Telecommunications carriers in Ontario have another weapon to fight police who want broad access to customer data.
Superior Court Justice John Sproat ruled Thursday that an order Peel Regional Police got in 2014 compelling Rogers Communications and Telus Corp. to turn over records of anyone who used a cell phone near certain towers during a robbery was too broad and violated the Charter of Rights.
The order — which Peel police abandoned and instead got a much narrower order — would have required Rogers and Telus to produce personal data on over 40,000 subscribers plus their financial information, the judge noted when all the police were really interested in was information on anyone using a cellphone near one robbery location.
“I have no hesitation in finding that the production orders required went far beyond what was reasonably necessary to gather evidence concerning commission of the crimes under investigation,” the judge wrote.
An Ontario government spokesperson said the provincial attorney general is reviewing the decision, which could be appealed.
So-called tower dumps of data around the time of a crime is a useful investigative tool, the judge acknowledged, because criminals may cellphones to communicate in the course of their activities. But in this case Peel police sought subscriber banking and credit card information.
Rogers estimated it would have had to conduct 378 searches and retrieve approximately 200,000 records related to 34,000 subscribers to comply. Telus said it would have had to disclose the personal information of at least 9,000 individuals.
Cell phone tower data is not the words or text people use in a communications. So one of the issues in the case was whether such data is private. Yes, he said firmly. “I appreciate that cell phone data is not right up there with Wikileaks and Ashely Madison in terms of information likely to be hacked and published,” the judge wrote. But he added, it is information that Canadians certainly regard as private.
More importantly for wireless carriers the judge said that from now on Ontario police have to follow seven guidelines before a court can issue an order forcing them to hand over tower data. (see below)
David Watt, Rogers’ chief privacy office issued a statement praising the decision. “This is about protecting people’s privacy and the legitimate expectation people have that their records are private.
“In this case, the original request would have involved over 30,000 Rogers customers, virtually all of whom would have had nothing to do with the investigation. We thought that crossed the line and was too broad and intrusive.
“We went to Court because we wanted to ensure our customers’ privacy rights are protected and that there are ground rules for the scope of what law enforcement is able to request and access.
“At Rogers, we will only share customer information with law enforcement when required by law, or in emergencies after careful consideration of the request. For us, this request did not meet the test and we’re glad the Court agreed.”
The ruling applies only in Ontario, but courts in other provinces and territories are sure to notice it.
Justice Sproat said that to get a tower data production order police now will have to include in a request a statement that the officer is aware of the principles of minimal privacy intrusion; explains why all the named locations or cell towers and dates and times are relevant to the investigation; explains why all the types of records being sought from a carrier (such as bank or credit card information) are relevant; gives details that might help a carrier narrow a search and produce fewer records; request specific data, rather than underlying (or metadata); and if police want the metadata it has to be justified.