John Lawford, lawyer and counsel for the Public Interest Advocacy Centre, a national non-profit organization that provides legal and research services on behalf of average and vulnerable consumers, particularly on issues involving the provision of important public services. John has been with PIAC since July 2003. The reports that he has researched and written involve national security, consumer privacy and a review of the consumer experience under the private sector data protection legislation. Before joining PIAC John was research counsel at a major national law firm specializing in medical legal research. He was also research director at another prominent Ottawa-based litigation firm. He also worked before that as special projects director and Web master for a legal database company, now known as Nexis Canada. John is active in the areas of electronic commerce, privacy, financial services and health laws from the consumers and civil liberty’s perspective. He has an undergraduate degree in English and a law degree from Queen’s University. John gives us the consumer and civil liberties perspective on the Canadian lawful access proposals.
I’m here to give you the left wing of this conversation. Obviously, from the title of my paper, Lawful Access = Aw(e)ful Access, the first sense is I don’t like this particular initiative that came around in 2002 and we beat it back. It’s come around again.
Aw(e)ful access is referring to the breathtaking scope of this. It is something that I think everyone should be concerned about.
The excuse for this particular initiative is that, we need to modernize the law, we need to intercept things like voice calls, get into people’s e-mail records, their Web surfing habits. That is true. But we must keep in mind that this came all of a sudden, in the wake of that awful incident in 2001, and as part of the excuse given for this particular project, due to terrorist concerns.
As Michael (Lawyer Michael Power was previous speaker) pointed out, it is very much sold as “an apple pie” situation rather than a simple clean-up of the legislation. And what difference does that make? It means that we can see situations where the rules are being infringed.
I’m going to concentrate today on discussing the new production orders under the proposed legislation and trying to explain to you why that matter.
First point I’d like to make is that these proposals suggest that we have changed. And how we changed? Well, apparently as Canadians we now expect less in terms of privacy than we used to.
In this regard, these are concerns that we have:
– Why a lower standard?
– What is a reasonable expectation of privacy under this regime?
– What are included in this particular order – transmission and tracking information?
– What are we going to end up with as an implementation of this new attitude?
– Who is gonna (going to) get access to the information once these have been provided?
– Who is going to oversee the overseers?
– Who is going to pay for all these?
The key production orders, which are suggested by the proposed legislation are: One, for tracking information, which deals with where you access certain electronic services that leave a record. So, if you’re on your cell-phone and your cell-phone beeps in every 3 seconds, or something, and gives your location to your cell-phone provider – that sort of information. Or when you use your bankcard, for example, with lawful access material, the last time I accessed the machine, they would know that.
The other one is transmission information and that information has to do with…when you send an e-mail, for example, you’ll see the headers of e-mails, they’ll have X sender and it goes through a number of different servers, and all that information is called transmission information. It also applies, of course, in the telecom world with lots more detail.
Usual standard for any sort of information interception in terms of telephony, usually, a wiretap standard, which is a reasonable belief that crime has been committed or will be.
These new production orders, again, we’ve been brought to a lower standard. It’s been suggested that – as in the case of the money laundering legislation, which was brought about a couple of years ago – that these changes are necessary, this lowering of standards is necessary in order to avoid a bigger problem.
The excuse given, in fact, we have now a highly technical society and that we will have difficulty intercepting these messages without a lower standard of access. I thought it was interesting that some of the speakers have spoken of the challenges of going from analog to digital. And we seem to survive at that time without lawful access proposals. Now, suddenly the spectrum of VoIP has made it very difficult.
This has led us to questioning whether we should have a lower standard on expectation of privacy for electronic interactions among Canadians, and that means – largely for average people – electronic mail and Web site browsing, and now I am seeing people sign up for VoIP services as well.
We haven’t seen a lot of evidence that Canadians expect less privacy in these areas. In fact, the only evidence that we are aware of at PIAC so far is from a national poll we conducted in preparing our report on national security and privacy. In that, the question that was asked was: Do you want the government to get a warrant before accessing your e-mail or looking at what Web pages you have visited? Eighty six per cent of Canadians responded with ‘Yes, we want them to get a warrant.’
Now it’s difficult to word that question such that, for example, ‘Would it be ok if there was a lower standard of reasonable suspicion?’ And so on and so forth. That is the only indication we have so far. And yet, to this point, all the government’s documents from the Department of Justice have suggested that average Canadians have a lower expectation of privacy in their e-mail and Web communications, than in their telephone conversations, which we find just contrary to the evidence that we do have.
The trouble with that…if you say that someone has a lesser expectation in certain elements of their communications and that is either passed into legislation or found by courts, the next situation that comes up… the courts would say or legislation would say, ‘you have no reasonable expectation of privacy in that area anymore. Therefore you couldn’t possibly have a reasonable expectation of privacy in this slightly changed situation.’ Eventually we come to the point where it’s unreasonable to have an expectation of privacy at all.
So, we think this attitude has come out…in particular in one of the cases in the Supreme Court of Canada… a case where there was a beeper put on a car and someone was tracked with this tracking device and it wasn’t a proper one, the courts said it was ok because there was minimal intrusion into someone’s privacy. The end justified the means, in effect.
The second was, a plane flying over someone’s house, it was probably a marijuana growing operation. And that, the court found, was a gathering of mundane information. In other words, the technology wasn’t very sophisticated and the information that was gathered wasn’t very interesting – heat profile of someone’s house.
The trouble is, those inputs that they’ve drawn from mundane information and the very minimal intrusion, when you put those two together what you get is a lot of suspicion. And what we are talking about here is going from suspicion to searching. So, we’re concerned that those two cases and the attitude that came out of them will wiggle down our privacy to the point where this sort of lawful access initiative can have some sort of intellectual precedent.
Now, what is tracking or transmission of information? We feel it’s hard to separate the two. The time and place that you are at – for example if you are found to be with a cell-phone because you have your cell-phone on in the middle of a field somewhere at three in the morning, and then it turns out, later on, the police wants to arrest everyone having an illegal rave concert somewhere out there. That is content. It tells them what you do…and all these suspicions come up over that. It’s not necessarily non-content.
What is the medium of the message with regards to tracking information transmission and the content of message? So it didn’t matter that I didn’t call anyone on my cell-phone. It didn’t matter that they didn’t have the words that I spoke because they knew I was there and when I was there.
Other problems are that the tracking information and the transmission information, especially, tells more actually about the person than the content, in some situations that occurred.
If you’re looking at someone’s Web browsing habits, it will reveal in lots of pages, not only Web sites visited but, often, the path you took to view that Web site. Which pages you looked at, for how long. These sorts of things show you more about the choices that these people make. It tells you more about who they are, what their outlook is on life. And that’s the core of privacy right there.
The proposals are suggesting that telecom service providers are required to provide information on their subscribers if the police come to them with certain information, as part of the preservation order. You’ve heard about these preservation orders where they can call up and say, ‘oh please, hold on to this database because we don’t want it to be erased, there is a problem.’
In that context, in the lawful access paper there is a tucked away area that says, we’re going to allow any police officer, whether through oral or written request, to ask for information by giving a person’s name, then ask for their logging information, they can ask for their dynamic IP address. Or if it’s the other way around, they know that person only by logging information and then go to the TSP and ask for that person’s name.
And that has no judicial control. The two orders I was speaking of before, the two production orders are judicial – you have to go to a judge and you say, ‘I have information that this person is doing something bad. Please give me the order to get more information on them.’
However, this subscriber info request can be made directly from a designated person, who can be a police officer or CSIS agent, and they have no particular oversight of this ability. It’s not limited to certain crimes. It’s not reported upon. There’s going to be no central logging of who makes these requests. That is real risky in our view because an officer can look up any Canadian. I’m not saying that’s likely to happen, but there are people who will use this ability to spy on folks for their own purpose.
In part 6 of the Criminal Code for wiretap, there’s a report that goes to Parliament. To date, the Justice Department has suggested they might do the same thing for lawful access request, but they haven’t guaranteed that. There’s no responsible body if complaints of improper access were posed. You could go to the privacy commissioner. You could go to the police complaints commissioner. But then the burden is on the complainant, rather than there being a burden on the institutions involved to report on what they are doing.
Finally, it is cost. Who is going pay for all of this surveillance, if you will? It’s going to be Canadians. It’s going to be us, whether we’re in our customer shoes or whether we’re in a citizen’s shoes.
But I guess our real concern is that, there’s not necessarily much in the accounting of this. If all the cost will be passed, as been said, to the telecom service providers, we won’t have a general accounting of how much that has been.
Already, the auditor general has complained about the amount of money spent on terrorism. And the lawful access cost will not be rolled into the general auditor’s report but will be hidden in the telecom providers’ budgets, and then will be passed on to consumers.
There will probably be some slippage of cost that telecom service providers will have to eat (bear). And that means in the end, long-term cost for them and less efficient business. Now, perhaps it is something that we need to do but we’ve got no way of knowing if it’s value for the money.