2014-05-29

Earlier today, I appeared before the Standing Committee on Justice and
Human Rights to discuss my concerns with Bill C-13, the lawful
access/cyberbullying bill.  My opening statement focused exclusively on
privacy, pointing to problems with immunity for voluntary disclosure,
the low threshold for transmission data warrants, and the absence of
reporting and disclosure requirements.  I'll post a link to the
transcript once available.  In the meantime, I've posted my opening
statement below.

Appearance before the House of Commons Standing Committee on Justice and Human Rights, May 29, 2014

Good morning. My name is Michael Geist.  I am a law professor
at the University of Ottawa, where I hold the Canada Research Chair
in Internet and E-commerce Law. I have appeared many times before
committees on various digital policy issues, including privacy. I
appear today in a personal capacity representing only my own views.

As you may know, I have been critical of the lawful access bills
that have been introduced by both Liberal and Conservative
governments. I wish to emphasize, however, that criticism of lawful
access legislation does not mean opposition to ensuring our law
enforcement agencies have the tools they need to address crime in
the online environment.

As Ms. MacDonald can attest, when her organization launched Project
Cleanfeed Canada in 2006, I publicly supported the initiative that
targets online child pornography by working to establish a system
that protects children, safeguards free speech, and contains
effective oversight. In the context of Bill C-13, there is similar
work to be done to ensure that we do not unduly and unnecessarily
sacrifice our privacy in the name of fighting online harms. As Carol
Todd told this committee, "we should not have to choose between our
privacy and our safety."

Given the limited time, let me start by saying that I support prior
witness calls to split this bill so that cyber-bullying can be
effectively addressed and we can more effectively examine lawful
access. Moreover, I support calls for a comprehensive review of
privacy and surveillance in Canada. I'm happy to discuss these
issues further during questions, but I want to focus my time on the
privacy concerns associated with this bill. In doing so, I will
leave the cyber-bullying provisions to others to discuss.

With respect to privacy, I'm going to confine my remarks to three
issues: immunity for voluntary disclosure, the low threshold for
transmission data warrants, and the absence of reporting and
disclosure requirements.

Immunity for Voluntary Disclosure

First, the creation of an immunity provision for voluntary
disclosure of personal information. I believe that this immunity
provision must be viewed within the context of five facts:

1.    The law already allows intermediaries to
disclose personal information voluntarily as part of an
investigation.  This is the case both for PIPEDA and the
Criminal Code.

2.    Intermediaries disclose personal information on
a voluntary basis without a warrant with shocking frequency. The
recent revelation of 1.2 million requests to telecom companies for
customer information in 2011 affecting 750,000 user accounts
provides a hint of the privacy impact of voluntary disclosures.

3.    Disclosures involve more than just basic
subscriber information.  Indeed, this committee has heard
directly from law enforcement, where the RCMP noted that "currently
specific types of data such as transmission or tracking data may be
obtained through voluntary disclosure by a third party." In fact,
since PIPEDA is open-ended, content can also be disclosed
voluntarily so long as it does not involve an interception.

4.    Intermediaries do not notify users about their
disclosures, keeping hundreds of thousands of Canadians in the dark.
Contrary to discussion at this committee earlier this week, there is
no notification requirement within the bill to address this issue.

5.    This voluntary disclosure provision should be
viewed in concert with the lack of meaningful changes in Bill S-4,
that would collectively expand warrantless voluntary disclosure to
any organization.

Given this background, I would argue that the provision is a mistake
and should be removed. The provision unquestionably increases the
likelihood of voluntary disclosures at the very time that Canadians
are increasingly concerned with such activity.  Moreover, it
does so with no reporting requirements, oversight, or transparency.

For those that argue that it merely codifies existing law, there are
at least two notable changes, both of concern.  First, it
expands the scope of "public officer" to include the likes of CSEC,
CSIS, and other public officials.  In the post-Snowden
environment, with global concerns about the lack of accountability
for surveillance activities, this would run the risk of increasing
those activities.  Second, the Criminal Code currently includes
a requirement of good faith and reasonableness on the organization
voluntarily disclosing the information. This new provision does not
include those requirements, seemingly granting immunity even where
the disclosures are unreasonable.

In short, this provision is not needed to combat cyber-bullying nor
is it a provision in need of updating to combat cybercrime.  In
fact, it is inconsistent with the government's claims of court
oversight. It should be removed from the bill.

Low Threshold for Transmission Data Warrants

Second, Bill C-13 contains a troubling, lower "reason to suspect"
threshold for transmission data warrants. As many have noted, the
kind of information sought by transmission data warrants is more
commonly referred to as metadata. While some have tried to argue
that metadata is non-sensitive information, that is simply not the
case.

There has been some confusion at these hearings regarding how much
metadata is included as 'transmission data'. This is far more than
who phoned who for how long. It includes highly sensitive
information relating to computer-to-computer links, as even law
enforcement has explained before this committee.

This form of metadata may not contain the content of the message,
but its privacy import is very significant. Late last year, the
Supreme Court of Canada ruled in R. v. Vu on the privacy
importance of computer generated metadata, noting:


In the context of a criminal investigation, however, it can also
enable investigators to access intimate details about a user's
interests, habits, and identity, drawing on a record that the user
created unwittingly

Security officials have also commented on the importance of
metadata. General Michael Hayden, former director of the NSA and the
CIA, has stated "we kill people based on metadata." Stewart Baker,
former NSA General Counsel, has said "metadata absolutely tells you
everything about somebody's life. If you have enough metadata, you
don't really need content."

There are numerous studies that confirm Hayden and Baker's
comments.  For example, some studies point to calls to
religious organizations that allow for inferences of a person's
religion.  Calls to medical organizations can often allow for
inferences on medical conditions. In fact, a recent U.S. court brief
signed by some of the world's leading computer experts notes:

Telephony metadata reveals private and sensitive information about
people.

It can reveal political affiliation, religious practices, and
people's most intimate associations. It reveals who calls a suicide
prevention hotline and who calls their elected official; who calls
the local Tea Party office and who calls Planned Parenthood. The
aggregation of telephony metadata—about a single person over time,
about groups of people, or with other datasets—only intensifies the
sensitivity of the information

Further, the Privacy Commissioner of Canada has released a study on
the privacy implications of IP addresses, noting how they can be
used to develop a highly personal look at an individual.

Indeed, even the Justice ministers' report that seems to serve
as the policy basis for Bill C-13 recommends the creation of new
investigative tools in which "the level of safeguards increases with
the level of privacy interest involved."

Given the level of privacy interest with metadata, the approach in
Bill C-13 for transmission data warrants should be amended by
adopting the reasonable grounds to believe standard.

Transparency and Reporting

Third, the lack of transparency, disclosure, and reporting
requirements associated with warrantless disclosures must be
addressed.  This is an issue that combines PIPEDA and lawful access, but one
that is made worse by Bill C-13. The stunning revelations about
requests and disclosures of personal information - the majority
without court oversight or warrant - point to an enormously
troubling weakness in Canada's privacy laws.  Most Canadians
have no awareness of these disclosures and have been shocked to
learn how frequently they are used and that bills before Parliament
propose to expand their scope.  In my view, this makes victims
of us all - disclosure of our personal information often without our
awareness or explicit consent.

When asked for greater transparency - as we see in other countries -
Canada's telecom companies have claimed that government rules
prohibit it. I hope that the committee will amend the provisions
that make warrantless disclosures more likely in Canada. But even if
it doesn't, it should surely increase the level of transparency by
mandating subscriber notifications, record keeping of personal
information requests, and the regular release of transparency
reports.  These requirements could be added to Bill C-13 to
lessen the concern associated with voluntary warrantless
disclosures.  Moreover, regular reporting would not harm
investigative activities and would hold the promise of enhancing
public confidence in both our law enforcement and communications
providers.

I'd like to conclude by pointing to a personal incident involving
one of the committee members - Mr. Dechert - that highlights the
relevance of these issues.  Many will recall that several years
ago Mr. Dechert was the victim of a privacy breach, with personal
emails sent to journalists and widely reported in the media. The
incident ties together several issues I've discussed:

1.    Privacy interests arise even when you have
nothing to hide and have done nothing wrong.  The harm that
arose in that case - despite no wrongdoing - demonstrates the
potential victimization that can occur without proper privacy
safeguards.

2.    Much of that same information runs the risk of
voluntary disclosure. Indeed, the expansion of the public officer
definition means that political opponents could seek voluntary
disclosure of such information and obtain immunity in doing so.
Moreover, there is no notification in such instances.

3.    The content of the emails was largely
irrelevant.  The metadata - who was being called, when they
were called, where they were called and for how long - would allow
for the same inferences that were mistakenly made during that
incident. The privacy interest was in the metadata, which is why a
low threshold is inappropriate.

This kind of privacy harm can victimize anyone. We know that
information from at least 750,000 Canadian user accounts is
voluntarily disclosed every year.  It is why we need to ensure
that the law has appropriate safeguards against misuse of our
personal information and why C-13 should be amended. I'll stop there
and welcome your questions.
