In the Dark

Hi and thanks for listening. This is Jenn Baptie, and you’re listening to ‘In The Dark’. Today I will investigate Canada’s evolving internet privacy laws, and how little they are actually aimed at protecting us. My plan is to uncover exactly what the two main privacy bills mean for you.

“We are inQUERY” audio intro.

So, let’s start with a little story. I assume that by now most people have heard of Amanda Todd, the 15-year-old cyberbullying victim from British Columbia. For those who don’t, she sent intimate photos to a boy over the internet, trusting that they would be kept private. The photos weren’t kept private. Schoolmates circulated the photos over the internet, and even after changing schools, her bullies followed her. She was harassed both at school and over social media, until she finally commit suicide in 2012.

Most of us know of her story. It was plastered all over the media for weeks. I myself remember being really upset when I heard that she killed herself, because I was bullied all through grade school and it wasn’t fun. If she killed herself, it must have been downright torturous. I used to think I had it bad. But the story that no news reporter ever told, was the story of how then-Prime Minister Stephen Harper made an example out of the Todd suicide, as well as a few others, and used them as reason for why lawful access laws should be passed.

What is lawful access? Basically, that means that the government would have full access to your private internet data, including what you search, what you read, watch and say on the internet, and from where, without a warrant, and without your permission, or even your knowledge that your privacy has been breached.

Bill C-13, formally known as the “Protecting Canadians from Online Crime Act” but informally known as the Cyberbullying Bill, is a lawful access law.

Harper has tried to pass lawful access laws before, starting in 2005, but until late 2014 his attempts were denied (Wikipedia). Bill C-13 was first tabled in early 2013, represented to the media as a bill that will combat cyberbullying and inspired by a few recent cyberbullying victims, like Todd, who committed suicide (Puzic 2015).

After civilians protested parts of the bill that violate personal privacy, the first attempt to pass it was denied. It was re-tabled in November 2013, and despite the Supreme Court Ruling in 2014 that “internet users have a reasonable expectation of privacy in their subscriber information” (Geist “Government Rejects”), the Harper Government kept pushing until it was eventually passed.

The cyberbullying section of Bill C-13 is actually fantastic, it makes the distribution of intimate images without permission illegal (openparliament). It also adds amendments that allow the removal of any images from the internet and allows the confiscation of the device(s) used to distribute the images (openparliament). It also puts restrictions on anyone convicted of violated the criminal code under Bill C-13 from using a computer or the internet (open parliament).

But that is just one section of the bill. The problem is, the rest of the bill focuses on giving government officials access to a suspect’s internet data, including their location and any online transactions, without a warrant (open parliament). It gives the police more investigative power than they already have. If there are “reasonable grounds for suspicion”, the police can get a warrant and, without your consent, obtain your personal internet data (Puzic 2014). Piece of cake.

Bill C-13 also gives telecom companies and internet service providers like Rogers, Bell and TekSavvy full immunity from any civil or criminal liability when giving law enforcement personal information about their customers without a warrant (Geist “Why the Government’s”). This would happen when there’s an investigation, for, say, a contract breach or alleged legal violation (Geist “Why the Government’s”).

The company can request that the police get a warrant before giving their subscriber’s information away, but Professor Michael Geist of the University of Ottawa said in an article with the Toronto Star, that companies are more likely to disclose the information without a warrant because, hey, Bill C-13 gives them the immunity (Geist “Why the Government’s”).

There are no legal risks if they don’t require a warrant, and they don’t even have to tell the individual their private information was given out (Geist “Why the Government’s”). It could be happening to you, right now, and you wouldn’t even know it.

It also creates new production orders for “transmission data” and “tracking data’, which can be accessed by authorities if there is “reasonable suspicion” (Austin, L. et al 2014). Authorities only need to suspect that an offense has or will be committed, and that the transmission data will help in the investigation, to get your personal information (Austin, L. et al 2014). These standards of suspicion are much lower than usual requirements for obtaining a search warrant (Austin, L. et al 2014).

The entire Toronto Star article, titled “Bill C-13 has little to do with cyberbullying”, is linked in my transcript below: (http://www.thestar.com/opinion/commentary/2014/11/22/bill_c13_has_little_to_do_with_cyberbullying.html).

Carol Todd, Amanda Todd’s mother, agrees with the part of the bill that addresses cyberbullying, but she openly disagrees with the sections that violate our privacy (Puzic 2015). She told a Commons Justice committee in May of 2014 that, “we should not have to choose between privacy and our safety” (Puzic 2015). She also said, “We should not have to sacrifice our children’s privacy rights to make them safe from cyberbullying, sextortion and revenge pornography” (Pedwell 2014).

And she’s right, we shouldn’t.

More troubling than this bill, though, is another bill that not many people know about. It’s had less publicity, and Harper himself tried to pass it under the radar. Bill S-4, otherwise known as the Digital Privacy Act, is troubling on its own, but even more so when paired with Bill C-13. First, let’s look at what S-4 it actually means.

Basically, Bill S-4 features, among other things, what Michael Geist calls “long overdue data breach disclosure rules” (Geist “Breach shows holes”). These rules require organizations like Rogers or Bell or TekSavvy to notify their individual subscribers when their personal information is lost or stolen through a data breach or security breach (Geist “Breach shows holes”). Sounds great, right? And if they don’t tell affected customers, there are tough penalties (Geist “Breach shows holes”). But the notification standards are so high that most of the breaches and security issues are kept confidential (Geist “Breach shows holes”).

So, of course, whenever we take two steps forward we seem to then take four steps back. Even though it was represented to the media as a bill that would protect Canadians from identity theft and privacy breaches when surfing the web and shopping online (Tencer “Bill S-4 Passes”), Bill S-4 gives telecom companies and internet service providers like Rogers, Bell and TekSavvy full immunity from any civil or criminal liability when giving not only law enforcement personal information about their customers without a warrant, but anyone (Geist “Why the Government’s”).

If there is an investigation of a breach of an agreement or legal violation, the organization can disclose their subscriber’s information without a warrant, consent or even notifying the individual (Geist “Why The Government’s”). It could be happening to you, right now, and you wouldn’t know it.

In my transcript below is a link to the full Toronto Star article, titled “Why the government’s new Digital Privacy Act puts your privacy at risk”: (http://www.thestar.com/business/2014/04/11/why_the_governments_new_digital_privacy_act_puts_your_privacy_at_risk.html).

In more detail, Bill S-4 applies amendments to PIPEDA, the Personal Information Protection and Electronic Documents Act. According to the 2013 Report of the Standing Committee on Access Information, Privacy and Ethics by M.P. Chair Pierre-Luc Dusseault, PIPEDA is the “primary piece of legislation” for protecting an individual’s privacy regarding social media companies, and other privately run organizations (1).

Within PIPEDA are ground rules for private organizations managing personal information and attempts to balance the individual’s right to privacy and an organization’s need to collect, use and disclose personal information (1). PIPEDA limits the organization’s use, collection and disclosure of personal information to what “a reasonable person would consider appropriate in the circumstances” (2). It does not, however, say what “a reasonable person would consider appropriate in the circumstances” (2). The amendments that Bill S-4 made to PIPEDA are official as of June 18th 2015.

Now, section 6.1 of PIPEDA, concerning changes to consent, is revised to clarify that an individual can only give consent to an organization for the collection, use or disclosure of their personal information if the individual giving the consent understands for what purpose their information will be used (Gratton 2015). This section aims to make sure that individuals understand the ramifications of sharing their information with organizations and why (Gratton 2015)

New sections 7 (3)(d.1) to (d.3) allow an organization to disclose their customer’s personal information without the individual’s knowledge or consent for an investigation of an agreement breach, dispute of federal or provincial law, or to detect or prevent fraud, but only when getting consent from the individual may compromise the investigation (Gratton 2015). They also don’t need consent if the disclosure is for a government institution, for their next of kin or authorized representative, or if there is reason to believe that financial abuse has occurred and getting the customer’s consent would compromise the investigation (Gratton 2015).

There are other sections on the disclosure of business transactions as well, and then there are sections on breach notification requirements that are not yet in effect (Gratton 2015).

Sections 10.1 through 10.3 all concern breach notifications. They require organizations to tell individuals as well as the Office of the Privacy Commissioner of Canada, about data breaches, if it is “reasonable in the circumstances to believe that the breach creates a real risk of significant harm to an individual” (Gratton 2015).

These sections also outline what “significant harm” is, being “bodily harm, humiliation, damage to their reputation or relationships, loss of employment, financial loss, identity theft” and more (Gratton 2015), as well as the very specific factors for deciding whether there is a “real risk” of significant harm. The sensitivity of the information, the likelihood of it being misused, and more, has to be considered (Cameron, A. and Aylwin, A. 2015). In actuality, most of the time companies will err on the side of caution in borderline cases, and not notify their customers (Geist “Breach shows holes”).

Section 10.3 of PIPEDA states that a record of all security breaches must be kept by each company like Rogers or TekSavvy, so that if the Privacy Commissioner asks, copies can be provided (PIPEDA 2015). But because organizations don’t have to notify the Privacy Commissioner of material data breaches and only provide the records if asked (Gratton 2015), the Commissioner won’t even know about borderline cases, which often leaves Canadians in the dark, unaware of data breaches or security risks (Geist “Breach shows holes”).

In my transcript below is the link to the Borden Ladner and Gervais article by Éloïse Gratton on the changes that Bill S-4 makes to PIPEDA, if you are interested in reading more: ( http://www.blg.com/en/newsandpublications/publication_4153 ).

In addition, in my transcript below is the link to the PDF version of PIPEDA, published by the Minister of Justice, last amended on June 23rd, 2015 but current to November 24th 2015 if you are interested in reading more: (http://laws-lois.justice.gc.ca/PDF/P-8.6.pdf).

Meanwhile, in California, data breaches are disclosed for “any breach of unencrypted personal information reasonably believed to have been acquired by an unauthorized person” (Geist “Breach shows holes”) – standards that are much lower than here in Canada, and seem to be aimed at keeping the individual safe from a privacy breach instead of keeping the government or the company supplying the internet service safe from a possible lawsuit.

When I asked my research class tutorial how many people had ever heard of Bill S-4, the Digital Privacy Act, only three hands went up – one of which was my professor’s. Three hands out of how many, 15 people? 20? At best, not including my professor, of course, that is 13%. We are University students, we spend a considerable amount of time on our laptops and phones both for school and on social media, etc. so how on earth did only 13% of my class know about this bill? Easy: Stephen harper tried to pass this bill quickly so as to not attract the media’s attention, knowing that lawful access bills are not an easy pass.

When looking at primary data, I Googled “Bill S-4”, and in 15 pages of results, I found roughly 25 articles either belonging to some sort of online or print newspaper, about the bill and what it means for Canadians. Results included articles with CBC, CTV, Huff Post, Smart & Biggar, the Toronto Star, and the Vancouver Sun. But that was just 25 articles.

I then googled “bill s-4 digital privacy act” and found even more results than when I just searched “bill s-4”, everything from government documents to articles to essays to blogs, like the many blogs written by Professor Michael Geist of the University of Ottawa.

So many people have written about these bills and all have similar things to say. Almost every article and blog entry I read said basically the same thing. They outlined the gist of what the bills mean, articles on Bill C-13 often mentioned Amanda Todd while some articles about Bill S-4 briefly mentioned the R.v. Spencer case, where a man’s internet privacy rights were in question when he was convicted of the possession of child pornography, then they said what parts of these bills need to be revised. They said t hat our privacy should not be the price we pay for security, and some even made suggestions, or quoted members of parliament who have commented over the last couple of years. The common denominator in every article was that these laws are unconstitutional, and infringe on our rights.

Yet not once have I seen even a 30 second story about either in the news. People can write about Bills C-13 and S-4 no problem, but for some reason no one will talk about them. And that, I think, is the problem.

It seems like no news reporter wants to tell the story that has yet to be told in the news. And nobody seems to want to hear how the government is now legally allowed to infringe on our privacy rights without us even knowing.

I knew to first look up Bills C-13 and S-4 because my criminology professor last year briefly talked about our diminishing internet privacy and told us to research “The Digital Privacy Act” if we were interested in this stuff. I, of course, started looking into it the next day and wrote a paper on it for one of my other classes. I started researching for that essay in January of 2015. It’s almost been a year, and yet, the only updates I’ve ever seen about either bill were online articles or blog posts, found only because I knew what to google. I didn’t see “Bill S-4 officially passed, makes major changes to PIPEDA” on the front of any newspaper or even in the little blurb box on CP24.

I wonder just how many other students in my criminology lecture that day listened to my professor, or even thought to look into the laws. Based on the show of hands in my research class tutorial, I would assume not many. My guess is because, as Justice Cromwell, who presided in the R.v. Spencer case in 2014 stated in his decision, “there is a reasonable expectation of privacy in the subscriber information” (CanLii 245[66]). We assume that we have a certain level of anonymity on the internet when in fact we don’t (CanLii 214).

These laws, they may be aimed at protecting us from online identity theft or security breaches but they themselves are essentially security breaches. What happened to our right to be secure against unreasonable search and seizure in section eight of the Canadian Charter of Rights and Freedoms?

I talked about Bill C-13 and S-4 with my mum a while ago because she was on her lunch at work, and I was in the process of recording this podcast. I had so much to say but no idea how to even start, and so I decided to lay it all on mum to see what kind of response I got. Rather than hear, “Jenn, you’re overloading me with information” or “Jenn, sweetie, you lost me” like I expected, what did she reply with? “Okay, but I don’t have anything to hide, I’m not doing anything wrong so why do I care if they have my personal internet data? Explain”.

She was actually genuinely interested. So, I went into more detail. I Explained that if an organization knows our IP address, all they have to do is call Rogers and ask for our personal information. Bam, they know where we live, they know our names, our phone number, whatever information they want is right there for the taking.

I told her that obviously it isn’t quite that easy, there has to be a legitimate reason for an organization to seek out our personal information, but if Rogers were to give our information out, they wouldn’t have to tell us. Between Bills C-13 and S-4, organizations can use, collect or disclose our information for any investigation without our consent, with no legal repercussions for doing so. They would have full immunity from any civil or criminal liability, and we’d be kept completely in the dark.

Suddenly my dish-towel-knitting mum who spends her free time looking up free knitting patterns on Pinterest had a problem with these laws. She proved to me that it’s not that people don’t understand, or don’t care. They haven’t even been given the option to pay attention or turn away. The media, the news channels most people rely on to keep them informed, are slacking, and the lack of coverage in anything other than online articles means that people don’t even know what to look up.

So here is my attempt at digging this issue up and reporting on it myself. I may not be on CP24, but this is a good start at trying to inform people in a way other than by online newspaper article. You can listen in while you’re driving to work in the morning, on the bus during your commute to school, or even while you’re drawing at 1am on some idle Tuesday. Wherever you are, whatever you’re doing, I hope that you’re listening.

And if, by chance, you’re like me and want to know more about another internet privacy law, the Copyright Modernization Act, please head over to my blog entry titled “Cease and Desist”, at the following link: (https://stephanie-bell-m08b.squarespace.com/blog-season1/e918c7f7-ddd3-4d7c-8d4f-00f07c426c7a ).

Now that we’re at the end of my podcast, I have one question left to answer: why should we care? Why should you care? My answer is simple:

Because it’s our right to care.

Hoping that you’re no longer in the dark about your internet privacy rights, this is Jenn Baptie. Until next time, thanks for listening to inQUERY.

Works Cited

“Bill C-13 (Historical).” *openparliament.ca http://openparliament.ca.* OpenNorth, n.d. Web. 14 Jan 2015.

“Protecting Canadians from Online Crime Act”. *Wikipedia.org. *Wikimedia Foundation, Inc., n.d. Web. 1 Dec 2015.

Austin, L., Stewart, H., and Clement, A. “Bill C-13 has little to do with cyberbullying.” The *Toronto Star *(2014): n. pag. Web. 3 Dec 2015.

Bradshaw, S., et al. “Big Data, Big Responsibilities: Recommendations to the Office of the Privacy Commissioner on Canadian Privacy Rights in a Digital Age.” Gigi Junior *Fellows Policy Brief, *8 (2013): 1-9. Web. 12 Oct 2015.

Cameron, A. and Aylwin, A. “The Digital Privacy Act: Important Amendments to Canadian Privacy Law.” *Fasken Martineau DuMoulin LLP *(2015): n. pag. Web. 5 Dec 2015.

Canada. Office of the Privacy Commissioner of Canada. *The Case for Reforming the Personal **Information Protection and Electronic Documents Act. *Ottawa: 2013. Web. 1 Oct 2015.

Canada. House of Commons. Senate. Minister of Justice. *Consolidation: Personal Information *Protection and Electronic Documents Act. S.C. 2000, C.5 [Ottawa]: Minister of Justice, 2015. Government of Canada. Web. 23 Sep 2015.

Dusseault, Pierre-Luc, Ebrary CEL - York University, Privacy and Ethics Canada. Privacy And *Social Media in the Age of Big Data: Report of the Standing Committee on Access to *Information, Privacy and Ethics. 41st Parliament, First Session. [Ottawa, Ont.]: House of Commons Canada = Chambre des communes Canada, 2013 (Beaconsfield, Quebec : Canadian Electronic Library, 2013). 1-2, 5, 97. Web. 1 Feb 2015.

Geist, Michael. “A look back at the technology battles of 2014.” *Toronto Star* (2014): B.2. ProQuest. Web. 20 Jan 2015.

_. “Breach shows holes in Digital Privacy Act.” Toronto Star (2014): B.2. ProQuest. Web. 14 Jan 2015.

_. “Government Rejects Supreme Court Privacy Decision: Claims Ruling Has No Effect on Privacy Reform.” *michaelgeist.ca http://michaelgeist.ca. *University of Ottawa, Faculty of Law. (2014). Web. 23 Sep 2015.

_. “Why the Digital Privacy Act Undermines Our Privacy: Bill S-4 Risks Widespread Warrantless Disclosure.” *michaelgeist.ca http://michaelgeist.ca. *University of Ottawa, Faculty of Law. (2014). Web. 13 Jan 2015.

_. “Why the government’s new Digital Privacy Act puts your privacy at risk.” The Toronto *Star* (2014): n. pag. Web. 10 Oct 2015.

Gratton, Éloïse. “New Requirements Of The Digital Privact Act (Bill S-4).” Borden Ladner *Gervais “BLG” *(2015): n. pag. Web. 5 Oct 2015.

Maher, Stephen. “Supreme Court delivers crucial win for online privacy rights.” Canada.org. Postmedia Network Inc., 13 Jun 2014. Web. 10 Jan 2015.

Pedwell, Terry. “Cyberbullying bill could harm privacy rights, says Amanda Todd’s mother”. Times Colonist. Glacier Community Media, 13 Mar 2014. Web. 1 Dec 2015.

Puzic, Sonja. “Anti-cyberbullying law, Bill C-13, now in effect.” *CTV News*. Bell Media, 6 Mar 2015. Web. 5 Oct 2015.

R. v. Spencer, [2014] 2 SCR 212, 2014 SCC 43 (CanLII), < http://canlii.ca/t/g7dzn> retrieved on 2015-10-10

Talbot, Lisa K., et al. “Long-Awaited PIPEDA Amendments Become Law”. *Torys LLP*. Torys LLP, 23 June 2015. Web. 10 Oct 2015.

Tencer, Daniel. “Bill S-4 Passes Senate, Despite Supreme Court Ruling Against Warrantless Access.” *The Huffington Post Canada *(2014): n. pag. Web. 10 Jan 2015.

_. “Bill S-4, Tories’ Digital Privacy Act, An Attack On Digital Privacy: Critics.” The *Huffington Post Canada* (2014): n. pag. Web. 3 Dec 2015.

Toronto Star. “Editorial Exchange: Supreme Court affirms our right to Internet privacy.” The *Canadian Press* (2014): n. pag. ProQuest. Web. 13 Jan 15.