Monday, March 5, 2012

Bill C30 - Canada’s Spying Act


The federal government introduced Bill C-30, the online surveillance legislation, the name of which was changed after going to the printers to: “the Protecting Children from Internet Predators Act.” It should be called: “the Big Brother Act.” It breaches privacy laws and the Charter.



Its main features are that:
1. Telecommunications and Internet Service Providers (ISPs) are required to give police, national security agencies and the Competition Bureau, without a warrant, six types of identifiers from subscriber data; namely, name, address, telephone number, email address, Internet protocol (IP) address and local service provider identifier. This disclosure is not limited to criminal activity;
2. ISPs are to provide a "back door" to make communications accessible to police;
3. It allows police to obtain information transmitted over the internet and data related to its transmission, including locations of individuals and transactions, by getting a warrant;
4. It allows courts to compel other parties to preserve electronic evidence;
5. An internal audit of warrantless requests will go to a government minister and oversight review body;
6. A review after five years is provided for;
7. Telecommunications service providers have 18 months to buy equipment that would allow police to intercept communications – these costs will be borne by these service providers and most likely passed on to the consumers;
8. It changes the definition of hate propaganda to include communication targeting sex, age and gender.
The bill would be costly and increase the amount of data available for hackers: “This is going to be like the Fort Knox of information that the hackers and the real bad guys will want to go after. This is going to be a gold mine,” said Ontario Information and Privacy Commissioner Ann Cavoukian. “The government will say that they can protect the data, and they can encrypt it. Are you kidding me? The bad guys are always one step ahead.”
A major privacy concern with Bill C-30 is the mandatory disclosure of subscriber information without court oversight. Law enforcement has not shown that it needs these drastic measures, since service providers comply with the requests 95% of the time. This disclosure should only be done for criminal activity, and a streamlined warrant procedure should be set up that can be reviewed by criminal defence lawyers etc.

Under intense pressure the federal government has stated that it is open to changes. The Bill as drafted is unconstitutional. Write your member of parliament to let your views be known!
Last Updated (Thursday, 23 February 2012 11:03)

The Privacy Commissioner of Canada launched new guidelines

On Dec. 6, 2011, the Privacy Commissioner of Canada launched new guidelines under the Personal Information Protection and Electronic Documents Act (PIPEDA) for online behavioral advertising, i.e. tracking users’ online activities in order to deliver targeted advertisements that are based on past activities and interests. There is a battle between web site owners’ desire to increase revenue from personal information (PI) and privacy.


These guidelines provide that web site owners require a user’s knowledge and consent for the collection, use, or disclosure of personal information and that the purposes for which a user’s information is to be collected, used or disclosed be explained in a clear and transparent manner. Express consent (opt-in) is required when dealing with sensitive information whereas implied consent (opt-out) can be used when the information is less sensitive.
Implied consent, i.e. "opt-out" consent, may be used if:

First, the user must be:

made aware of the purposes for the practice in a manner that is clear, obvious and understandable;

informed of these purposes at or before the time of collection and should be provided with information about the parties involved in the advertising; and

able to easily opt-out of the practice, ideally at or before the time the information is collected.

Also, the opt-out should both take effect immediately and be persistent, while the information collected and used:

must be limited, to the extent practicable, to non-sensitive information (for example, avoiding sensitive data such as health information); and

should be destroyed as soon as possible or "anonymised," so if someone gains access to it through say hacking, it can't be used to identify specific individuals.

The use of tracking techniques of which users are unaware and which they can't decline, such as web bugs, web beacons, and super cookies, “should be avoided.”

These guidelines are consistent with the wording of PIPEDA and provide some guidance for the drafting of Canadian privacy policies. It is interesting to note that the use of web bugs and beacons was not forbidden but only “should be avoided.” It will be of great interest to see how the large Internet companies such as Google and Facebook measure up to these guidelines and how the Commissioner responds.