News last week of a stunning data breach at a Toronto-area hospital involving information on thousands of mothers places the proposed Digital Privacy Act squarely in the spotlight. Bill S-4, which was introduced two months ago by Industry Minister James Moore, features long overdue data breach disclosure rules.
My weekly technology law column (Toronto Star version, homepage version) notes the new rules would require organizations to notify individuals when their personal information is lost or stolen through a data or security breach. Most other leading economies established similar rules years ago, recognizing that they create much-needed incentives for organizations to better protect our information and allow individuals to take action to avoid harms such as identity theft when their information has been placed at risk.
While the mandatory data breach rules can be an effective legislative privacy tool, they only work if organizations actually disclose breaches in a timely manner. Bill S-4 establishes tough penalties for failure to notify affected individuals, but unfortunately undermines its effectiveness by setting a high notification standard such that Canadians will still be kept in the dark about many breaches, security vulnerabilities, or systemic security problems.
There are two major problems with the government's proposal, which appears to have been placed on a legislative fast track. First, the standard for disclosing a data breach is set at "a real risk of significant harm to the individual." This standard is considerably higher than that found in some other jurisdictions.
For example, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm. In Europe, telecom breaches must be reported based on an "adverse affect to personal data or privacy" standard, which is also a lower threshold than the Canadian plan.
Second, earlier versions of the privacy bill envisioned a two-stage approach in which organizations would be required to notify the Privacy Commissioner of Canada of material data breaches (a far lower standard), who would then work with the organization to assess whether a wider notification to all affected Canadians was warranted. The two-stage approach is increasingly common with New Zealand announcing plans for a similar approach late last month.
The Digital Privacy Act removes the notification of material breaches to the Privacy Commissioner altogether. The bill requires organizations to maintain a record of all breaches, but only to disclose them if the Commissioner asks, and no one seriously expects the Commissioner to regularly ask every organization about whether they have experienced any data breaches.
The elimination of notifications of material breaches is likely to result in significant under-reporting since organizations will invariably err on the side of non-reporting in borderline cases and the Commissioner will be unaware of the situation. Rather than providing Canadians with the necessary information to take steps to mitigate against identity theft and misuse of their personal information, the bill will often leave them unaware of data breaches or security risks.
While there are other serious concerns with the Digital Privacy Act - notably the massive expansion of warrantless voluntary disclosures of personal information - the government promoted the data breach rules as the centerpiece of its effort to better protect Canadians against the misuse of their personal information. Yet the core requirements of that system actually provide less protection than earlier proposals and would be one of the weaker approaches in the developed world.
Privacy has emerged as a dominant issue on Parliament Hill in recent weeks, with the focus on surveillance, lawful access, and the new Privacy Commissioner. The Digital Privacy Act has received less attention; however, its failure to keep Canadians informed about many data breaches should be added to the list of privacy disappointments.
Rogers surprised many yesterday by becoming the first major Canadian telecom provider to release a transparency report (TekSavvy, a leading independent ISP, beat them by a few hours in issuing a very detailed report on its policies and activities). The company was rightly lauded for releasing the report, which seems likely to end the silence among all Canadian telecom companies. Telus now says it is working on a transparency report for release this summer and it is reasonable to guess that others will follow.
Much of the focus on the report came from its big number: nearly 175,000 requests for subscriber information last year. Yet requests for information are only part of the story. The report only contained data on requests for information with no numbers on how many times the company disclosed the information to the authorities upon request. The reason for the omission is a shocking admission: Rogers says it has not tracked when it discloses subscriber information in response to these requests. When asked how often authorities' requests were granted, the company stated:
"We don't keep track of it. Our tracking to date has really been for internal management purposes, not for creating a transparency report. So that's something we're going to look to expand in the future and hopefully provide more information in the future."
By contrast, the TekSavvy report provides data on both requests and disclosures as do many other transparency reports (Google, Twitter, Microsoft).
The claim that Rogers only tracks in-bound requests and not out-bound data is hard to believe. The reason may be financial - the "internal management purpose" may be to charge a fee to law enforcement for the process. Further, the company says that if it considers an order too overbroad, it will "push back and, if necessary, go to court to oppose the request." Is it really possible that the company has no records of when it has gone to court to oppose a request?
[Update 7/6/14: Rogers has provided a private response in which it indicates that it does have records of individual responses to requests for subscriber information, but that it does not track aggregate numbers. Further, it does know the number of times it went to court, but did not include that information in the transparency report.]
Tracking disclosures of subscriber information should not be viewed as optional. Privacy law gives individuals a right of access to their information:
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.
The statute continues at 4.9.3:
In providing an account of third parties to which it has disclosed personal information about an individual, an organization should attempt to be as specific as possible. When it is not possible to provide a list of the organizations to which it has actually disclosed information about an individual, the organization shall provide a list of organizations to which it may have disclosed information about the individual.
If Rogers is not tracking disclosures, the approach raises privacy compliance concerns. Moreover, this helps explain why it does not notify customers that their information has been disclosed since it does not seem to track the information itself.
Last night I appeared before the Senate Transport and Communications Committee, which is conducting hearings on Bill S-4, the Digital Privacy Act. I have posted on the bill's shocking expansion of warrantless voluntary disclosure, by pointing to a provision that would permit disclosure to any organization, not just law enforcement. This appearance provided the opportunity to discuss a broader range of issues, including positive elements in the bill (clarification of consent, expansion of the Commissioner publicly disclosing information, and a longer time period to bring a case to the federal court), the areas in need of improvement (security breach disclosure standards, voluntary warrantless disclosure, compliance agreements), and the glaring omission of stronger reporting requirements.
The surprise of the night came at the end, when the chair indicated that the committee did not plan to hear from any further witnesses. The bill will therefore move to clause-by-clause review next week.
Appearance before the Senate Transport and Communications Committee, June 4, 2014
Good evening. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I have appeared many times before committees on various digital policy issues, including privacy. I appear today in a personal capacity representing only my own views.
I'd like to structure my remarks by focusing on three welcome elements of Bill S-4, three areas in need of improvement, and one glaring omission.
The Welcome Provisions
First, the good news. Bill S-4 importantly provides additional clarification for the standard of consent. Given that meaningful consent provides the foundation for the law, the clarification is much-needed, particularly for minors. Consent is meaningless if the person does not understand to what they are consenting. By clarifying the standard of consent, businesses will have greater certainty and a clear obligation to ensure that Canadians are better informed about the collection, use and disclosure of their personal information.
Second, the expansion on publicly disclosing information is also a welcome addition and long overdue. I have long argued that the Office of the Privacy Commissioner adopted an unnecessarily conservative interpretation of the current provision that allows for naming organizations subject to complaints. The expansion of the provision sends a signal that the Commissioner should not hesitate to publicly disclose any information if it is in the public interest to do so. This would include poor organizational practices, well-founded complaints or public privacy risks.
Third, the extension of the deadline to take a complaint to the Federal Court is much needed as well, given that the current system represents an unnecessary barrier to potential pursuit of federal court review.
Areas in Need of Improvement
Let me now turn to three important aspects of the bill in need of improvement. First, the long-awaited security breach disclosure requirements. As you are aware, creating mandatory security breach disclosure requirements at the federal level is long overdue as it creates incentives for organizations to better protect our information and allows Canadians to take action to avoid risks such as identity theft. There are aspects of the Bill S-4 security breach rules that are better than those found in prior bills such as C-12 and C-29. Most notably, the inclusion of actual penalties is essential to create the necessary incentives for compliance.
However, there are problems with the standards for disclosure, some left over from the prior bill and some new to this bill.
From the prior bill, the standard for notification to individuals - "a real risk of significant harm to the individual" - should be lowered to ensure that the law captures more breaches. By comparison, the California breach notification law requires disclosure of any breach of unencrypted personal information that is reasonably believed to have been acquired by an unauthorized person. In other words, the only threshold is whether an unauthorized person acquired the information, not whether there is real risk of significant harm. In Europe, telecom breaches must be reported based on an "adverse affect to personal data or privacy" standard, which is also better than the Bill S-4 approach. These are better approaches that make it more likely that Canadians will be informed when their information is caught up in a breach.
New to this bill is the removal of a two-stage process that involved first informing the Privacy Commissioner and then the individual where circumstances warrant it. Bill S-4 puzzlingly establishes the same standard - "real risk of significant harm" - for both notifying the Commissioner and individuals. This means there may be no notification for systemic security problems within an organization or technical standard vulnerabilities. I repeat - those kinds of breaches would not be disclosed to anyone. The bill requires organizations to maintain a record of all breaches, but only to disclose them if the Commissioner asks.
Why is this a problem? Because it is likely to result in significant under-reporting of breaches since organizations will invariably err on the side of non-reporting in borderline cases and the Commissioner will be unaware of the situation since there is no reporting requirement to that office.
You have heard some suggest that all breaches should be reported to the Commissioner. This is the approach in some jurisdictions. For example, under a European Union regulation passed last year, all personal data breaches at telecom companies must be reported to the national data protection authority.
I believe that the prior government bills (C-12 and C-29) offered a better, two-stage approach. The first notification to the Privacy Commissioner would occur where there is a "material breach of security safeguards". Whether the breach was material depended upon the sensitivity of the information, the number of individuals affected, and whether there was a systemic problem. It did not require a risk of significant harm. The two-stage approach was far better, since it ensured notifications first to the Commissioner, including identifying systemic problems that may not be caught by the Bill S-4 approach.
I would therefore recommend two changes to these provisions: the California-style standard for notifications to individuals and the government's own approach in C-12/C-29 to notifying the Commissioner as a first step.
The second major area for improvement involves the expansion of warrantless disclosure. At a time when many Canadians are concerned with voluntary, warrantless disclosure, the bill expands the possibility of warrantless disclosure to anyone, not just law enforcement. The bill features a provision that grants organizations the right to voluntarily disclose personal information without the knowledge of the affected person and without a court order to other non-law enforcement organizations provided they are investigating a breach of an agreement or legal violation (or the possibility of a future violation).
While the government has claimed that this provision should not concern Canadians, the reality is that the broadly worded exception will allow companies to disclose personal information to other companies or organizations without court approval. This runs counter to recent Federal Court decisions that have sought to establish clear limits and oversight over such disclosures.
Moreover, the disclosure itself is kept secret from the affected individual, who is unlikely to complain since they will be unaware that their information has been disclosed. In fact, while a House of Commons committee may have recommended a similar reform in 2006, that recommendation was rejected at the time by both the Conservative government and the Privacy Commissioner of Canada.
The reform here is clear: the provision opening the door to the massive expansion of warrantless, non-notified voluntary disclosures should be removed.
Third, given the distinct lack of powers for the Privacy Commissioner of Canada, the creation of compliance agreements is a step in the right direction, but order-making power or at least some form of direct regulatory action such as administrative and monetary penalties is needed. The inability to make well-founded findings 'stick' without first navigating an inaccessible and impractical trip to the federal court has been an enormous source of frustration for many Canadians.
The creation of compliance orders would have made sense if there had been some power to issue penalties or take regulatory action, as is the case in the United States where compliance orders are commonly used. Without such a threat, however, it is difficult to see why an organization would enter into such an agreement. Avoiding the federal court is something you do when you fear you might lose. That has not been the case under PIPEDA. Reforms are needed with real penalties to ensure compliance.
The Glaring Omission
The lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures is a glaring omission from the bill and should be addressed. The stunning revelations about over 1 million requests and 750,000 disclosures of personal information - the majority without court oversight or warrant - point to an enormously troubling weakness in Canada's privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope. In my view, this makes victims of us all - disclosure of our personal information often without our awareness or explicit consent.
This can be addressed through two reforms. First, the law should require organizations to publicly report on the number of disclosures they make to law enforcement without knowledge or consent, and without judicial warrant, in order to shed light on the frequency and use of this extraordinary exception. This information should be disclosed in aggregate every 90 days. Second, organizations should be required to notify affected individuals within a reasonable time period of the disclosure - perhaps 60 days - unless doing so would affect an active investigation.
The adoption of these provisions - which would be consistent with what we heard from Mr. Therrien yesterday - would be an important step forward in providing Canadians with greater transparency about the use and disclosure of their personal information.
In recent years, it has become fashionable to argue that Canadians no longer care about their privacy. Supporters of this position note that millions of people voluntarily post personal information and photos about themselves on social media sites, are knowingly tracked by Internet advertising giants, and do not opt-out of "targeted" advertising from telecom companies. Yet if the past few months are any indication, it is not Canadians that have given up on privacy. It is the Canadian government.
My weekly technology law column (Toronto Star version, homepage version) notes the public response to the tidal wave of stories regarding widespread surveillance, the 1.2 million government requests to telecom companies for customer information, and the growing number of security breaches suggests that many Canadians are deeply concerned about the protection of their privacy. However, many feel helpless in the face of recent revelations and wonder whether the government is prepared to tighten privacy rules and establish stronger oversight.
Unfortunately, the answer to that question is increasingly clear. Not only has the government largely abandoned stronger privacy protections, but legislative proposals currently before Parliament seem certain to weaken the current legal framework even further.
For example, Bill C-13, the lawful access and cyberbullying bill, raises such serious privacy concerns that Carol Todd, the mother of cyberbullying victim Amanda, pointedly told Members of Parliament studying the bill that "we should not have to choose between our privacy and our safety."
Much like the government's divisive approach to the last lawful access bill (in which then-Public Safety Minister Vic Toews infamously stated that people could stand with the government or with child pornographers), Justice Minister Peter MacKay is again forcing Canadians to choose.
The latest bill grants telecom companies and other organizations legal immunity for the voluntary disclosure of their customers' personal information. Law enforcement officials have confirmed that this goes well beyond basic subscriber information and may include transmission and tracking data.
The bill also establishes a low threshold for warrants to access metadata, which numerous experts confirm may reveal private and sensitive information. Despite the concerns, no Canadian privacy commissioner will appear before the committee studying the bill and groups such as the British Columbia Civil Liberties Association have been similarly excluded (I appeared before the committee last Thursday).
The situation is similarly grim with respect to Bill S-4, the Digital Privacy Act that is currently winding its way through the Senate. That bill expands the scope of voluntary warrantless disclosures of personal information by allowing for such disclosures to any organization, not just law enforcement.
Moreover, the law does not require telecom providers to notify customers of these disclosures, meaning that hundreds of thousands of Canadians remain in the dark when their information is voluntarily handed over to officials. In fact, telecom companies have thus far rejected calls for greater transparency on their disclosure practices, pointing to government rules that they claim prohibit them from opening up.
The government's decision to weaken privacy protection also extends to its unwillingness to rein in surveillance activities. While the U.S. has begun to reconsider its approach and to establish more effective oversight mechanisms, the state of Canadian surveillance remains shrouded in secrecy. Repeated revelations about Canadian involvement in global surveillance programs, including programs that have involved domestic interceptions, have been met with a collective shrug from elected officials.
As if to emphasize the point, last week the government named a senior Justice lawyer for the Canadian surveillance agencies as the new Privacy Commissioner of Canada. While past performance does not guarantee future policies (Chantal Bernier, Canada's interim Privacy Commissioner, came to the office from Public Safety), the decision to pass over several well-qualified privacy experts with commissioner experience sends an unmistakable message about the government's general view of privacy.
The bleak state of Canadian privacy is difficult to reconcile with a government that has prioritized a consumer perspective on telecom, broadcast, and banking issues. Further, conservative government policies are often consistent with civil libertarian views that abhor public intrusion into the private lives of its citizens.
But with Ottawa showing no signs of backtracking on its privacy reforms, Canadians can be forgiven for wondering how its government became so hostile towards their privacy at the very time that they woke up to the importance of the issue.
The federal government created the Office of the Federal Ombudsman for Victims of Crime in 2007 to ensure that victims' concerns and voices were heard. Last week, Sue O'Sullivan, the current ombudsman, appeared before the committee studying Bill C-13, the lawful access/cyberbullying bill. Ms. O'Sullivan, a former Deputy Chief of Police for the Ottawa Police Service, confirmed what has become increasingly obvious. Despite the government's expectations that victims and their families would offer strong support for Bill C-13, that community is split on the bill:
I would like to touch briefly on what appears to be the most controversial aspects of the bill, those which relate to investigative tools and the balance of powers and privacy. Privacy matters and technical investigative tools do not generally fall within my mandate. It is worth noting that among the victims we have spoken to, there is no clear consensus on the element of the bill. I have spoken with victims who very much support further measures to assist law enforcement in their investigation, and find the tools included in this bill to be balanced and necessary. I have, like you, heard opposing points of views from victims who don't wish to see these elements of the bill proceed for fear they will impinge on Canadians' privacy rights. From my own perspective, I would say that there is a balance to be struck, and the dialogue that Canadians are having is a needed and valuable one.
The comments come after Carol Todd, the mother of Amanda, told the committee:
I don't want to see our children victimized again by losing privacy rights. I am troubled by some of these provisions condoning the sharing of the privacy information of Canadians without proper legal process. We are Canadians with strong civil rights and values. A warrant should be required before any Canadian's personal information is turned over to anyone, including government authorities. We should also be holding our telecommunication companies and Internet providers responsible for mishandling our private and personal information. We should not have to choose between our privacy and our safety.
The Boys and Girls Clubs of Canada, also expected to be a supporter of Bill C-13, expressed similar concerns:
We understand that Bill C-13 has also raised concerns on the respect of privacy. Young people deserve to be protected from cyberbullying, but they also deserve to be protected and respected for their privacy. Now, we're no experts on privacy, so our only recommendation on that is to encourage you to listen, obviously, to any concerns that are brought up, any considerations that are brought up, by the experts who are dealing with privacy, to make sure that we're protecting youth from cyberbullying but we're also protecting our children and youth and their privacy rights.
Despite the concerns - and the urging to listen to the privacy community - the committee will not hear from a single Canadian privacy commissioner as part of its study on the bill.
With Daniel Therrien, the government's nominee for Privacy Commissioner of Canada, scheduled to appear before the House of Commons Access to Information, Privacy and Ethics committee tomorrow, reports this morning provide new insights into the government's selection process. Josh Wingrove of the Globe reports that there was a short-list of six candidates, but that neither of the presumed leaders - Chantal Bernier and Liz Denham - made the final two short-short list. Treasury Board President Tony Clement ultimately made the final recommendation of Mr. Therrien to Prime Minister Harper, who approved the recommendation.
Stephen Maher reports that the selection committee's preferred candidate was Lisa Campbell, the Acting Senior Deputy Commissioner of Competition at the Competition Bureau. Maher reports that government officials derailed the recommendation by seeking a second finalist for the position. The report is noteworthy since it confirms that the selection committee's own recommendation was not followed. The delayed nomination means that no privacy commissioner will appear before the committee studying Bill C-13, the lawful access bill.
Yesterday I appeared before the Standing Committee on Justice and Human Rights to discuss Bill C-13, the lawful access and cyberbullying bill. My comments focused on three issues: immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.
As Committee chair Mike Wallace discussed plans for further work on the bill, it became apparent that the government intends to move quickly without the opportunity to hear from any Canadian privacy commissioner. Only two more days of witnesses are scheduled (the committee is desperate to hear from Facebook) and then it plans to move to clause-by-clause review of the bill.
Given that lawful access has been the subject of more than a decade of debate, the likelihood that the bill will pass through the committee stage without hearing from a single privacy commissioner is shocking. In fact, leading privacy groups such as the Canadian Civil Liberties Association, the British Columbia Civil Liberties Association, and CIPPIC have all been told that there are unlikely to be spots for them at committee. The exclusion of these groups - along with the absence of any federal or provincial commissioners - undermines the entire review process. There may be differing views on the lawful access provisions (the bill is certainly far better than the prior Bill C-30 and its predecessor but still needs improvement), but a fair and effective legislative process should ensure that leading experts are given the opportunity to voice their views.
The Canadian Internet Registration Authority today announced the first round of recipients in its Community Investment Program. I ran for the CIRA board in the hope that the organization would establish this kind of program and I'm thrilled to see it come to fruition. CIRA received 149 applications (I reviewed them all as chair of the Community Investment Committee) and they provided a great illustration of the energy, excitement, and innovation for the Internet that is taking place across the country.
The committee recommended a wide range of projects for funding with CIRA investing more than one million dollars in the effort. Projects include programs to teach kids how to code, improving Internet access in rural and lower income communities, creating an Internet exchange in Halifax, developing Internet programs in First Nation and northern communities, and creating an Internet-based warning system for at-risk youth. In addition, there are research projects on many issues including surveillance, Internet routing, and consumer e-commerce rights. This is an incredibly exciting initiative as CIRA steps in to provide assistance to projects from coast-to-coast-to-coast. I am very proud to be part of the effort, grateful to the other members of the committee for their hard work in reviewing the applications, and looking forward to the results.
Earlier today, I appeared before the Standing Committee on Justice and Human Rights to discuss my concerns with Bill C-13, the lawful access/cyberbullying bill. My opening statement focused exclusively on privacy, pointing to problems with immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements. I'll post a link to the transcript once available. In the meantime, I've posted my opening statement below.
Appearance before the House of Commons Standing Committee on Justice and Human Rights, May 29, 2014
Good morning. My name is Michael Geist. I am a law professor at the University of Ottawa, where I hold the Canada Research Chair in Internet and E-commerce Law. I have appeared many times before committees on various digital policy issues, including privacy. I appear today in a personal capacity representing only my own views.
As you may know, I have been critical of the lawful access bills that have been introduced by both Liberal and Conservative governments. I wish to emphasize, however, that criticism of lawful access legislation does not mean opposition to ensuring our law enforcement agencies have the tools they need to address crime in the online environment.
As Ms. MacDonald can attest, when her organization launched Project Cleanfeed Canada in 2006, I publicly supported the initiative that targets online child pornography by working to establish a system that protects children, safeguards free speech, and contains effective oversight. In the context of Bill C-13, there is similar work to be done to ensure that we do not unduly and unnecessarily sacrifice our privacy in the name of fighting online harms. As Carol Todd told this committee, "we should not have to choose between our privacy and our safety."
Given the limited time, let me start by saying that I support prior witness calls to split this bill so that cyber-bullying can be effectively addressed and we can more effectively examine lawful access. Moreover, I support calls for a comprehensive review of privacy and surveillance in Canada. I'm happy to discuss these issues further during questions, but I want to focus my time on the privacy concerns associated with this bill. In doing so, I will leave the cyber-bullying provisions to others to discuss.
With respect to privacy, I'm going to confine my remarks to three issues: immunity for voluntary disclosure, the low threshold for transmission data warrants, and the absence of reporting and disclosure requirements.
Immunity for Voluntary Disclosure
First, the creation of an immunity provision for voluntary disclosure of personal information. I believe that this immunity provision must be viewed within the context of five facts:
1. The law already allows intermediaries to disclose personal information voluntarily as part of an investigation. This is the case both for PIPEDA and the Criminal Code.
2. Intermediaries disclose personal information on a voluntary basis without a warrant with shocking frequency. The recent revelation of 1.2 million requests to telecom companies for customer information in 2011 affecting 750,000 user accounts provides a hint of the privacy impact of voluntary disclosures.
3. Disclosures involve more than just basic subscriber information. Indeed, this committee has heard directly from law enforcement, where the RCMP noted that "currently specific types of data such as transmission or tracking data may be obtained through voluntary disclosure by a third party." In fact, since PIPEDA is open-ended, content can also be disclosed voluntarily so long as it does not involve an interception.
4. Intermediaries do not notify users about their disclosures, keeping hundreds of thousands of Canadians in the dark. Contrary to discussion at this committee earlier this week, there is no notification requirement within the bill to address this issue.
5. This voluntary disclosure provision should be viewed in concert with the lack of meaningful changes in Bill S-4, that would collectively expand warrantless voluntary disclosure to any organization.
Given this background, I would argue that the provision is a mistake and should be removed. The provision unquestionably increases the likelihood of voluntary disclosures at the very time that Canadians are increasingly concerned with such activity. Moreover, it does so with no reporting requirements, oversight, or transparency.
For those that argue that it merely codifies existing law, there are at least two notable changes, both of concern. First, it expands the scope of "public officer" to include the likes of CSEC, CSIS, and other public officials. In the post-Snowden environment, with global concerns about the lack of accountability for surveillance activities, this would run the risk of increasing those activities. Second, the Criminal Code currently includes a requirement of good faith and reasonableness on the organization voluntarily disclosing the information. This new provision does not include those requirements, seemingly granting immunity even where the disclosures are unreasonable.
In short, this provision is not needed to combat cyber-bullying nor is it a provision in need of updating to combat cybercrime. In fact, it is inconsistent with the government's claims of court oversight. It should be removed from the bill.
Low Threshold for Transmission Data Warrants
Second, Bill C-13 contains a troubling, lower "reason to suspect" threshold for transmission data warrants. As many have noted, the kind of information sought by transmission data warrants is more commonly referred to as metadata. While some have tried to argue that metadata is non-sensitive information, that is simply not the case.
There has been some confusion at these hearings regarding how much metadata is included as 'transmission data'. This is far more than who phoned who for how long. It includes highly sensitive information relating to computer-to-computer links, as even law enforcement has explained before this committee.
This form of metadata may not contain the content of the message, but its privacy import is very significant. Late last year, the Supreme Court of Canada ruled in R. v. Vu on the privacy importance of computer generated metadata, noting:
In the context of a criminal investigation, however, it can also enable investigators to access intimate details about a user's interests, habits, and identity, drawing on a record that the user created unwittingly
Security officials have also commented on the importance of metadata. General Michael Hayden, former director of the NSA and the CIA has stated "we kill people based on metadata." Stewart Baker, former NSA General Counsel, has said "metadata absolutely tells you everything about somebody's life. If you have enough metadata, you don't really need content."
There are numerous studies that confirm Hayden and Baker's comments. For example, some studies point to calls to religious organizations that allow for inferences of a person's religion. Calls to medical organizations can often allow for inferences on medical conditions. In fact, a recent U.S. court brief signed by some of the world's leading computer experts notes:
Telephony metadata reveals private and sensitive information about people.
It can reveal political affiliation, religious practices, and people's most intimate associations. It reveals who calls a suicide prevention hotline and who calls their elected official; who calls the local Tea Party office and who calls Planned Parenthood. The aggregation of telephony metadata - about a single person over time, about groups of people, or with other datasets - only intensifies the sensitivity of the information
Further, the Privacy Commissioner of Canada has released a study on the privacy implications of IP addresses, noting how they can be used to develop a highly personal look at an individual.
Indeed, even the Justice ministers' report that seems to serve as the policy basis for Bill C-13 recommends the creation of new investigative tools in which "the level of safeguards increases with the level of privacy interest involved."
Given the level of privacy interest with metadata, the approach in Bill C-13 for transmission data warrants should be amended by adopting the reasonable grounds to believe standard.
Transparency and Reporting
Third, the lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures must be addressed. This is an issue that combines PIPEDA and lawful access, but one that is made worse by Bill C-13. The stunning revelations about requests and disclosures of personal information - the majority without court oversight or warrant - point to an enormously troubling weakness in Canada's privacy laws. Most Canadians have no awareness of these disclosures and have been shocked to learn how frequently they are used and that bills before Parliament propose to expand their scope. In my view, this makes victims of us all - disclosure of our personal information often without our awareness or explicit consent.
When asked for greater transparency - as we see in other countries - Canada's telecom companies have claimed that government rules prohibit it. I hope that the committee will amend the provisions that make warrantless disclosures more likely in Canada. But even if it doesn't, it should surely increase the level of transparency by mandating subscriber notifications, record keeping of personal information requests, and the regular release of transparency reports. These requirements could be added to Bill C-13 to lessen the concern associated with voluntary warrantless disclosures. Moreover, regular reporting would not harm investigative activities and would hold the promise of enhancing public confidence in both our law enforcement and communications providers.
I'd like to conclude by pointing to a personal incident involving one of the committee members - Mr. Dechert - that highlights the relevance of these issues. Many will recall that several years ago Mr. Dechert was the victim of a privacy breach, with personal emails sent to journalists and widely reported in the media. The incident ties together several issues I've discussed:
1. Privacy interests arise even when you have nothing to hide and have done nothing wrong. The harm that arose in that case - despite no wrongdoing - demonstrates the potential victimization that can occur without proper privacy safeguards.
2. Much of that same information runs the risk of voluntary disclosure. Indeed, the expansion of the public officer definition means that political opponents could seek voluntary disclosure of such information and obtain immunity in doing so. Moreover, there is no notification in such instances.
3. The content of the emails was largely irrelevant. The metadata - who was being called, when they were called, where they were called and for how long - would allow for the same inferences that were mistakenly made during that incident. The privacy interest was in the metadata, which is why a low threshold is inappropriate.
This kind of privacy harm can victimize anyone. We know that information from at least 750,000 Canadian user accounts is voluntarily disclosed every year. It is why we need to ensure that the law has appropriate safeguards against misuse of our personal information and why C-13 should be amended. I'll stop there and welcome your questions.
The future of broadcasting has emerged as a hot issue with Canada's broadcast regulator effectively putting everything up for grabs as part of its comprehensive TalkTV review of broadcasting regulation. Acknowledging the dramatic shift in the way Canadians access and interact with broadcasting, reforms to seemingly untouchable policies such as simultaneous substitution, genre protection, and over-the-air broadcasting are all on the table.
The Canadian Radio-television and Telecommunications Commission has effectively acknowledged that the world has changed and policies based on a different landscape merit a review. In the current market, scarcity has given way to abundance and broadcasters have ceded considerable control to consumers' demands to watch what they want, when they want.
My weekly technology law column (Toronto Star version, homepage version) notes that Canada's public broadcaster, the Canadian Broadcasting Corporation, is undergoing a similar review. If recent comments from its president Hubert Lacroix are any indication, however, there is no willingness to radically rethink its future. In a speech earlier this month to the Canadian Club of Montreal, Lacroix devoted much of his time to lamenting the budgetary challenges faced by CBC with unfavourable comparisons to support for public broadcasting in other countries.
Liberal MP Stéphane Dion adopted a similar approach in comments in the House of Commons, focusing on budget cuts and claiming that "more than ever, Canada needs a quality public broadcaster."
Lacroix and Dion start from the position that the public broadcaster (particularly English language broadcasting) remains as important today as it did decades ago and that the challenges are primarily budgetary in nature. Yet a more ambitious review would not start with the assumption that this is primarily a debate over financing, but rather open the door to considering whether Canada really does need a public broadcaster in its current form "more than ever".
Indeed, given the many changes in the broadcast environment, the necessity for a public broadcaster that is not dramatically different from the myriad of private choices is not entirely clear. The private sector offers equally compelling news programming and strong sports coverage. The CBC frequently emphasizes the need for a domestic voice and perspective, but today Canadians are empowered to do this on their own.
What the public often needs are the "raw materials" to enhance their content and better platforms to help distribute and market it. What if the CBC saw its public role primarily through that prism? It could continue to produce news programming, but openly licence its content so that Canadians could freely use it for their own creativity and storytelling. Moreover, the CBC could provide the digital platform for those new perspectives, becoming an aggregator for Canadian voices on everything from hockey to politics.
Rethinking the role of the public broadcaster could also mean embracing "non-economic" programming such as local news. While Lacroix muses about whether the CBC should forego local news programming due to the costs, the growing challenge for the private broadcasters to offer comprehensive local news is precisely why a case can be made for public dollars to step in and fund it.
The CBC could also re-examine how it distributes its programming and what it airs during prime time. The public broadcaster could launch an English-language Netflix competitor, offering unlimited on-demand Canadian programming online at no cost. Rather than shutting down over-the-air broadcasting, it could enhance its over-the-air approach by offering mobile television services that by-pass the pricey private alternatives.
As for its conventional programming, it could drop the "me-too" reality shows and use its prime time hours to air Canadian movies and documentaries, providing far more exposure to professionally produced Canadian programming that often struggles to find widespread distribution.
There are legal restrictions that render a fundamental rethinking of the CBC enormously difficult. While no one has all the answers, starting with the view that what ails the CBC is primarily a lack of funding demonstrates a lack of vision and misses the broadcast revolution that is well underway.
With Justice Minister Peter MacKay insistent that the government will not be splitting Bill C-13 into the lawful access and cyber-bullying components, the Canadian Bar Association heads to Parliament Hill today to appear before the Justice Committee to discuss the bill. The CBA's submission features 19 recommendations, including the need for "an independent comprehensive review of privacy interests in the context of electronic investigations." That call echoes an NDP recommendation for a similar independent review. The brief also includes other recommendations for lawful access reform, such as raising the threshold for a transmission data warrant and establishing additional limitations on preservation orders.
For most of the past decade, many people concerned with digital rights have used the Internet and social media to raise awareness in the hope that the government might pay closer attention to their views. The Canadian experience has provided more than its fair share of success stories from copyright reform to usage based billing to the Vic Toews lawful access bill. Yet in recent weeks, there has been mounting criticism about the government's tracking of social media. This post provides a partial defence of the government, arguing that it should be tracking social media activity provided it does so for policy-making purposes.
The controversy started with news that the Privacy Commissioner of Canada has written to the government to express concern that an increasing number of government institutions are collecting publicly available personal information from social media sites such as Facebook and Twitter. The initial report generated considerable media attention with claims that the activity may violate the Privacy Act (or at least the spirit of the legislation).
Last week, Treasury Board President Tony Clement told Jesse Brown that the collection was largely in aggregate form to track public sentiment and that a full review of current practices would be undertaken. However, a later report demonstrated that government officials tracking Bill C-30 (the earlier lawful access bill) did identify specific Twitter users and their tweets (many internal documents I've obtained under Access to Information suggest that the Public Safety officials have been exceptionally defensive about lawful access and often seem to drift away from a balanced position).
As noted above, I think government tracking of social media activity - particularly where it is public and aimed at a policy issue - is a good thing. That support comes with a few caveats. First, social media activity - such as posts, likes, and tweets - is obviously personal information. The fact that they are publicly posted does not alter their status as personal information. The suggestion that the information is fair game for any use since it is publicly available is simply wrong. Note that the issue involves postings that are public, not private.
Second, the Privacy Act does indeed establish some limitations on the collection of personal information. Section 4 provides:
No personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.
If the collection of social media information falls outside of this provision, it is offside the law.
Third, there are clearly dangers of misuse, as the Cindy Blackstock case demonstrated. Using social media to target a specific individual raises serious concerns.
With those caveats, I find myself supportive of the government tracking social media activity, if for the purposes of staying current with public opinion on policy, government bills or other political issues. Facebook and Twitter are excellent sources of discussion on policy issues and government policy makers should be tracking what is said much like they monitor mainstream media reports. Too often government creates its own consultation forum that attracts little attention, while the public actively discusses the issue on social media sites. It seems to me that the public benefits when the government pays attention to this discussion. Users that tweet "at" a minister or use a searchable hashtag are surely hoping that someone pays attention to their comment. To see that government officials are tracking these tweets is a good thing, representing a win for individuals that speak out on public policy.
There certainly need to be policies that ensure that the information is used appropriately and in compliance with the law, but if the current controversy leads to warnings against any tracking of social media, I fear that would represent a huge loss for many groups that have fought to have the government pay more attention to their concerns.
Canada has formally ratified the WIPO Copyright Treaty and the WIPO Performances and Phonograms Treaty. The ratification was a key part of the copyright reform process, leading to contentious debate over the Canadian approach to providing legal protection for digital locks. The treaties will enter into force on August 13, 2014.
As criticism of Bill C-13 mounts, the government's sales strategy for its latest lawful access bill is starting to unravel. Many will recall the immediate, visceral opposition to Bill C-30, the last lawful access bill that started with then-Public Safety Minister Vic Toews declaring the day before introduction that Canadians could either stand with the government or with the child pornographers. The bill never recovered as Toews' divisive remarks placed the spotlight on the warrantless disclosure provisions and the lack of privacy balance. Within ten days it was placed on hiatus and formally killed a year later.
While the government has removed some of the most contentious elements from Bill C-30, many privacy concerns remain (immunity for voluntary disclosure, metadata). Indeed, it appears that its primary takeaway from the last legislative failure - an incredibly rare moment in the life of a majority government - was that it was a botched sales job. So despite a promise not to bring back lawful access legislation, it did so months later, this time armed with a new marketing strategy. Bill C-13 was framed as a cyber-bullying bill and its primary sales people were presumably supposed to be the victims of cyber-bullying and their parents.
The turning point on Bill C-13 came ten days ago when they appeared before the Justice Committee studying the bill. Carol Todd, the mother of Amanda, led off and courageously insisted that the government stop using her child's name to undermine privacy:
"While I applaud the efforts of all of you in crafting the extortion, revenge, porn, and cyberbullying sections of Bill C-13, I am concerned about some of the other unrelated provisions that have been added to the bill in the name of Amanda, Rehtaeh, and all of the children lost to cyberbullying attacks.
I don't want to see our children victimized again by losing privacy rights. I am troubled by some of these provisions condoning the sharing of the privacy information of Canadians without proper legal process. We are Canadians with strong civil rights and values. A warrant should be required before any Canadian's personal information is turned over to anyone, including government authorities. We should also be holding our telecommunication companies and Internet providers responsible for mishandling our private and personal information. We should not have to choose between our privacy and our safety.
We should not have to sacrifice our children's privacy rights to make them safe from cyberbullying, sextortion and revenge pornography."
Ms. Todd's comments effectively derailed the government's sales strategy for Bill C-13, making it clear that the failure to appropriately protect our privacy victimizes the same people the bill purports to protect. In the days since her appearance, the voices against the bill have grown louder. Ontario Privacy Commissioner Ann Cavoukian this week:
"The time for dressing up overreaching surveillance powers in the sheep-like clothing of sanctimony about the serious harms caused by child pornography and cyberbullying is long past."
Former Public Safety Minister Stockwell Day, who faced his own backlash against lawful access, yesterday:
"There can be an overreaction in terms of how you correct it. So [Cavoukian is] raising a bit of an alarm here. Let's be very careful in how we could protect someone in a situation like this, but let's also be careful in going too far and limiting even things like free speech, [or using] invasive techniques that could be employed by policing. I'm hoping they take another look at this and kind of curtail some of those powers."
Next week, the committee resumes with appearances from criminal lawyers, the Canadian Bar Association, and others (I'm currently scheduled to appear on Thursday). With the criticism likely to grow, the government should recognize that its lawful access strategy has failed yet again. The right approach would be to separate the bills, move forward on addressing cyber-bullying, and go back to the drawing board on surveillance and lawful access.
Earlier this week I was pleased to speak at the monthly Geek Girls Toronto event. Hosted at the Mozilla offices, a sold-out audience showed yet again that there is enormous public interest and concern with recent privacy and surveillance developments. A video of the talk, which focused on the problems associated with lawful access, privacy reform, and surveillance, is posted below.
The Copyright Board of Canada issued its long-awaited music streaming decision late last week, setting royalties to be paid by Internet music streaming services such as Pandora for non-interactive and semi-interactive streaming for the years 2009 to 2012. This covers passive Internet radio services and services that allow users to influence what they listen to. Given that Pandora left the Canadian market over high tariff rates, the outcome of the decision was destined to be a key determinant over whether many of the missing Internet music streaming services enter the Canadian market.
For fans of Pandora or similar services, the decision brings good news. The board largely rejected the arguments of Re:Sound, the collective responsible for the tariff and settled on rates close to what the Internet services were seeking. While the collective argued for rates similar to those found in the U.S., the Board ruled that the U.S. was not a suitable comparison.
Moreover, it rejected arguments that this form of music streaming cannibalizes music sales, concluding that exposure to music through non-interactive and semi-interactive streaming may increase sales:
We are unconvinced that non-interactive and semi-interactive streaming cannibalizes sales of CDs or downloads. Though the Objectors' evidence and arguments in this respect are not without contradictions, we agree with them, for the reasons set out in paragraph 157 below, that non-interactive webcasting is similar to over-the-air radio. We find that neither over-the-air radio nor non-interactive webcasting is likely to cannibalize music sales; if anything, they are likely to stimulate them.
The same is true of semi-interactive webcasts. Pandora's American free and paying subscribers are about twice as likely to purchase CDs or downloads as are non-subscribers. Furthermore, while purchases by Pandora's subscribers are declining, the decline is not as steep as for non-subscribers.
The end result is tariff rates that the Board estimates would constitute between 4 and 5 percent of Pandora's Canadian revenues. By comparison, the board says Pandora pays about 50% of U.S. revenues as royalties. If these estimates are accurate, Canada could emerge as an attractive market for music streaming services.
If that is the good news, the bad news is that Re:Sound may well send the issue to federal court for review. Re:Sound lost on many of its points and ended with a tariff far below what it was seeking. No surprise then that its president is quoted as saying:
"We are disappointed that the rates certified by the Board do not reflect market rates in Canada and are a small fraction of the rates payable by the same services in the U.S."
Re:Sound says it is reviewing the decision and will have more information shortly.
The ugly in this decision is the incredible length of the decision-making process. Re:Sound started this process in March 2008 - more than six years ago. In the years that followed, it adjusted its demands as the market changed. The Board finally heard arguments and evidence over a ten day period in September and October 2012.
The decision therefore comes more than 18 months after that hearing. By virtually any standard - let alone an Internet one - this is an unacceptably long period of time to address an issue. The Supreme Court of Canada has a much bigger workload, yet releases its decisions far faster. Moreover, technology and the market move much faster than the board - consider that the iPhone launched in Canada in July 2008, months after the initial Re:Sound filing. The long delays created significant commercial uncertainty and likely led to delays in new services entering the Canadian market. As I argued earlier this month, the Copyright Board is broken and a serious digital strategy should commit to fixing it.
The European Court of Justice shook up the privacy and Internet world last week by ruling that European data protection law includes a right to be forgotten with respect to search engine results that are "inadequate, irrelevant or no longer relevant." As a result of the decision, search companies such as Google will be required to remove results from its index that meet this standard upon request.
My weekly technology law column (Toronto Star version, homepage version) notes that as people flock to remove content from the Google search index - reports indicate that the company began receiving removal requests within hours of the ruling - there remains considerable uncertainty about how to implement the decision, whether it will migrate to Canada, and if a new right to be forgotten will serve the cause of privacy protection or harm free speech and access to information.
The decision arises from a 2010 complaint by a Spanish man who was upset to find that searching his name in Google yielded links to a 1998 announcement in a newspaper on a real estate auction designed to generate proceeds to pay back social security debts. The information was both factual and readily accessible online, yet the man felt that the now-outdated information was a violation of his privacy.
As the case made its way through the courts, several European countries waded into the issue. The Spanish and Italian governments sided with the confirmation of a right to be forgotten, while Austria, Greece, and Poland supported Google's position that it should not be required to remove lawful content from its search index.
In ruling against Google, the court reached two key conclusions.
First, it ruled that it could assert jurisdiction over the search giant, despite the fact that the processing of the data took place outside of Spain. That aspect of the decision should not have been particularly surprising, since most countries take the position that a real and substantial connection (Google has a Google.es site and actively markets its services in Spain) is sufficient to assert jurisdiction over an out-of-country entity. For example, Canada maintains that its privacy laws apply to organizations outside the country that collect, use or disclose personal information of Canadians.
Second, the court ruled that Google could be compelled to remove links to personal information that is "inadequate, irrelevant or no longer relevant." While the court suggests that this is akin to a right to be forgotten, it is really a right to digital obscurity since the actual content is not removed from the Internet.
Companies may be focused on the practical costs associated with content removal, but many already remove content if served with a valid court order, notification of defamation, or copyright infringement notice. Adding privacy removals may generate additional costs, but they do not raise significant technical challenges.
The legal challenges are far more troubling, however. First, the ruling vests enormous power and responsibility in the hands of search companies and other intermediaries. Rather than leaving difficult questions on the validity or harm of information to impartial courts, the ruling requires search engines to make the call. Given the potential for liability if they refuse to remove the links, the search engines will likely err on the side of removal.
Second, the ruling does not lead to the removal of the underlying content itself, which in many instances may be both legal and accurate. If there are concerns about third party content (no one doubts the right of an individual to delete content they posted themselves), surely there is a need to address that issue, rather than targeting intermediaries such as search engines.
Third, the Supreme Court of Canada recently ruled that the law must sometimes balance important rights such as privacy and freedom of expression. Yet the European ruling suggests that privacy trumps freedom of expression and the right to information. By eliminating the need for balance, the ruling shockingly undermines important speech rights in return for a bit of online obscurity.
The Canadian Competition Bureau has filed a submission to the CRTC's wholesale mobile wireless services review in which it reaffirmed its view that the Canadian wireless market is uncompetitive and would benefit from regulation. The Bureau finds that a more competitive market would deliver $1 billion annually in benefits to the Canadian economy:
incumbents appear to have the ability and incentive to profitably raise the rates they charge their retail competitors for wholesale roaming services, and potentially other wholesale arrangements, above competitive levels. The incumbents' wholesale customers may be passing these price increases on to retail customers. These retail price increases may be harming competition in retail mobile wireless services markets in Canada. In particular, more competitive markets could deliver approximately $1 billion in benefits to the Canadian economy.
The submission, which includes a commissioned study on the Canadian market, also concludes that:
In light of these findings, the Bureau recommends:
To achieve these significant gains, the CRTC should adopt measures to address the incentives for the incumbents to raise their retail competitors' wholesale prices. Appropriate measures may include the introduction of competitive safeguards or mandated wholesale access, or targeted spectrum allocations towards non-incumbent carriers in upcoming auctions, which the Bureau may address further as additional evidence develops in this proceeding.
Last year, some commentators suggested that the Competition Bureau consider whether there is a wireless competition concern in Canada. The views of Canada's independent agency responsible for ensuring "that Canadian businesses and consumers prosper in a competitive and innovative marketplace" are now on the record and are unequivocal. There is a wireless competition problem in Canada and regulation is needed to address it.
The Trans Pacific Partnership negotiations resume next week and while an agreement does not appear imminent, reports from Japan indicate that the copyright term issue may have been resolved. Japan and Canada are two of several TPP countries whose term of copyright protection is life of the author plus 50 years. According to the Japan News, those countries (which also include New Zealand, Malaysia, Vietnam, and Brunei) are prepared to cave to U.S. pressure to extend the term of copyright to life of the author plus 70 years:
Among the 12 countries, Japan, Canada and four other countries protect an author's copyright for 50 years after their death, the United States and four other countries for 70 years and Mexico for 100 years. Following the agreement, Japan will extend its duration by 20 years.
If true, the extension represents a major loss for Canada and runs counter to a government consultation that generated huge opposition on the issue. The extension in the term of copyright would mean no new works would enter the public domain in Canada until at least 2035 (assuming an agreement takes effect in 2015). Many important authors would be immediately affected since their works are scheduled to enter the public domain in the 2015 - 2035 period. These include Canadians such as Marshall McLuhan, Gabrielle Roy, Donald Creighton, and Glenn Gould as well as non-Canadians such as TS Eliot, John Steinbeck, JRR Tolkien, and Ayn Rand. Given the potential to make those works more readily accessible to new generations once they enter the public domain, extending the term of copyright as potentially required by the TPP would have a dramatic negative effect on access to Canadian literature and history.