Rogers surprised many yesterday by becoming the first major Canadian telecom provider to release a transparency report (TekSavvy, a leading independent ISP, beat them by a few hours in issuing a very detailed report on its policies and activities). The company was rightly lauded for releasing the report, which seems likely to end the silence among all Canadian telecom companies. Telus now says it is working on a transparency report for release this summer and it is reasonable to guess that others will follow.
Much of the focus on the report came from its big number: nearly 175,000 requests for subscriber information last year. Yet requests for information are only part of the story. The report only contained data on requests for information with no numbers on how many times the company disclosed the information to the authorities upon request. The reason for the omission is a shocking admission: Rogers says it has not tracked when it discloses subscriber information in response to these requests. When asked how often authorities' requests were granted, the company stated:
"We don't keep track of it. Our tracking to date has really been for internal management purposes, not for creating a transparency report. So that's something we're going to look to expand in the future and hopefully provide more information in the future."
By contrast, the TekSavvy report provides data on both requests and disclosures as do many other transparency reports (Google, Twitter, Microsoft).
The claim that Rogers only tracks in-bound requests and not out-bound data is hard to believe. The reason may be financial - the "internal management purpose" may be to charge a fee to law enforcement for the process. Further, the company says that if it considers an order too overbroad, it will "push back and, if necessary, go to court to oppose the request." Is it really possible that the company has no records of when it has gone to court to oppose a request?
[Update 7/6/14: Rogers has provided a private response in which it indicates that it does have records of individual responses to requests for subscriber information, but that it does not track aggregate numbers. Further, it does know the number of times it went to court, but did not include that information in the transparency report.]
Tracking disclosures of subscriber information should not be viewed as optional. Privacy law gives individuals a right of access to their information:
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.
The statute continues at 4.9.3:
In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.
If Rogers is not tracking disclosures, the approach raises privacy compliance concerns. Moreover, this helps explain why it does not notify customers that their information has been disclosed since it does not seem to track the information itself.
Last night I appeared before the Senate Transport and Communications Committee, which is conducting hearings on Bill S-4, the Digital Privacy Act. I have posted on the bill's shocking expansion of warrantless voluntary disclosure, by pointing to a provision that would permit disclosure to any organization, not just law enforcement. This appearance provided the opportunity to discuss a broader range of issues, including positive elements in the bill (clarification of consent, expansion of the Commissioner publicly disclosing information, and a longer time period to bring a case to the federal court), the areas in need of improvement (security breach disclosure standards, voluntary warrantless disclosure, compliance agreements), and the glaring omission of stronger reporting requirements.
The surprise of the night came at the end, when the chair indicated that the committee did not plan to hear from any further witnesses. The bill will therefore move to clause-by-clause review next week.
Appearance before the Senate Transport and Communications Committee, June 4, 2014
Good evening. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I have appeared many times before committees on various digital policy issues, including privacy. I appear today in a personal capacity representing only my own views.
I'd like to structure my remarks by focusing on three welcome elements of Bill S-4, three areas in need of improvement, and one glaring omission.
The Welcome Provisions
First, the good news. Bill S-4 importantly provides additional clarification for the standard of consent. Given that meaningful consent provides the foundation for the law, the clarification is much-needed, particularly for minors. Consent is meaningless if the person does not understand to what they are consenting. By clarifying the standard of consent, businesses will have greater certainty and a clear obligation to ensure that Canadians are better informed about the collection, use and disclosure of their personal information.
Second, the expansion on publicly disclosing information is also a welcome addition and long overdue. I have long argued that the Office of the Privacy Commissioner adopted an unnecessarily conservative interpretation of the current provision that allows for naming organizations subject to complaints. The expansion of the provision sends a signal that the Commissioner should not hesitate to publicly disclose any information if it is in the public interest to do so. This would include poor organizational practices, well-founded complaints or public privacy risks.
Third, the extension of the deadline to take a complaint to the Federal Court is much needed as well, given that the current system represents an unnecessary barrier to potential pursuit of federal court review.
Areas in Need of Improvement
Let me now turn to three important aspects of the bill in need of improvement. First, the long-awaited security breach disclosure requirements. As you are aware, creating mandatory security breach disclosure requirements at the federal level is long overdue as it creates incentives for organizations to better protect our information and allows Canadians to take action to avoid risks such as identity theft. There are aspects of the Bill S-4 security breach rules that are better than those found in prior bills such as C-12 and C-29. Most notably, the inclusion of actual penalties is essential to create the necessary incentives for compliance.
However, there are problems with the standards for disclosure, some left over from the prior bill and some new to this bill.
From the prior bill, the standard for notification to individuals - "a real risk of significant harm to the individual" - should be lowered to ensure that the law captures more breaches. By comparison, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm. In Europe, telecom breaches must be reported based on an "adverse affect to personal data or privacy" standard, which is also better than the Bill S-4 approach. These are better approaches that make it more likely that Canadians will be informed when their information is caught up in a breach.
New to this bill is the removal of a two-stage process that involved first informing the Privacy Commissioner and then the individual where circumstances warrant it. Bill S-4 puzzlingly establishes the same standard - "real risk of significant harm" - for both notifying the Commissioner and individuals. This means there may be no notification for systemic security problems within an organization or technical standard vulnerabilities. I repeat - those kinds of breaches would not be disclosed to anyone. The bill requires organizations to maintain a record of all breaches, but only to disclose them if the Commissioner asks.
Why is this a problem? Because it is likely to result in significant under-reporting of breaches since organizations will invariably err on the side of non-reporting in borderline cases and the Commissioner will be unaware of the situation since there is no reporting requirement to that office.
You have heard some suggest that all breaches should be reported to the Commissioner. This is the approach in some jurisdictions. For example, under a European Union regulation passed last year, all personal data breaches at telecom companies must be reported to the national data protection authority.
I believe that the prior government bills (C-12 and C-29) offered a better, two-stage approach. The first notification to the Privacy Commissioner would occur where there is a "material breach of security safeguards". Whether the breach was material depended upon the sensitivity of the information, the number of individuals affected, and whether there was a systemic problem. It did not require a risk of significant harm. The two-stage approach was far better, since it ensured notifications first to the Commissioner, including identifying systemic problems that may not be caught by the Bill S-4 approach.
I would therefore recommend two changes to these provisions: the California-style standard for notifications to individuals and the government's own approach in C-12/C-29 to notifying the Commissioner as a first step.
The second major area for improvement involves the expansion of warrantless disclosure. At a time when many Canadians are concerned with voluntary, warrantless disclosure, the bill expands the possibility of warrantless disclosure to anyone, not just law enforcement. The bill features a provision that grants organizations the right to voluntarily disclose personal information without the knowledge of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation).
While the government has claimed that this provision should not concern Canadians, the reality is that the broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. This runs counter to recent Federal Court decisions that have sought to establish clear limits and oversight over such disclosures.
Moreover, the disclosure itself is kept secret from the affected individual, who is unlikely to complain since they will be unaware that their information has been disclosed. In fact, while a House of Commons committee may have recommended a similar reform in 2006, that recommendation was rejected at the time by both the Conservative government and the Privacy Commissioner of Canada.
The reform here is clear: the provision opening the door to the massive expansion of warrantless, non-notified voluntary disclosures should be removed.
Third, given the distinct lack of powers for the Privacy Commissioner of Canada, the creation of compliance agreements is a step in the right direction, but order-making power or at least some form of direct regulatory action such as administrative and monetary penalties is needed. The inability to make well-founded findings 'stick' without first navigating an inaccessible and impractical trip to the federal court has been an enormous source of frustration for many Canadians.
The creation of compliance orders would have made sense if there had been some power to issue penalties or take regulatory action, as is the case in the United States where compliance orders are commonly used. Without such a threat, however, it is difficult to see why an organization would enter into such an agreement. Avoiding the federal court is something you do when you fear you might lose. That has not been the case under PIPEDA. Reforms are needed with real penalties to ensure compliance.
The Glaring Omission
The lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures is a glaring omission from the bill and should be addressed. The stunning revelations about over 1 million requests and 750,000 disclosures of personal information - the majority without court oversight or warrant - point to an enormously troubling weakness in Canada's privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope. In my view, this makes victims of us all - disclosure of our personal information often without our awareness or explicit consent.
This can be addressed through two reforms. First, the law should require organizations to publicly report on the number of disclosures they make to law enforcement without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception. This information should be disclosed in aggregate every 90 days. Second, organizations should be required to notify affected individuals within a reasonable time period of the disclosure - perhaps 60 days - unless doing so would affect an active investigation.
The adoption of these provisions - which would be consistent with what we heard from Mr. Therrien yesterday - would be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.
Posted by Sixtine Fabre, Associate Program Manager, Google Cultural Institute
On June 6, 1944, the largest air, naval and military operation in history took place on the coast of Normandy. To commemorate the 70th anniversary of D-Day, we’ve partnered with a number of cultural institutions and veterans from the U.S., U.K. and France to help share the stories of the Normandy Landings through the Cultural Institute and a Google+ Hangout on Air today.
Technology allows us to bring together information from around the world to showcase different perspectives on one moment in time. This is possible thanks to partners including The National Archives, The George C. Marshall Research Foundation, The Imperial War Museum, and Bletchley Park codebreaker center.
This collection provides an in-depth look into the Normandy Landings with 470 new documents and images ranging from photos of important preparations, meetings of leaders, and soldiers in action to documents like FDR’s D-Day Prayer and a top secret progress report from General Eisenhower to General Marshall. These pieces have been curated into digital exhibits that present a timeline of events for those who want to be guided through the content. For visitors who have a specific photo or document in mind, the search function allows users to find specific archival material.
Not only will we honor this history through archival content, but you’ll also have the chance to hear the stories of veterans who made the mission possible. Today, we’re hosting a Google+ Hangout on Air from the Caen War Memorial with American, French and British D-Day veterans. The conversation will be hosted by French journalist Gilles Bouleau, and Caen Memorial historian Christophe Prime will take part as well. The Hangout will begin at 12:00 p.m. EST.
Whether it’s through the Cultural Institute or Hangouts on Air, we hope you’ll take the chance to learn more about D-Day and remember this important piece of our history.
US Amphibious Force Training for Invasion, The George C. Marshall Foundation
I made a submission to the Competition Bureau as part of their request for input. This was based on a submission I had made in 2003, updated to reflect new issues in the last decade including the passage of the C-11 Copyright bill.
C-11's "technological measures" components are presumed to protect encrypted media, which is better understood in a competition rather than a copyright sense. While there is no credible evidence that these measures help reduce copyright infringement, there is considerable evidence that they are being abused to manipulate separate markets as well as harm competitors in the same market.
In recent years, it has become fashionable to argue that Canadians no longer care about their privacy. Supporters of this position note that millions of people voluntarily post personal information and photos about themselves on social media sites, are knowingly tracked by Internet advertising giants, and do not opt-out of "targeted" advertising from telecom companies. Yet if the past few months are any indication, it is not Canadians that have given up on privacy. It is the Canadian government.
My weekly technology law column (Toronto Star version, homepage version) notes that the public response to the tidal wave of stories regarding widespread surveillance, the 1.2 million government requests to telecom companies for customer information, and the growing number of security breaches suggest that many Canadians are deeply concerned about the protection of their privacy. However, many feel helpless in the face of recent revelations and wonder whether the government is prepared to tighten privacy rules and establish stronger oversight.
Unfortunately, the answer to that question is increasingly clear. Not only has the government largely abandoned stronger privacy protections, but legislative proposals currently before Parliament seem certain to weaken the current legal framework even further.
For example, Bill C-13, the lawful access and cyberbullying bill, raises such serious privacy concerns that Carole Todd, the mother of cyberbullying victim Amanda, pointedly told Members of Parliament studying the bill that "we should not have to choose between our privacy and our safety."
Much like the government's divisive approach to the last lawful access bill (in which then-Public Safety Minister Vic Toews infamously stated that people could stand with the government or with child pornographers), Justice Minister Peter MacKay is again forcing Canadians to choose.
The latest bill grants telecom companies and other organizations legal immunity for the voluntary disclosure of their customers' personal information. Law enforcement officials have confirmed that this goes well beyond basic subscriber information and may include transmission and tracking data.
The bill also establishes a low threshold for warrants to access metadata, which numerous experts confirm may reveal private and sensitive information. Despite the concerns, no Canadian privacy commissioner will appear before the committee studying the bill and groups such as the British Columbia Civil Liberties Association have been similarly excluded (I appeared before the committee last Thursday).
The situation is similarly grim with respect to Bill S-4, the Digital Privacy Act that is currently winding its way through the Senate. That bill expands the scope of voluntary warrantless disclosures of personal information by allowing for such disclosures to any organization, not just law enforcement.
Moreover, the law does not require telecom providers to notify customers of these disclosures, meaning that hundreds of thousands of Canadians remain in the dark when their information is voluntarily handed over to officials. In fact, telecom companies have thus far rejected calls for greater transparency on their disclosure practices, pointing to government rules that they claim prohibit them from opening up.
The government's decision to weaken privacy protection also extends to its unwillingness to rein in surveillance activities. While the U.S. has begun to reconsider its approach and to establish more effective oversight mechanisms, the state of Canadian surveillance remains shrouded in secrecy. Repeated revelations about Canadian involvement in global surveillance programs, including programs that have involved domestic interceptions, have been met with a collective shrug from elected officials.
As if to emphasize the point, last week the government named a senior Justice lawyer for the Canadian surveillance agencies as the new Privacy Commissioner of Canada. While past performance does not guarantee future policies (Chantal Bernier, Canada's interim Privacy Commissioner, came to the office from Public Safety), the decision to pass over several well-qualified privacy experts with commissioner experience sends an unmistakable message about the government's general view of privacy.
The bleak state of Canadian privacy is difficult to reconcile with a government that has prioritized a consumer perspective on telecom, broadcast, and banking issues. Further, conservative government policies are often consistent with civil libertarian views that abhor public intrusion into the private lives of its citizens.
But with Ottawa showing no signs of backtracking on its privacy reforms, Canadians can be forgiven for wondering how its government became so hostile towards their privacy at the very time that they woke up to the importance of the issue.
- Consumers wonder what exactly has changed when they are confronted with a new set of online terms, in a cloud-based service, website terms or software license. We reviewed this issue in an earlier post, which looked at changes to online terms in the middle of the product lifecycle. Amendments are often ...
So I explained to my daughter that there was a man who was a spy, who discovered that the spies he worked for were breaking the law and spying on everyone, capturing all their e-mails and texts and video-chats and web-clicks. My daughter has figured out how to use a laptop, phone, or tablet to peck out a message to her grandparents (autocomplete and spell-check actually make typing into an educational experience for kids, who can choose their words from drop-down lists that get better as they key in letters); she’s also used to videoconferencing with relatives around the world. So when I told her that the spies were spying on everything, she had some context for it.
Right away, we were off to the races. ‘‘How can they listen to everyone at once?’’ ‘‘How can they read all those messages?’’ ‘‘How many spies are there?’’ I told her about submarine fiber-optic taps, prismatic beam-splitters, and mass databases. Again, she had a surprising amount of context for this, having encountered digital devices whose capacity was full – as when we couldn’t load more videos onto a tablet – and whose capacities could be expanded with additional storage.
Then I talked about not reading everything in realtime, and using text-search to pick potentially significant messages out of the stream. When I explained the spies were looking for ‘‘bad words’’ in the flow, she wanted to know if I meant swear words (she’s very interested in this subject). No, I said, I mean words like ‘‘bank robbery’’ (we haven’t really talked about terrorism yet – maybe next time
Mastering by John Taylor Williams: firstname.lastname@example.org
John Taylor Williams is an audiovisual and multimedia producer based in Washington, DC and the co-host of the Living Proof Brew Cast. Hear him wax poetic over a pint or two of beer by visiting livingproofbrewcast.com. In his free time he makes "Beer Jewelry" and "Odd Musical Furniture." He often "meditates while reading cookbooks."
The federal government created the Office of the Federal Ombudsman for Victims of Crime in 2007 to ensure that victims' concerns and voices were heard. Last week, Sue O'Sullivan, the current ombudsman, appeared before the committee studying Bill C-13, the lawful access/cyberbullying bill. Ms. O'Sullivan, a former Deputy Chief of Police for the Ottawa Police Service, confirmed what has become increasingly obvious. Despite the government's expectations that victims and their families would offer strong support for Bill C-13, that community is split on the bill:
I would like to touch briefly on what appears to be the most controversial aspects of the bill, those which relate to investigative tools and the balance of powers and privacy. Privacy matters and technical investigative tools do not generally fall within my mandate. It is worth noting that among the victims we have spoken to, there is no clear consensus on the element of the bill. I have spoken with victims who very much support further measures to assist law enforcement in their investigation, and find the tools included in this bill to be balanced and necessary. I have, like you, heard opposing points of views from victims who don't wish to see these elements of the bill proceed for fear they will impinge on Canadians' privacy rights. From my own perspective, I would say that there is a balance to be struck, and the dialogue that Canadians are having is a needed and valuable one.
The comments come after Carole Todd, the mother of Amanda, told the committee:
I don't want to see our children victimized again by losing privacy rights. I am troubled by some of these provisions condoning the sharing of the privacy information of Canadians without proper legal process. We are Canadians with strong civil rights and values. A warrant should be required before any Canadian's personal information is turned over to anyone, including government authorities. We should also be holding our telecommunication companies and Internet providers responsible for mishandling our private and personal information. We should not have to choose between our privacy and our safety.
The Boys and Girls Clubs of Canada, also expected to be a supporter of Bill C-13, expressed similar concerns:
We understand that Bill C-13 has also raised concerns on the respect of privacy. Young people deserve to be protected from cyberbullying, but they also deserve to be protected and respected for their privacy. Now, we're no experts on privacy, so our only recommendation on that is to encourage you to listen, obviously, to any concerns that are brought up, any considerations that are brought up, by the experts who are dealing with privacy, to make sure that we're protecting youth from cyberbullying but we're also protecting our children and youth and their privacy rights.
Despite the concerns - and the urging to listen to the privacy community - the committee will not hear from a single Canadian privacy commissioner as part of its study on the bill.
With Daniel Therrien, the government's nominee for Privacy Commissioner of Canada, scheduled to appear before the House of Commons Access to Information, Privacy and Ethics committee tomorrow, reports this morning provide new insights into the government's selection process. Josh Wingrove of the Globe reports that there was a short-list of six candidates, but that neither of the presumed leaders - Chantal Bernier and Liz Denham - made the final two short-short list. Treasury Board President Tony Clement ultimately made the final recommendation of Mr. Therrien to Prime Minister Harper, who approved the recommendation.
Stephen Maher reports that the selection committee's preferred candidate was Lisa Campbell, the Acting Senior Deputy Commissioner of Competition at the Competition Bureau. Maher reports that government officials derailed the recommendation by seeking a second finalist for the position. The report is noteworthy since it confirms that the selection committee's own recommendation was not followed. The delayed nomination means that no privacy commissioner will appear before the committee studying Bill C-13, the lawful access bill.
The current legislative situation regarding privacy confounds many Canadians, given that Prime Minister Harper and key players in his coterie have staunchly argued on the principles of privacy to dismantle past measures of data collection, even when those measures were supported by Conservative allies. Specifically, the long-form census and the long-gun registry were discarded despite opposition from prominent experts in the areas of finance and law enforcement.
In 2010, amidst a firestorm of criticism, the Prime Minister cancelled the mandatory long-form census and replaced it with an optional household survey. Objections poured forth from the provinces, municipalities, communities, businesses, educators, social advocates, health organizations, and more, including a former Bank of Canada governor.
Most telling, Munir Sheikh resigned his position as Chief Statistician of Statistics Canada, rather than acquiesce to a decision that could only damage Canadian wellbeing. Effective policy cannot be made without reliable data. (Indeed, Prime Minister Harper is likely feeling that headache now, as he tries to combat the problems of the temporary foreign worker visa program, without accurate information concerning where needs can be filled without placing Canadians at a disadvantage.)
The Prime Minister viewed the census as an intrusion into Canadian privacy, despite the rigorous controls enforced by Statistics Canada with respect to disclosure of the data. (Individual information was never revealed; only aggregate information was provided through a controlled request system.) Writing for the Progressive Economics Forum at that time, Armine Yalnizyan explored the Canadian system in detail and in comparison to other systems, and made plain that while personal data is gathered, the results are never personal. No privacy commissioner had ever seen fit to question the operations of Statistics Canada. Yet discarding the census was clearly a matter of principle, or so it must be seen. Tony Clement, then-Minister of Industry, made these remarks to the Standing Committee for Industry, Science and Technology:
Our government’s reason for replacing the mandatory census with a voluntary national survey on the long form is clear. We do not believe it is appropriate to compel Canadians to divulge extensive private and personal information.
So despite compromising effective decision making in his own government, Prime Minister Harper stood resolutely on the issue of privacy.
For those who might still have doubts, the demise of the long-gun registry offers further illustration of our Prime Minister’s formerly adamant views on privacy. A dogged six-year battle (from 2006-2012) was needed to remove the registry from use. And, not content to merely end the requirement of registration, Prime Minister Harper sought to ensure that all existing data be destroyed. According to Jason Kenney, then-Minister for Citizenship and Immigration:
… we can protect the privacy rights of Canadians, and there are hundreds of thousands of law-abiding Canadians who are legitimate firearms owners who believe that database undermines their privacy rights, and our commitment was, for that reason, to get rid of that data.
When the registry was eliminated in 2012, it was over and above the objections of Canadian law enforcement agencies. For instance, an RCMP evaluation of the registry argued that it served a vital function towards public safety:
The program is often misperceived by the media and the public as being solely a registry. The administration of this national public safety program might better be compared with a provincial Motor Vehicles Branch, which is also involved in safety training, licensing and registration and is an important resource to law enforcement. … There continues to be public safety threats in Canada caused by both the deliberate and accidental misuse of firearms, mostly through non-restricted firearms (long guns). … Regulation of firearms provides for greater accountability for the firearm (p.17)
The Canadian Association of Chiefs of Police also came out forcefully in favour of the registry. Bill Blair, then head of the association, indicated that “officers use the registry up to 11,000 times a day, both to investigate and prevent crime.”
With the Prime Minister favouring a law-and-order agenda in Canada, it is more than odd that he chose to ignore the opinions of those involved in law-and-order. One can only infer that privacy reigned supreme among Prime Minister Harper’s principles and was not to be compromised, even for political gain.
Returning to current events, perhaps knowing that she would not be permitted to speak to the Standing Committee, Ontario Privacy Commissioner Dr. Ann Cavoukian does not mince words in a letter to the Committee Chair, dated 16 May 2014. Calling for revision of the pending legislation, she concludes with:
Canadians have a constitutional right to be secure from unreasonable search and seizure, including with respect to personal information held by third parties. The expansive surveillance proposals and entrenchment of sweeping immunity for digital service providers brings this right into question.
Cavoukian, along with the Canadian Bar Association and others, has encouraged the Government to split Bill C-13 into separate pieces of legislation, one to address cyberbullying and the other for lawful access. Minister MacKay has refused such proposals; perhaps Prime Minister Harper may yet see wisdom in such a move.
Update – June 3
Jill Clayton, Elizabeth Denham and Ann Cavoukian (privacy commissioners of Alberta, BC and Ontario, respectively) ask the Standing Committee to “… postpone hearings on Bill C-13 until such a time as the Privacy Commissioner of Canada can appear and speak to this Bill …”; their letter (dated 2 June 2014) is available here.
Update – June 13 — a tumultuous ten days
The contested appointment of a new privacy commissioner, with a somewhat surprising outcome, the unwillingness of the government to amend either C-13 or S-4, and a timely reminder from the Supreme Court of Canada that Canadians have an expectation of privacy, mean that there will be continued pressure upon the government to reconsider its actions. With unanimity, the Justices declared: “The two circumstances relevant to determining the reasonableness of … expectation of privacy in this case are the nature of the privacy interest at stake and the statutory and contractual framework governing the ISP’s disclosure of subscriber information.”
Josh Wingrove, writing for the Globe and Mail, solicited opinion from privacy expert David Fraser; he emphasizes that this alone does not “throw out” parts of S-4 and C-13, but “… adds to the ammunition critics have had with respect to a number of the provisions.” Fraser provides ongoing analysis at his blog; among his preliminary remarks was this gem: “Contrary to the views of most police agencies and the government of Canada, this information is not innocuous phone book information but, ‘rather, it was the identity of an Internet subscriber which corresponded to particular Internet usage.’”
Over the last few months, Canadians have been presented with the sobering news of breaches of privacy committed on a massive scale. The revelation of over one million requests to telecommunications providers for subscriber records must provoke scrutiny of this government’s treatment of privacy. Scholars and privacy organizations are concerned that our government’s current legislative program will only make such breaches easier to carry out.
Currently, there are two bills under discussion in Parliament. Bill C-13 (Protecting Canadians from Online Crime Act) is before the Standing Committee on Justice and Human Rights; it offers incentives for disclosure of subscriber data by providing immunity to any telecommunications company that voluntarily supplies information when requested by law enforcement agencies. Bill S-4 (Digital Privacy Act) has arrived at the Senate chambers and extends that offer of immunity to any private organization that claims to be investigating a breach of contract, or a possible breach of contract.
After his participation in discussion of C-13 with the Standing Committee on 29 May 2014, Michael Geist posted his thoughts about the meeting itself, alerting Canadians to the spectacle of a bill so intertwined with privacy, moving forward without the involvement of a single privacy commissioner. Furthermore, “… leading privacy groups such as the Canadian Civil Liberties Association, the British Columbia Civil Liberties Association, and CIPPIC have all been told that there is unlikely to be spots for them at committee. …”
Canadians may wish to know who has been permitted to speak to the Standing Committee so far. According to the records available to date, the Standing Committee began discussion of C-13 on 1 May 2014, has had six meetings so far, with one more meeting confirmed for 3 June 2014.
The first meeting was entirely given over to Peter MacKay (Minister of Justice and Attorney General of Canada) and members of his department. Through the next five meetings, law enforcement officials and families of victims were each allocated one meeting. In the remaining three meetings, the following organizations were involved: Boys and Girls Clubs of Canada, Canadian Association of University Teachers, Canadian Bar Association, Canadian Centre for Child Protection, Criminal Lawyers Association, Kids Internet Safety Alliance, and Office of the Federal Ombudsman for Victims of Crime. Interspersed among these organizations were four individuals: David Fraser, Gregory Gilhooly, Steph Guthrie and Michael Geist.
With this weighting of participants, one might have expected testimony to be resoundingly in favour of the government’s proposals. Yet the second meeting defied that expectation. The transcript for 6 May 2014 makes for interesting reading.
The witnesses of the day were representatives of Boys and Girls Clubs of Canada, Steph Guthrie and David Fraser. Notably, both Guthrie and Fraser have devoted considerable effort to representing the interests of victims of cyber-assault, see here and here. If the Committee expected unqualified approbation from all three parties, the MPs were quickly disabused of that notion. All witnesses gave comprehensive statements; each witness asked that attention be brought to bear on the privacy implications of the bill.
Fraser spoke first; immunity came in for conspicuous displeasure at the end of his prepared remarks:
I find this to be gravely problematic. I think it’s a very cleverly crafted provision. We’re told that this is simply for greater certainty, but it goes beyond that. Everything we know suggests otherwise.
It says that you will not be liable for handing over any data that you’re not prohibited by law from handing over, and if you do so you’re civilly immune. Now, only the criminal law and other regulations create prohibitions against handing over information, but you can hand over information when you’re not legally prohibited and still incur civil liability. Civil liability is there for a reason. I may not be legally prohibited from accidentally driving my car into yours, but if I do that, you’re entitled to damages from that. I should be paying for the harm that is caused.
If there were an immunity provision that said you could not sue me if I did something that was not legally prohibited, that would be squelched. That would go away. So this provision, I believe, should be removed. It can’t be fixed and will only encourage overreaching by law enforcement.
In conclusion, while we don’t have Bill S-4, the digital privacy act, in front of us, that fits together with the immunity provisions. I’m concerned that the two taken together will extend the amount of information not only available to law enforcement but will extend the information available to other civil litigants and others (emphasis mine).
Fahd Alhattab, an alumnus of Boys and Girls Clubs of Canada, added a plea with his request for protection of privacy:
Young people deserve to be protected from cyberbullying, but they also deserve to be protected and respected for their privacy. Now, we’re no experts on privacy, so our only recommendation on that is to encourage you to listen, obviously, to any concerns that are brought up, any considerations that are brought up, by the experts who are dealing with privacy, to make sure that we’re protecting youth from cyberbullying but we’re also protecting our children and youth and their privacy rights (emphasis mine).
On cue, Guthrie then drew attention back to the immunity offered for warrantless disclosure in C-13, noting that C-13 claims to bring scrutiny to the issue of consent in terms of cyberbullying, yet turns around and abandons consent in terms of privacy:
Perhaps most of Bill C-13 isn’t really about cybersexual assault, but I find it interesting that it violates some of the same privacy principles, such as freely given and specific consent. Most of us do not and would not give free and specific consent for the state to access any, and potentially all, of our data by way of our Internet service providers if we had any meaningful choice in the matter.
The consent we give is to our Internet service providers. If the police want our information because they suspect we are engaged in criminal activity, well, most of us would assume that is what search warrants are for. Bill C-13 enshrines the idea of transferable consent in law, immunizing anyone who shares our information and violates our privacy without adequate legal justification for doing so (emphasis mine).
While obviously different in many ways, the limitations on personal freedom imposed by Bill C-13 bear some striking similarities to those imposed by cybersexual assault. The state could be following us into our job interviews, on our first dates, or to the laundromat. The bill’s provisions will restrict Canadians’ ability to live life normally and comfortably because they are constantly living with the idea that the state, when they encounter it, may know intimate things about them that they didn’t consent to share. Even if they know they have done nothing wrong, they must still deal with the judgments, misperceptions, and intrusions of the state.
In the question and answer period that followed, a concerted effort by MP Bob Dechert to push Fraser into agreeing that immunity was necessary to combat the harms that have been inflicted on past victims came to naught. Dechert posed the hypothetical situation of a young woman, about to be victimized by widespread dissemination of a personal photograph thereby provoking a request from the police that an ISP should help identify the offender; Dechert asked if Fraser would advise the ISP to disclose the data:
Mr. David Fraser: In this scenario—again, I can only speak for myself—I believe there is a real harm attached to the dissemination of these sorts of images. I’ve seen first-hand the harm that they can do to a young person, and I’ve seen what they can do to an adult. My inclination would be to provide that information. That would be my impulse. I would know there might be possibly some risk in doing that, but for me, given the severity of what’s going on, this is a non-trivial matter, and my inclination would be to hand over that information.
Mr. Bob Dechert: In that circumstance, you would agree that the ISP provider should not bear any civil liability if it turns out that they were incorrect; there was no crime committed or about to be committed.
Mr. David Fraser: I wouldn’t grant them immunity.
Mr. Bob Dechert: You wouldn’t grant them immunity.
Mr. David Fraser: No. I would say that they acted in good faith and they wouldn’t be liable, but I wouldn’t grant them immunity.
Mr. Bob Dechert: That would expose them to a lawsuit, would it not?
Mr. David Fraser: Certainly. Walking down the street exposes one to a lawsuit. There is a difference between not being liable and having immunity. Immunity is a blanket, saying that no matter what you do, nobody can raise an issue.
Immunity, of course, is only part of the problem of C-13.
There are significant concerns about the widening of data to be collected. What is benignly referred to as transmission data is not as innocuous as it sounds, despite the assurance of Minister MacKay at the first meeting on 1 May 2014:
… the definition of transmission is narrowly defined and captures only data that relates to the act of telecommunication. The definition of transmission data is the modern equivalent of phone-call information, not what is actually contained in the conversation, and these proposals are meant to ensure consistent treatment of similar information.
Such language is, intentionally or otherwise, misleading. Turning again to Fraser’s opening remarks, he is explicit as to what transmission data entails:
With conventional telephony, transmission data refers to the number called from, the number called to, whether the call was connected, and how long that call lasted. In the Internet context, the amount of information that’s included in the kind of out-of-band signalling information and what it reveals is dramatically different. It would include the IP address of the originating computer, the destination computer, information about the browser that’s being used, information about the computer that’s being used, information about the URL, the address being accessed, which can actually disclose content, even though the definition of transmission data is intended to exclude that.
It will also tell you what kind of communications are being done. Is it an e-mail communication? Is it an instant message? Is it peer-to-peer file sharing or otherwise? So it provides much more insight into actually what is going on than just phone number information. An interception of transmission data would tell law enforcement agencies whether the target of surveillance was visiting a search engine, an encyclopedia site, a poker site, or a medical site. Furthermore, the data would provide greater insight into the likely physical location of the surveillance target. This is a dramatic expansion of the information that’s provided and available, compared to traditional telephone communications.
As anybody in this room knows, I expect, the way we use computers today is dramatically different from the way we used telephones 15 years ago. We use them as spellcheckers. We use them to find out facts. We use them for a much wider range of activities. With the disclosure of greater information through these transmission data orders, you’re revealing much more about an individual. Even though the definition excludes content, just the transmission data tells you a lot more about really what’s going on.
Geist raises what is perhaps the most perplexing aspect of the proceedings in “Why has the Canadian government given up on protecting our privacy?”, published by the Toronto Star on 30 May 2014. He notes: “… conservative government policies are often consistent with civil libertarian views that abhor public intrusion into the private lives of its citizens.” Our Prime Minister has shown great zeal in protecting privacy in the past. A look back follows in privacy in Canada – part two.
Yesterday I appeared before the Standing Committee on Justice and Human Rights to discuss Bill C-13, the lawful access and cyberbullying bill. My comments focused on three issues: immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.
As Committee chair Mike Wallace discussed plans for further work on the bill, it became apparent that the government intends to move quickly without the opportunity to hear from any Canadian privacy commissioner. Only two more days of witnesses are scheduled (the committee is desperate to hear from Facebook) and then it plans to move to clause-by-clause review of the bill.
Given that lawful access has been the subject of more than a decade of debate, the likelihood that the bill will pass through the committee stage without hearing from a single privacy commissioner is shocking. In fact, leading privacy groups such as the Canadian Civil Liberties Association, the British Columbia Civil Liberties Association, and CIPPIC have all been told that there is unlikely to be spots for them at committee. The exclusion of these groups - along with the absence of any federal or provincial commissioners - undermines the entire review process. There may be differing views on the lawful access provisions (the bill is certainly far better than the prior Bill C-30 and its predecessor but still needs improvement), but a fair and effective legislative process should ensure that leading experts are given the opportunity to voice their views.
The Canadian Internet Registration Authority today announced the first round of recipients in its Community Investment Program. I ran for the CIRA board in the hope that the organization would establish this kind of program and I'm thrilled to see it come to fruition. CIRA received 149 applications (I reviewed them all as chair of the Community Investment Committee) and they provided a great illustration of the energy, excitement, and innovation for the Internet that is taking place across the country.
The committee recommended a wide range of projects for funding with CIRA investing more than one million dollars in the effort. Projects include programs to teach kids how to code, improving Internet access in rural and lower income communities, creating an Internet exchange in Halifax, developing Internet programs in First Nation and northern communities, and creating an Internet-based warning system for at-risk youth. In addition, there are research projects on many issues including surveillance, Internet routing, and consumer e-commerce rights. This is an incredibly exciting initiative as CIRA steps in to provide assistance to projects from coast-to-coast-to-coast. I am very proud to be part of the effort, grateful to the other members of the committee for their hard work in reviewing the applications, and looking forward to the results.
The Marrakesh Treaty to Facilitate Access to Published Works for Persons Who Are Blind, Visually Impaired, or Otherwise Print Disabled, which would make accessible-format copyright works more available, was finalized almost a year ago on June 27 2013.
Whereas 66 countries, including the EU, France, the UK, and the United States, have all signed the treaty, Canada as yet has not.
The treaty is open for signature for up to one year; that deadline is coming up soon in June. Canada should sign the treaty to indicate its support for ending the book famine affecting accessible-format works. Canada's signature belongs on the treaty, given the role that Canada reportedly played during the treaty's negotiation.
Earlier today, I appeared before the Standing Committee on Justice and Human Rights to discuss my concerns with Bill C-13, the lawful access/cyberbullying bill. My opening statement focused exclusively on privacy, pointing to problems with immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements. I'll post a link to the transcript once available. In the meantime, I've posted my opening statement below.
Appearance before the House of Commons Standing Committee on Justice and Human Rights, May 29, 2014
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I have appeared many times before committees on various digital policy issues, including privacy. I appear today in a personal capacity representing only my own views.
As you may know, I have been critical of the lawful access bills that have been introduced by both Liberal and Conservative governments. I wish to emphasize, however, that criticism of lawful access legislation does not mean opposition to ensuring our law enforcement agencies have the tools they need to address crime in the online environment.
As Ms. MacDonald can attest, when her organization launched Project Cleanfeed Canada in 2006, I publicly supported the initiative that targets online child pornography by working to establish a system that protects children, safeguards free speech, and contains effective oversight. In the context of Bill C-13, there is similar work to be done to ensure that we do not unduly and unnecessarily sacrifice our privacy in the name of fighting online harms. As Carol Todd told this committee, "we should not have to choose between our privacy and our safety."
Given the limited time, let me start by saying that I support prior witness calls to split this bill so that cyber-bullying can be effectively addressed and we can more effectively examine lawful access. Moreover, I support calls for a comprehensive review of privacy and surveillance in Canada. I'm happy to discuss these issues further during questions, but I want to focus my time on the privacy concerns associated with this bill. In doing so, I will leave the cyber-bullying provisions to others to discuss.
With respect to privacy, I'm going to confine my remarks to three issues: immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.
Immunity for Voluntary Disclosure
First, the creation of an immunity provision for voluntary disclosure of personal information. I believe that this immunity provision must be viewed within the context of five facts:
1. The law already allows intermediaries to disclose personal information voluntarily as part of an investigation. This is the case both for PIPEDA and the Criminal Code.
2. Intermediaries disclose personal information on a voluntary basis without a warrant with shocking frequency. The recent revelation of 1.2 million requests to telecom companies for customer information in 2011 affecting 750,000 user accounts provides a hint of the privacy impact of voluntary disclosures.
3. Disclosures involve more than just basic subscriber information. Indeed, this committee has heard directly from law enforcement, where the RCMP noted that "currently specific types of data such as transmission or tracking data may be obtained through voluntary disclosure by a third party." In fact, since PIPEDA is open-ended, content can also be disclosed voluntarily so long as it does not involve an interception.
4. Intermediaries do not notify users about their disclosures, keeping hundreds of thousands of Canadians in the dark. Contrary to discussion at this committee earlier this week, there is no notification requirement within the bill to address this issue.
5. This voluntary disclosure provision should be viewed in concert with the lack of meaningful changes in Bill S-4, that would collectively expand warrantless voluntary disclosure to any organization.
Given this background, I would argue that the provision is a mistake and should be removed. The provision unquestionably increases the likelihood of voluntary disclosures at the very time that Canadians are increasingly concerned with such activity. Moreover, it does so with no reporting requirements, oversight, or transparency.
For those that argue that it merely codifies existing law, there are at least two notable changes, both of concern. First, it expands the scope of "public officer" to include the likes of CSEC, CSIS, and other public officials. In the post-Snowden environment, with global concerns about the lack of accountability for surveillance activities, this would run the risk of increasing those activities. Second, the Criminal Code currently includes a requirement of good faith and reasonableness on the organization voluntarily disclosing the information. This new provision does not include those requirements, seemingly granting immunity even where the disclosures are unreasonable.
In short, this provision is not needed to combat cyber-bullying nor is it a provision in need of updating to combat cybercrime. In fact, it is inconsistent with the government's claims of court oversight. It should be removed from the bill.
Low Threshold for Transmission Data Warrants
Second, Bill C-13 contains a troubling, lower "reason to suspect" threshold for transmission data warrants. As many have noted, the kind of information sought by transmission data warrants is more commonly referred to as metadata. While some have tried to argue that metadata is non-sensitive information, that is simply not the case.
There has been some confusion at these hearings regarding how much metadata is included as 'transmission data'. This is far more than who phoned who for how long. It includes highly sensitive information relating to computer-to-computer links, as even law enforcement has explained before this committee.
This form of metadata may not contain the content of the message, but its privacy import is very significant. Late last year, the Supreme Court of Canada ruled in R. v. Vu on the privacy importance of computer generated metadata, noting:
In the context of a criminal investigation, however, it can also enable investigators to access intimate details about a user's interests, habits, and identity, drawing on a record that the user created unwittingly
Security officials have also commented on the importance of metadata. General Michael Hayden, former director of the NSA and the CIA has stated "we kill people based on metadata." Stewart Baker, former NSA General Counsel, has said "metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content."
There are numerous studies that confirm Hayden and Baker's comments. For example, some studies point to calls to religious organizations that allow for inferences of a person's religion. Calls to medical organizations can often allow for inferences on medical conditions. In fact, a recent U.S. court brief signed by some of the world's leading computer experts notes:
Telephony metadata reveals private and sensitive information about people.
It can reveal political affiliation, religious practices, and people's most intimate associations. It reveals who calls a suicide prevention hotline and who calls their elected official; who calls the local Tea Party office and who calls Planned Parenthood. The aggregation of telephony metadata—about a single person over time, about groups of people, or with other datasets—only intensifies the sensitivity of the information
Further, the Privacy Commissioner of Canada has released a study on the privacy implications of IP addresses, noting how they can be used to develop a highly personal look at an individual.
Indeed, even the Justice ministers' report that seems to serve as the policy basis for Bill C-13 recommends the creation of new investigative tools in which "the level of safeguards increases with the level of privacy interest involved."
Given the level of privacy interest with metadata, the approach in Bill C-13 for transmission data warrants should be amended by adopting the reasonable grounds to believe standard.
Transparency and Reporting
Third, the lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures must be addressed. This is an issue that combines PIPEDA and lawful access, but one that is made worse by Bill C-13. The stunning revelations about requests and disclosures of personal information - the majority without court oversight or warrant - point to an enormously troubling weakness in Canada's privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope. In my view, this makes victims of us all - disclosure of our personal information often without our awareness or explicit consent.
When asked for greater transparency - as we see in other countries - Canada's telecom companies have claimed that government rules prohibit it. I hope that the committee will amend the provisions that make warrantless disclosures more likely in Canada. But even if it doesn't, it should surely increase the level of transparency by mandating subscriber notifications, record keeping of personal information requests, and the regular release of transparency reports. These requirements could be added to Bill C-13 to lessen the concern associated with voluntary warrantless disclosures. Moreover, regular reporting would not harm investigative activities and would hold the promise of enhancing public confidence in both our law enforcement and communications providers.
I'd like to conclude by pointing to a personal incident involving one of the committee members - Mr. Dechert - that highlights the relevance of these issues. Many will recall that several years ago Mr. Dechert was the victim of a privacy breach, with personal emails sent to journalists and widely reported in the media. The incident ties together several issues I've discussed:
1. Privacy interests arise even when you have nothing to hide and have done nothing wrong. The harm that arose in that case - despite no wrongdoing - demonstrates the potential victimization that can occur without proper privacy safeguards.
2. Much of that same information runs the risk of voluntary disclosure. Indeed, the expansion of the public officer definition means that political opponents could seek voluntary disclosure of such information and obtain immunity in doing so. Moreover, there is no notification in such instances.
3. The content of the emails was largely irrelevant. The metadata - who was being called, when they were called, where they were called and for how long - would allow for the same inferences that were mistakenly made during that incident. The privacy interest was in the metadata, which is why a low threshold is inappropriate.
This kind of privacy harm can victimize anyone. We know that information from at least 750,000 Canadian user accounts is voluntarily disclosed every year. It is why we need to ensure that the law has appropriate safeguards against misuse of our personal information and why C-13 should be amended. I'll stop there and welcome your questions.
In the first appellate decision of its kind, the D. C. Circuit Court of Appeals has dealt a death knell to the type of mass John Doe fishing expedition cases pioneered by the RIAA and carried on by pornographic filmmakers and other high volume plaintiffs seeking the identity of possible defendants.
In AF Holdings v. Does 1-1058, the appeals court overruled the district court's grant of ex parte discovery, ruling that mass John Doe cases could not be brought where there was no known basis for the assertion of personal jurisdiction over the unknown defendants, and on alternative grounds that there could be no joinder merely because defendants allegedly downloaded the same file through BitTorrent and therefore possibly in the same "swarm".
(Ed. note: A cynic might argue that the key difference in this case was that, for a change, the ISPs, and not merely defendants, were challenging the subpoenas; but of course we all know that justice is 'blind'. An ingrate might bemoan the Court's failure to address the key underlying fallacy in the "John Doe" cases, that because someone pays the bill for an internet account that automatically makes them a copyright infringer; but who's complaining over that slight omission? A malcontent like myself might be a little unhappy that it took the courts ten (10) years to finally come to grips with the personal jurisdiction issue, which would have been obvious to 9 out of 10 second year law students from the get go, and I personally have been pointing it out and writing about it since 2005; but at least they finally did get there. And a philosopher might wonder how much suffering might have been spared had the courts followed the law back in 2004 when the John Doe madness started; but of course I'm a lawyer, not a philosopher. :) Bottom line, though: this is a good thing, a very good thing. Ten (10) years late in coming, but good nonetheless. - R.B.)