The Supreme Court of Canada issued its ruling in R. v. Telus Communications Company, 2013 SCC 16, in which it was called upon to decide the extent to which important privacy protections offered for the interception of private communications should apply to advanced communications delivery mechanisms. Normally, a special interception warrant (called a Part VI authorization) is required before police are authorized to access private communications that have not yet occurred. In this case, however, the government argued it should be able to bypass the critical privacy protections found in Part VI because one company, TELUS, decides to temporarily store these as part of its message delivery process. The premise for this argument was that Part VI only protects against 'interceptions', and you cannot 'intercept' something that is not in motion, including TELUS' temporarily stored text messages. Therefore, the government can gain access to future messages that have not yet been sent, and no 'interception' occurs since the messages are taken from TELUS' stored databases.
The problem is that, while real-time voice was the predominant form of electronic communications in the late 70s when Part VI protections were enacted, many forms of electronic communications, including SMS and email, employ temporary storage as part of the delivery process. The question then arises: do we throw away a critical set of privacy protections just because private communications are being transmitted by new techniques? In our intervention in this case, we argued against an overly narrow definition of Part VI that would defeat its ultimate purpose -- the protection of private communications. Today's decision saw a 5-3 majority of the Supreme Court rejecting the argument that police can do what is effectively and practically the type of 'electronic conversation' that Part VI was intended to protect. Access to text messages that have not yet been sent normally requires Part VI authorization. Just because TELUS stores its messages for a short period of time as part of the delivery process does not mean Part VI can be ignored.
Data Privacy Day and its European counterpart, Data Protection Day, commemorates the signing of the world's first international treaty on data protection -- the Council of Europe's Convention 108. Data protection is rapidly becoming an international norm, as recent developments have brought the number of countries with data protection legislation to 89, globally. Additionally, 2012 saw an unprecedented commitment by lawmakers in one of the largest data markets -- the United States, a long-time adherence of a sectoral approach to privacy protection -- committing to the enactment of data protection laws. Our courts have similarly advanced the cause of privacy with landmark decisions that recognized the right to anonymity in judicial proceedings, a constitutional right to individual notification when police intercept communications in an emergency, and the right to privacy in our work computers. In addition, our Federal Privacy Commissioner released a sweeping (but yet to be enforced) Finding on the privacy practices of a youth-based social networking site, Nexopia. Finally, advances in transparency have helped us better understand how our information is being accessed by the government, as more organizations began publishing statistics on government access, and Google, who pioneered the transparency reporting model, has increased the scope of their own reports so that the public can better assess the nature of government requests.
At the same time, the challenges have never been greater with online surveillance legislation, long over-due updates to our federal privacy statutes (PIPEDA and the Privacy Act) still nowhere in sight, and legislative inititiatives that will allow our online service providers to hand over our data to litigants and copyright trolls alike -- all on the horizon. More after the jump.
UPDATE: These hearings will be live streamed beginning at 9:30 a.m. on January 22, 2012
CIPPIC has filed its intervention in two joint appeals before the Supreme Court of Canada: Chehil v. Her Majesty the Queen, S.C.C. File No. 34524 and MacKenzie v. Her Majesty the Queen, Supreme Court File No. 34397. These appeals call on our highest court to clarify the parameters of what constitutes a 'reasonable suspicion'. The reasonable suspicion standard forms the basis of an increasing panoply of state surveillance powers. The crown is seeking a 'reasonable suspicion' standard that effectively rubber stamps law enforcement 'intuition'. If adopted, courts will need to defer to law enforcement 'expertise' in assessing whether suspicions are reasonable. In addition, police will be able to systematically apply 'suspicious' profiles to mine data repositories and invade the privacy of many Canadians.
The cases under appeal involve sniffer dogs. Individuals were deemed 'suspicious' on the basis of a confluence of innocuous factors such as: travelling from known drug centres (Vancouver and Calgary, respectively), purchasing a last minute ticket (Chehil), travelling two kilometres above the speed limit (MacKenzie), checking just one bag on a flight (Chehil), appearing nervous (MacKenzie) and buying a plane ticket with cash (Chehil). The ultimate constituent elements of this standard will have far-reaching implications, as what is considered 'reasonably suspicious' will form the basis of many surveillance powers. Under Bill C-30 alone, if it passes, the government will be able to force service providers to hand over cell phone location data, traffic data (such as what websites you visit), and interaction data (such as who you speak to or who you interact with online) if they are able to convince a judge that they have 'reasonable suspicion'. For more, see http://cippic.ca/sniffer_dogs.
The Supreme Court of Canada has granted CIPPIC leave to intervene in R. v. Chehil & R. v. MacKenzie (SCC File Nos. 34524 & 34397, respectively), two now joint appeals in which the SCC that will examine the 'reasonable suspicion' standard in the context of sniffer dog searches. The 'reasonable suspicion' standard forms the basis for a rapidly increasing number of privacy-invasive state powers including several electronic surveillance powers currently being proposed by the Government in an attempt to increase its online spying capacities.
As stated in its motion for leave to intervene, CIPPIC intends to argue for a reasonable suspicion standard that cannot be marshalled in order to conduct mass surveillance of individual citizens. CIPPIC is particularly concerned that an overly permissive standard will be used to justify privacy infringements by means of a vast array of police-assisted tools. Many have noted this potential for sniffer dog judgements to be applied more broadly to other means of technological surveillance, most recently in the context of an upcoming Supreme Court of the United States hearing on sniffer dogs. For more information and resources, see CIPPIC's project page for this intervention: http://www.cippic.ca/sniffer_dogs.
Today, the Supreme Court of Canada will hear Telus Communications Company v. Her Majesty the Queen, SCC File No. 34252. The case will decide whether police will be permitted to bypass special privacy protections the Criminal Code provides against the interception of text messages. The argument is that because TELUS stores text messages passing through its system for the purpose of ensuring delivery, these messages are no longer 'in transit' and, hence, acquiring them is not an 'interception' and does not warrant the special Criminal Code protections in question.
In its intervention in this case, CIPPIC argues that courts should not let narrow interpretations of provisions defeat important protections offered to constitutional rights such as privacy. Such provisions should be interpreted in a flexible manner that accounts for evolutions in communications delivery mechanisms. Temporary storage is a natural feature of evolved communications mechanisms such as text messaging, Email, and other web-based interactions. Temporary storage of this nature, particularly when undertaken by communications intermediaries such as TELUS, is typically considered part and parcel of the communications process. Storage for the purpose of message delivery should, therefore, be considered part of the message delivery process. While this may not provide special protection for communications that is in storage and in control of the user (a voice message, for example, or archived email), it does provide protection for communications stored by communications companies solely as part of the delivery process.
CIPPIC has been granted leave to intervene before the Supreme Court of Canada in Telus Communications Company v. Her Majesty the Queen, SCC No. 34252. The case involves the application of the general warrant power in order to force TELUS to hand over text messages not yet in its possession. TELUS' appeal challenges the use of general warrants in a manner that effectively amounts to an 'interception' and bypasses the special protections provided for 'interceptions' in Part VI of the Criminal Code, while the government argued that, since TELUS stores text messages on its servers for a number of weeks, access to these messages should not be considered a 'real-time interception'.
In its motion for leave to intervene, CIPPIC argued that law enforcement should not be permitted to bypass important privacy safeguards designed to protect Canadian communications against unauthorized interception. The purpose of Part VI Criminal Code protections is to ensure that police co not leverage the mechanisms by which private communications are delivered to spy on Canadians unless there is strong reason to do so and other methods have been tried and have failed. Text messages are cached as part of the communications delivery process and caching, in general, is widely used in Internet transactions. If courts permitted superfluous caching to defeat the special protections provided against interception, it could have wide-ranging implications for the privacy of online interactions.
In a submission filed with the Senate Committee on Legal and Constitutional Affairs in May 2007 on Bill C-31, CIPPIC objected to the expansion of personal information used for secondary purposes without the consent of electors. Under the Act, Elections Canada is required to share names and addresses from the National Register of Electors with political parties for fundraising and other campaign purposes. Bill C-31 would have added date of birth to the lists of electors shared for these purposes. As a result of opposing to this proposal by the Privacy Commissioner of Canada and CIPPIC, sharing of date of birth was removed from the bill before it was passed by the House of Commons.
Privacy in domain name registration (CIRA & ICANN)
In response to planned outsourcing by the British Columbia government of certain database administrative duties to a U.S.-linked company, the British Columbia Privacy Commissioner invited public input by August 6, 2004 on the extent to which the USA Patriot Act allows US authorities to access the personal information of British Columbians, and the implications of such access for public body compliance with privacy legislation.
New information and communication technologies such as the Internet, email, cellphones, and encryption offer individuals new ways to communicate, organize, and engage in criminal behaviours, creating challenges for law enforcement agencies in their efforts to investigate and prosecute criminal activity. On the other hand, these same technologies provide authorities with access to potentially vast amounts of personal information on individuals.
Chehil/MacKenzie v. Her Majest the Queen, S.C.C. FIle Nos. 34524 & 34397
Telus Communications Company v. Her Majesty the Queen, S.C.C. File No. 34252
PIPEDA complaint that Canada.com's decision to outsource storage of customer emails to the United States failed to provide an adequate level of protection by exposing those emails to the risk of police access through invasive surveillance powers.
On February 14, 2012, the federal government once more introduced a legislative package of lawful access bills: Bill C-30, Protecting Children from Internet Predators Act.
Government reintroduces online spying legislation (Winter 2010)
CIPPIC joined a group of privacy experts comprised of academics and public interest organizations today in calling on the government to rethink a set of legislative proposals (innocuously dubbed 'lawful access') that threaten to seriously undermine online privacy. In doing so, the group of privacy experts have added their voices to the 46,000+ Canadians who have already signed an online petition, Charlie Angus and Jasbir Sandhu (NDP Privacy Spokesman and Public Safety Ciritic, respectively), the BC Civil Liberties Association, as well as to Canada's federal and provincial privacy Commissioners, collectively, all of whom have already stated grave concerns with respect to the proposed erosion of online privacy.
Presented as merely an application of existing powers to the evolved technological landscape, in the words of Canada's Privacy Commissioners, "it would be misleading to suggest that these bills will simply maintain capacity." In fact, as previously introduced, the legislation represents a serious increase of power that the privacy experts have referred to as 'chilling' and, in addition there is the "everpresent threat of abuse." This type of expansion in surveillance power should only be undertaken with great care and where demonstrably necessary. Again, in the words of Canada's Privacy Commissioners, "at no time have Canadian authorities provided the public with any evidence or reasoning to suggest that CSIS or any other Canadian law enforcement agencies have been frustrated in the performance of their duties as a result of shortcomings attributable to current law, TSPs or the manner in which they operate."
In an open letter to the House of Commons Standing Committee on Access to Information, Privacy and Ethics, CIPPIC and a number of civil society organizations voice serious concerns with respect to Bill C-29, currently before the House and scheduled for second reading early next week. The Bill, ironically dubbed the 'Safeguarding Canadians' Personal Information Act', proposes a number of amendments to Canada's federal privacy protection statute, PIPEDA. Far from improving privacy, the Bill threatens to erode civil liberties in serious ways. Even where it attempts to improve privacy, it falls short by failing to provide any incentive for compliance.
The most troubling elements of the Bill pave the way to a dramatic expansion in the ways in which private businesses can be used in investigations against their own customers. While privacy should never be a bar to legitimate investigations of actual wrongs, the law provides mechanisms such as warrants, production orders, mandatory disclosure laws, and discovery processes that ensure investigations can occur with proper safeguards in place. This Bill essentially bypasses all of these safeguards by adding and expanding exceptions that permit organizations to simply give away their customer's information and includes elements evocative of the US PATRIOT Act and all the civil liberties violations that accompanied it.
Bills C-46 & C-47, collectively the 'lawful access' or 'online surveillance' legislation, introduced on June 18, 2009.
Public Safety Canada consultations on online surveillance legislation (Fall 2007)
On November 15, 2005, the federal government introduced Bill C-74, the Modernization of Investigative Techniques Act (MITA), "an act to compel all telephone and Internet companies to create and maintain infrastructures that are intercept capable and to provide access to basic subscriber contact information such as a name, address or telephone number." Note that this bill does not introduce new Production Orders, Preservation Orders, or other Criminal Code amendments that are described below as part of the broader package of "Lawful Access" proposals on which the government has been consulting.
Department of Justice consultations on electronic surveillance legislation, March 2005