The controversial U.S. Patriot Act was dealt a blow last month when District Court judge Victor Marrero of New York raised the constitutionality of a provision around the issuance of national security letters.
National security letters (NSL) compel Internet and telecom service providers to provide customer information to the FBI – in the name of fighting terrorism. In that same provision is a gag order that prohibits service providers from informing their customers that their data have been turned over to authorities.
Marrero’s ruling (pending a Department of Justice appeal on the decision) ordered the FBI and the DOJ to stop issuing NSLs “in light of the seriousness of the potential intrusion into the individual’s personal affairs.”
This constitutional debate is seemingly a domestic affair best kept within the boundaries of our southern cousins, but it’s not that simple.
While the FBI can only summon customer data from U.S. companies, it can essentially direct them to provide data from other subsidiaries of a US company, which include those located in other parts of the world. Simply put: your personal data may be crossing the border and ending up in the hands of Uncle Sam. And you may never, ever know about it.
Certain sectors in Canadian industry have chosen to present the issue for what it really is: a threat to Canadian privacy and sovereignty. Yet, there are those — perhaps those with U.S. ties and protecting business interests — who say, “It’s not going to happen.”
But it will, and it has. The FBI (and reportedly other federal agencies like the CIA) has been issuing NSLs, or limited versions of them, as early as 1978 long before U.S. lawmakers even imagined any need for a Patriot Act.
The Patriot Act, however, expanded the use of NSLs, and between 2003 and 2005, more than 140,000 NSLs were allegedly issued without showing probable cause or judicial approval. That’s according to a report by the U.S. Justice Department’s inspector general.
To dismiss the NSLs’ threat to personal privacy as something that will never happen is irresponsible, especially from entities that are custodians of personal information.
The reported abuses associated with the all-too-powerful provisions of the Patriot Act have gained too much prominence that it can no longer be swept under the rug. Nor should it be.
Transparency and privacy may often belong in the opposite sides of the scale, but in the debate surrounding cross-border data transfer, the latter is threatened without the former.
It is best to keep customers in the loop especially on issues pertaining to their personal data, as they are likely to be more forgiving of their service providers should things go sour in the end. By making lawful disclosure, or the possibility of it, part of discussions with customers, service providers are doing their due diligence.
Public Safety Canada has started discussions on the possibility of giving law enforcement units “timely access” to service providers’ subscriber information. The consultation document makes no mention of a need for court order when obtaining customer name and address information.
The specifics of this initiative is far from definite, but one thing is certain: if such legislation is passed, Canadian firms — with or without American ties — may get a sneek peek of what it’s like to operate a business with the Patriot Act looming over their heads.