There are now three lawsuits in Canadian courts related to the Communications Security Establishment Canada's intercept of metadata. These are:
- BC Civil Liberties Association's action for a declaration in BC Superior Court alleging that CSEC's intercept activities violate sections 8 and 2 of the Charter.
- BCCLA's class action in Federal Court, brought "in order for those persons whose private communications and/or metadata have been intercepted to have access to remedies under s.24 of the Charter once the issues of the unconstitutionality of the impugned provisions, Authorizations and Directives are resolved in the [BC Supreme Court] Declaratory Action".
- Canadian Civil Liberties Association (CCLA)'s application for a declaration in Ontario Superior Court that sections 7 and 8 of the Charter are violated by those provisions in the Federal Personal Information and Protection of Electronic Documents Act (PIPEDA) that permit government agencies (including, it is alleged, CSEC) to obtain personal information from Canadian telecommunications companies with prior judicial authorization.
These cases overlap. The BCCLA class action is intended to be derivative of its BC Superior Court declaratory action. The CCLA case seems likely to engage the question of a person's reasonable expectation of privacy of metadata in the possession of third party telecommunications providers. That question must inevitably also arise in the BCCLA declaratory action.
Meanwhile, the Supreme Court of Canada will decide the Spencer case at any time. This matter flows from a Saskatchewan Court of Appeal decision where the police identified the accused by asking a telecom provider to provide the identifying information associated with an IP address. There, a badly fractured appeal court proposed no clear rule on whether disclosure of this information violated a reasonable expectation of privacy or, if so, whether the PIPEDA provisions (that the police relied upon) were constitutional.
In deciding the case, the Supreme Court will likely pronounce on these issues, with second order, knock-on effects for the three metadata related lawsuits noted above. However, it is entirely possible -- and indeed probable -- that whatever they say on metadata here will not be the last pronouncement on the issue. As I discuss in a draft article I recently posted on the issue, the metadata appellate cases to date have often been focused on child pornography police investigations. Spencer falls into this category. In deciding these cases, the Courts have generally been careful not to over generalize the constitutional issues before them, or to lump all "metadata" together.
For instance, in R. v. Ward, the Ontario Court of Appeal decided that search of subscriber information stripped the accused of “his Internet anonymity” and had the potential “to reveal activities of a personal and private nature”. Even so, and even with a strong subjective expectation of privacy, the Court of Appeal doubted the objective reasonableness of the privacy expectation. However, the Court of Appeal also issued a caution:
the conclusion in this case is based on the specific circumstances revealed by this record and is not intended to suggest that disclosure of customer information by an ISP can never infringe the customer's reasonable expectation of privacy. If, for example, the ISP disclosed more detailed information, or made the disclosure in relation to an investigation of an offence in which the service was not directly implicated, the reasonable expectation of privacy analysis might yield a different result. Similarly, if there was evidence that the police, armed with the subscriber's name and address, could actually form a detailed picture of the subscriber's Internet usage, a court might well find that the subscriber had a reasonable expectation of privacy.
In my article, I argue that Ward suggests that metadata may, in fact, attract section 8 protections, and it implies that this likelihood increases in proportion to the sweep of the disclosure and the intimacy of the portrait that might then be painted from the disclosed information. Moreover, what is reasonable disclosure by an ISP in one instance might not be so reasonable in another. While ISPs may be equally compliant in practice, it does not follow that a court would conclude that acquiesce in a broad, search-of-the-haystack foreign surveillance effort is as reasonable as cooperation in a targeted child pornography police investigation in which the ISP’s services are used as a vessel for the crime. In other words, the average user’s believe that their metadata are not subject to intelligence trolling via cooperative ISPs may be objectively reasonable.
(If trolling is what, in fact, is happening. So much of the legal discussion on CSEC is built on factual extrapolations, interpolations and plain speculation. If a global driftnet sweeps up Canadian data by happenstance rather than by intent, does that matter for constitutional purposes? I am inclined to think not.)
All of this is to say that in the world of search and seizure rules, what is good for the law enforcement goose may not be good for the intelligence service's gander.