In “Twitter’s Response to WikiLeaks Subpoena Should Be the Industry Standard”, Ryan Singel of Wired.com’s Threat Level writes,
To Twitter’s credit, the company didn’t just open up its database, find the information the feds were seeking (such as the IP and e-mail addresses used by the targets) and quietly continue on with building new features. Instead the company successfully challenged the gag order in court, and then told the targets their data was being requested, giving them time to try and quash the order themselves.
Twitter and other companies, notably Google, have a policy of notifying a user before responding to a subpoena, or a similar request for records. That gives the user a fair chance to go to court and try and quash the subpoena. That’s a great policy. But it has one fatal flaw. If the records request comes with a gag order, the company can’t notify anyone. And it’s quite routine for law enforcement to staple a gag order to a records request.
Some might believe that if Twitter, Facebook or Google were Canadian companies (with servers located within Canadian jurisdiction), then the risk of similar disclosure of personal IP and email addresses or other private electronic information by court order or subpoena would be less likely.
On May 25, 2010, the Government of Canada introduced amendments to the legislation protecting the personal information of Canadians in a Bill entitled An Act to amend the Personal Information Protection and Electronic Documents Act (PIPEDA). Bill C-29 has reached debates at second reading stage in the House of Commons.
According to the Industry Canada website:
“The PIPEDA amendments fulfill a commitment made by the Minister of Industry, The Honourable Tony Clement, to update Canada’s federal private sector privacy legislation as a key step towards Canada taking leadership in the digital economy. This Bill, which supports privacy in the digital age, is an important element of a modern, information-based economy, or “digital economy”, together with the new anti-spam legislation, Fighting Internet and Wireless Spam Act (FISA).
The Bill implements the Government Response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics: Statutory Review of PIPEDA. It responds to issues raised during the parliamentary review of the Act that resulted in a number of recommendations to fine-tune the legislation.
Bill C-29 includes amendments aimed at protecting and empowering consumers, clarifying and streamlining rules for business, and supporting effective law enforcement. This Bill will ensure that PIPEDA continues to be a world-class model for the protection of personal information in the private sector.” [emphasis added]
Two of Bill C-29’s features are noteworthy:
“This Bill will clarify that the Act permits organizations to collaborate with government institutions that have requested personal information, in the absence of a warrant, subpoena, or order.
[and in order to] protect the secrecy and integrity of investigations by law enforcement and security agencies, organizations will be prohibited from notifying an individual about the disclosure of his or her personal information, where the government institution to whom the information was disclosed objects.”
Lawful authority is “defined” in the new Section 7(3)(c.1) as follows:
(3.1) For greater certainty, for the purpose of paragraph (3)(c.1)
(a) lawful authority refers to lawful authority other than
(i) a subpoena or warrant issued, or an order made, by a court, person or body with jurisdiction to compel the production of information, or
(ii) rules of court relating to the production of records; and
(b) the organization that discloses the personal information is not required to verify the validity of the lawful authority identified by the government institution or the part of a government institution.
Section 7(3)(c.1) further empowers the government acting with “lawful authority” to obtain information without consent, to facilitate the performance of policing services not otherwise included under ss. 7(3)(c.1).
As updated by Glenn Greenwald at salon.com, the original Order of federal Magistrate Judge Theresa Buchanan (pdf), made pursuant to 18 USC 2703(d), was ordered unsealed on January 5, 2011 (copy of unsealing order available here).
What if Twitter were a Canadian company with servers located in Canada? Would Twitter’s policy of notifying its users be allowed?
Section 7.4 of Bill C-29 will effectively operate as a statutory “super-injunction”, prohibiting an organization from informing an individual of any disclosure of his or her personal information to a government institution or part thereof, including:
(ii) the existence of any information that the organization has relating to a disclosure referred to in subparagraph (i), to a subpoena, warrant or order referred to in paragraph 7(3)(c) or to a request made by a government institution or a part of a government institution under subparagraph 7(3)(c.1)(i), (ii) or (v); or
(b) giving an individual access to the information referred to in subparagraph (a)(ii). [emphasis added]
Notwithstanding the foregoing, any subpoena, injunction or sealing order made under Canadian law is subject to judicial review. However, if the information were to be disclosed, Canadian courts would likely not exclude such information in criminal proceedings which otherwise were instituted under “lawful authority”. The “fruit of the poisoned tree” has never sprouted roots in the Canadian law of evidence. It is also cold comfort to think that Canadian privacy rights and freedom of speech have less protection than afforded our neighbours to the South (and I don’t mean Mexico).