Thanks for having me, and thank you for this opportunity to speak before the committee regarding Bill C-13.
I'm Steve Anderson, the executive director of OpenMedia.ca. We're a community-based organization working to safeguard the open Internet.
As you may know, OpenMedia.ca works with many other groups to lead the Stop Online Spying campaign, which successfully convinced the government to shelve the lawful access legislation, Bill C-30. Nearly 150,000 Canadians took part in that campaign.
Last year we started the Protect Our Privacy coalition, which is the largest pro-privacy coalition in Canadian history, with over 50 organizations from across Canada.
You know you've hit on a common Canadian value when you have groups ranging from the Canadian Taxpayers Federation, the Council of Canadians, to small businesses, to labour unions, all joining forces on this issue of privacy. As it stands, we have a privacy deficit in Canada, and I'm afraid that Bill C-13 will only deepen that deficit.
I believe this privacy deficit is the result of a democratic deficit. If the government, including members of this committee, were listening to the concerns of Canadians, there is no way you would be paving the way for a range of authorities to have increased warrantless access to our sensitive private information.
To help bring the concerns of Canadians to this committee, I have crowd-sourced this presentation for you today. I asked Canadians online what they thought I should say, and I have done my best to incorporate their input into my presentation. I'll reference them from time to time.
I'll confine my presentation to the lawful access portion, as that is where Canadians have expressed the most concern and I think where I personally also have the most concern.
The Canadians I spoke to had three main concerns: first, immunity for activities that victimize innocent Canadians; second, accountability and oversight; and third, data security.
On immunity, which I'll talk about first, Bill C-13 in its current form provides communications companies that hand over sensitive information about innocent Canadians with absolute immunity from criminal and civil liability.
Recent revelations show that the government agencies made 1.2 million requests for customer data from telecom companies in only one year and that companies apparently complied with those voluntary requests most of the time. After learning of this, Canadians have been looking for more safeguards rather than weakening privacy safeguards.
At the moment, an unlimited swath of information can be accessed by a simple phone call to an Internet service provider. Government agencies don't even need to provide a written request, and we are told that some agencies even refuse to put their requests in writing to avoid a paper trail. This extrajudicial practice works, because there is a loophole that allows authorities to obtain voluntary warrantless access to law-abiding Canadians' sensitive information.
The disclosure immunity provided in Bill C-13 will make the privacy loophole even bigger by removing one of the few incentives for telecom companies to safeguard our data from warrantless disclosures.
Canadian citizen, Gord Tomlin, had this to say on the matter via Facebook:
If 'authorities' need information, they can get a warrant. It's not onerous, it's one of the checks and balances that is supposed to protect our system from abuse.
Danielle had this to say on the OpenMedia.ca website:
If accessing an individual's private information is not arbitrary but is justifiable, then a warrant can be obtained. Otherwise, it is expected that the law [will] protect us from privacy violations...
There were many more like that.
Providing telecom companies who engage in extrajudicial disclosure of Canadians' sensitive information is encouraging moral hazard. It's encouraging reckless and irresponsible behaviour.
I'll now move on to accountability and oversight.
Canadians find it troubling that Bill C-13 makes little effort to keep government agencies transparent and accountable. Most shockingly, there is no requirement that officials notify those innocent Canadians who have had their data stored in government databases. The lack of knowledge and consent by those victimized through surveillance and warrantless disclosure is frustrating to many Canadians.
As one Canadian put it:
I would like to see a requirement that persons whose data has been accessed, be informed of this fact and that there be a major penalty...if there is a failure to comply with this requirement.
The proposed lowering of the “reason to suspect” threshold for transition data warrants is also of concern to Canadians. We're talking about the collection of data—and let's be clear about this—that can reveal political and religious affiliations, medical conditions, the types of activities we engage in online and offline, and whom we socialize with. This is incredibly invasive stuff.
On the topic of accountability, several people also highlighted the costs associated with these data transfers and that they would have to pay for them, and that it would limit our digital economy.
On data security concerns, many Canadians are concerned with how secure data will be once authorities expand their collection through the measures in Bill C-13.
Given recent breaches at federal offices—the CRA and student loans, for example—many Canadians question if we can trust government authorities to properly protect their data from cybercriminals and identity thieves.
One person online said: The federal government, and indeed the vague category of 'public officials,' has a poor track record of protecting private information already. It's common occurrence in the Canadian news environment to hear about some government agency or officials losing the confidential information of Canadians such as last March's revelation the government had lost the student loan information of nearly 600,000 Canadians. Broadening the powers of officials to access this information only increases the danger that confidential information will end up in the wrong hands.
Bill C-13 also problematically expands the bureaucrats and agencies that can access our private information, including CSEC and CSIS, which are currently facing their own crisis of accountability, given the recent Snowden disclosures. I fail to see how that is connected to cyberbullying at all.
Bill C-13 does not, in its current form, provide effective measures to increase transparency, accountability, or reporting on warrantless access to private data.
In sum, I recommend that this committee remove the telecom immunity and weakening warrant standards, while adding new reporting and accountability measures to this bill.
I also want to join the growing numbers calling for you to split the bill up so that we can move on the cyberbullying portion, which I think there is growing consensus around, minus some reforms, and have a proper debate on lawful access.
As one person put it, “Any expansion of government powers needs to be linked to a compelling societal need.”
The lawful access section is not connected to cyberbullying. I don't think that connection has been made for Canadians in nearly enough detail.
I also think it's worth repeating what Carol Todd, the mother of cyberbullying victim Amanda Todd, told this committee. She said:
I don't want to see our children victimized again by losing privacy rights. I am troubled by some of these provisions condoning the sharing of the privacy information of Canadians without proper legal process.
I think both those on the front lines of law enforcement and Canadians want authorities to have the tools tailored to bringing a variety of criminals to justice. What this bill does at the moment is unnecessarily combine some of those tools with unpopular mechanisms that encourage mass disclosure of sensitive information.
I implore the committee to consider that just one database, the RCMP's Canadian Police Information Centre, has sensitive data on more than 420,000 Canadians. These people have no criminal record of any kind. Many have their information stored due to simply having suffered a mental health issue.
I'd also consider that a Canadian named Diane is one of more than 200 Canadians who recently came forward to say that their personal or professional lives have been ruined despite never having broken the law. Why? Because information about them has been wrongfully disclosed to third parties—in Diane's case, her employer.
Now consider the fact that in recent years federal government agencies alone have seen over 3,000 breaches of highly sensitive private information of Canadians. Consider also that this has affected an estimated 750,000 people.
In Diane's case, she was the victim of a false accusation, which was withdrawn years ago, yet it continues to affect her career. Diane's response after being victimized by this privacy intrusion and having her professional life unfairly curtailed was, unsurprisingly, disbelief, shock, and anger.
Now imagine that Diane was your family member or someone you know. You don't need to put them at risk like this. You can choose to split up the bill and make the necessary reforms whilst dealing with cyberbullying.
Why should Canadian victims be re-victimized by violations to their privacy? Why should those with mental health issues need to live in fear? They don't.
Canadians, including some of the government's biggest supporters, whom I'm working with closely on this matter, are wondering why the government is deepening our privacy deficit when other countries are beginning to rein in surveillance. They're wondering why you're mismanaging our data security.
In closing, as Jesse Kline wrote in the National Post last week, “When the Canadian public, parents of victims of cyberbullying, privacy commissioners and former cabinet ministers all voice serious concerns about a bill, it is a sure sign that something is wrong, and the government should listen.”