The David Asper Centre for Constitutional Rights held a panel today on bills C-46 and C-47, which were introduced into the House of Commons in the last session and would have made it easier for police to get access to ISP subscriber data. The panelists were Prof. David Murakami Wood (Queens), Prof. Lisa Austin (UofT), and Robert Hubbard (Crown Law Office – Criminal). The panel was moderated by Graeme Norton (CCLA).
Graeme Norton began with a quick overview of the relevant changes in the two bills. Bill C-46 would grant three powers to the police: an order requiring an ISP to preserve data (including usage and location where applicable) on a subscriber; an order requiring the ISP to turn over the data; access to real time usage data. It is important that the first two orders would be available on reasonable suspicion rather than the higher standard of reasonable and probable grounds. Bill C-47 would allow the police to obtain subscriber information (including name, phone number, address, IP address, mobile phone identifiers) from a telecommunications provider without a warrant.
David Wood views the bills as part of a larger movement to expand the definition of lawful access and determine who has control over data about individuals. We should think about the effect of our policy choices on other jurisdictions (where one country goes, others follow). He then considered regimes being put in place in other countries, placing particular emphasis where these measures were forced through despite significant opposition.
In the EU, the European Parliament is considering mandating that telecommunications companies retain traffic data (source, destination, date, duration, type) for all subscribers. The measure is being defended as necessary for security, but was raised as a commercial regulation issue. In the EU, security bills must be passed unanimously while commercial regulation bills need only a simple majority. The bill is opposed by Germany and Sweden. In Sweden itself, the police have warrantless access to international phone calls, faxes, and emails. Contrary to Swedish practice (bills are worked until there is consensus) this bill was pushed through on a slight majority (141-138, I beleive). In the UK, the government already has access to a large amount of data on its citizens. It is currently promoting a bill that will grant police access to social networking and online gaming data (at significant costs). 40% of UK citizens consulted were totally opposed (more were moderately or slightly opposed). Brazil has placed monitoring provisions inside omnibus bills intending to combat child pornography, cyber warfare, and cyber crime.
In Canada, the government points to all these developments as support for its policies. It says the measures are needed to comply with international obligations and to compete globally. Norton concluded by stating that this will lead to a chilling effect (citizens will be nervous about legal activities online) and there is a fine line between that and overt censorship. Lawful access silences debate and turns the Internet into just another broadcast channel like television.
Robert Hubbard disagreed with Norton. The legislation is no different from any other criminal legislation that touches on the privacy interest. With only one exception, the legislation requires a warrant. This is the approach taken by all other similar laws. Further, the trends globally are relevant because s. 1 of the Charter requires us to have regard to other free and democratic societies. Canada is actually far behind the curve in tackling this issue. The US and Australia, for example, have had lawful access legislation for over a decade. The United States has spent 15 years requiring telecommunications companies to create the infrastructure to provide access. Canadian companies usually follow the same procedures and use the same technology as American companies and now have all the infrastructure necessary. Canada is just recognizing that fact. Canada is out of step with international expectations, modern technology, and modern society. This legislation fixes that and all it says is go to a judge and get an order for the information.
Lisa Austin took a middle ground between the above positions. Austin said the issue is justification. The Privacy Commissioner has stated that nobody has even attempted to demonstrate that the current system does not meet the needs of law enforcement. There is no need for the increased powers, but this type of legislation keeps getting introduced, why? It used to be about terrorism, then about child pornography, but it is far too broad to really be about addressing these extraordinary crimes. What bothers Austin is the increasing collaboration between public and private actors to track citizens. So much of our daily activities are mediated by these communications companies, they have the ability to track our every move. The legislation is justified in part by the fact that courts already allow the police access to much of this information. However, the reasoning is problematic. The current trend is to justify it based on user agreements which contain provisions allowing the service providers to turn over the information. This is not right: nobody reads those agreements and the terms are non-negotiable. The options to stay offline and not have a telephone are not real options. Should our constitutional rights really be trumped by provisions inserted into contracts by commercial entities looking to avoid liability?
I largely agree with Professor Austin (and not just because she will be grading my essays). I do think that some legislation is necessary. There is a slight inconsistency in arguing that the legislation is not necessary under current law and also that the current law is wrong (though the two points may not actually be connected in Austin’s argument). I have serious misgivings about the contractual argument that is being used to justify handing over this information. Like every Canadian who has ever signed a cell phone contract, I know the terrible frustration and powerlessness one feels when presented with these contracts. The Charter should not be overcome merely by a corporation inserting a provision allowing the government to violate it. But at the same time, the police do need access in these cases. There merely needs to be limits, oversight, and accountability.
People have fought against national ID cards and mandatory fingerprinting for years. This is no different. Absolutely everything you do online has your IP address or email attached to it, but you can be anonymous because it is generally difficult to connect an individual to those piece of information. Any one of the pieces of subscriber information (name, phone, email, IP, etc) is not very revealing, but the fact that they all represent a single person is extremely revealing. It’s not too much to ask that in the majority of cases where time is not an issue the police should have to go to court to get this information (and then leave a loophole for emergencies).