Thank you, Mr. Chair.
Good morning. As you heard, my name is Michael Geist. I'm a law professor at the University of Ottawa. I have appeared many times before committees on digital policy issues, including privacy, but I appear today in a personal capacity, representing only my own views.
As you may know, I've been critical of the lawful access bills that have been introduced by both Liberal and Conservative governments. But I want to start by emphasizing that criticism of lawful access legislation does not mean opposition to ensuring that law enforcement agencies have the tools they need to address crime in the online environment.
As Ms. McDonald can attest, when her organization launched Project Cleanfeed Canada in 2006 I publicly supported that initiative, which targets child pornography by working to establish a system that protects children, safeguards free speech, and contains effective oversight.
In the context of Bill C-13 there is similar work to be done to ensure that we do not unduly and unnecessarily sacrifice our privacy in the name of fighting online harms. As Ms. O'Sullivan just stated, there is a balance to be struck, and as Carol Todd told this committee, we should not have to choose between our privacy and our safety.
Given the limited time, let me start by saying that I support previous witnesses' calls to split this bill so that cyberbullying can be effectively addressed in the way that we have just heard and that we can more effectively examine lawful access. Moreover, I support the calls we've heard for a comprehensive review of privacy and surveillance in Canada.
I'm happy to discuss these issues further during questions, but I want to focus my time on the privacy concerns associated with this bill. In doing so, I'll leave the cyberbullying provisions for others, such as those we've just heard, to discuss.
With respect to privacy, I want to focus on three issues: the immunity for voluntary disclosure provision; the low threshold for transmission data warrants; and the absence of reporting and disclosure requirements.
First is the creation of an immunity provision for voluntary disclosure of personal information. I believe this immunity provision must be viewed within the context of five facts. Firstly, the law already allows intermediaries to disclose personal information voluntarily as part of an investigation. That's the case for both PIPEDA and the Criminal Code.
Secondly, intermediaries disclose personal information on a voluntary basis without a warrant with shocking frequency. The recent revelation of 1.2 million requests to telecom companies for customer information in 2011 alone, affecting at least 750,000 user accounts, provides a hint of the privacy impact of voluntary disclosures.
Thirdly, disclosures involve more than just basic subscriber information. Indeed, this committee has heard testimony directly from law enforcement, in which the RCMP noted:
Currently specific types of data such as transmission or tracking data may be obtained through voluntary disclosure by a third party....
In fact, since PIPEDA is so open-ended, content can also be disclosed voluntarily, so long as it does not involve an interception.
Fourthly, intermediaries do not notify users about their disclosures, keeping hundreds of thousands of Canadians in the dark. Contrary to some of the discussion we have heard, there is no notification requirement within the bill to address this issue.
Fifthly, this voluntary disclosure provision should also, I think, be viewed in concert with the lack of meaningful changes to Bill S-4, which would collectively expand the warrantless voluntary disclosure provisions to any organization.
Given this background, I would argue that the provision is a mistake and should be removed. It unquestionably increases the likelihood of voluntary disclosures at the very time that Canadians are increasingly concerned about such activity. Moreover, it does so with no reporting requirements, oversight, or transparency.
To those who argue that it merely codifies existing law, let me say that there are at least two notable changes, both of concern.
The first is that it expands the scope of “public officer” to include the likes of CSEC's and CSIS's employees and other public officials. In the post-Snowden environment, with global concerns about the lack of accountability for surveillance activities, this would run the risk of increasing those activities.
The second is that the Criminal Code currently includes a requirement of good faith and reasonableness on the part of the organization voluntarily disclosing the information. This new immunity provision does not include those requirements, potentially granting immunity even when disclosures are unreasonable.
In short, this provision isn't needed to combat cyberbullying; nor is it a provision in need of updating to combat cybercrime. In fact, I'd argue it is inconsistent with the government's claims of court oversight. I believe it should be removed from the bill.
The second issue I want to focus on is the low threshold for transmission data warrants. As you know, Bill C-13 contains a lower “reason to suspect” threshold for transmission data warrants, and as many have noted, the kind of information sought by transmission data warrants is more commonly referred to as metadata. Some have tried to argue that metadata is non-sensitive information, but that is simply not the case.
There has been some confusion at these hearings regarding how much metadata is included as transmission data. I want to state that this is far more than the question of who phoned whom for how long. It includes highly sensitive information relating to computer-to-computer links, as even law enforcement explained before this committee.
This form of metadata may not contain the content of the message, but its privacy import is very significant. Late last year, the Supreme Court of Canada ruled in R. v. Vu on the privacy importance of computer-generated metadata, noting:
In the context of a criminal investigation, however, it can also enable investigators to access intimate details about a user’s interests, habits, and identity, drawing on a record that the user created unwittingly....
Security officials have also commented on the importance of metadata.
General Michael Hayden, the former director of the NSA and of the CIA, has stated, “We kill people based on metadata.”
Stewart Baker, the former NSA general counsel, has stated:
Metadata absolutely tells you everything about somebody’s life. If you have enough metadata, you don’t really need content.
There are numerous studies that confirm Hayden's and Baker's comments. For example, some studies point to calls to religious organizations that allow for inferences about a person's religion, and calls to medical organizations that can allow for inferences on medical conditions. In fact, a recent U.S. court brief signed by some of the world's leading computer experts notes:
Telephony metadata reveals private and sensitive information about people. It can reveal political affiliation, religious practices, and people’s most intimate associations. It reveals who calls a suicide prevention hotline and who calls their elected official; who calls the local Tea Party office and who calls Planned Parenthood. The aggregation of telephony metadata—about a single person over time, about groups of people, or with other datasets—only intensifies the sensitivity of the information.
These are their comments—the comments of security experts in the area.
Further, the Privacy Commissioner of Canada has released a study on the privacy implications of IP addresses, noting how they can be used to develop a highly personal look at individuals.
Indeed, even the justice minister's report, which seems to serve as the policy basis for Bill C-13, recommends the creation of new investigative tools in which “the level of safeguards increases with the level of privacy interest involved”.
Given the level of privacy interest that is involved with metadata, the approach in Bill C-13 for transmission data warrants should be amended by adopting the “reasonable grounds to believe” standard.
My third issue is transparency in reporting. The lack of transparency, disclosure, and reporting requirements associated with warrantless disclosures should be addressed. This combines both PIPEDA and lawful access, but it is made worse by Bill C-13. The stunning revelations we have seen about requests and disclosures of personal information—the majority without court oversight or warrant—point to an enormously troubling weakness in Canada's privacy laws.
Most Canadians have had no awareness of these disclosures and have been shocked to see how frequently they are used. The bills before Parliament seek or propose to expand their scope. In my view, this makes victims of us all, through disclosure of our personal information often without our awareness or explicit consent. When asked for greater transparency, such as we see in other countries, Canada's telecom companies have claimed that government rules prohibit it.
I hope the committee will amend the provisions that make warrantless disclosures more likely. But even if it doesn't, it should surely increase the level of transparency by mandating subscriber notifications, record-keeping of personal information requests, and regular release of transparency reports. These requirements could be added to Bill C-13 to lessen the concern associated with voluntary warrantless disclosure. Moreover, such reporting would not harm investigative activities and would hold the promise of enhancing public confidence in both law enforcement and communications providers.
Finally, I'd like to conclude, with all respect, by pointing to a personal incident involving one of the committee members, Mr. Dechert, that highlights the relevance of these issues.
Many will recall that several years ago Mr. Dechert was himself the victim of a privacy breach, with personal emails that were sent to journalists and were then widely reported in the media. This incident ties together several issues, which I have tried to highlight.
First, privacy interests arise even when you have nothing to hide and when you have done nothing wrong. The harm that arose in that case, despite no wrongdoing, demonstrates the potential victimization that can occur without proper privacy safeguards.
Second, much of that same information runs the risk of voluntary disclosure. Indeed, the expansion of the police officer definition means that in theory even political opponents could seek voluntary disclosure of such information and obtain immunity in doing so. Moreover, there is no notification in such instances.
Third and perhaps most important, the content of the emails that were disclosed was largely irrelevant. It was the metadata—who was being called or contacted, when they were being contacted, where they were being contacted, and for how long—that would itself allow for the same inferences that were mistakenly made during that incident. The privacy interest was in the metadata, which is why a low threshold is so inappropriate.
This kind of privacy harm can victimize anyone. As I've mentioned, we know that at least 750,000 Canadian user accounts are voluntarily disclosed every year—one every 27 seconds. It's why we need to ensure that the law has appropriate safeguards against the misuse of our personal information and why Bill C-13 should be amended.