Government Must Stop Lawful Access 'Online Spying' Initiative

CIPPIC spearheaded an effort, joined by several privacy experts comprised of academics and public interest organizations, and calling on the government to rethink a set of legislative proposals (innocuously dubbed 'lawful access') that threaten to seriously undermine online privacy. In doing so, the group of privacy experts have added their voices to the 46,000+ Canadians who have already signed an online petition, Charlie Angus and Jasbir Sandhu (NDP Privacy Spokesman and Public Safety Ciritic, respectively), the BC Civil Liberties Association, as well as to Canada's federal and provincial privacy Commissioners, collectively, all of whom have already stated grave concerns with respect to the proposed erosion of online privacy.

Presented as merely an application of existing powers to the evolved technological landscape, in the words of Canada's Privacy Commissioners, "it would be misleading to suggest that these bills will simply maintain capacity." In fact, as previously introduced, the legislation represents a serious increase of power that the privacy experts have referred to as 'chilling' and, in addition there is the "ever present threat of abuse." This type of expansion in surveillance power should only be undertaken with great care and where demonstrably necessary. Again, in the words of Canada's Privacy Commissioners, "at no time have Canadian authorities provided the public with any evidence or reasoning to suggest that CSIS or any other Canadian law enforcement agencies have been frustrated in the performance of their duties as a result of shortcomings attributable to current law, TSPs or the manner in which they operate."

Currently, the legislation is to be reintroduced (apparently without serious revision) as part of an omnibus crime bill and rushed through Parliament with minimal debate. The joint letter is asking the government to sever the online surveillance components of the legislation so that they can receive careful study and consideration before Parliamentary committee. While much of the other pre-election legislation the government intends to include in the omnibus crime bill had been heard in committee, the lawful access legislation has yet to undergo such scrutiny.

The letter sets out a number of concerns. First, the manner in which private Internet companies are mobilized to spy on their own customers in this legislation is concerning. The legitimate role of these online companies is not to spy on their customers. Canadians should not have to treat their own service providers, their own cellular phones, with that type of suspicion. As a starting point, the laws, as last proposed, will effectively immunize these online intermediaries (companies like your ISP, your social networking site, your smartphone provider) from any liability for handing over your information to the police. This is coming at a time when online intermediaries are under increasing pressure to take on new public policy roles the better to police the activities of their customers.

Second, in a networked world, where all of our communications and even our activities occur 'online' and are often recorded by one or another of these Internet companies, the potential for ubiquitous surveillance is becoming a reality. This increase in potential for privacy invasion should be met with _greater_ privacy protections. Instead, this legislative mandate aims to make it easier for law enforcement to get your online data by allowing police to get information. For example, police will be able to force online companies to give up their customer's location information with only a 'mere suspicion' that this data will be helpful to an investigation. The assumption underlying the use of this lower standard is that location information is less 'private'. But location information can expose a lot about an individual and using customer's own telephones to spy on them should offend notions of privacy.

More troubling than 'mere suspicion' disclosures are warrantless 'upon request' disclosures that will force ISPs and mobile service providers to provide some specific items of data upon request, without prior judicial authorization, and even where police have _no_ reason to suspect that the information will be useful to an investigation at all. Specifically, ISPs and other telecommunications service providers will be forced to identify anonymous customers 'upon request'. Identity is the key to privacy in many online contexts, and wholesale access to cyber identities can subvert many important online activities. For example, if reintroduced as is, within the scope of powers granted under this legislation, law enforcement will be able to force ISPs to identify anonymous IP addresses on a political blog, or a whistle blowing site, all without reason to suspect any of this will help solve a crime. This can chill online speech and activity, with serious additional impact for privacy.

All of these new powers will be put in place with external oversight mechanisms that are ineffective at best and illusory at worst. The federal privacy Commissioner, for example, is given the mandate to track the use (and abuse) of these powers by federal entities such as the RCMP. But the legislation fails to grant her new auditing powers, or even new resources. With respect to municipal police, who are likely to be responsible for the majority of these requests, no oversight mandate is provided at all. Worse still, the legislation paves the way to gag orders that will prevent the private companies who are forced to comply with these various cooperative efforts from disclosing, in certain circumstances, that information has been disclosed and making it impossible for anyone to know their privacy has been invaded. Without even this basic rudimentary knowledge, how will people be able to challenge wrongful or abusive surveillance?


This page was last updated August 9, 2011

Tamir Israel, Staff Lawyer, CIPPIC