“Privacy is Dead – Get Over It!”

“Privacy is dead – get over it!”

First uttered by former Sun Microsystems CEO Scott McNealy, these words may have been a revelation ten years ago, but are now standard in the current mainstream world. These sentiments are not uncommon to the regular Internet user, especially when transmitting sensitive information through the wireless world of cyberspace. Fear of identity theft and fraud is at the forefront of every transaction that takes place on the Web. In the midst of the Information era, the duplicitous nature of our beloved Web is clear, bringing about the advent of firewalls, anti-phishing software, encrypted pages and many more. But are these enough?

The horror stories of the complete and utter violation of individual privacy upon entering the multi-dimensional world of cyberspace have been widely publicized. The FBI’s access to anyone’s PC in the U.S., Amazon’s liberal sharing of confidential customer information, and the Hotmail debacle that allowed one to view anyone’s mailbox with a correctly worded URL incorporating the username, but not the password were some of the more notorious catastrophes. The CIBC “Faxing Incident,” although not Internet-oriented, followed a similar series of events: confidential account information of a large number of clients of the CIBC bank were mistakenly faxed to a junk yard in West Virginia and Dorval, Quebec.

Shocked? Or perhaps the constant barrage of no privacy has forced a zen-like stoicism (or, if you prefer, apathy) to manifest in us? As we look to the courts as our knights in shining armor, hoping in vain for the resolution that might save our confidential information from the embarrassing and humiliating journey towards notoriety and transmission, we consider what role the courts have taken with respect to our privacy. Have they taken steps to protect the individual user from the clutches of the web?

Two decisions stand out that reflect the almost indifferent attitude of the courts. The blatant dismissal of privacy of individuals leaves us, the customers, standing like a rabbit in the path of a hungry wolf, at the mercy of Internet scammers and even law enforcement. These cases involved the disclosure of customer information by Internet Service Providers to law enforcement. The decisions having declared that providing personal information to law enforcement without a warrant is permitted under Canadian privacy law.

“Reasonable Expectation of Privacy”

In R. v. Wilson, 2009 ONSC 4191, the court held that customer names and addresses of suspects in child pornography cases were not sensitive and could not be disclosed. The investigating officer was said to have conducted a “plain view search” by obtaining an IP address, and then requesting further information about the customer from Bell Canada, using that IP address.

The test, as set out by the court, involved balancing individual privacy with the need to protect society. Hunter v. Southam, 1984 SCC 145 further elaborated that the unreasonable search and seizure requirement only protected “a reasonable expectation” of privacy. The courts in Wilson held that to assert “reasonable expectation of privacy,” personal information over the Internet must be “biographical in nature, revealing particular and specifics about the life and interests of the individual in question.” These stringent requirements were not met in Wilson.

In a similar vein, R. v. Vasic, 2009 ONSC 685 involved the disclosure of personal information of those suspected of being inculpated in child pornography, this time from Rogers. The courts diverged from the Wilson judgment, holding that the customer name and address in conjunction with the IP address can be considered sensitive information. However, the courts upheld the precedence and concluded that Rogers was allowed to disclose the information without a warrant to law enforcement.

Corporate power, not individual power

Again, in our corporate society, the individual is left hanging without the remedy essential for their protection. Here, the courts gave the power to corporations to decide whether information is sensitive and to disclose the information to law enforcement without a warrant. Although there are many who would not consider the privacy of those involved in child pornography to be a matter of any significance, it is the consequences of this decision on the future of Canadian privacy law that has heads turning and eyes rolling. The possibility of an imposter walking into Rogers and Bell Canada and procuring confidential personal information may no longer be a far-away nightmare, but a soon advancing reality.

Another aspect to keep in mind when looking at future privacy law cases, without sounding conservative, is the slippery slope argument that asks if Internet Service Provides can disclose personal information without a warrant, then who next? The purpose of a warrant is to minimize abuse of the system by creating boundaries, limitations and rules. By bypassing these boundaries, essentially we bypass our justice system. If personal information can be procured by filling out a form, instead of the monitored warrant system, then privacy is indeed dead.