Thursday, October 25, 2007
National Post's views on lawful access
I wrote a piece last year called 7 reasons why warrants aren't needed in response to some of the discussion on police investigations and ISP cooperation and related matters.One of the questions raised last year had been "what laws need to be changed" and my posting carried a response from prosecutor David Butt that said the current laws were fine, if ISPs would cooperate.
Yesterday's National Post had an article that prominently featured my KINSA colleague, Paul Gillespie. The article suggests that a single legislative word change in PIPEDA - the Personal Information Protection and Electronic Documents Act - would rectify inconsistencies in ISP responses to police investigations. Just changing the word "may" to "shall" in Section 7(2) is said to be the magic bullet to aid investigations.
(2) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may, without the knowledge or consent of the individual, use personal information only ifSuch a change would impact the operational response from the telecom industry to police requests. Will the industry support it or fight it?
- in the course of its activities, the organization becomes aware of information that it has reasonable grounds to believe could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for the purpose of investigating that contravention; ...
Technorati Tags:
National Post, KINSA, pedophiles
Posted by Mark Goldberg @ 10/25/2007 07:53:00 AM 
Comments:
<< Home
This is a preposterously bad idea, and an oversimplification of the legal points involved.
First, we start off on the wrong foot by concluding that the word "may" makes s.7(3) about discretion. 7(3) lists a number of situations. Organizations "may only" disclose in those circumstances. The overall thrust of the section is to create limited expections allowing disclosure, not to create broad discretions.
There are some situations in s.7(3) where clearly there is no discretion ... like where disclosure is "required by law" or "to comply with a subpoena or warrant". Surely they're not suggesting that an organization can choose not to comply with a warrant, just because s.7(3) says they "may" disclose?
Of course, there is some discretion created. That's a good and necessary part of s.7(3). Some of the situations include "collecting a debt owed to the organization," or "information that is publicly available". Do we really want to say organizations shall disclose in those situations? What would that even mean?
That's by way of showing that the equation "may"="discretion" is a silly oversimplification of the point, and distracts from the real issue.
The real issue is what "lawful authority" means under s.7(3)(c.1). Paul Gillespie would, I guess, have you believe that every time the police ask for information, they have lawful authority even without a warrant. I don't think many Canadians would agree with that. On the other hand, some organizations interpret it to mean a warrant is required, and maybe that's too far in the other direction.
The point is, there's a lot of flexibility in those two words "lawful authority"--lots of potential for abuse of power on the one hand, and maybe some potential for interference in legitimate investigations, on the other hand. That's the part of the statute that needs to be fixed if this issue is going to be resolved.
And I'd be remiss if I didn't repeat what organizations have been saying all through this debate about lawful access ... which is, show us that there's actually a problem that needs to be fixed here. Warrants can be--and are--obtained in less than 24 hours when the need is that urgent. And if there's a risk to someone's life or safety , you don't even need a warrant, PIPEDA has a special exception for that. Why isn't that enough?
So far what I hear from Paul Gillespie et al is "It's the Internet, it moves fast" ... which really doesn't show that the current process isn't working. Or else I hear a lot about how warrants are inconvenient to the police ... which I'm sure they see as hampering investigations, but if it protects privacy of citizens, then it's a good form of inconvenience. Otherwise, we could just abandon warrants altogether and let the police do what they want unfettered.
I really haven't heard anyone tell of a case where someone was harmed or some other tragedy occurred because the police couldn't get a warrant in time. I think we--Mark Goldberg included--need take a much more critical look at what the police are saying here, before we presume there's a need to lower privacy protections.
Whatever the answer, it has nothing to do with the word "may". Even the government's response to the PIPEDA Report rejected that suggestion, in favour of clarifying "lawful authority".
First, we start off on the wrong foot by concluding that the word "may" makes s.7(3) about discretion. 7(3) lists a number of situations. Organizations "may only" disclose in those circumstances. The overall thrust of the section is to create limited expections allowing disclosure, not to create broad discretions.
There are some situations in s.7(3) where clearly there is no discretion ... like where disclosure is "required by law" or "to comply with a subpoena or warrant". Surely they're not suggesting that an organization can choose not to comply with a warrant, just because s.7(3) says they "may" disclose?
Of course, there is some discretion created. That's a good and necessary part of s.7(3). Some of the situations include "collecting a debt owed to the organization," or "information that is publicly available". Do we really want to say organizations shall disclose in those situations? What would that even mean?
That's by way of showing that the equation "may"="discretion" is a silly oversimplification of the point, and distracts from the real issue.
The real issue is what "lawful authority" means under s.7(3)(c.1). Paul Gillespie would, I guess, have you believe that every time the police ask for information, they have lawful authority even without a warrant. I don't think many Canadians would agree with that. On the other hand, some organizations interpret it to mean a warrant is required, and maybe that's too far in the other direction.
The point is, there's a lot of flexibility in those two words "lawful authority"--lots of potential for abuse of power on the one hand, and maybe some potential for interference in legitimate investigations, on the other hand. That's the part of the statute that needs to be fixed if this issue is going to be resolved.
And I'd be remiss if I didn't repeat what organizations have been saying all through this debate about lawful access ... which is, show us that there's actually a problem that needs to be fixed here. Warrants can be--and are--obtained in less than 24 hours when the need is that urgent. And if there's a risk to someone's life or safety , you don't even need a warrant, PIPEDA has a special exception for that. Why isn't that enough?
So far what I hear from Paul Gillespie et al is "It's the Internet, it moves fast" ... which really doesn't show that the current process isn't working. Or else I hear a lot about how warrants are inconvenient to the police ... which I'm sure they see as hampering investigations, but if it protects privacy of citizens, then it's a good form of inconvenience. Otherwise, we could just abandon warrants altogether and let the police do what they want unfettered.
I really haven't heard anyone tell of a case where someone was harmed or some other tragedy occurred because the police couldn't get a warrant in time. I think we--Mark Goldberg included--need take a much more critical look at what the police are saying here, before we presume there's a need to lower privacy protections.
Whatever the answer, it has nothing to do with the word "may". Even the government's response to the PIPEDA Report rejected that suggestion, in favour of clarifying "lawful authority".
Posted by 
: 10:54 AM, October 25, 2007
: 10:54 AM, October 25, 2007
Wait, are they talking about 7(2) or 7(3)? Gotta be 7(3)? 7(2) has nothing to do with disclosure, just use by the organization.
Posted by : 1:06 PM, October 25, 2007
: 1:06 PM, October 25, 2007
Why anonymous?
(a) To avoid responsibility for bombast and incivility
(b) To permit the author and/or his or her organization to take disingenuously inconsistent positions without adverse repurcussions
(c) both (a) and (b)
Law enforcement agencies make the requests referred to in the course of executing their duties to investigate crime, which is plainly part of their lawful authority. They request only what is not "core biographical" information, so a warrant is not, or should not be, necessary. In the internet child abuse investigations Paul Gillespie is referring to, they make these requests at a stage where frequently there is not enough information to get a warrant in any event. There is usually not even enough information to figure out which law enforcement agency should be investigating. And behind every such request there is a real possibility of hands on child abuse. However because the legislation is permissive ("may"), corporate response is inconsistent: some cooperate very well and some do not. Why should child safety in this narrow and minimally intrusive context be subject to the vagaries of private business choices? That is the question to which there is no good answer.
(a) To avoid responsibility for bombast and incivility
(b) To permit the author and/or his or her organization to take disingenuously inconsistent positions without adverse repurcussions
(c) both (a) and (b)
Law enforcement agencies make the requests referred to in the course of executing their duties to investigate crime, which is plainly part of their lawful authority. They request only what is not "core biographical" information, so a warrant is not, or should not be, necessary. In the internet child abuse investigations Paul Gillespie is referring to, they make these requests at a stage where frequently there is not enough information to get a warrant in any event. There is usually not even enough information to figure out which law enforcement agency should be investigating. And behind every such request there is a real possibility of hands on child abuse. However because the legislation is permissive ("may"), corporate response is inconsistent: some cooperate very well and some do not. Why should child safety in this narrow and minimally intrusive context be subject to the vagaries of private business choices? That is the question to which there is no good answer.
Posted by : 2:01 PM, October 26, 2007
: 2:01 PM, October 26, 2007
I never did well with multiple choice questions. :)
But seriously, spend your energy on the "lawful authority" question, not the "may/shall" question. Making the statute say "shall" really isn't going to solve that issue.
You actually illustrate my point well--in your view "lawful authority" means "in the course of executing their duties to investigate crime". Furthermore, you're admitting that law enforcement would want information in cases where there's not enough evidence to get a warrant--which I assume means, there's not enough evidence to convince a court that a crime has likely been committed by the anonymous internet user in question.
If you think about it, that's setting the threshold very, very low. Whenever the police are investigating a crime, an organization must give them whatever information they are asking for, whether or not they have a warrant? That should make citizens uncomfortable.
I don't think that's what you really want to achieve, but based on your interpretation of "lawful authority," and based on your desire to change "may" to "shall," I really don't see any other way to interpret your position. Your point about "core biographical information" may or may not be valid in its own right, but I don't think you can point to anything in PIPEDA that uses that language or really gives any room for that kind of analysis.
Maybe it actually makes sense to have language in PIPEDA that distinguishes between exactly what kinds of information can and can't be disclosed without a warrant. Maybe some clear rules should be put before parliament for exploration and debate. But all of that would require a change much more subtle than "may" to "shall".
Post a Comment
But seriously, spend your energy on the "lawful authority" question, not the "may/shall" question. Making the statute say "shall" really isn't going to solve that issue.
You actually illustrate my point well--in your view "lawful authority" means "in the course of executing their duties to investigate crime". Furthermore, you're admitting that law enforcement would want information in cases where there's not enough evidence to get a warrant--which I assume means, there's not enough evidence to convince a court that a crime has likely been committed by the anonymous internet user in question.
If you think about it, that's setting the threshold very, very low. Whenever the police are investigating a crime, an organization must give them whatever information they are asking for, whether or not they have a warrant? That should make citizens uncomfortable.
I don't think that's what you really want to achieve, but based on your interpretation of "lawful authority," and based on your desire to change "may" to "shall," I really don't see any other way to interpret your position. Your point about "core biographical information" may or may not be valid in its own right, but I don't think you can point to anything in PIPEDA that uses that language or really gives any room for that kind of analysis.
Maybe it actually makes sense to have language in PIPEDA that distinguishes between exactly what kinds of information can and can't be disclosed without a warrant. Maybe some clear rules should be put before parliament for exploration and debate. But all of that would require a change much more subtle than "may" to "shall".
Posted by : 6:20 PM, October 29, 2007
: 6:20 PM, October 29, 2007 << Home
Syndicate
