Online privacy: The practical fallout from Spencer

  • August 01, 2014
  • Jason Scott Alexander

With its June ruling in R. v. Spencer, the Supreme Court of Canada confirmed that the mere fact they’re conducting an investigation does not give police “lawful authority” to gain personal information from a person or an organization without a warrant.

So what are the ruling’s practical applications for individuals and organizations, law enforcement and the legal profession?

Ask and (don’t) receive

According to David Fraser, a partner at McInnes Cooper in Halifax and one of Canada’s foremost authorities on internet privacy law, police won’t have to go to any new lengths in order to gain warrants.

“Before, they had the ability to just say ‘hey, look we’re doing a police investigation and our view is that PIPEDA gives us the authority to request the information and PIPEDA lets you disclose it to us, so why don’t you hand it over’,” says Fraser. Spencer makes it clear that is no longer the case, and that police will have to get a warrant or a production order in the vast majority of circumstances.

Canadian telecommunications companies were getting a lot of these requests – in its transparency report, released just ahead of the Spencer decision, Rogers said it received nearly 175,000 requests for personal information, mostly customer name and address checks, in 2013. The request at issue in Spencer, what is called a Child Sexual Exploitation Emergency Assistance Request, accounted for only 711 of the total.

He says many observers are wondering if Spencer will now close off what had been a significant evidence gathering avenue for police.

“I don’t think that they were able to get a lot of this information without a warrant, in the context of just pure intelligence gathering,” says Fraser. “It would actually have to be an active investigation.” In cases where the police cite PIPEDA, “I would advise my clients in all of those cases not to hand over information. And in all those cases, obviously the police would rarely tell you what it was all about, but one can infer that in some of those cases that they were simply intelligence gathering. And now that door is going to be closed.”

Tools of the trade

Sgt. Paul Batista, head of the Computer Forensics Unit of the Forensics Identification Section at the Ottawa Police Service, says he can see the dilemma for police, in terms of causing delays in investigations and increased paperwork. But he doesn’t completely disagree with the position the Supreme Court has taken.

“This is not an issue of denying access; it is simply saying that police have the obligation to reasonably believe that someone has committed an offence under the Criminal Code,” says Batista. “Creating shortcuts that turn (to) data collected by third parties to assist in police investigations without court-sanctioned support is unacceptable except for two reasons…: Matters of national security and when someone is in physical and imminent danger. Then, time is critical and the greater good to the public needs to take priority over privacy concerns.”

In fact, he says seeking a go-ahead from the courts shows good faith and confirmation from a third party that police are not just on a fishing trip. This will only strengthen a file for court purposes, he says, when so much of the conflict is based on Charter violations rather than the actual facts of the case. “And there should be increased penalties for people who hide on the Internet to commit offences just like wearing a disguise in the commission of a (physical) offence.”

In specific reference to obtaining the personal identification of the person attached to an IP address, Batista believes the government has the responsibility to step up and provide the tools necessary to enforce laws, arguing that we license drivers so that their behaviour can be accountable.

“Why is it different to ask for a valid driver’s licence but not who you are when you’re broadcasting? I fail to see the breach of anonymity as a basic right.”

Big data = big risk

Privacy advocates worry about the potential for private customer information to be gained and exploited by copyright trolls, collection agencies, and others if the government expands the categories of “lawful authority” beyond law enforcement, so that one organization can disclose personal information to another in connection with an investigation, as is being proposed in Bill S-4, the Digital Privacy Act.

Sharon Polsky, President of the Privacy and Access Council of Canada and former National Chair of the Canadian Association of Professional Access and Privacy Administrators, argues that countless laws and international agreements have eroded Canadians’ privacy rights. 

“Amassing unrelated data about Canadians in colossal databases that are difficult to secure undoubtedly offers convenience to those who want to track and analyze the minutiae of our existence,” warns Polsky.

Considering the poor track record that many public- and private-sector organizations have for privacy compliance and data governance, she says, allowing organizations to obtain personal information on the basis of an investigation reduces our ability to have any say in who examines our lives and decides our fate.

“We are concerned that Bill S-4 is only the latest attack against personal privacy and the ability of Canadians to have any say as to whether, when, and who gets access to our personal and medical information, or what they might do with it. Unfortunately, we’ve also seen the credibility of scientists, journalists, senators and politicians attacked for speaking out and their careers ruined — and those models of retribution have effectively silenced many PACC members and other Canadians who are concerned that expressing a dissenting opinion will be met with retaliatory measures that effectively make fair comment an offence and Charter protections irrelevant.”

Jason Scott Alexander is an Ottawa-based freelance writer specializing in frontier-media and technology law topics.