Ann Cavoukian will be joining us at 2:30. Feel free to start leaving questions now, and we can get to them when she's online.
Welcome. Let’s start with the current situation. Right now, if law enforcement goes to an internet service provider or telecom company and asks for information about one of their customers, what happens?
The Telecommunications Service Provider (TSP) has a decision to make about whether to cooperate, and to what extent. Their cooperation will vary depending on the circumstances.
What kind of circumstances? How often are the telecom companies likely to comply?
The key difficulty here is there isn't sufficent transparency here about police and TSP practices. We do know that most TSPs have agreed to cooperate with police in the context of child exploitation investigations. Media reports indicate that in this are
a law enforcement are getting cooperation 95% of the time
The federal Personal Information Protection and Electronic Documents Act (PIPEDA) limits disclosure by TSPs to [police conducting investigations to what is reasonable under the circumstances.
An IP address is NOT like a phone number - it's much more. It's a unique personal identifier that can be linked to an individual and a broad range of their internet activities. Like the IP address, cell phone numbers and email addresses can and often are kept private.
Initially the TSPs decide what is reasonable. There is no robust oversight of these kinds of disclosures. In a specific case, the federal privacy commissioner could receive a complaint if the individual became aware of such a disclosure.
@Bruce: Great question - there are some complaint-driven controls in place.
But are customers aware if law enforcement has asked for their information? Or would complaints come from the telecom companies?
@Bruce: law enforcement in Canada has a range of enforcement protocols and discipliinary procedures, and are subject to codes of conduct and policing regulations.
@Chris: in many cases customers will NOT be aware that law enforcement has asked for and received their information so they will not be in a position to make a complaint. TSPs are more likely to seek clarification of the police requests to ensure that they are exercising their discretion appropriately, keeping in mind the need to protect their customers' privacy.
@Serge: TSPs include ISPs and telcos (which are regulated by the CRTC) but may not include many others such as social media.
@Lindsay: Generally, no: they may in fact be prohibited under the Criminal Code.
@Justin: There is a specific provision (s.19) in Bill C-30 that provides for use limitation, In addition, there are some police internal auditing provisions but we're not satisifed that these will be sufficient.
@Emily: We don't know. There is no current requirement for police or TSPs to report on this. We only know anecdotal informaiton such as what is reported in the media.
@JG: This is potentially a serious problem for law enforcement to grapple with. The consequences of misidentification could be severe, including to innocent people.
@Solo: See answer immediately below.
@Lindsay: IP addresses could potentially be linked to ANY internet activity, including time and location, your associations, and any profile information already linked to that IP address.
@Fencerman: We've been calling for comprehensive oversight of digital surveillance by law enforcement for several years. This could include judicial warrants, notification of affected parties, reports to oversight authorities including Parliament and independent regulatory agencies.
@GBT: it's fair to say that this is complicated involving transborder policing, mutual cooperation treaties and agreements, and the laws of different countries.
Great questions, everyone. We just had a bit of technical difficulty at the end. Thanks for joining us, commissioner.