Personal Information Protection in the Face of Crime and Terror: Information Sharing by Private Ente - PowerPoint PPT Presentation

Slides: 55
Provided by: andrea201

Transcript and Presenter's Notes


1
Personal Information Protection in the Face of
Crime and Terror: Information Sharing by Private
Enterprises for National Security and Law
Enforcement Purposes
  • Centre for Innovation Law and Policy
  • March 2008

2
Industries Reviewed
  • Telecommunications: Aba Stevens
  • Retail: Tamir Israel
  • Banking: Ali Mian
  • Airlines: Michelle Yau

3
Telecommunications Industry (Aba Stevens)
  • Overview of Telecommunications Industry
  • Nearly universal reach
  • Growth concentrated in Internet and wireless
    service
  • Regulation of Privacy
  • CRTC under the Telecommunications Act
  • PIPEDA dominates

4
Information Collected by the Telecommunications
Industry
  • 2 Broad categories
  • Active information collection
  • Access to information that passes over the network

5
Active Information Collection
  • General principle: collection limited to that
    necessary for the provision of the service
  • May include
  • Name
  • E-mail address
  • Mailing address
  • Phone number
  • Record of complaints
  • Birth date
  • Financial information
  • Service and equipment
  • Also known as subscriber data

6
Access to Information Passing Over Network
  • May Include
  • Data pertaining to transmission of communication
    (Traffic data)
  • Content of communication (Content data)
  • Often transient
  • Costs and technical demands are disincentives to
    storage
  • ISPs may store data due to
  • Failure of recipient to download
  • Disabling of account
  • Suspension of client's account

7
Legal Regime Governing Collection
  • PIPEDA (dominant statutory regime)
  • Contractual Undertakings of ISPs
  • Terms of Service require compliance with
    Acceptable Use Policies (AUP)
  • ISPs explicitly reserve right to monitor network
    and aspects of service to ensure compliance with
    acceptable use policies
  • Potentially affects reasonable expectation of
    privacy
  • Implications of Buhay
  • Limited recourse to Charter
  • Monitoring for compliance with AUP generally does
    not involve government

8
Information of Interest to Law Enforcement
  • Convention on Cybercrime: categories of
    investigatory information
  • (from least to most intrusive of privacy)
  • Subscriber data
  • Traffic data
  • Content data
  • Law enforcement is interested in all 3
    categories

9
Subscriber data
  • Access to customer name, address and other
    identifiers without a warrant
  • Modernization of Investigative Techniques Act
    (Bill C-416) stalled

10
Traffic Data
  • Simplified process for acquisition (similar to
    process for Dialed Number Recorders)
  • preservation orders

11
Content data
  • Continued judicial authorization
  • Risk of Increased Access due to
  • increased access to other categories will
    increase access to content data
  • Bill C-416 advocates obligation for Telecoms to
    increase intercept capability

12
Legal Mechanisms Shaping Info Sharing
  • PIPEDA: dominant statutory regime
  • Discretionary authority?
  • Charter: the "agent of the state" test (Weir)

13
Formal and Informal Sharing Practices
  • Terms of Service and AUPs create varying
    expectations about when ISP will disclose
    information
  • Emerging practice for child pornography cases:
    formal/informal

14
Gaps and Controversies
  • Legal Uncertainty
  • Overlapping statutory regimes
  • No formal decision from Privacy Commissioner
  • Lack of authoritative judicial treatment
  • e.g. reasonable expectation of privacy for new
    communication forms
  • Interpretation of s. 7(3): do telecoms, indeed,
    have a discretionary authority?
  • which legal regime best applies to computer
    monitoring?
  • Search and seizure
  • Electronic surveillance
  • Result: broad scope for telecoms to strike
    balance between privacy and law enforcement
  • Controversy of Law Reform Agenda
  • Industry concern: who will bear the cost?
  • OPC and Privacy advocates believe current law
    provides sufficient access
  • Constitutional implications?

15
Recommendations
  • Clarification should be given to the
    discretionary authority of private entities to
    disclose information under s. 7(3) of PIPEDA
  • Section 7(3) (c.1) should remain discretionary,
    and not be amended to make disclosure to law
    enforcement mandatory.
  • Consideration should be given to allowing police
    to request information in the absence of a
    warrant only pursuant to tailored legislative
    provisions, namely only if the crime being
    investigated is of a serious nature, the crime is
    of such a nature that inability of the state to
    access the information will foreclose the
    investigation and the information is of a sort
    for which the privacy interest of the individual
    is relatively low.

16
Retail Industry (Tamir Israel)
  • Overview of Retail Industry
  • There is currently an equilibrium between privacy
    and security interests in the retail sector.
  • This equilibrium is unstable and has few
    safeguards preserving it.

17
Information Collected by the Retail Industry
  • Retailers cover a broad range of personal
    information.
  • This information is sent with consent to data
    brokers for analysis.
  • Retailers retain control of the information,
    restricting the activity of data brokers
  • Forthcoming technological developments will
    encourage retailers to collect greater quantities
    of information and store it in more accessible
    form.

18
Legal Regime Governing Information Handling
  • PIPEDA
  • PIPEDA permits secondary uses of information only
    with consent.
  • Retailers prevented from selling information to
    data brokers as acquiring requisite consent would
    alienate consumers.
  • Data brokers are unable to gain control over
    large amounts of data and organize it in
    accessible ways.
  • There are no explicit safeguards preventing
    extensive use of such information by law
    enforcement.

19
Information of Interest to Law Enforcement
  • The type of information retailers possess is
    sensitive and very personal in nature.
  • It can include age, gender, religious
    affiliation, hobbies, reading preferences, and
    travel arrangements.
  • This type of information prompts predictive
    investigations and random virtue testing.
  • FBI System To Assess Risk (STAR)
  • Most current information sharing emerges from
    individual investigations

20
Legal Mechanisms Shaping Info Sharing
  • PIPEDA
  • Charter

21
PIPEDA
  • s. 7 (3) For the purpose of clause 4.3 of
    Schedule 1, and despite the note that accompanies
    that clause, an organization may disclose
    personal information without the knowledge or
    consent of the individual only if the disclosure
    is
  • (c) required to comply with a subpoena or
    warrant issued or an order made by a court,
    person or body with jurisdiction to compel the
    production of information, or to comply with
    rules of court relating to the production of
    records
  • (c.1) made to a government institution or part
    of a government institution that has made a
    request for the information, identified its
    lawful authority to obtain the information and
    indicated that
  • it suspects that the information relates to
    national security, the defence of Canada or the
    conduct of international affairs,
  • the disclosure is requested for the purpose of
    enforcing any law of Canada, a province or a
    foreign jurisdiction, carrying out an
    investigation relating to the enforcement of any
    such law or gathering intelligence for the
    purpose of enforcing any such law, or
  • the disclosure is requested for the purpose of
    administering any law of Canada or a province
  • Allows for information sharing without a warrant.
  • Treated by many retailers as condoning
    information sharing with law enforcement.

22
Charter
  • Information will often be used at investigative
    phase
  • The individual will in many cases be unaware
    their privacy has been interfered with
  • Information will often not form part of the formal
    legal case and effectively avoid Charter scrutiny
  • Otherwise such information could only be acquired
    from an individual with a warrant or by consent.

23
Formal and Informal Sharing Practices
  • Information sharing with law enforcement occurs
    primarily on an informal basis
  • The permissive stance taken by PIPEDA leaves it
    to individual retailers to decide whether or not
    to comply with requests
  • Retailers take this as encouragement to comply
    with information requests.
  • Some formalization would be beneficial.
  • Warrants
  • Not PAXIS

24
Gaps and Controversies
  • Given the permissive stance PIPEDA takes,
    customers cannot predict if their information
    will be shared with law enforcement or not.
  • While customers retain an expectation of privacy
    in information, it can be acquired by law
    enforcement without a warrant or consent.

25
Recommendations
  • Customers should be informed when the information
    that they disclose to their retailer may be
    disclosed to public investigators, perhaps
    through the inclusion of this practice in the
    retailer's privacy policy.
  • The Privacy Commissioner should provide greater
    guidance to retailers regarding voluntary
    information sharing with law enforcement and
    national security agencies. Given the likelihood
    of increased information sharing between public
    investigators and retailers, there should be
    clarification of the extent to which
    collaboration is permissible and desirable and
    under what circumstances it should take place. It
    may be appropriate to place certain types of
    personal information such as reading preferences
    or hobbies out of the bounds of non-consensual,
    warrantless disclosure.
  • Legislation compelling retailers to contribute
    personal information of consumers to a database
    similar to the Canada Border Services Agency's
    PAXIS database should be avoided.

26
Banking Industry (Ali Mian)
  • Overview of Banking Industry
  • The Canadian banking industry is one of the most
    highly regulated industries in Canada

27
Information Collected by the Banking Industry
  • Collected to provide products and services
  • The client's name, address, e-mail address,
    telephone number, SIN, birth date, employment,
    annual income, credit history, transaction
    history, and health information.
  • Banks also generally reserve the right to collect
    personal information on clients that is publicly
    available. Most banks also reserve the right to
    record and retain the content of all client
    telephone discussions with its representatives.
    Similarly, most banks reserve the right to
    collect and retain information relating to the
    use of its online services, namely the Internet
    Protocol (IP) address used by the client and the
    web pages he or she visits within the bank's
    website.

28
Legal Regime Governing Collection
  • The industry is governed generally by the Bank
    Act as well as the Proceeds of Crime (Money
    Laundering) and Terrorist Financing Act (PCMLTFA)
    and PIPEDA

29
Information of Interest to Law Enforcement
  • The most sought after information from a bank is
    obviously financial information. Financial
    information is that of an identifiable client and
    includes bank account balances, bank account
    activity, payment history and credit history.

30
Legal Mechanisms Shaping Information Sharing
  • s. 8 Charter jurisprudence
  • PIPEDA
  • PCMLTFA

31
Section 8 Charter
  • Courts have long held that clients have a
    reasonable expectation of privacy in their bank
    records.
  • However, not all information held by banks will
    constitute bank records for purposes of Charter
    protection. For instance, the following are not
    protected as no reasonable expectation of privacy
    exists in the information:
  • Tombstone information in the form of the
    name(s) of an account holder and its signatory
    authority
  • A client's signature
  • The existence of banking activity, such as a
    cheque deposit into a particular account, without
    client identification

32
PIPEDA
  • The Privacy Commissioner of Canada has rarely
    discussed the law enforcement exception in the
    banking context. Where it has, discussion has
    been about banks' internal security rather than
    external law enforcement or national security
    services.
  • Although there are many Privacy Commissioner
    findings on the legality of banks' personal
    information handling practices, several issues
    remain to be resolved:
  • the extent to which PIPEDA limits the collection
    of financial information when banks are giving
    clients investment advice or limits the
    collection of health information when banks are
    providing insurance products.
  • whether banks can share illegally collected
    information with law enforcement and national
    security officials.
  • retention of illegally collected personal
    information.

33
PCMLTFA
  • The PCMLTFA requires the reporting to government
    of such things as large transactions, suspicious
    activities and terrorist property. Therefore
    banks also currently keep a record of the party
    names, date, time, amount, currency, and method
    of all transactions.

34
Formal and Informal Sharing Practices
  • Formal Personal Information Sharing
  • Police will deliver court-issued documents
    (warrants, subpoenas, and court orders) to bank
    branches or bank headquarters, depending on each
    bank's policy.
  • Banks will record all requests for bank records
    received in the form of court-issued documents.

35
Informal Sharing Practices
  • a) Requests for bank records pursuant to some
    other legal authority
  • Statutory powers, i.e. BIA
  • Common law investigative powers
  • b) Proactive release of bank records, i.e.
    FINTRAC

36
Gaps and Controversies
  • There are few laws that limit the amount of
    information a bank can retain on its clients.
  • Laws presently do not require banks to document
    informal police requests for bank records.
  • There is a lack of transparency in the types of
    circumstances in which banks proactively disclose
    information to police.
  • The "reasonable ground to suspect" standard that
    FINTRAC uses to disclose personal information to
    the police for those suspected of criminal
    activity may be unconstitutional.
  • Again, on the issue of the appropriate standard
    to be applied to disclosure of bank records to
    police during criminal investigations, there are
    no laws which regulate Canadian police when they
    obtain Canadian bank records from foreign
    entities on a lower standard than credibility-
    based probability.

37
Recommendations
  • Recommendation 1: Banks should provide clear
    guidelines to clients on what types of personal
    information can and must be collected for
    services such as investment advice.
  • Recommendation 2: All banks should keep track of
    the nature and extent of informal police requests
    for bank records, especially the authority under
    which these records are being sought, as well as
    the circumstances in which the records are
    disclosed.
  • Recommendation 3: An independent and publicly
    accountable authority, such as the Office of the
    Privacy Commissioner of Canada, should be tasked
    with assessing the legality of informal police
    requests for bank records which banks document.

38
Recommendations
  • Recommendation 4: Parliament should clarify
    PIPEDA terms such as "lawful authority" and
    "national security threat" by providing examples
    of when personal information such as bank records
    can be disclosed without judicial authorization.
  • Recommendation 5: The Government of Canada or the
    Privacy Commissioner should bring a reference to
    the Supreme Court of Canada to inquire whether
    the standard of "reasonable suspicion" can ever
    be justified to disclose personal information,
    such as bank records, to police in a criminal
    context.

39
Airline Industry (Michelle Yau)
  • Overview of Airline Industry
  • Information sharing in this industry currently a
    hot topic
  • A lot of potential for breaches of privacy or
    worse

40
Information Collected by Airline Industry
  • Every time a passenger purchases a ticket,
    advance passenger information (API) and passenger
    name record (PNR) information is collected by
    airlines
  • A PNR can reveal many intimate details
  • with whom, for how long, and at whose expense
    someone travels
  • affiliations with organizations
  • religious practices

41
Airline Privacy Policies
  • Airline privacy policies are vague
  • "may be liable to collect/provide any other
    personal information as required by a
    government authority."
  • Do not mention specific government agencies
  • Do not mention purposes for which personal
    information may be used or further disclosed
  • Travelers not told at time of collection that
    their info may be disclosed for national security
    or law enforcement purposes

42
Legal Regime Governing Information Sharing
  • Aeronautics Act
  • Immigration and Refugee Protection Act (IRPA) and
    IRP Regulations
  • Protection of Passenger Information Regulations,
    also created under IRPA
  • Customs Act

43
Aeronautics Act
  • Requires disclosure of 34 items of information on
    request to
  • Department of Transport
  • RCMP
  • CSIS
  • Also allows these agencies to share collected
    info with each other and to match collected info
    with other info
  • Allows these agencies to share info collected
    with various entities
  • Canadian Air Transport Security Authority (CATSA)
  • air carriers
  • peace officers, aircraft protective officers

44
IRPA and IRP Regulations
  • Requires airlines to provide documents, written
    information, and access to reservation systems
    upon request to officers of Citizenship and
    Immigration Canada
  • The Protection of Passenger Information
    Regulations, also created under IRPA, allows
    Canada Border Services Agency (CBSA) to retain
    API/PNR info and to disclose it to any Canadian
    government department if a CBSA official
    determines that the info relates to
    terrorism/transnational crimes

45
Customs Act
  • Allows government officials to provide access to
    customs information to prescribed persons or
    classes of persons, in prescribed circumstances
    for prescribed purposes, solely for those
    purposes

46
Information of Interest to Law Enforcement
  • Examples
  • Itinerary/gaps in itinerary
  • Who paid for ticket/method of payment
  • Seat requests
  • Travel document information (type, number,
    country of issuance)

47
Formal and Informal Sharing Practices
  • Formal
  • Officer presents request in writing or by other
    means
  • Airline verifies officer's identity, confirms
    active investigation, confirms court order,
    warrant or legislative provision authorizing
    collection of the information by the officer
  • Airline discloses information
  • Continuous data streaming of API/PNR info on all
    passengers entering Canada
  • Informal
  • Not much known
  • Some anecdotal evidence that front line staff
    share info inappropriately

48
Gaps and Controversies
  • Various legislation requiring disclosure on
    request without conditions makes it difficult for
    airlines to protect their customers' privacy
  • They also give government agencies too much
    leeway to share info amongst each other and to
    use the info for a variety of purposes
  • Some airline sharing practices such as continuous
    data streaming create danger of mass violations
    of privacy without accountability

49
Gaps and Controversies
  • The Passenger Protect Program, which finds its
    legislative basis in the Aeronautics Act and the
    Aeronautics Act Identity Screening Regulations,
    does not provide adequate safeguards
  • false listing and false matching
  • no adequate mechanisms of redress
  • Little direct evidence that privacy violations
    are occurring on a regular basis
  • However current legislative regime and info
    sharing practices create real danger of such
    violations
  • Thus it is important that the legislation be
    amended, and that airlines and government
    agencies adopt new practices safeguarding privacy

50
Recommendations
  • Legislation should be amended to specify
    conditions that must be met before an officer can
    compel an airline to disclose personal
    information of customers.
  • Warrants, court orders, or at least some
    conditions
  • The Customs Act provisions should be made more
    specific to minimize threat to privacy posed by
    PAXIS database.
  • Continuous data streaming should not be the norm.
  • Facilitates fishing
  • Safeguards should be put in place to ensure the
    accuracy and minimize imprecision of the
    Passenger Protect Program.
  • Clear listing criteria, address/phone number
    should be required to confirm match
  • Airlines should adopt policies to discourage
    informal information sharing between airline
    staff and government.
  • Minimize contact between officers and front line
    staff
  • Requests must be in writing

51
Summary of Concerns (Andrea Slane)
  • Recurring concerns include
  • Lack of clarity regarding the interpretation of
    s. 7(3) of Personal Information Protection and
    Electronic Documents Act
  • The impact of technological development on the
    balance of relevant interests
  • Lack of transparency regarding informal
    information sharing, and
  • A tendency towards collection of increasing
    amounts of personal information identified in
    some of the industries.

52
Summary of Charter Concerns
  • Departure from the principle of judicial
    authorization in cases of information sharing
    without warrants, subpoenas or court orders
  • Lack of certainty regarding whether there is a
    reasonable expectation of privacy in various
    contexts
  • Constitutional sufficiency of the standard for
    disclosure where information is obtained
    notwithstanding a lack of reasonable probable
    grounds to believe that a crime has been
    committed. This last concern is particularly
    pressing where disclosure of information to
    national security agencies had been made
    mandatory.

53
Summary of Recommendations
  • Generally respond to the concerns
  • Clarify s. 7(3) of PIPEDA, especially section
    7(3)(c.1), including the term "lawful authority"
  • Promote transparency and accountability regarding
    the extent and nature of informal information
    sharing
  • Seek judicial guidance on limits on information
    sharing without judicial authorization. In the
    meantime, OPC to provide guidelines. Suggested
    limits might balance the seriousness of the crime
    being investigated, whether the nature of the
    crime is such that the inability of the state to
    access the information will foreclose the
    investigation, and whether the information is of
    a sort for which the privacy interest of the
    individual is relatively low
  • Seek judicial guidance on sufficiency of the
    standard for disclosure where information is
    obtained without reasonable probable grounds,
    especially where disclosure of information to
    national security agencies had been made
    mandatory.

54
http://www.innovationlaw.org/projects/privacy.htm