[R-G] Online Privacy Snatched by Courts

[Anthony Fenton]

http://thetyee.ca/Mediacheck/2009/03/17/OnlinePrivacy/

Mediacheck
Today: Tuesday, March 17, 2009
Online Privacy Snatched by Courts
No guarantees under national law.
Decisions OK giving personal info to police without warrants.
By Michael Geist
Published: March 17, 2009


Scott McNealy, the former CEO of Sun Microsystems, has achieved  
considerable notoriety for having warned Internet users 10 years ago  
that "you have no privacy, get over it." Recent headlines suggest that  
the Ontario courts have adopted those sentiments, as two recent  
decisions involving the disclosure of subscriber information by  
Internet service providers confirmed that revealing personal  
information to law enforcement without a warrant is permitted under  
Canadian privacy law.

While some view these cases as providing conclusive evidence that  
Canadians enjoy little privacy in identifying data such as customer  
name and address information, a closer look at the decisions and  
industry practices reveal that the issue is not entirely settled.

Both recent decisions involved disclosures of customer name and  
address information in suspected child pornography cases. In one case,  
R. v. Wilson, the court ruled that the data was not particularly  
sensitive and that the customer had no reasonable expectation of  
privacy. Moreover, the customer had agreed to Bell Canada's Privacy  
Policy that permits the disclosure of personal information in certain  
circumstances.

In the second case, R. v. Vlasic, the court arrived at a different  
conclusion on the sensitivity of the data. It ruled that combining  
customer name and address information with IP address data could  
render the information sensitive. Nevertheless, it upheld the  
disclosure of the information without a warrant, since the customer  
had consented to the Rogers Acceptable Use Policy, which warns of  
possible disclosure to law enforcement without a court order.

No legal guarantees

These decisions place the spotlight on the fact that customer privacy  
on the Internet is not guaranteed by national privacy law. Rather, the  
law actually leaves the disclosure decision in the hands of the  
organization that has collected the information, which can choose  
whether to turn over personal information in certain circumstances  
without a warrant.

Moreover, most Internet-focused organizations such as ISPs have  
drafted user agreements in which their customers have consented to  
such disclosure policies. These cases confirm that courts will  
typically enforce user agreements regardless of whether subscribers  
have taken the time to read them.
ADVERTISEMENT
Help grow The Tyee and spread the word to your friends.

While most companies are reluctant to publicize their disclosure  
practices, according to government documents recently obtained under  
the Access to Information Act, the RCMP estimates that 30 per cent of  
Canadian organizations do not reveal personal information to law  
enforcement without a warrant.

The RCMP estimates did not include specific data on ISPs, but their  
estimates are borne out by current practices. Bell and Rogers chose to  
reveal customer information in the Wilson and Vlasic cases, however  
not all Canadian ISPs would have followed suit. For example, in  
Atlantic Canada, Bell Aliant requires law enforcement to obtain a  
warrant in all non-emergency situations.

Slippery slope?

The disclosure issue is not limited to ISPs. Similar questions arose  
last year when the Canadian Internet Registration Authority crafted  
its who is policy, which governs public access to domain name  
registrant information. CIRA initially adopted a position that would  
have required a warrant for all access to such personal information,  
but intense pressure from the RCMP and Industry Canada led to an  
exception for law enforcement access without court oversight.

Few Canadians will have any sympathy for the privacy rights of those  
facing child pornography allegations. Yet these cases provide an  
important reminder about the limits of Canadian privacy law, which  
invariably leaves privacy subject to policies that subscribers rarely  
bother to read.