Title: Personal Information Protection in the Face of Crime and Terror: Information Sharing by Private Ente
1. Personal Information Protection in the Face of Crime and Terror: Information Sharing by Private Enterprises for National Security and Law Enforcement Purposes
- Centre for Innovation Law and Policy
- March 2008
2. Industries Reviewed
- Telecommunications (Aba Stevens)
- Retail (Tamir Israel)
- Banking (Ali Mian)
- Airlines (Michelle Yau)
3. Telecommunications Industry (Aba Stevens)
- Overview of Telecommunications Industry
- Nearly universal reach
- Growth concentrated in Internet and wireless service
- Regulation of Privacy
- CRTC under the Telecommunications Act
- PIPEDA dominates
4. Information Collected by the Telecommunications Industry
- 2 broad categories
- Active information collection
- Access to information that passes over the network
5. Active Information Collection
- General principle: collection limited to that necessary for the provision of the service
- May include:
- Name
- E-mail address
- Mailing address
- Phone number
- Record of complaints
- Birth date
- Financial information
- Service and equipment
- Also known as subscriber data
6. Access to Information Passing Over Network
- May include:
- Data pertaining to transmission of communication (Traffic data)
- Content of communication (Content data)
- Often transient
- Costs and technical demands are disincentives to storage
- ISPs may store data due to:
- Failure of recipient to download
- Disabling of account
- Suspension of client's account
7. Legal Regime Governing Collection
- PIPEDA (dominant statutory regime)
- Contractual Undertakings of ISPs
- Terms of Service require compliance with Acceptable Use Policies (AUP)
- ISPs explicitly reserve right to monitor network and aspects of service to ensure compliance with acceptable use policies
- Potentially affects reasonable expectation of privacy
- Implications of Buhay
- Limited recourse to Charter
- Monitoring for compliance with AUP generally does not involve government
8. Information of Interest to Law Enforcement
- Convention on Cybercrime Categories of Investigatory Information
- (from least to most intrusive of privacy)
- Subscriber data
- Traffic data
- Content data
- Law enforcement is interested in all 3 categories
9. Subscriber data
- Access to customer name, address and other identifiers without a warrant
- Modernization of Investigative Techniques Act (Bill C-416) stalled
10. Traffic Data
- Simplified process for acquisition (similar to process for Dialed Number Recorders)
- Preservation orders
11. Content data
- Continued judicial authorization
- Risk of increased access due to:
- Increased access to other categories will increase access to content data
- Bill C-416 advocates obligation for Telecoms to increase intercept capability
12. Legal Mechanisms Shaping Info Sharing
- PIPEDA: dominant statutory regime
- Discretionary Authority?
- Charter: the agent of the state test (Weir)
13. Formal and Informal Sharing Practices
- Terms of Service and AUPs create varying expectations about when ISP will disclose information
- Emerging Practice for Child Pornography Cases Formal/Informal
14. Gaps and Controversies
- Legal Uncertainty
- Overlapping statutory regimes
- No formal decision from Privacy Commissioner
- Lack of authoritative judicial treatment
- e.g. reasonable expectation of privacy for new communication forms
- Interpretation of s. 7(3): Do telecoms, indeed, have a discretionary authority?
- Which legal regime best applies to computer monitoring?
- Search and seizure
- Electronic surveillance
- Result: broad scope for telecoms to strike balance between privacy and law enforcement
- Controversy of Law Reform Agenda
- Industry concern: Who will bear the cost?
- OPC and Privacy advocates believe current law provides sufficient access
- Constitutional implications?
15. Recommendations
- Clarification should be given to the discretionary authority of private entities to disclose information under s. 7(3) of PIPEDA
- Section 7(3)(c.1) should remain discretionary, and not be amended to make disclosure to law enforcement mandatory.
- Consideration should be given to allowing police to request information in the absence of a warrant only pursuant to tailored legislative provisions, namely only if the crime being investigated is of a serious nature, the crime is of such a nature that inability of the state to access the information will foreclose the investigation and the information is of a sort for which the privacy interest of the individual is relatively low.
16. Retail Industry (Tamir Israel)
- Overview of Retail Industry
- There is currently an equilibrium between privacy and security interests in the retail sector.
- This equilibrium is unstable and has few safeguards preserving it.
17. Information Collected by the Retail Industry
- Retailers cover a broad range of personal information.
- This information is sent with consent to data brokers for analysis.
- Retailers retain control of the information, restricting the activity of data brokers
- Forthcoming technological developments will encourage retailers to collect greater quantities of information and store it in more accessible form.
18. Legal Regime Governing Information Handling
- PIPEDA
- PIPEDA permits secondary uses of information only with consent.
- Retailers prevented from selling information to data brokers as acquiring requisite consent would alienate consumers.
- Data brokers are unable to gain control over large amounts of data and organize it in accessible ways.
- There are no explicit safeguards preventing extensive use of such information by law enforcement.
19. Information of Interest to Law Enforcement
- The type of information retailers possess is sensitive and very personal in nature.
- It can include age, gender, religious affiliation, hobbies, reading preferences, and travel arrangements.
- This type of information prompts predictive investigations and random virtue testing.
- FBI System To Assess Risk (STAR)
- Most current information sharing emerges from individual investigations
20. Legal Mechanisms Shaping Info Sharing
21. PIPEDA
- s. 7(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is
- (c) required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information, or to comply with rules of court relating to the production of records
- (c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that
- it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,
- the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or
- the disclosure is requested for the purpose of administering any law of Canada or a province
- Allows for information sharing without a warrant.
- Treated by many retailers as condoning information sharing with law enforcement.
22. Charter
- Information will often be used at investigative phase
- The individual will in many cases be unaware their privacy has been interfered with
- Information will often not form part of the formal legal case and effectively avoid Charter scrutiny
- Otherwise such information could only be acquired from an individual with a warrant or by consent.
23. Formal and Informal Sharing Practices
- Information sharing with law enforcement occurs primarily on an informal basis
- The permissive stance taken by PIPEDA leaves it to individual retailers to decide whether or not to comply with requests
- Retailers take this as encouragement to comply with information requests.
- Some formalization would be beneficial.
- Warrants
- Not PAXIS
24. Gaps and Controversies
- Given the permissive stance PIPEDA takes, customers cannot predict if their information will be shared with law enforcement or not.
- While customers retain an expectation of privacy in information, it can be acquired by law enforcement without a warrant or consent.
25. Recommendations
- Customers should be informed when the information that they disclose to their retailer may be disclosed to public investigators, perhaps through the inclusion of this practice in the retailer's privacy policy.
- The Privacy Commissioner should provide greater guidance to retailers regarding voluntary information sharing with law enforcement and national security agencies. Given the likelihood of increased information sharing between public investigators and retailers, there should be clarification of the extent to which collaboration is permissible and desirable and under what circumstances it should take place. It may be appropriate to place certain types of personal information such as reading preferences or hobbies out of the bounds of non-consensual, warrantless disclosure.
- Legislation compelling retailers to contribute personal information of consumers to a database similar to the Canada Border Services Agency's PAXIS database should be avoided.
26. Banking Industry (Ali Mian)
- Overview of Banking Industry
- The Canadian banking industry is one of the most highly regulated industries in Canada
27. Information Collected by the Banking Industry
- Collected to provide products and services
- The client's name, address, e-mail address, telephone number, SIN, birth date, employment, annual income, credit history, transaction history, and health information.
- Banks also generally reserve the right to collect personal information on clients that is publicly available. Most banks also reserve the right to record and retain the content of all client telephone discussions with their representatives. Similarly, most banks reserve the right to collect and retain information relating to the use of their online services, namely the Internet Protocol (IP) address used by the client and the web pages he or she visits within the bank's website.
28. Legal Regime Governing Collection
- The industry is governed generally by the Bank Act as well as the Proceeds of Crime (Money Laundering) and Terrorist Financing Act (PCMLTFA) and PIPEDA
29. Information of Interest to Law Enforcement
- The most sought after information from a bank is obviously financial information. Financial information is that of an identifiable client and includes bank account balances, bank account activity, payment history and credit history.
30. Legal Mechanisms Shaping Information Sharing
- s. 8 Charter jurisprudence
- PIPEDA
- PCMLTFA
31. Section 8 Charter
- Courts have long held that clients have a reasonable expectation of privacy in their bank records.
- However, not all information held by banks will constitute bank records for purposes of Charter protection. For instance, the following are not protected as no reasonable expectation of privacy exists in the information:
- "Tombstone" information in the form of the name(s) of an account holder and its signatory authority
- A client's signature
- The existence of banking activity, such as a cheque deposit into a particular account, without client identification
32. PIPEDA
- The Privacy Commissioner of Canada has rarely discussed the law enforcement exception in the banking context. Where it has, discussion has been about banks' internal security rather than external law enforcement or national security services.
- Although there are many Privacy Commissioner findings on the legality of banks' personal information handling practices, several issues remain to be resolved:
- the extent to which PIPEDA limits the collection of financial information when banks are giving clients investment advice or limits the collection of health information when banks are providing insurance products.
- whether banks can share illegally collected information with law enforcement and national security officials.
- retention of illegally collected personal information.
33. PCMLTFA
- The PCMLTFA requires the reporting to government of such things as large transactions, suspicious activities and terrorist property. Therefore banks also currently keep a record of the party names, date, time, amount, currency, and method of all transactions.
34. Formal and Informal Sharing Practices
- Formal Personal Information Sharing
- Police will deliver court-issued documents (warrants, subpoenas, and court orders) to bank branches or bank headquarters, depending on each bank's policy.
- Banks will record all requests for bank records received in the form of court-issued documents.
35. Informal Sharing Practices
- a) Requests for bank records pursuant to some other legal authority
- Statutory powers, i.e. BIA
- Common law investigative powers
- b) Proactive Release of Bank Records, i.e. FINTRAC
36. Gaps and Controversies
- There are few laws that limit the amount of information a bank can retain on its clients.
- Laws presently do not require banks to document informal police requests for bank records.
- There is a lack of transparency in the types of circumstances in which banks proactively disclose information to police.
- The "reasonable ground to suspect" standard that FINTRAC uses to disclose personal information to the police for those suspected of criminal activity may be unconstitutional.
- Again, on the issue of the appropriate standard to be applied to disclosure of bank records to police during criminal investigations, there are no laws which regulate Canadian police when they obtain Canadian bank records from foreign entities on a lower standard than credibility-based probability.
37. Recommendations
- Recommendation 1: Banks should provide clear guidelines to clients on what types of personal information can and must be collected for services such as investment advice.
- Recommendation 2: All banks should keep track of the nature and extent of informal police requests for bank records, especially the authority under which these records are being sought, as well as the circumstances in which the records are disclosed.
- Recommendation 3: An independent and publicly accountable authority, such as the Office of the Privacy Commissioner of Canada, should be tasked with assessing the legality of informal police requests for bank records which banks document.
38. Recommendations
- Recommendation 4: Parliament should clarify PIPEDA terms such as "lawful authority" and "national security threat" by providing examples of when personal information such as bank records can be disclosed without judicial authorization.
- Recommendation 5: The Government of Canada or the Privacy Commissioner should bring a reference to the Supreme Court of Canada to inquire whether the standard of "reasonable suspicion" can ever be justified to disclose personal information, such as bank records, to police in a criminal context.
39. Airline Industry (Michelle Yau)
- Overview of Airline Industry
- Information sharing in this industry currently a hot topic
- A lot of potential for breaches of privacy or worse
40. Information Collected by Airline Industry
- Every time a passenger purchases a ticket, advance passenger information (API) and passenger name record (PNR) information is collected by airlines
- A PNR can reveal many intimate details:
- with whom, for how long, and at whose expense someone travels
- affiliations with organizations
- religious practices
41. Airline Privacy Policies
- Airline privacy policies are vague
- "may be liable to collect/provide any other personal information as required by a government authority."
- Do not mention specific government agencies
- Do not mention purposes for which personal information may be used or further disclosed
- Travelers not told at time of collection that their info may be disclosed for national security or law enforcement purposes
42. Legal Regime Governing Information Sharing
- Aeronautics Act
- Immigration and Refugee Protection Act (IRPA) and IRP Regulations
- Protection of Passenger Information Regulations, also created under IRPA
- Customs Act
43. Aeronautics Act
- Requires disclosure of 34 items of information on request to:
- Department of Transport
- RCMP
- CSIS
- Also allows these agencies to share collected info with each other and to match collected info with other info
- Allows these agencies to share info collected with various entities:
- Canadian Air Transport Security Authority (CATSA)
- air carriers
- peace officers, aircraft protective officers
44. IRPA and IRP Regulations
- Requires airlines to provide documents, written information, and access to reservation systems upon request to officers of Citizenship and Immigration Canada
- The Protection of Passenger Information Regulations, also created under IRPA, allows Canada Border Services Agency (CBSA) to retain API/PNR info and to disclose it to any Canadian government department if a CBSA official determines that the info relates to terrorism/transnational crimes
45. Customs Act
- Allows government officials to provide access to customs information to prescribed persons or classes of persons, in prescribed circumstances for prescribed purposes, solely for those purposes
46. Information of Interest to Law Enforcement
- Examples:
- Itinerary/gaps in itinerary
- Who paid for ticket/method of payment
- Seat requests
- Travel document information (type, number, country of issuance)
47. Formal and Informal Sharing Practices
- Formal
- Officer presents request in writing or by other means
- Airline verifies officer's identity, confirms active investigation, confirms court order, warrant or legislative provision authorizing collection of the information by the officer
- Airline discloses information
- Continuous data streaming of API/PNR info on all passengers entering Canada
- Informal
- Not much known
- Some anecdotal evidence that front line staff share info inappropriately
48. Gaps and Controversies
- Various legislation requiring disclosure on request without conditions makes it difficult for airlines to protect their customers' privacy
- They also give government agencies too much leeway to share info amongst each other and to use the info for a variety of purposes
- Some airline sharing practices such as continuous data streaming create danger of mass violations of privacy without accountability
49. Gaps and Controversies
- The Passenger Protect Program, which finds its legislative basis in the Aeronautics Act and the Aeronautics Act Identity Screening Regulations, does not provide adequate safeguards
- false listing and false matching
- no adequate mechanisms of redress
- Little direct evidence that privacy violations are occurring on a regular basis
- However current legislative regime and info sharing practices create real danger of such violations
- Thus it is important that the legislation be amended, and that airlines and government agencies adopt new practices safeguarding privacy
50. Recommendations
- Legislation should be amended to specify conditions that must be met before an officer can compel an airline to disclose personal information of customers.
- Warrants, court orders, or at least some conditions
- The Customs Act provisions should be made more specific to minimize threat to privacy posed by PAXIS database.
- Continuous data streaming should not be the norm.
- Facilitates fishing
- Safeguards should be put in place to ensure the accuracy and minimize imprecision of the Passenger Protect Program.
- Clear listing criteria, address/phone number should be required to confirm match
- Airlines should adopt policies to discourage informal information sharing between airline staff and government.
- Minimize contact between officers and front line staff
- Requests must be in writing
51. Summary of Concerns (Andrea Slane)
- Recurring concerns include:
- Lack of clarity regarding the interpretation of s. 7(3) of Personal Information Protection and Electronic Documents Act
- The impact of technological development on the balance of relevant interests
- Lack of transparency regarding informal information sharing, and
- A tendency towards collection of increasing amounts of personal information identified in some of the industries.
52. Summary of Charter Concerns
- Departure from the principle of judicial authorization in cases of information sharing without warrants, subpoenas or court orders
- Lack of certainty regarding whether there is a reasonable expectation of privacy in various contexts
- Constitutional sufficiency of the standard for disclosure where information is obtained notwithstanding a lack of reasonable probable grounds to believe that a crime has been committed. This last concern is particularly pressing where disclosure of information to national security agencies had been made mandatory.
53. Summary of Recommendations
- Generally respond to the concerns
- Clarify s. 7(3) of PIPEDA, especially section 7(3)(c.1), including the term "lawful authority"
- Promote transparency and accountability regarding the extent and nature of informal information sharing
- Seek judicial guidance on limits on information sharing without judicial authorization. In the meantime, OPC to provide guidelines. Suggested limits might balance the seriousness of the crime being investigated, whether the nature of the crime is such that the inability of the state to access the information will foreclose the investigation, and whether the information is of a sort for which the privacy interest of the individual is relatively low
- Seek judicial guidance on sufficiency of the standard for disclosure where information is obtained without reasonable probable grounds, especially where disclosure of information to national security agencies had been made mandatory.
54. http://www.innovationlaw.org/projects/privacy.htm