private sector organizations.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

The post Warrantless Access to Subscriber Information: Has the Tide Turned On Canada’s Privacy Embarrassment? appeared first on Michael Geist.

Canada’s New “Anti-Terrorism” Bill: Responding to the Courts, Not the Attacks

Tue, 2014/10/28 - 08:30

The government yesterday introduced Bill C-44, the Protection of Canada from Terrorists Act. While some were expecting significant new surveillance, decreased warrant thresholds, and detention measures, this bill is a response to several court decisions, not to the attacks last week in Ottawa and Quebec. A second bill – which might use the U.K. legislative response to terror attacks as a model – is a future possibility, but policy decisions, cabinet approval, legal drafting, and constitutional reviews take time.

Bill C-44, which was to have been tabled on the day of the Ottawa attack, responds to two key issues involving CSIS, Canada’s domestic intelligence agency.  The first involves a federal court case from late last year in which Justice Richard Mosley, a federal court judge, issued a stinging rebuke to Canada’s intelligence agencies (CSEC and CSIS) and the Justice Department, ruling that they misled the court when they applied for warrants to permit the interception of electronic communications. Mosley’s concern stemmed from warrants involving two individuals that were issued in 2009 permitting the interception of communications both in Canada and abroad using Canadian equipment. At the time, the Canadian intelligence agencies did not disclose that they might ask their foreign counterparts (namely the “five eyes” partners in the U.S., U.K., Australia, and New Zealand) to intercept the foreign communications.

The federal government appealed the ruling, but the appellate court decision has not been publicly revealed. It seems likely that the government lost, since Bill C-44 seeks address the issue by removing territorial restrictions on CSIS. The bill includes clauses that state that CSIS may conduct investigations within or outside Canada and seek a warrant to allow for foreign investigations. Moreover, it opens the door to warrants that apply outside the country regardless of the law in Canada or elsewhere. It provides:

Without regard to any other law, including that of any foreign state, a judge may, in a warrant issued under subsection (3), authorize activities outside Canada to enable the Service to investigate a threat to the security of Canada.

That is remarkably broad provision as it allows the federal court to issue warrants that violate the laws of other countries, including foreign privacy laws.

The second issue involves the anonymity of CSIS human sources.  Earlier this year, the Supreme Court of Canada confirmed that CSIS human sources are not protected by class privilege. That decision upheld an earlier Federal Court of Appeal decision which arrived at a similar conclusion. The case stemmed from a 2008 security certificate naming Mohamed Harkat as a person inadmissable to Canada on national security grounds. Bill C-44 reverses the court rulings by granting anonymity to CSIS sources (though it adds a limitation where disclosure “is essential to establish the accused’s innonence”).

Bill C-44 may reverse the courts on both issues, but what it does not do is address ongoing concerns regarding the accountability and transparency of Canada’s security intelligence agencies. Indeed, the Mosley case in particular raised troubling questions about the adequacy of oversight over Canada’s surveillance activities. Rather than address those concerns, the government has instead simply reversed the court rulings through legislative reform, leaving the current inadequate oversight system untouched.

The post Canada’s New “Anti-Terrorism” Bill: Responding to the Courts, Not the Attacks appeared first on Michael Geist.

Responding to the Attacks: Why We Need to Resist Quick-Fix Anti-Terrorism Measures

Mon, 2014/10/27 - 09:53

Two shocking terror attacks on Canadian soil, one striking at the very heart of the Canadian parliament buildings and both leaving behind dead soldiers. Office buildings, shopping centres, and classrooms placed under lockdown for hours with many confronting violence first hand that is rarely associated with Canada.

Last week’s terror events will leave many searching for answers and seeking assurances from political and security leaders that they will take steps to prevent it from happening again. There will be an obvious temptation to look to the law to “fix” the issue, and if the past is a guide, stronger anti-terror legislation and warnings that Canadians may need to surrender more of their privacy and civil liberties in the name of greater security will soon follow.

My weekly technology law column (Toronto Star version, homepage version) notes that if there are legal solutions that would help foster better security, they should unquestionably be considered. Yet Canada should proceed with caution and recognize that past experience suggests that the unintended consequences that may arise from poorly analyzed legislation may do more harm than good.

The Canadian experience with lawful access reform provides an instructive lesson in how knee-jerk legislative responses rarely provide the desired solutions. Lawful access bills began appearing soon after the events of 9-11 with the initial bills envisioning the creation of a massive surveillance infrastructure. It featured provisions mandating that Internet providers disclose detailed personal information on subscribers and requiring them to install extensive surveillance equipment on their networks.

The public expressed disapproval with the proposals, raising serious questions about the lack of evidence to support claims the legislation would address actual law enforcement problems, the associated costs, and the implications for striking a reasonable balance between security needs and privacy safeguards.

Lawful access has remained a hot button issue, but successive bills have gradually retreated from those early plans. Bill C-13, the latest lawful access bill (labelled as cyber-bullying legislation), has generated well-deserved criticism, yet many of the most invasive provisions have been removed. As the bill heads for Senate review, there is still room for improvement, but even the fiercest critic must acknowledge that many of the biggest privacy concerns have been addressed.

New anti-terrorism legislation is next on the legislative docket. The forthcoming bill is ostensibly a response to last year’s federal court decision that rebuked Canada’s intelligence agencies (CSEC and CSIS) and the Justice Department for misleading the court when they applied for warrants to permit the interception of electronic communications.

Justice Mosley, a former official with the Justice Department who was involved with the creation of the Anti-Terrorism Act, expressed concern about warrants involving two individuals that were issued in 2009 permitting the interception of communications both in Canada and abroad using Canadian equipment. At the time, the Canadian intelligence agencies did not disclose that they might ask their foreign counterparts (namely the “five eyes” partners in the U.S., U.K., Australia, and New Zealand) to intercept the foreign communications.

The government appealed Mosley’s decision, but the Federal Court of Appeal ruling has not been publicly released. Many observers suspect that the government lost the appeal and plans to use legislative changes to address issues related to interceptions and information sharing.

In the aftermath of the Canadian terror attacks, there will likely be calls to go even further, granting police and intelligence agencies more powers. But before we look to the law to address our security concerns, a better understanding of the possible security and intelligence failures that may have contributed to the terror attacks is needed. If agencies are not effectively using their current powers, more powers will do little to remedy the current situation.

Moreover, legislative reforms must also address Canada’s weak oversight and accountability mechanisms. One of the glaring problems with Canada’s current system is the lack of oversight: limited Parliamentary review, long delays in issuing reports from the CSEC Commissioner, and sporadic public revelations about the operations of Canada’s security and intelligence agencies.

Notwithstanding the urge to “do something”, Canada should be cautious about looking to more laws as the primary means to prevent a repeat of this week’s tragic events and ensure that any reforms that emerge be accompanied by effective oversight and accountability.

The post Responding to the Attacks: Why We Need to Resist Quick-Fix Anti-Terrorism Measures appeared first on Michael Geist.

Responding to the Attacks: Why We Need to Resist Quick-Fix Anti-Terrorism Measures

Mon, 2014/10/27 - 09:29

Appeared in the Toronto Star on October 25, 2014 as Why We Need To Resist Quick-Fix Anti-Terrorism Measures

Two shocking terror attacks on Canadian soil, one striking at the very heart of the Canadian parliament buildings and both leaving behind dead soldiers. Office buildings, shopping centres, and classrooms placed under lockdown for hours with many confronting violence first hand that is rarely associated with Canada.

This week’s terror events will leave many searching for answers and seeking assurances from political and security leaders that they will take steps to prevent it from happening again. There will be an obvious temptation to look to the law to “fix” the issue, and if the past is a guide, stronger anti-terror legislation and warnings that Canadians may need to surrender more of their privacy and civil liberties in the name of greater security will soon follow.

If there are legal solutions that would help foster better security, they should unquestionably be considered. Yet Canada should proceed with caution and recognize that past experience suggests that the unintended consequences that may arise from poorly analyzed legislation may do more harm than good.

The Canadian experience with lawful access reform provides an instructive lesson in how knee-jerk legislative responses rarely provide the desired solutions. Lawful access bills began appearing soon after the events of 9-11 with the initial bills envisioning the creation of a massive surveillance infrastructure. It featured provisions mandating that Internet providers disclose detailed personal information on subscribers and requiring them to install extensive surveillance equipment on their networks.

The public expressed disapproval with the proposals, raising serious questions about the lack of evidence to support claims the legislation would address actual law enforcement problems, the associated costs, and the implications for striking a reasonable balance between security needs and privacy safeguards.

Lawful access has remained a hot button issue, but successive bills have gradually retreated from those early plans. Bill C-13, the latest lawful access bill (labelled as cyber-bullying legislation), has generated well-deserved criticism, yet many of the most invasive provisions have been removed. As the bill heads for Senate review, there is still room for improvement, but even the fiercest critic must acknowledge that many of the biggest privacy concerns have been addressed.

New anti-terrorism legislation is next on the legislative docket. The forthcoming bill is ostensibly a response to last year’s federal court decision that rebuked Canada’s intelligence agencies (CSEC and CSIS) and the Justice Department for misleading the court when they applied for warrants to permit the interception of electronic communications.

Justice Mosley, a former official with the Justice Department who was involved with the creation of the Anti-Terrorism Act, expressed concern about warrants involving two individuals that were issued in 2009 permitting the interception of communications both in Canada and abroad using Canadian equipment. At the time, the Canadian intelligence agencies did not disclose that they might ask their foreign counterparts (namely the “five eyes” partners in the U.S., U.K., Australia, and New Zealand) to intercept the foreign communications.

The government appealed Mosley’s decision, but the Federal Court of Appeal ruling has not been publicly released. Many observers suspect that the government lost the appeal and plans to use legislative changes to address issues related to interceptions and information sharing.

In the aftermath of the Canadian terror attacks, there will likely be calls to go even further, granting police and intelligence agencies more powers. But before we look to the law to address our security concerns, a better understanding of the possible security and intelligence failures that may have contributed to the terror attacks is needed. If agencies are not effectively using their current powers, more powers will do little to remedy the current situation.

Moreover, legislative reforms must also address Canada’s weak oversight and accountability mechanisms. One of the glaring problems with Canada’s current system is the lack of oversight: limited Parliamentary review, long delays in issuing reports from the CSEC Commissioner, and sporadic public revelations about the operations of Canada’s security and intelligence agencies.

Notwithstanding the urge to “do something”, Canada should be cautious about looking to more laws as the primary means to prevent a repeat of this week’s tragic events and ensure that any reforms that emerge be accompanied by effective oversight and accountability.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

The post Responding to the Attacks: Why We Need to Resist Quick-Fix Anti-Terrorism Measures appeared first on Michael Geist.

About That Copyright Exception for Political Advertising. . .Never Mind

Fri, 2014/10/24 - 09:06

Earlier this month, a political storm hit in Canada when it was revealed that the government was considering including a new copyright exception for political advertising in its forthcoming omnibus budget bill. The reports sparked claims of fascism, censorship, expropriation, and more, yet as I argued, the commentary bore almost no relationship to reality. There were legitimate concerns about an exception made solely available to politicians and political parties as well as doubts about the need for such an exception given the breadth of the current fair dealing exception that already permits most uses of video clips.

Yesterday, the government tabled its omnibus budget bill, which contains changes to the Patent Act (to bring Canada into compliance with the Patent Law Treaty), effectively ban paper billing charges for telecom and broadcast services, and grant new enforcement powers to the CRTC. As for the copyright reform provision, perhaps the public outcry had an impact. It is nowhere to be found.

The post About That Copyright Exception for Political Advertising. . .Never Mind appeared first on Michael Geist.

The Expansion of Personal Information Disclosure Without Consent: Unpacking the Government’s Weak Response to Digital Privacy Act Concerns

Tue, 2014/10/21 - 11:03

Bill S-4, the government’s Digital Privacy Act, was sent for review to the Industry Committee yesterday. The committee review, which comes before second reading, represents what is likely to be the last opportunity to fix a bill that was supposed to be a good news story for the government but has caused serious concern within the Canadian privacy community. While there are several concerns (I raised them in my appearance before the Senate committee that first studied the bill), the chief one involves the potential expansion of voluntary disclosure of personal information without consent or court oversight. Bill S-4 proposes that:

“an organization may disclose personal information without the knowledge or consent of the individual… if the disclosure is made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

Translate the legalese and you find that organizations will be permitted to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. Moreover, the disclosure occurs in secret without the knowledge of the affected person (who therefore cannot challenge the disclosure since they are not aware it is happening).

The government is clearly aware that this is a major concern as it attempted to answer the critics during debate over Bill S-4 in the House of Commons yesterday. Unfortunately, the responses were incredibly weak. I’ve identified at least six responses from government sources below.

1. Expanded Disclosure Without Consent is Needed for Investigations by Regulatory Bodies

Conservative MP Cheryl Gallant claimed that there is a need for the provision since there are regulatory bodies such as the College of Physicians and Surgeons of Ontario, the Law Society of Alberta, or the Association of Professional Engineers of Nova Scotia that may need to obtain personal information as part of an investigation into member conduct. Yet the three organizations are all already included in a list of organizations that qualify as investigative bodies and therefore can rely on an exception that permits disclosure. In fact, the list already includes nearly 100 organizations that ranges from the Association of Professional Geoscientists of Ontario to the Board of Funeral Services to the College of Midwives of Ontario. The law has been in effect for over 10 years, providing plenty of time for dozens of organizations to obtain regulatory approval. Opening the disclosures to any private organization is simply not needed as there is no problem for regulatory bodies that conduct member investigations.

2. Expanded Disclosure Without Consent is Consistent with a 2006 Committee Recommendation

Government MPs claim that the provision is merely implementing a 2006 recommendation from the last committee to consider Canadian private sector privacy law. But while the Standing Committee on Access to Information, Privacy and Ethics may have recommended a similar reform in 2006, that recommendation was rejected by both the Conservative government and the Privacy Commissioner of Canada. The committee recommendation appears to have come from a single submission from the Canadian Bar Association. The CBA appeared before the committee but was not questioned about the proposal. The CBA proposal focused specifically on personal information legally available to a party to a legal proceeding. That is much narrower than the Bill S-4 provision.

In fact, even that narrower proposal was rejected by the Conservative government in its response to the committee recommendations:

The government notes the Committee’s recommendation and acknowledges that it was made in response to concerns expressed by certain stakeholders regarding the need to ensure that PIPEDA does not impede litigation procedures.  However, the government does not share the Committee’s view that such an amendment is necessary at this time.

The Privacy Commissioner of Canada also publicly opposed the recommendation, which she included among the six issues about which she had particular concerns:

The Canadian Bar Association recommended that the AB and BC Acts both provide clarity in regard to information legally available in a legal proceeding. I do not believe that this issue has posed any great difficulty over the past five years. The OPC has stated in complaints that the access provisions of PIPEDA may be broader than the requirements of discovery, depending on the breadth of documents relevant to a proceeding.

In other words, Bill S-4 contains an expanded version of a provision that one group asked for without facing any questions, that the government rejected when it was proposed, and about which the Privacy Commissioner of Canada expressed particular concern.

3. The Privacy Commissioner of Canada Supports Bill S-4

Government MPs claimed that the Privacy Commissioner of Canada supports Bill S-4. However, the Privacy Commissioner’s submission to the Senate committee specifically identified expanding voluntary disclosure without consent to private organizations as a concern:

While we understand the challenges created by the existing investigative body regime, we have some reservations about the proposed amendments. First, we believe that the grounds for disclosing to another organization are overly broad and need to be circumscribed, for example, by defining or limiting the types of activities for which the personal information could be used...Finally, there is the issue of transparency. These disclosures will be invisible to the individuals concerned and to our Office. In order to provide greater accountability, we recommend that the Committee consider ways to require organizations to be more transparent about the disclosures they would make under this provision.

4. Canadians Expect Businesses to Disclose Their Personal Information

Conservative MP Joan Crockatt implausibly argued that Canadians expect that businesses will share their personal information in this manner:

The provisions in the bill would allow businesses to share information in the normal course of business in a very limited way. They are things that would actually be required for that business to be conducted. It would not involve something like a major search through data to look for information on a large number of consumers. This would be something that would be more specific to being able to conduct day-to-day business, something that consumers would expect when they are doing business with a corporation.

The reality is that the provision has nothing to do with day-to-day business operations. Indeed, businesses can easily obtain consent for that form of use. The provision in question involves disclosure without consent.

5. PIPEDA Already Includes Information Sharing Provisions

Industry Minister James Moore’s press secretary Jake Enright argued on Twitter that PIPEDA has always permitted information sharing. However, as Enright surely knows, PIPEDA does not currently include a blanket exception for disclosure to private sector organizations. There are an assortment of exceptions for disclosure without consent, but the broad permission found in Bill S-4 is not there. This is not a case of implementing strict rules, but rather expanding the scope of disclosure without consent or court oversight.

6. Bill S-4 Is Consistent With the Supreme Court of Canada Spencer Decision

Enright also maintained that Supreme Court of Canada’s Spencer decision, which found that there is a reasonable expectation of privacy in subscriber information, does not mean that Bill S-4 is unconstitutional. But the constitutionality argument is wholly beside the point given the emphasis on reasonable expectation of privacy. Moreover, when Moore appeared before the Senate committee, he argued that consumers may have agreed to the voluntary disclosures in their user agreements:

Well, if you agree to a contract, for example, with a telecommunications company, and as part of that contract you can surrender some of your capacity to have your information shared under certain circumstances, that can exist in a number of contractual situations, but that’s an individual signing a contract and agreeing to that openness in the case of a criminal investigation.

But the Supreme Court was dismissive of arguments that consumers had consented to the disclosure of their information in the ISP user agreements:

Whether or not disclosure of personal information by Shaw is “permitted” or “required by law” in turn depends on an analysis of the applicable statutory framework. The contractual provisions, read as a whole, are confusing and equivocal in terms of their impact on a user’s reasonable expectation of privacy in relation to police initiated requests for subscriber information.

The Court added:

Given that the purpose of PIPEDA is to establish rules governing, among other things, disclosure “of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information” (s. 3), it would be reasonable for an Internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat PIPEDA’s general prohibition on the disclosure of personal information without consent.

The reality is that the expansion of voluntary disclosure of personal information without consent or court oversight is both overbroad and a serious threat to the privacy of Canadians. Indeed, when coupled with the expansion of voluntary warrantless disclosure to law enforcement in Bill C-13 (through full legal immunity) and the revelations of more than a million annual disclosures of subscriber information to law enforcement, it paints a picture of the government undermining privacy while claiming to protect it.

The post The Expansion of Personal Information Disclosure Without Consent: Unpacking the Government’s Weak Response to Digital Privacy Act Concerns appeared first on Michael Geist.