lawTechCamp reminds Lawful Access to consider the Charter: The Disclosure of Subscriber Information and Privacy Implications

Throughout last weekend’s second annual lawTechCamp, audience members interacted with each other using the Twitter hashtag #ltcto2012. While many participants chose not to hide their online identity behind a veil of anonymity, this possibility currently exists without privacy concerns. Sahar Zomorodi’s session, “Dissecting the term ‘lawful access’ in the proposed Online Surveillance Bill C-30,” illustrated Bill C-30’s privacy issues and its ability to pierce the anonymity veil by authorizing the disclosure of subscriber information, despite this practice arguably representing an infringement of Canadians’ right to privacy as defined by section 8 of the Charter of Rights of Freedoms.

The term “lawful access” is an investigative technique used by law enforcement agencies and involves intercepting communications and seizing information where authorized by law. Since 2005, the Canadian legislature has tabled numerous bills (C-74, C-46C-47, C-50C-51C-52) to address the issue of lawful access. Recently, Bill C-30, the Protecting Children from Internet Predators Act, has stirred the pot with regards to Public Safety Minister Vic Toews’ statements and numerous social media backlashes against the bill (e.g. #TellVicEverythingVikileaks and a video from cyber hacktivist group Anonymous).

Bill C-30 aims to enable lawful access to private communications. With substantially large estimated costs, Bill C-30 requires Telecommunication Service Providers (TSPs) to alter their networks to permit real-time surveillance. Although these costs may threaten small TSPs, Zomorodi’s session focused on the disclosure and possible invasive uses of subscriber information under Bill C-30.

Proponents of Bill C-30, such as Vic Toews and the Canadian Police Association, suggest the bill allows police the ability to respond more quickly and efficiently to criminal activity. Under sections 16 (written requests; no reasonable cause requirement) and 17 (oral requests; requires exceptional circumstances and reasonable cause) law enforcement agencies may require TSPs to disclose subscriber information. The subscriber information that may be obtained, without judicial authorization, includes: the subscriber’s name, address, telephone number, e-mail address, IP address, and local service provider identifier.

Provincial and federal privacy commissioners have critiqued Bill C-30, stating the disclosure of subscriber information goes far beyond the modern day equivalent of telephone book information  and infringes the privacy of Canadians. While dissecting the anatomy of lawful access phone records, Christopher Parsons maintains the telephone book analogy “obfuscate[s] the sheer amount of information contained in the records that authorities would collect.”

Parsons has illustrated how subscriber information assists invasive investigative tactics and can “de-anonymize a crowd.” One example, IMSI-catchers, allows authorities to catch International Mobile Subscriber Identities (IMSI) (unique identifications tied to each mobile device) and obtain the associated subscriber data from TSPs. While attendees at lawTechCamp are unlikely the target of IMSI-catchers, Michael Geist suggests law enforcement agencies could utilize this invasive tool to collect information from events such as the G20 protests or community events, such as Occupy Toronto.

The warrantless access to subscriber data is likely to be challenged as violating section 8 of the Charter. Section 8 entitles Canadians to a “reasonable expectation of privacy,” and protects a “biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state.”

As applicable to Bill C-30, the first step in a section 8 analysis is to objectively inquire into the reasonable expectation of privacy in regards to subscriber information. In R v Ballendine, the court commented on the unsettled state of the law in regards to customer-related information (para 74). Despite this, commentators such as Phillipa Lawson and Daphne Gilbert et al suggest there is an objective reasonable expectation of privacy in subscriber information, since the disclosed data can create a biographical core of information. Given the invasive investigative tactics associated with the disclosure of subscriber information, conceivably, individuals have tremendous privacy interests in subscriber data and its disclosure.

Accepting that the disclosure of subscriber information would infringe an individual’s right to privacy under section 8 of the Charter, Bill C-30 may be saved if it meets the Oakes test, and constitutes a “reasonable limit prescribed by law as can be demonstrably justified in a free and democratic society.”

The Oakes analysis’ first step requires the legislation’s objective to be related to pressing and substantial concerns. Section 3 of Bill C-30 expresses its objective as requiring “TSPs to provide subscriber and other information, without unreasonably impairing the privacy of individuals…” However, 95% of current requests for subscriber information are already met on a voluntary basis, suggesting the objective requiring TSPs to provide subscriber information is not a pressing and substantial concern. Arguably, this demonstrates Bill C-30 is simply a mechanism to facilitate police investigation while contradicting the express objective to not unreasonably impair the privacy of individuals.

Additionally, Bill C-30 is unlikely to satisfy the second requirement of the proportionality step of the Oakes test: minimal impairment. In regards to subscriber information, Bill C-30 removes the requirement for reasonable cause and judicial authorization. This approach is a divergence from the Criminal Code’s requirements for search warrants (s. 487(1)) and production orders (s, 487.012(1)). Further issues include: no limit to the number of simultaneous requests, request power is not limited to serious crimes, no possibility for the individual to challenge the request, and Bill C-30’s gag order. As for overall proportionality under the Oakes test, Lawson expresses that the legislative authority for law enforcement agencies to pierce the anonymity veil without reasonable cause or judicial authorization “strikes at the heart of free speech and is antithetical to democracy.” Subsequently, Bill C-30’s warrantless disclosure of subscriber information likely infringes Canadians’ right to privacy and cannot be saved by the Oakes test.

Simply put, the disclosure of subscriber information under the proposed Bill C-30 is fraught with privacy concerns. Despite recent assertions that Bill C-30 is dead, Toews maintains “the matter will be referred to parliamentary committee.” Given that Toews recently allocated $2.1 million to “advance lawful access legislation and regulatory initiatives,” it will be interesting to see whether Bill C-30, or its “lawful access” successor, is amended to address the privacy concerns regarding the disclosure of subscriber information.

 

Adam Jacobs is a JD candidate at Western University, Faculty of Law. The author would like to thank Lisa Di Valentino, Marisa Coggin and Tamara Zdravkovic for their contributions to “Bill C-30: Lawful Access,” a presentation given by the author and the aforementioned for Western Law’s “Media Law” course in the spring of 2012.