Posts Tagged ‘surveillance’

Canadian ISP terms of service override privacy rights

19 March 2009

Michael Geist has reviewed a couple of recent cases here in Canada (including one I wrote about last month) with implications for the privacy of your online activity. His conclusion: As far as the courts are concerned, your ISP’s terms of service override your privacy rights. When you signed up for Internet service, you agreed to let your provider decide whether to hand over your personal information to the cops without a warrant.

These decisions place the spotlight on the fact that customer privacy on the Internet is not guaranteed by national privacy law. Rather, the law actually leaves the disclosure decision in the hands of the organization that has collected the information, which can choose whether to turn over personal information in certain circumstances without a warrant.

Moreover, most Internet-focused organizations such as ISPs have drafted user agreements in which their customers have consented to such disclosure policies. These cases confirm that courts will typically enforce user agreements regardless of whether subscribers have taken the time to read them.

While most companies are reluctant to publicize their disclosure practices, according to government documents recently obtained under the Access to Information Act, the RCMP estimates that 30 percent of Canadian organizations do not reveal personal information to law enforcement without a warrant.

The RCMP estimates did not include specific data on ISPs, but their estimates are borne out by current practices. Bell and Rogers chose to reveal customer information in the Wilson and Vasic cases; however, not all Canadian ISPs would have followed suit. For example, in Atlantic Canada, Bell Aliant requires law enforcement to obtain a warrant in all non-emergency situations.

Privacy hint: If you use Tor, your online activity will be anonymous, even to your ISP, which can see that you are connecting to the Tor network but not which sites you visit. For other tips on how to protect your privacy when using information technology, check out the Electronic Frontier Foundation’s Surveillance Self-Defense Project.

Ontario court says your online activity is not private

14 February 2009

An Ontario superior court has ruled that there is no reasonable expectation of privacy to subscriber information. If cops have your IP address, the judge says, they don’t need a warrant to get your name and physical address from your ISP.

Not surprisingly, the judge’s ruling is based on a faulty understanding of how the Internet works:

Judge Leitch accepted the arguments of Crown attorney Elizabeth Maguire that the information is similar to what is in a phone book.

“One’s name and address or the name and address of your spouse are not biographical information one expects would be kept private from the state,” Judge Leitch said.

But an IP address is not biographical information. It doesn’t identify me, it identifies my computer on a network. It’s also visible to every website I visit — and the sites I visit, like the books I check out of the library, should be kept private from the state (in the absence of a warrant). Why? Because they reveal a lot of personal information about me, including some information that I would consider no one’s business but mine. If an IP address were biographical information, that would mean you were giving your name and physical address to every website you visit … and I think most people would find that disturbing. Which means there is a reasonable expectation of privacy, quite literally: most people think, quite reasonably, that their online activities should be private.

I wonder how this decision will affect the Conservatives’ forthcoming lawful access bill.

Lawful access: everything old is new again

12 February 2009

Michael Geist reports that lawful access is back on the legislative agenda in Ottawa. And — surprise, surprise — both the Liberals and the Conservatives are backing it:

First, the Globe and Mail reports today that new Public Safety Minister Peter Van Loan has indicated that lawful access legislation is being prepared that will force ISPs to allow law enforcement to monitor Internet-based conversations. The power to compel will apparently be subject to court order. Second, Liberal MP Marlene Jennings has reintroduced her lawful access private member’s bill, called the Modernization of Investigative Techniques Act. The Jennings bill is a virtual copy of a failed Liberal lawful access bill that died in 2005.

In that Globe and Mail article, Peter Van Loan justifies the proposal as follows:

“If somebody’s engaging in illegal activities on the Internet, whether it be exploitation of children, distributing illegal child pornography, conducting some kind of fraud, simple things like getting username and address should be fairly standard, simple practice. We need to provide police with tools to be able to get that information so that they can carry out these investigations.”

Mr. Van Loan said there have been situations where the police want to act quickly to stop a crime, but can’t because of the current laws.

“In some of these cases, time is of the essence,” he said. “If you find a situation where a child is being exploited live online at that time — and that situation has arisen before — police services have had good co-operation with a lot of Internet service providers, but there are some that aren’t so co-operative.”

Sure. Remember all those cases where the cops were watching some evil pedophile abuse a helpless child live on the Internet, but those dastardly ISPs were refusing to help them out because they don’t care about poor innocent children, or something?

Oh, wait. The one time that happened, the ISP gave the cops what they needed and they arrested the guy two hours later.

The Conservatives say that their bill would require cops and spies to get a court order of some kind. But there are different kinds of court orders, and it’s not yet clear what sort of evidentiary standards will be required. One of the many objections to the original lawful access proposals, way back in 2002, was that the cops and spies wanted a very low standard of evidence, which would substantially reduce our freedom from search and seizure (section 8 of the Charter of Rights and Freedoms).

What? You don’t remember the lawful access proposals of 2002? Okay, then. Here’s a brief history of lawful access in Canada:

  • In the mid-1990s, cops and spies began lobbying Jean Chrétien’s Liberal government for increased powers of surveillance. They said they just couldn’t keep up with all this new-fangled technology and needed “lawful access” legislation to make up for it. Critics objected that the police proposals would entail a drastic expansion of the state’s power to spy on its citizens.
  • In 2002, the Liberals held a round of public consultations on lawful access. They encountered strong objections from the telcos, who hated the costs it would impose on them, and from civil society groups. The effort was postponed.
  • In 2005, there was a second round of consultations. This time, the Liberals tried a divide-and-conquer strategy: they met separately with the telcos to deal with their concerns and held a laughably short two-week consultation with the general public. After all, if you can get big business on your side, who cares what civil society thinks?
  • Following those consultations, the Liberals introduced the Modernization of Investigative Techniques Act, which contained less-controversial provisions like requiring telcos to make it technologically possible for cops and spies to intercept communications on their networks, and forcing them to give basic subscriber information to cops and spies without a warrant (as opposed to, say, requiring them to keep copies of actual communications for a period of time). Fortunately, the bill died when Paul Martin’s government fell.
  • In 2007, Liberal MP Marlene Jennings reintroduced the Modernization of Investigative Techniques Act as a private member’s bill. As usual with such bills, it went nowhere.
  • Later that year, the Conservatives launched a new consultation on lawful access — deliberately excluding the public from the process altogether. During the resulting controversy, Stockwell Day attempted to mollify public opposition by saying, “We have not and we will not be proposing legislation to grant police the power to get information from internet companies without a warrant.” Meanwhile, the National Post complains that words get in the way of saving children.
  • Now, in 2009, we’ve got a Conservative government giving the same old song and dance routine about pedophiles and ticking time bombs and technologically inept cops — and Marlene Jennings reintroducing her reintroduction of a failed Liberal bill from the Paul Martin era.

In short, successive Canadian governments have been trying to pass lawful access legislation for seven years. They’ve failed, partly because electoral politics got in the way, but also because civil society groups have strongly and consistently objected to unnecessary expansions of state surveillance powers. Fundamentally, though, the Liberals and Conservatives are in agreement on this issue — which means it’s only a matter of time before the cops and spies get their way, and we lose a little more of our freedom.

Quick note on Canada’s no-fly list

3 December 2006

I’ll be posting more about Passenger Protect, Canada’s nascent no-fly list, in the near future, but for now, here’s a CBC article suggesting that the cost of the system — estimated at $250 million — could keep it from being implemented. (The article is in French only, alas. Here’s a reasonably coherent English-language version, courtesy of Babelfish.)

National ID cards: just say no

9 September 2006

Last night, in the middle of a story on real estate fraud, CTV News inexplicably threw its support behind a national identity card. The segment claimed that such a card would ameliorate the risks of fraud and identity theft.

It’s not true. When it comes to real estate fraud, a national ID card offers no advantages over other identification documents. In fact, from a security standpoint, national ID cards are a singularly bad idea. Here’s why (and I’m getting this stuff from Bruce Schneier, so you can take his word for it):

  • ID cards can be forged, no matter how “unforgeable” they’re designed to be.
  • In order to get a real, official, government-issued ID card, you have to present other pieces of identification, which can be forged.
  • ID cards have to be checked — usually by human beings, who are error-prone and often poorly trained.
  • Finally, and most importantly, a national ID card would have to be backed up by a national ID database containing identifying information on everyone in the country. This database would need to be “widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.” It would contain data pulled together from all over the place, which means the data will be weird, inconsistent, and probably unreliable. Such a database would be a massive procedural and technological challenge (and that’s putting it mildly; Charlie Stross has convincingly argued that the UK’s plans for such a database could never work). It would also be a massive security risk: imagine what could happen if malicious hackers broke into the system and started messing with people’s records!

Schneier concludes, “That’s why, when someone asks me to rate the security of a national ID card on a scale of one to 10, I can’t give an answer. It doesn’t even belong on a scale.”

And yet the idea has been floating around in Canadian politics for a while now. It’s been on the table in national security discussions pretty much since September 11. Last February, Public Safety Minister Stockwell Day said that such a card is inevitable. I’d like to think the Canadian government will pay attention to security gurus like Bruce Schneier, learn from the debacle that Britain’s ID card scheme has become, and drop whatever plans it has to implement an ID card system of its own. But governments like to be seen to be doing something — especially when it comes to national security, which is the usual context for ID card proposals — and with major media outlets talking favorably and uncritically about the idea, I suspect Ottawa will be pushing ahead with an ID card scheme. So maybe it’s time to start thinking about how to oppose such a plan.