China Enacting a High-Tech Plan to Track People

Today's New York Times has an interesting article on new surveillance technologies being built by American companies for use in China:

China Enacting a High-Tech Plan to Track People - New York Times

... Starting this month in a port neighborhood and then spreading across Shenzhen, a city of 12.4 million people, residency cards fitted with powerful computer chips programmed by the same company will be issued to most citizens.

Data on the chip will include not just the citizen’s name and address but also work history, educational background, religion, ethnicity, police record, medical insurance status and landlord’s phone number. Even personal reproductive history will be included, for enforcement of China’s controversial “one child” policy. Plans are being studied to add credit histories, subway travel payments and small purchases charged to the card.

Security experts describe China’s plans as the world’s largest effort to meld cutting-edge computer technology with police work to track the activities of a population and fight crime. But they say the technology can be used to violate civil rights....

Cell phone info increasingly used as investigative tool

Today's NYT has an article on the amount of information collected by cell phone operators and how it is increasingly being used in police investigations: When the Trill of a Cellphone Brings the Clang of Prison Doors.

Oshawa second-hand store bylaw invades privacy

Earlier this week, the Ontario Court of Appeal, in Cash Converters Canada Inc. v. Oshawa (City) (July 4, 2007) (an appeal from Cash Converters Canada Inc. v. Oshawa (City), 2006 CanLII 3469 (ON S.C.)), overturned a City of Oshawa Bylaw that required sellers of second hand goods to collect detailed personal information about those who sell second hand goods to the stores. The bylaw was inconsistent with the Municipal Freedom of Information and Protection of Privacy Act.

Here's what the Toronto Star had to say about it:

TheStar.com - News - Oshawa second-hand store bylaw invades privacy: Court

Tracey Tyler

LEGAL AFFAIRS REPORTER

The Ontario Court of Appeal has struck down sections of a controversial Oshawa bylaw that require second-hand dealers to collect detailed personal information from people who sell them goods and transmit the data to police.

The bylaw conflicts with provincial privacy legislation, which requires the collection and retention of personal information to be strictly controlled, the court ruled Wedneday, The 3-0 decision could influence challenges to similar bylaws in other parts of the country, including Alberta and British Columbia.

“This decision comes at a time when cities are gaining broader law-making powers,” said David Sterns, a lawyer representing the Oshawa franchise of Cash Converters Canada Inc., a second-hand store that challenged the bylaw.

“The court has sent a strong signal that all forms of information gathering and surveillance by municipalities are subject to the public’s overriding right to privacy.”

Under the Oshawa bylaw, passed by the city in 2004 as part of a new licensing system for second-hand dealers, stores were required to record the name, address, sex, date of birth, phone number and height of their vendors, who also had to produce three pieces of identification, such as a driver’s licence, birth certificate or passport.

“This information is then transmitted and stored in a police data base and available for use and transmissions by the police without any restriction and without any judicial oversight,” said Justice Kathryn Feldman said, writing on behalf of Associate Chief Justice Dennis O’Connor and Justice Paul Rouleau.

Store owners were required to send reports to police at least daily, in some cases at the time of purchase. The city argued the bylaw was meant to protect consumers from purchasing stolen goods.

But the municipality offered no evidence of a growing problem involving the sale of stolen goods to second-hand dealers, said Feldman.

Nor is there evidence that unscrupulous people are more likely to be deterred by the electronic collection and transmission of personal information, she said.

In 2003, Cash Converters purchased more than 28,000 used items from people in 2003. About 30 of those were seized by police in connection with criminal investigations.

It’s unknown whether any were confirmed as stolen, the court said.

The bylaw did not apply to pawn shops, which are provincially regulated.

See, also, James Daw's column: TheStar.com - columnists - New ruling stands up for privacy.

FBI audit finds widespread abuse in data collection

I find this article to be very interesting. An audit of the FBI's has revealed "widespread abuse" in connection with FBI collection of information in the course of investigations. Many would not be surprised. But read a litte further and you happen upon this nugget:

The vast majority of newly discovered violations were instances in which telephone companies and Internet providers gave agents phone and e-mail records the agents did not request and were not authorized to collect, the Post said.

While the FBI is seen as the bad guy in most of these articles, it's interesting that the ISPs and phone companies have been handing over loads of data about customers that law enforcement didn't even ask for nor were they authorized to ask for it. Shame on the FBI for keeping it, but worse for the ISPs and telcos.

See: FBI audit finds widespread abuse in data collection - Yahoo! News .

Fact sheet on the Terrorist Identities Datamart Environment

Interested to know more about US terrorism watch lists and how they are managed? The National Counterterrorism Center has produced the following fact sheet:

Fact sheet on the Terrorist Identities Datamart Environment

The Terrorist Identities Datamart Environment (TIDE) is the US Government’s (USG)
central repository of information on international terrorist identities. TIDE supports the
USG’s various terrorist screening systems or “watchlists” and the US Intelligence
Community’s overall counterterrorism mission. The Terrorist Identities Group (TIG),
located in NCTC’s Information Sharing & Knowledge Development Directorate (ISKD), is
responsible for building and maintaining TIDE.

The TIDE database includes, to the extent permitted by law, all information the U.S.
government possesses related to the identities of individuals known or appropriately
suspected to be or have been involved in activities constituting, in preparation for, in aid of,
or related to terrorism, with the exception of purely domestic terrorism information.

FRONTLINE: Spying on the home front

Update: The video of the full show is available online: http://www.pbs.org/wgbh/pages/frontline/homefront/view/.

Check out tonight's Frontline on PBS:

FRONTLINE: coming soon: spying on the home front PBS

Spying on the Home Front
coming May. 15, 2007 at 9pm (check local listings)

(60 minutes) FRONTLINE addresses an issue of major consequence for all Americans: Is the Bush administration's domestic war on terrorism jeopardizing our civil liberties? Reporter Hedrick Smith presents new material on how the National Security Agency's domestic surveillance program works and examines clashing viewpoints on whether the president has violated the Foreign Intelligence Surveillance Act (FISA) and infringed on constitutional protections. In another dramatic story, the program shows how the FBI vacuumed up records on 250,000 ordinary Americans who chose Las Vegas as the destination for their Christmas-New Year's holiday, and the subsequent revelation that the FBI has misused National Security Letters to gather information. Probing such projects as Total Information Awareness, and its little known successors, Smith discloses that even former government intelligence officials now worry that the combination of new security threats, advances in communications technologies, and radical interpretations of presidential authority may be threatening the privacy of Americans. (read the press release)

PRESS RELEASE

"So many people in America think this does not affect them. They've been convinced that these programs are only targeted at suspected terrorists. ... I think that's wrong. ... Our programs are not perfect, and it is inevitable that totally innocent Americans are going to be affected by these programs," former CIA senior attorney Suzanne Spaulding tells FRONTLINE correspondent Hedrick Smith in Spying on the Home Front, airing Tuesday, May 15, 2007, at 9 P.M. ET on PBS (check local listings) and available for viewing after broadcast at www.pbs.org/frontline.

9/11 has indelibly altered America in ways that people are now starting to earnestly question: not only perpetual orange alerts, barricades and body frisks at the airport, but greater government scrutiny of people's records and electronic surveillance of their communications. The watershed, officials tell FRONTLINE, was the government's shift after 9/11 to a strategy of pre-emption at home--not just prosecuting terrorists for breaking the law, but trying to find and stop them before they strike.

President Bush described his anti-terrorist measures as narrow and targeted, but a FRONTLINE investigation has found that the National Security Agency (NSA) has engaged in wiretapping and sifting Internet communications of millions of Americans: The FBI conducted a data sweep on 250,000 Las Vegas vacationers, and along with more than 50 other agencies, they are mining commercial-sector data banks to an unprecedented degree, and they have even been assigning suspicion ratings to anyone who travels across a U.S. border.

Even government officials with experience since 9/11 are nagged by anxiety about the jeopardy that a war without end against unseen terrorists poses to our way of life, our personal freedoms. "I always said, when I was in my position running counterterrorism operations for the FBI, `How much security do you want, and how many rights do you want to give up?'" Larry Mefford, former assistant FBI director, tells correspondent Smith. "I can give you more security, but I've got to take away some rights. ... Personally, I want to live in a country where you have a common-sense, fair balance, because I'm worried about people that are untrained, unsupervised, doing things with good intentions but, at the end of the day, harm our liberties."

Although the president told the nation that his NSA eavesdropping program was limited to known Al Qaeda agents or supporters abroad making calls into the U.S., comments of other administration officials and intelligence veterans indicate that the NSA cast its net far more widely. AT&T technician Mark Klein inadvertently discovered that the whole flow of Internet traffic in several AT&T operations centers was being regularly diverted to the NSA, a charge indirectly substantiated by John Yoo, the Justice Department lawyer who wrote the official legal memos legitimizing the president's warrantless wiretapping program. Yoo told FRONTLINE: "The government needs to have access to international communications so that it can try to find communications that are coming into the country where Al Qaeda's trying to send messages to cell members in the country. In order to do that, it does have to have access to communication networks."

Spying on the Home Front also looks at a massive FBI data sweep in December 2003. On a tip that Al Qaeda "might have an interest in Las Vegas" around New Year's 2004, the FBI demanded records from all hotels, airlines, rental car agencies, casinos and other businesses on every person who visited Las Vegas in the run-up to the holiday. Stephen Sprouse and Kristin Douglas of Kansas City, Missouri, object to being caught in the FBI dragnet in Las Vegas just because they happened to get married there at the wrong moment. Says Douglas, "I'm sure that the government does a lot of things that I don't know about, and I've always been OK with that--until I found out that I was included."

A check of all 250,000 Las Vegas visitors against terrorist watch lists turned up no known terrorist suspects or associates of suspects. The FBI told FRONTLINE that the records had been kept for more than two years, but have now all been destroyed.

"To simply say, you know, `as a matter of national security we need to know the name of every single person checking into your hotel at any given moment,'" says Alan Feldman, vice president of MGM Mirage, "that seems extremely unusual and, I think, extremely troubling."

In the broad reach of NSA eavesdropping, the massive FBI data sweep in Las Vegas, access to records gathered by private database companies that allows government agencies to avoid the limitations provided by the Privacy Act, and nearly 200 other government data-mining programs identified by the Government Accounting Office, experienced national security officials and government attorneys see a troubling and potentially dangerous collision between the strategy of pre-emption and the Fourth Amendment's protections against unreasonable search and seizure.

Peter Swire, a law professor and former White House privacy adviser to President Clinton, tells FRONTLINE that since 9/11 the government has been moving away from the traditional legal standard of investigations based on individual suspicion to generalized suspicion. The new standard, Swire says, is: "Check everybody. Everybody is a suspect."

Spying on the Home Front is a FRONTLINE co-production with Hedrick Smith Productions, Inc. Hedrick Smith is correspondent and senior producer. The program is produced and directed by Rick Young. FRONTLINE is produced by WGBH Boston and is broadcast nationwide on PBS. Funding for FRONTLINE is provided through the support of PBS viewers. Additional funding for FRONTLINE is provided by The Park Foundation. Additional funding for Spying on the Home Front is provided by The JEHT Foundation. FRONTLINE is closed-captioned for deaf and hard-of-hearing viewers and described for people who are blind or visually impaired by the Media Access Group at WGBH. FRONTLINE is a registered trademark of WGBH Educational Foundation. The FRONTLINE executive producer for special projects for is Michael Sullivan. The executive producer for FRONTLINE is David Fanning.

Narcotics diary of FBI agent on EBay

If you were smoking dope in New York between 1931 and 1959, your comings and goings may be detailed in a surveillance diary of a former FBI agent, which is being sold on EBay. It is apparently complete and unredacted. No name have been changed to protect the innocent or guilty. More: Boing Boing: EBay find: Narcotics diary of FBI agent, NYC, 1931-1959

Offsite surveillance in Halifax bar may set precedent

I was interviewed the other day by Chris Lambie of the Halifax Chronicle Herald in response to the recent decision to restore the liquor license of a well-known Halifax bar on the condition that it double its surveillance cameras and allow the feeds to be reviewed off-site by the police (See: Canadian Privacy Law Blog: Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system). I didn't realize that my comments would form its own article ...

Dome agreeing to let cops monitor patrons via in-house cameras could set precedent, privacy expert fears - Nova Scotia News - TheChronicleHerald.ca

By CHRIS LAMBIE Staff Reporter

Sun. Dec 30 - 5:27 AM

The decision to give law enforcement officials access to surveillance cameras at the Dome bar complex in downtown Halifax could mean other bars will be forced to do the same if they want to keep selling booze, says a privacy expert.

Authorities closed the Dome after a brawl early on Dec. 24 resulted in 38 arrests. The bar is back in business now, but only after it agreed to implement a long list of security measures, which include giving police and liquor inspectors full access to surveillance cameras at the premises or via the Internet.

"The biggest risk is this can become more common, and once you start doing that it’s very easy to extend it further and extend it further," said David Fraser, a privacy lawyer in Halifax.

"They see it work in once place and they extend it all over the place. And then it’s impossible to go out and have a drink without actually being watched by the police. A lot of people would get freaked out by that."

Once police and liquor inspectors get access to surveillance cameras in bars with a history of violence, authorities could make it mandatory in establishments with potential for problems, Mr. Fraser said.

"As these things become more normal or more standard, the less jarring it is for those who actually care about privacy.

"If you put a frog in a pot of cold water and you turn up the heat, it’s not going to jump out because it doesn’t notice the incremental changes."

There would be few limits on what authorities could do with the information they gather from surveillance cameras, Mr. Fraser said.

"It’s really no different than, theoretically, having a cop sitting at the bar or walking around the establishment. It’s just a whole lot more convenient and probably more pervasive."

Mr. Fraser said he’d be less likely to have a drink in a bar if he knew authorities could be watching.

"The idea of being watched at all has a psychological kind of a factor. For some people, it adds enough of a creep-out factor that, if you’re given the choice of two places that are otherwise identical, one has video surveillance which you know is being watched by cops and the other one doesn’t, regardless of whether or not you intend to do anything unlawful, you’d probably go to the place that was slightly less creepy. At least that would be my own inclination."

The more people watching surveillance cameras in bars, the more room there is for abuse, Mr. Fraser said.

"Sometimes on cable (TV) you’ll see these shows of weird things caught on surveillance," he said.

"Many of them come from the United Kingdom, where there’s pervasive surveillance by law enforcement. And people are making copies of these tapes when they see funny things. And you can tell, when you see how the cameras zoom, that they follow attractive women’s bottoms and things like that. Stuff like that really has the potential to be abused."

Police aren’t sure yet how they’ll use 64 surveillance cameras at the Dome.

"This is something new to us. We’ve never had access to their cameras, other than, as in any establishment, you would have after (a crime) for the purpose of investigation," Halifax Regional Police Supt. Don Spicer said after Friday’s Utility and Review Board hearing that reinstated the Dome’s liquor licence.

"So we really have to look at what we really will be doing with the access that we will be gaining."

There are signs outside the Dome indicating the bar is under video surveillance.

"When you go to a public place, which a bar is, and the signs are posted, I don’t think there will be any problems," said Environment and Labour Minister Mark Parent, who is responsible for the alcohol and gaming division.

The new camera system means liquor inspectors will be able to monitor the bar without being there, Mr. Parent said.

"That was something that the bar owner offered voluntarily and it makes our job that much easier," he said.

It does set a precedent "for bars like the Dome," Mr. Parent said.

"It clearly sends a signal to any other establishment that’s having problems that they need to take some dramatic steps."

At first, Mr. Parent said it’s not akin to the all-seeing Big Brother in George Orwell’s novel Nineteen Eighty-four.

"I guess Big Brother if you want to put it in that sense, if you’re out to do something wrong," he said. "If you’re not out to do something wrong, then I think you’d see it as a safeguard."

The cameras are "an effective low-cost tool because we don’t have the staffing to be everywhere at once," Mr. Parent said. "So I think the important thing is that notices are up so people know, so that it’s not a surprise to them."

Surveillance video could be used to both indict and clear people of any wrongdoing, he said.

"Certainly there are privacy concerns that need to be addressed," Mr. Parent said. "The tapes would need to be used only by official people. You’d have to be very careful how you used them and they would have to make sure that there was no abuse of that in any way. . . . It’s always a balance between public safety and public privacy."

Update: I was just interviewed by CBC Radio News here in Halifax on the story. Here's the piece:

Here, also, is the order of reinstatement from the Utility and Review Board of Nova Scotia.

Update: Here's a CBC online report: Police plans for Halifax bar surveillance cameras cause concerns.

Halifax bar gets liquor license back on condition that cops have off-site access to surveillance system

Early on Christmas Eve a huge brawl at one of Halifax's largest bars resulted in the suspension of the property's liquor license. After a hearing yesterday, the license was restored on a number of conditions. Among them, the bar has to double the number of surveillance cameras on the premises and has to provide liquor regulators and the police with real-time access via the internet.

This is a first in Nova Scotia, but likely not the last time we'll hear of this. Why not have them mandatory in all licensed establishments? In all hotels? Hmm. Drinking takes place in university residences, so maybe we should require police surveillance of those places? The thin edge of the wedge.

See: Buck-a-drink binge nights bite the dust: Dome gets liquor licence back with vow to hike prices, beef up security

Does the SWIFT incident expose PIPEDA's loopholes?

IT Business is running an article entitled SWIFT scandal exposes PIPEDA holes, in which the Privacy Commissioner of Canada and Phillipa Lawson of the Canadian Internet Policy and Public Interest Clinic lament that PIPEDA allows the disclosure of personal information without consent in response to a foreign subpoena.

(For some background, see my previous posts on SWIFT.)

Is this a loophole or something that should be remedied? Certainly the European Union thinks that disclosing European info in this way is not OK.

I'm not sure there is really anything that can be done about this, other than to keep data out of jurisdictions with laws that you consider offensive. Certainly, we have seen that the EU and some Canadian provinces think that the USA Patriot Act is overbroad and a threat to privacy. Unlike some public sector laws in Canada, PIPEDA is completely silent with respect to the export of personal information. But if data is in a jurisdiction with a lawful power to compel the production of that information, the practical impact of a foreign law is virtually nil. Particularly if the foreign law is as toothless as PIPEDA.

Practically speaking, the solution is really to keep those data warehouses out of those jurisdictions. While SWIFT is a European outfit, they had a data centre in the US that was within the lawful jurisdiction of the US authorities armed with subpoenas. As an international clearing system, it would obviously have to transmit some data back and forth between HQ and the US. But there doesn't seem to be any compelling argument to suggest that all that data should have been kept there.

Canada, with it's European-accepted privacy laws, would have been an ideal place to locate the SWIFT data centre. Miliseconds from New York and Brussels, but a world away from the US as far as privacy laws go. Any international company doing business with personal information in the United States really should think about this. What SWIFT did may have been completely lawful in the US, but it certainly has caused more than its fair share of headaches and has opened it up to potential liability in the EU.

FBI aims for world's largest biometrics database

This sort of stuff no longer surprises me, but this bit of the story on Yahoo! News is interesting:

FBI aims for world's largest biometrics database - Yahoo! News

... At an employer's request, the FBI will also retain the fingerprints of employees who have undergone criminal background checks, the paper said....

Federal Commissioner: SWIFT did not violate PIPEDA

Canada's Privacy Commissioner has wrapped up her investigation of the SWIFT information sharing fuss and has concluded that SWIFT is subject to PIPEDA but did not violate the law when it handed over Canadian information in response to US subpoenas.

From the Commissioner:

News Release: Privacy Commissioner concludes investigation of SWIFT (April 2, 2007)

Privacy Commissioner concludes investigation of SWIFT

Ottawa, April 2, 2007 —The Privacy Commissioner of Canada, Jennifer Stoddart, today announced the conclusion of her Office’s investigation of the Society for Worldwide Interbank Financial Telecommunication (SWIFT), a European-based financial cooperative, that supplies messaging services and interface software to a large number of financial institutions in more than 200 countries, including Canada.

In her Report of Findings, made public today, the Commissioner confirmed that SWIFT is subject to the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private sector privacy law, and that the organization did not contravene the Act when it complied with lawful subpoenas served outside the country and disclosed personal information about Canadians to foreign authorities. However, she emphasized that making use of existing information-sharing regimes, with built-in privacy protections, would allow for greater transparency for citizens.

Since her appointment, Ms. Stoddart has raised concerns about the personal information of Canadians flowing across borders. In her Report, the Commissioner stressed that organizations operating and connected in a substantial way to Canada are subject to PIPEDA and they must abide by the Act. “Simply because companies might operate in two or more jurisdictions does not relieve them of their obligations to comply with Canadian law,” said Ms. Stoddart.

It was alleged that SWIFT inappropriately disclosed to the US Department of Treasury (UST) personal information originating from or transferred to Canadian financial institutions. Ms. Stoddart launched a commissioner-initiated investigation into the matter to determine if there was a breach of PIPEDA, the federal law which covers the collection, use and disclosure of personal information in the course of commercial activities.

Following September 2001, the UST began issuing subpoenas to SWIFT for certain data held in SWIFT’s US-based operating centre. SWIFT obtained a series of privacy protections for the data it transferred to the UST.

In her Report, the Commissioner explained that PIPEDA allows an organization such as SWIFT to abide by the laws of other countries in which it operates. An organization that is subject to PIPEDA and that has moved personal information outside the country for business reasons may be required at times to disclose it to the legitimate authorities of that country. It is clear that in response to a valid subpoena issued by a court, person or body with jurisdiction to compel the production of information, an organization must disclose personal information and PIPEDA makes it permissible to comply with this obligation. The Commissioner stressed that multi-national organizations must comply with the laws of those jurisdictions in which they operate.

The Commissioner noted, however, that if US authorities need to obtain information about financial transactions that have a Canadian component, they should be encouraged to use existing information mechanisms that have some degree of transparency and built-in privacy protections. Accordingly, she signaled her intent to ask Canadian officials to work with their US counterparts to persuade them to use Canadian anti-money laundering and anti-terrorism financing mechanisms instead of the subpoena route.

“These alternate avenues would allow far greater Canadian involvement in the scrutiny of personal information and would better respect the value we give privacy protection,” said Ms. Stoddart. “Democratic societies must ensure that the fundamental rights and freedoms of the individual are respected to the extent possible, including the right to the protection of personal information.”

In addition to its investigation of SWIFT, the Privacy Commissioner’s Office also received complaints against six Canadian financial institutions and conducted an investigation into their involvement in the matter.

The Office reviewed the contractual documentation that exists between SWIFT and the banks, and concluded that the banks are meeting their obligations under the PIPEDA, noting that when an organization that contracts with a firm that operates both within and outside of Canada, it must respond to lawfully issued subpoenas in other jurisdictions as well as in Canada, and PIPEDA permits this.

Moreover, she found that each of the banks has very clear language in their privacy policies. These policies inform customers that the banks may send their personal information out of the country for certain purposes and that while such information is out of the country, it is subject to the laws of the country in which it is held.

The Privacy Commissioner of Canada is mandated by Parliament to act as an ombudsman, advocate and guardian of the privacy and protection of personal information rights of Canadians.

View the Executive Summary.

View the Commissioner’s full Report of Findings.

View the PIPEDA case summary relating to the investigations of the banksView the Commissioner’s June 2006 news release and August 2006 news release on this issue.

Atlantic Canadian RCMP say search warrants are a time consuming hurdle

The Royal Canadian Mounted Police in Atlantic Canada are complaining that the two major internet service providers in the region are requiring that police get a warrant before handing over customer information. The ISPs are of the view (correctly in my opinion) that the Personal Information Protection and Electronic Documents Act prevents them from disclosing subscriber information without a warrant.

CBC: Search warrants for child porn too slow, say RCMP

Child pornography investigations in Atlantic Canada are being held up by internet service providers who require search warrants before providing customer information, say RCMP.

In some parts of Canada, internet service providers will hand over information such as the name, address and phone number of a customer being investigated by police.

Const. Blair Ross, who works on child pornography cases on P.E.I., told CBC News Tuesday RCMP are short-staffed already, and getting a search warrant can take days or even weeks.

"As it stands here now in Atlantic Canada, the internet providers will not provide that unless we obtain judicial authorization, in other words, a warrant," said Ross.

"So before we even begin to investigate we have that hurdle to jump over, which is time consuming."

Protecting customer privacy

But the region's two main internet companies say they are concerned about customer privacy, and particularly legislation they are required to operate under. Both Aliant and Eastlink say if someone is in imminent danger the company will provide its customers' information right away, but most of the time police must have a warrant. Eastlink spokeswoman Paula Sibley said her company is aware some other Canadian ISPs require only a letter of request from police.

"We're not necessarily opposed to seeing things move in that direction," said Sibley.

"However, with the existing legislation that's in place, and also privacy legislation that we have to operate under, we've chosen to continue to ask for a warrant." Ross said RCMP could spend more time finding people involved with child pornography if ISPs provided information more quickly.

Then there's also the issue of the Canadian Charter of Rights and Freedoms, which at least in a recent case from Ontario, prevents law enforcement from using the information if it was obtained without a warrant. (See yesterday's post: Canadian Privacy Law Blog: Ontario Court considers warrantless requests for subscriber information.)

From my understanding of how child exploitation and child pornography investigations are usually carried out, the first contact with a suspected offender yields more than enough information to get a warrant. In R. v. Kwok (referred to in Ontario Court considers warrantless requests for subscriber information), the defendant sent the police officer photos that were clearly child pornography. There was no suggestion that the defendant was currently abusing a child, so no exigent circumstances existed. Had a warrant been sought, I have no doubt it would have been issued in that case. That information would probably have been enough to secure the ultimate conviction of the offender.

I have a serious concern with the following statement:

"So before we even begin to investigate we have that hurdle to jump over, which is time consuming."

To begin with, the Charter is not a "hurdle". It's there for a reason and that reason isn't to make life more convenient for agents of the state to get into people's personal information. And secondly, this suggests the police are looking for personal information before they begin an investigation. I appreciate the importance of investigations of this type, but it seems they should always have reasonable grounds to believe an offence has taken place and that the information they are seeking will lead to the identity of the offender before seeking personal information. The alternative is an unacceptable fishing expedition.

Note: The above are my own opinions and not those of any organization I may be associated with or represent.

Ontario Court considers warrantless requests for subscriber information

There's been a lot of debate over whether PIPEDA permits a commercial entity, such as an ISP, to provide certain identifying information to law enforcement without a warrant. Most of the debate centers around section 7(3)(c.1) of PIPEDA, which reads:

(3) For the purpose of clause 4.3 of Schedule 1, and despite the note that
accompanies that clause, an organization may disclose personal information
without the knowledge or consent of the individual only if the disclosure
is ...

(c.1) made to a government institution or part of a
government institution that has made a request for the information, identified
its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the
defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law, or

(iii) the disclosure is requested for the purpose of administering
any law of Canada or a province;

Some are of the view that "lawful authority" means a lawful investigation and that an organization is able to disclose certain information without consent under PIPEDA. Some take the erroneous view that PIPEDA actually authorizes the disclosure, which is not the case at all. This error is compounded by law enforcement who refer to "PIPEDA letters" demanding information from internet service providers in connection with child exploitation investigations.

The Ontario Court of Justice, in an unpublished decision that I understand is under appeal, recently considered the impact of a request by law enforcement for ISP subscriber information. In R. v. Kwok, police officers went online and convinced an unidentified person to provide child pornography to the undercover officer. Using usual techniques, the cops determined the IP address of the suspect and sent a letter to the ISP requesting the billing information associated with the account. The officer testified that he had not read PIPEDA, but understood from an e-mail from the RCMP Commissioner that PIPEDA authorizes such disclosures and these letters should be used to facilitate access to information. Prior to PIPEDA, the officer testified, they routinely sought warrants for this sort of information. The letter used in this case, not surprisingly, cited PIPEDA. The ISP provided the information and an arrest was subsequently made.

The defendant made an application to have the evidence thrown out as it was unlawfully obtained and the Court agreed. The Court held that even if PIPEDA permits access to this information by law enforcement, it is contrary to the Charter for the police to obtain it in this manner.

From Paragraph 35 of the decision:

"The subscriber, in this case, in my view, and based on my reading of the authorities, has an expectation of privacy in respect of this personal information [name and address]. The investigation of these types of crimes is essential and important, but there must always be the proper balancing of the procedures used by the police and the right of citizens to be free from unreasonable search and seizure. Shortcuts, such as set out in s. 7(3)(c) of PIPEDA in the circumstances of this case must be used with great caution, given the notions of freedom and democracy we come to expect in our community. In my view, the police should have procured a warrant to obtain the subscriber information, that is the name and address of the Applicant, in this case, as I have found the name and address is information from which intimate personal details of lifestyle and choices can be obtained. I therefore find there has been a s. 8 violation."

The copy of the decision that I've obtained (R. v. Kwok) is marked "draft" and I haven't been able to find it online. I understand it is under appeal and hopefully the Court of Appeal can clarify what s. 7(3)(c) actually means and whether companies can provide the police with customer information without a warrant. I also hope that the Court will clarify that PIPEDA does not give anyone -- agents of the state in particular -- increased access to personal information, but the reverse.

Note: I've blogged about this topic on a number of occasions. For some background, see http://www.privacylawyer.ca/blog/labels/warrants.html.

Law enforcement access to personal information

Today I had the privilege of speaking at the annual professional development event of the Nova Scotia Criminal Lawyers Association, in association with the Nova Scotia Barristers' Society. The theme of the conference was very privacy-centric: Listening, Snooping and Searching: What's Right, What's Wrong.

I was also privileged to speak alongside S/Sgt Al Langille of the RCMP's integrated technology crime unit. He is a thirty-year veteran of law enforcement, including fifteen in technology crimes and computer forensics. A great guy and very privacy conscious.

My presentation, for those who may be interested, is here: http://docs.google.com/Presentation?id=ddpx56cg_48hcdnqv.

Cellphone Tracking Powers on Request

The Washington Post has an article on how, in some cases, law enforcement in the US is getting access to real-time tracking information about suspects' cell phones, without warrants or without probable cause. I was particularly reminded of some of the debate over lawful access in Canada:

Cellphone Tracking Powers on Request - washingtonpost.com

Cellphone Tracking Powers on RequestSecret Warrants Granted Without Probable Cause

By Ellen Nakashima

Washington Post Staff Writer

Friday, November 23, 2007; A01

Federal officials are routinely asking courts to order cellphone companies to furnish real-time tracking data so they can pinpoint the whereabouts of drug traffickers, fugitives and other criminal suspects, according to judges and industry lawyers.

In some cases, judges have granted the requests without requiring the government to demonstrate that there is probable cause to believe that a crime is taking place or that the inquiry will yield evidence of a crime. Privacy advocates fear such a practice may expose average Americans to a new level of government scrutiny of their daily lives.

Such requests run counter to the Justice Department's internal recommendation that federal prosecutors seek warrants based on probable cause to obtain precise location data in private areas. The requests and orders are sealed at the government's request, so it is difficult to know how often the orders are issued or denied.

The issue is taking on greater relevance as wireless carriers are racing to offer sleek services that allow cellphone users to know with the touch of a button where their friends or families are. The companies are hoping to recoup investments they have made to meet a federal mandate to provide enhanced 911 (E911) location tracking. Sprint Nextel, for instance, boasts that its "loopt" service even sends an alert when a friend is near, "putting an end to missed connections in the mall, at the movies or around town."

With Verizon's Chaperone service, parents can set up a "geofence" around, say, a few city blocks and receive an automatic text message if their child, holding the cellphone, travels outside that area.

"Most people don't realize it, but they're carrying a tracking device in their pocket," said Kevin Bankston of the privacy advocacy group Electronic Frontier Foundation. "Cellphones can reveal very precise information about your location, and yet legal protections are very much up in the air."

In a stinging opinion this month, a federal judge in Texas denied a request by a Drug Enforcement Administration agent for data that would identify a drug trafficker's phone location by using the carrier's E911 tracking capability. E911 tracking systems read signals sent to satellites from a phone's Global Positioning System (GPS) chip or triangulated radio signals sent from phones to cell towers. Magistrate Judge Brian L. Owsley, of the Corpus Christi division of the Southern District of Texas, said the agent's affidavit failed to focus on "specifics necessary to establish probable cause, such as relevant dates, names and places."

Owsley decided to publish his opinion, which explained that the agent failed to provide "sufficient specific information to support the assertion" that the phone was being used in "criminal" activity. Instead, Owsley wrote, the agent simply alleged that the subject trafficked in narcotics and used the phone to do so. The agent stated that the DEA had " 'identified' or 'determined' certain matters," Owsley wrote, but "these identifications, determinations or revelations are not facts, but simply conclusions by the agency."

Instead of seeking warrants based on probable cause, some federal prosecutors are applying for orders based on a standard lower than probable cause derived from two statutes: the Stored Communications Act and the Pen Register Statute, according to judges and industry lawyers. The orders are typically issued by magistrate judges in U.S. district courts, who often handle applications for search warrants.

In one case last month in a southwestern state, an FBI agent obtained precise location data with a court order based on the lower standard, citing "specific and articulable facts" showing reasonable grounds to believe the data are "relevant to an ongoing criminal investigation," said Al Gidari, a partner at Perkins Coie in Seattle, who reviews data requests for carriers.

Another magistrate judge, who has denied about a dozen such requests in the past six months, said some agents attach affidavits to their applications that merely assert that the evidence offered is "consistent with the probable cause standard" of Rule 41 of the Federal Rules of Criminal Procedure. The judge spoke on condition of anonymity because of the sensitivity of the issue.

"Law enforcement routinely now requests carriers to continuously 'ping' wireless devices of suspects to locate them when a call is not being made . . . so law enforcement can triangulate the precise location of a device and [seek] the location of all associates communicating with a target," wrote Christopher Guttman-McCabe, vice president of regulatory affairs for CTIA -- the Wireless Association, in a July comment to the Federal Communications Commission. He said the "lack of a consistent legal standard for tracking a user's location has made it difficult for carriers to comply" with law enforcement agencies' demands.

Gidari, who also represents CTIA, said he has never seen such a request that was based on probable cause.

Justice Department spokesman Dean Boyd said field attorneys should follow the department's policy. "We strongly recommend that prosecutors in the field obtain a warrant based on probable cause" to get location data "in a private area not accessible to the public," he said. "When we become aware of situations where this has not occurred, we contact the field office and discuss the matter."

The phone data can home in on a target to within about 30 feet, experts said.

Federal agents used exact real-time data in October 2006 to track a serial killer in Florida who was linked to at least six murders in four states, including that of a University of Virginia graduate student, whose body was found along the Blue Ridge Parkway. The killer died in a police shooting in Florida as he was attempting to flee.

"Law enforcement has absolutely no interest in tracking the locations of law-abiding citizens. None whatsoever," Boyd said. "What we're doing is going through the courts to lawfully obtain data that will help us locate criminal targets, sometimes in cases where lives are literally hanging in the balance, such as a child abduction or serial murderer on the loose."

In many cases, orders are being issued for cell-tower site data, which are less precise than the data derived from E911 signals. While the E911 technology could possibly tell officers what building a suspect was in, cell-tower site data give an area that could range from about three to 300 square miles.

Since 2005, federal magistrate judges in at least 17 cases have denied federal requests for the less-precise cellphone tracking data absent a demonstration of probable cause that a crime is being committed. Some went out of their way to issue published opinions in these otherwise sealed cases.

"Permitting surreptitious conversion of a cellphone into a tracking device without probable cause raises serious Fourth Amendment concerns especially when the phone is in a house or other place where privacy is reasonably expected," said Judge Stephen William Smith of the Southern District of Texas, whose 2005 opinion on the matter was among the first published.

But judges in a majority of districts have ruled otherwise on this issue, Boyd said. Shortly after Smith issued his decision, a magistrate judge in the same district approved a federal request for cell-tower data without requiring probable cause. And in December 2005, Magistrate Judge Gabriel W. Gorenstein of the Southern District of New York, approving a request for cell-site data, wrote that because the government did not install the "tracking device" and the user chose to carry the phone and permit transmission of its information to a carrier, no warrant was needed.

These judges are issuing orders based on the lower standard, requiring a showing of "specific and articulable facts" showing reasonable grounds to believe the data will be "relevant and material" to a criminal investigation.

Boyd said the government believes this standard is sufficient for cell-site data. "This type of location information, which even in the best case only narrows a suspect's location to an area of several city blocks, is routinely generated, used and retained by wireless carriers in the normal course of business," he said.

The trend's secrecy is troubling, privacy advocates said. No government body tracks the number of cellphone location orders sought or obtained. Congressional oversight in this area is lacking, they said. And precise location data will be easier to get if the Federal Communication Commission adopts a Justice Department proposal to make the most detailed GPS data available automatically.

Often, Gidari said, federal agents tell a carrier they need real-time tracking data in an emergency but fail to follow up with the required court approval. Justice Department officials said to the best of their knowledge, agents are obtaining court approval unless the carriersprovide the data voluntarily.

To guard against abuse, Congress should require comprehensive reporting to the court and to Congress about how and how often the emergency authority is used, said John Morris, senior counsel for the Center for Democracy and Technology.

Staff researcher Richard Drezen contributed to this report.

FBI confirms contracts with telcos for providing customer info

This is interesting.... From WIRED Blogs: 27B Stroke 6

FBI Confirms Contracts with AT&T, Verizon and MCI

The FBI's general counsel, Valerie Caproni, testified today on Capitol Hill that the FBI entered into contracts with AT&T, Verizon and MCI to harvest phone records on American citizens under a national security letter program that has come under fire from Congress and the Justice Department's Office of Inspector General for circumventing privacy laws.

Caproni confirmed during a House Judiciary hearing that AT&T and Verizon, which bought MCI in 2005, had and continue to have contracts with the FBI that compensate phone companies for turning over the toll records of customers connected to counterterroism investigations. The telecoms entered into the contracts in May 2003, according to the report issued last week by the DoJ Inspector General.

"The contract essentially pays for the man hours or the personnel cost for the people who have to do the work," said FBI Assistant Director John Miller in an interview with Wired News last night. "We want dedicated people who handle our requests or do nothing else."

Librarians to talk about Patriot Act challenge in Vermont

Seven Days, the Vermont alternative web weekly is running a preview of a presentation to be given by Peter Chase and George Christian later this month. Both are librarians who were on the receiving end of national security letters under the USA Patriot Act and fought them with the assistance of the ACLU.

If I get my hands on the presentation materials, I'll post them here.

Seven Days: Librarians, No Longer Gagged, Detail Patriot Act Abuses

WINDSOR, CT — In September 2003, then-U.S. Attorney General John Ashcroft ridiculed the American Library Association for its “breathless reports and baseless hysteria” about a USA PATRIOT Act provision that allows FBI agents to search library records without a warrant. Until he left office in early 2005, Ashcroft repeatedly denied that the feds were snooping into Americans’ reading habits and computer activities.

In July 2005, Peter Chase and George Christian discovered firsthand that Ashcroft was lying. They couldn’t tell anyone, though — not friends, co-workers or family members — even as Congress debated the Patriot Act’s reauthorization.

Christian is executive director of the Library Connection, a nonprofit consortium in Windsor, Connecticut. Chase is president of the group’s executive committee and director of one of its 27 member libraries. An eight-month gag order prevented them from disclosing that they’d received a “national security letter” from the FBI seeking confidential library computer records.

“We were shocked,” Chase recalls. “None of us had ever heard of a national security letter before.”

....

Chase and Christian, along with fellow committee members Barbara Bailey and Janet Nocek, decided to fight the warrantless search. Though the librarians were never told why the FBI wanted their files, a federal prosecutor later disclosed that it was a matter of “domestic surveillance.”

The Connecticut librarians have since been released from their gag order. On March 20, they’ll speak at the University of Vermont about how they fought the Patriot Act — and won. Civil libertarians say their case is a chilling example of the threats to privacy rights in the post-9/11 era.

“My initial twinge in opposing [the FBI] was that I was aiding and abetting a catastrophe,” recalls Christian. “But right away, I could glean that they weren’t worried that someone was going to cause a catastrophic event tomorrow.” The letter, he notes, was dated two months earlier, and the records the FBI wanted were six months old. In Connecticut, as in 47 other states, library records are protected by law.

Vermont’s own protections for library records aren’t as strong as those in other states, notes Trina Magi, who chairs Vermont’s Intellectual Freedom Committee. Though library records are exempt from the open-records law, she says, nothing explicitly prevents librarians from disclosing them. Moreover, last year’s Patriot Act reauthorization did nothing to alleviate librarians’ concerns.

“What people read at libraries is confidential,” Chase argues. “People should feel free to come to the library and look up whatever information they need, without thinking that Big Brother is looking over their shoulder.”

In August 2005, the Connecticut librarians sued the federal government, with help from the ACLU. Initially, they were collectively known as “John Doe.” However, because of sloppy redacting of court records by government attorneys, Christian’s and Chase’s identities were made public, and reporters soon came calling.

...

Even after the librarians’ names were known, the gag order still barred them from discussing their case. Those restrictions reached absurd proportions. When the government asserted that the librarians’ presence in federal court in Bridgeport raised a “national security issue,” they had to watch the proceedings on closed-circuit TV from a locked courtroom in Hartford. When an appeal was heard in federal court in Manhattan, the librarians were allowed to attend but were prohibited from entering the courtroom together, sitting together, speaking to each other, or making eye contact with their attorneys.

Tellingly, the librarians were released from the document request and gag order shortly after the Patriot Act was reauthorized in March 2006. Once the government dropped its appeal, the librarians lost their legal standing to challenge the statute’s constitutionality.

Today, Christian is troubled by how many Americans have apparently complied with NSL requests. “I’m trying to figure out in my mind how 30,000 NSLs can be issued each year,” he says, “and in five years only two people have said, ‘I don’t think so.’”

Peter Chase and George Christian give a lecture titled "Gagged by the Government: Two Librarians Tell How They Resisted the USA PATRIOT Act." Tuesday, March 20, 3:30-5 p.m. Bailey Howe Library, University of Vermont. Free. Info, 656-5723.

The Shocking Truth! Comcast manual suggests it takes privacy seriously

I thought this was interesting and a sign of the times in the US ...

It is now newsworthy that a confidential manual from Comcast written to assist law enforcement in properly requesting customer information suggests they take privacy seriously! I'll repeat: they appear to take customer privacy seriously. Declan McCullagh has more: Secret manual shows Comcast (gasp!) protects customers' privacy The Iconoclast - politics, law, and technology - CNET News.com.

US DOJ audit discloses abuses of National Security Letter powers

This probably isn't a big surprise to a lot of people, but I'm surprised to see it publicly disclosed:

Mueller Admits Fault in FBI Intrusions

Mar 9, 8:33 PM EST

By LARA JAKES JORDAN

Associated Press Writer

WASHINGTON (AP) -- The nation's top two law enforcement officials acknowledged Friday the FBI broke the law to secretly pry out personal information about Americans. They apologized and vowed to prevent further illegal intrusions.

Attorney General Alberto Gonzales left open the possibility of pursuing criminal charges against FBI agents or lawyers who improperly used the USA Patriot Act in pursuit of suspected terrorists and spies.

The FBI's transgressions were spelled out in a damning 126-page audit by Justice Department Inspector General Glenn A. Fine. He found that agents sometimes demanded personal data on people without official authorization, and in other cases improperly obtained telephone records in non-emergency circumstances.

The audit also concluded that the FBI for three years underreported to Congress how often it used national security letters to ask businesses to turn over customer data. The letters are administrative subpoenas that do not require a judge's approval.

"People have to believe in what we say," Gonzales said. "And so I think this was very upsetting to me. And it's frustrating."

"We have some work to do to reassure members of Congress and the American people that we are serious about being responsible in the exercise of these authorities," he said.

Under the Patriot Act, the national security letters give the FBI authority to demand that telephone companies, Internet service providers, banks, credit bureaus and other businesses produce personal records about their customers or subscribers. About three-fourths of the letters issued between 2003 and 2005 involved counterterror cases, with the rest for espionage investigations, the audit reported.

...

FBI Director Robert S. Mueller said many of the problems were being fixed, including by building a better internal data collection system and training employees on the limits of their authority. The FBI has also scrapped the use of "exigent letters," which were used to gather information without the signed permission of an authorized official.

...

The American Civil Liberties Union said the audit proves Congress must amend the Patriot Act to require judicial approval anytime the FBI wants access to sensitive personal information.

...

Both Gonzales and Mueller called the national security letters vital tools in pursuing terrorists and spies in the United States. "They are the bread and butter of our investigations," Mueller said.

...

In 2000, for example, the FBI issued an estimated 8,500 requests. That number peaked in 2004 with 56,000. Overall, the FBI reported issuing 143,074 requests in national security letters between 2003 and 2005.

But that did not include an additional 8,850 requests that were never recorded in the FBI's database, the audit found. A sample review of 77 case files at four FBI field offices showed that agents had underreported the number of national security letter requests by about 22 percent.

Additionally, the audit found, the FBI identified 26 possible violations in its use of the letters, including failing to get proper authorization, making improper requests under the law and unauthorized collection of telephone or Internet e-mail records.

The FBI also used exigent letters to quickly get information - sometimes in non-emergency situations - without going through proper channels. In at least 700 cases, these letters were sent to three telephone companies to get billing records and subscriber information, the audit found.

---

On the Net:

The report is at: http://www.usdoj.gov/oig/reports/FBI/index.htm

Justice Department: http://www.usdoj.gov

FBI: http://www.fbi.gov