Over the last few months, Canadians have been presented with the sobering news of breaches of privacy committed on a massive scale. The revelation of over one million requests to telecommunications providers for subscriber records must provoke scrutiny of this government’s treatment of privacy. Scholars and privacy organizations are concerned that our government’s current legislative program will only make such breaches easier to carry out.
Currently, there are two bills under discussion in Parliament. Bill C-13 (Protecting Canadians from Online Crime Act) is before the Standing Committee on Justice and Human Rights; it offers incentives for disclosure of subscriber data by providing immunity to any telecommunications company that voluntarily supplies information when requested by law enforcement agencies. Bill S-4 (Digital Privacy Act) has arrived at the Senate chambers and extends that offer of immunity to any private organization that claims to be investigating a breach of contract, or a possible breach of contract.
After his participation in discussion of C-13 with the Standing Committee on 29 May 2014, Michael Geist posted his thoughts about the meeting itself, alerting Canadians to the spectacle of a bill so intertwined with privacy, moving forward without the involvement of a single privacy commissioner. Furthermore, “… leading privacy groups such as the Canadian Civil Liberties Association, the British Columbia Civil Liberties Association, and CIPPIC have all been told that there is unlikely to be spots for them at committee. … .”
Canadians may wish to know who has been permitted to speak to the Standing Committee so far. According to the records available to date, the Standing Committee began discussion of C-13 on 1 May 2014 and has had six meetings so far, with one more meeting confirmed for 3 June 2014.
The first meeting was entirely given over to Peter MacKay (Minister of Justice and Attorney General of Canada) and members of his department. Through the next five meetings, law enforcement officials and families of victims were each allocated one meeting. In the remaining three meetings, the following organizations were involved: Boys and Girls Clubs of Canada, Canadian Association of University Teachers, Canadian Bar Association, Canadian Centre for Child Protection, Criminal Lawyers Association, Kids Internet Safety Alliance, and Office of the Federal Ombudsman for Victims of Crime. Interspersed among these organizations were four individuals: David Fraser, Gregory Gilhooly, Steph Guthrie and Michael Geist.
With this weighting of participants, one might have expected testimony to be resoundingly in favour of the government’s proposals. Yet the second meeting defied that expectation. The transcript for 6 May 2014 makes for interesting reading.
The witnesses of the day were representatives of Boys and Girls Clubs of Canada, Steph Guthrie and David Fraser. Notably, both Guthrie and Fraser have devoted considerable effort to representing the interests of victims of cyber-assault. If the Committee expected unqualified approbation from all three parties, the MPs were quickly disabused of that notion. All witnesses gave comprehensive statements; each witness asked that attention be brought to bear on the privacy implications of the bill.
Fraser spoke first; immunity came in for conspicuous displeasure at the end of his prepared remarks:
I find this to be gravely problematic. I think it’s a very cleverly crafted provision. We’re told that this is simply for greater certainty, but it goes beyond that. Everything we know suggests otherwise.
It says that you will not be liable for handing over any data that you’re not prohibited by law from handing over, and if you do so you’re civilly immune. Now, only the criminal law and other regulations create prohibitions against handing over information, but you can hand over information when you’re not legally prohibited and still incur civil liability. Civil liability is there for a reason. I may not be legally prohibited from accidentally driving my car into yours, but if I do that, you’re entitled to damages from that. I should be paying for the harm that is caused.
If there were an immunity provision that said you could not sue me if I did something that was not legally prohibited, that would be squelched. That would go away. So this provision, I believe, should be removed. It can’t be fixed and will only encourage overreaching by law enforcement.
In conclusion, while we don’t have Bill S-4, the digital privacy act, in front of us, that fits together with the immunity provisions. I’m concerned that the two taken together will extend the amount of information not only available to law enforcement but will extend the information available to other civil litigants and others (emphasis mine).
Fahd Alhattab, an alumnus of Boys and Girls Clubs of Canada, added a plea with his request for protection of privacy:
Young people deserve to be protected from cyberbullying, but they also deserve to be protected and respected for their privacy. Now, we’re no experts on privacy, so our only recommendation on that is to encourage you to listen, obviously, to any concerns that are brought up, any considerations that are brought up, by the experts who are dealing with privacy, to make sure that we’re protecting youth from cyberbullying but we’re also protecting our children and youth and their privacy rights (emphasis mine).
On cue, Guthrie then drew attention back to the immunity offered for warrantless disclosure in C-13, noting that C-13 claims to bring scrutiny to the issue of consent in terms of cyberbullying, yet turns around and abandons consent in terms of privacy:
Perhaps most of Bill C-13 isn’t really about cybersexual assault, but I find it interesting that it violates some of the same privacy principles, such as freely given and specific consent. Most of us do not and would not give free and specific consent for the state to access any, and potentially all, of our data by way of our Internet service providers if we had any meaningful choice in the matter.
The consent we give is to our Internet service providers. If the police want our information because they suspect we are engaged in criminal activity, well, most of us would assume that is what search warrants are for. Bill C-13 enshrines the idea of transferable consent in law, immunizing anyone who shares our information and violates our privacy without adequate legal justification for doing so (emphasis mine).
While obviously different in many ways, the limitations on personal freedom imposed by Bill C-13 bear some striking similarities to those imposed by cybersexual assault. The state could be following us into our job interviews, on our first dates, or to the laundromat. The bill’s provisions will restrict Canadians’ ability to live life normally and comfortably because they are constantly living with the idea that the state, when they encounter it, may know intimate things about them that they didn’t consent to share. Even if they know they have done nothing wrong, they must still deal with the judgments, misperceptions, and intrusions of the state.
In the question and answer period that followed, a concerted effort by MP Bob Dechert to push Fraser into agreeing that immunity was necessary to combat the harms that have been inflicted on past victims came to naught. Dechert posed the hypothetical situation of a young woman about to be victimized by widespread dissemination of a personal photograph, prompting a request from the police that an ISP help identify the offender; Dechert asked if Fraser would advise the ISP to disclose the data:
Mr. David Fraser: In this scenario—again, I can only speak for myself—I believe there is a real harm attached to the dissemination of these sorts of images. I’ve seen first-hand the harm that they can do to a young person, and I’ve seen what they can do to an adult. My inclination would be to provide that information. That would be my impulse. I would know there might be possibly some risk in doing that, but for me, given the severity of what’s going on, this is a non-trivial matter, and my inclination would be to hand over that information.
Mr. Bob Dechert: In that circumstance, you would agree that the ISP provider should not bear any civil liability if it turns out that they were incorrect; there was no crime committed or about to be committed.
Mr. David Fraser: I wouldn’t grant them immunity.
Mr. Bob Dechert: You wouldn’t grant them immunity.
Mr. David Fraser: No. I would say that they acted in good faith and they wouldn’t be liable, but I wouldn’t grant them immunity.
Mr. Bob Dechert: That would expose them to a lawsuit, would it not?
Mr. David Fraser: Certainly. Walking down the street exposes one to a lawsuit. There is a difference between not being liable and having immunity. Immunity is a blanket, saying that no matter what you do, nobody can raise an issue.
Immunity, of course, is only part of the problem of C-13.
There are significant concerns about the widening of data to be collected. What is benignly referred to as transmission data is not as innocuous as it sounds, despite the assurance of Minister MacKay at the first meeting on 1 May 2014:
… the definition of transmission is narrowly defined and captures only data that relates to the act of telecommunication. The definition of transmission data is the modern equivalent of phone-call information, not what is actually contained in the conversation, and these proposals are meant to ensure consistent treatment of similar information.
Such language is, intentionally or otherwise, misleading. Turning again to Fraser’s opening remarks, he is explicit as to what transmission data entails:
With conventional telephony, transmission data refers to the number called from, the number called to, whether the call was connected, and how long that call lasted. In the Internet context, the amount of information that’s included in the kind of out-of-band signalling information and what it reveals is dramatically different. It would include the IP address of the originating computer, the destination computer, information about the browser that’s being used, information about the computer that’s being used, information about the URL, the address being accessed, which can actually disclose content, even though the definition of transmission data is intended to exclude that.
It will also tell you what kind of communications are being done. Is it an e-mail communication? Is it an instant message? Is it peer-to-peer file sharing or otherwise? So it provides much more insight into actually what is going on than just phone number information. An interception of transmission data would tell law enforcement agencies whether the target of surveillance was visiting a search engine, an encyclopedia site, a poker site, or a medical site. Furthermore, the data would provide greater insight into the likely physical location of the surveillance target. This is a dramatic expansion of the information that’s provided and available, compared to traditional telephone communications.
As anybody in this room knows, I expect, the way we use computers today is dramatically different from the way we used telephones 15 years ago. We use them as spellcheckers. We use them to find out facts. We use them for a much wider range of activities. With the disclosure of greater information through these transmission data orders, you’re revealing much more about an individual. Even though the definition excludes content, just the transmission data tells you a lot more about really what’s going on.
Geist raises what is perhaps the most perplexing aspect of the proceedings in “Why has the Canadian government given up on protecting our privacy?”, published by the Toronto Star on 30 May 2014. He notes: “… conservative government policies are often consistent with civil libertarian views that abhor public intrusion into the private lives of its citizens.” Our Prime Minister has shown great zeal in protecting privacy in the past. A look back follows in privacy in Canada – part two.