Tuesday 17 June 2014

Top Canadian court: Cops need warrant to get names from ISPs

Canadian ISPs can no longer simply hand over customer information without a warrant after the country’s Supreme Court ruled that internet users were entitled to a "reasonable" expectation of privacy.
The decision means that internet service providers can no longer disclose the names, addresses and phone numbers of their customers to law enforcement voluntarily, and cops will instead be required to get a warrant for the data.
The ruling stems from the case of Matthew David Spencer, who appealed his conviction for possession of child pornography after police officers tracked him down through an IP address. The cops knew the IP address associated with the illegal files and went to Spencer’s ISP to ask it for the associated name and address. Once they got his details, they were able to search his computer, where they found the downloaded files.
Spencer argued that the search of his computer had been unconstitutional and that his right to privacy had been violated, pursuing the case through the court of appeal and on to the Supreme Court. The top court ruled that internet users had a "reasonable expectation of privacy" from their ISPs, but did not overturn Spencer’s conviction.
Supreme Court Justice Thomas Cromwell said in the ruling that the police should have obtained a warrant before getting Spencer’s information. But he said that the police had acted in good faith at the time, so the administration of justice would be impaired if the evidence they acquired at Spencer’s house was to be thrown out.
“It would be reasonable for an internet user to expect that a simple request by police would not trigger an obligation to disclose personal information or defeat (the Personal Information Protection and Electronic Documents Act) PIPEDA’s general prohibition on the disclosure of personal information without consent,” he said.
“The police, however, were acting by what they reasonably thought were lawful means to pursue an important law enforcement purpose. The nature of the police conduct in this case would not tend to bring the administration of justice into disrepute.
“Society has a strong interest in the adjudication of the case and also in ensuring the justice system remains above reproach in its treatment of those charged with these serious offences. Balancing the three factors, the exclusion of the evidence rather than its admission would bring the administration of justice into disrepute.”

Further implications

The Canadian Civil Liberties Association (CCLA) said in a statement that the ruling clarified a longstanding dispute over whether PIPEDA allowed police to obtain subscriber info without a warrant. The association is trying to get parts of PIPEDA declared unconstitutional for privacy reasons.
“The implications of the decision are substantial, and may play a significant role in CCLA’s ongoing Charter challenge to PIPEDA,” the association said. “In particular, the Court’s decision confirms CCLA’s view that PIPEDA is legislation to protect privacy, and cannot be used to undermine it.”
The decision may also affect two government bills, one intended to crack down on cyberbullying (C-13) and the other designed to update PIPEDA. The bill updating the privacy act currently includes a provision that would make it easier for police to get subscriber info without a warrant, which could now be unlawful.
The cyberbullying bill has elements that would give law enforcement easier access to the metadata that ISPs and phone companies keep on calls and emails.
The Canadian government said in Parliament on Friday that it was reviewing the decision. Opposition MP Peter Julian (New Democratic Party) challenged the sitting Conservative Party of Canada government on the ruling, saying that it showed that his party and privacy experts had been right all along.
“This morning, the Supreme Court ruled what the NDP and privacy experts had been warning all along, that allowing police to pull private information from telephone companies without warrant was unconstitutional. Yet the Conservatives are steamrolling ahead with (the cyberbullying) Bill C-13, which also allows unconstitutional spying on Canadians,” he said.
“With yet another bill struck down by the Supreme Court, when will the Conservatives finally take a balanced approach that keeps Canadians secure without infringing on constitutional rights?” he asked.
Bob Dechert, parliamentary secretary to the minister of justice, said the government was looking at the ruling.
“We have just received the decision and we will review it. In addition, we will continue to crack down on cyberbullies and online criminals who work against and make our children and all Canadians unsafe. We will keep Canadians safe,” he said.

CISP uncovers 215,000 malicious IP addresses every day

The UK Cyber Security Information Sharing Partnership (CISP) is successfully helping businesses detect and block more than 215,000 malicious IP addresses every day, according to Cabinet Office minister Francis Maude.
Maude revealed the figure during a speech at the opening dinner of the IA14 cyber security conference, citing it as proof of the CISP initiative's success.
"Cyberspace is simply too big for any organisation to have sight on everything that's going on and so there is a massive need to pool our information for mutual benefit. CISP enables government and business partners to exchange information on threats and vulnerabilities as they occur in real time," he said.
"Every day they notify members of around 215,000 abused IP addresses, so they can be blocked or dealt with. The secret of its success is very simple. It's about trust. CISP works because it has government involvement, but it's business-led. Companies are under no compulsion. Information is shared voluntarily."
CISP is an information-sharing initiative launched by the government in March 2013, which is currently managed by the UK's recently launched Computer Emergency Response Team (CERT).
Despite Maude's comments, many industry experts have questioned CISP's effectiveness in helping small to medium-sized businesses (SMBs). Maude said the government has launched a wave of SMB-focused initiatives, such as the newly launched Cyber Essentials scheme, to help smaller businesses deal with cyber threats.
"We've also developed the new Cyber Essentials scheme, launched on 5 June. It gives businesses clarity on good basic cyber security practice and will provide protection against the most common threats," he said.
"After going through a certification process, businesses will be able to show they have the right measures in place by displaying the Cyber Essentials badge, which we hope becomes the cyber equivalent of the MoT certificate."
Maude added: "From October, the government will require all suppliers bidding for certain personal and sensitive information-handling contracts to be Cyber Essentials certified."
The Cabinet Office is one of many government departments working to improve the UK's cyber security. The GCHQ revealed new threat intelligence and intellectual property-sharing initiatives earlier at IA14.

GCHQ to share cyber threat intelligence with industry

The UK Government Communications Headquarters (GCHQ) has promised to share cyber threat intelligence and "select" intellectual property (IP) with industry to support the government's growth plans.
A GCHQ spokesperson announced the plans at a briefing attended by The INQUIRER, listing the rollout as a key step in the government's ongoing economic growth and attack mitigation strategies.
The cyber intelligence sharing partnership will initially be limited to a select number of firms with ongoing government contracts, though the spokesman said the GCHQ plans to expand the pilot scheme to include critical infrastructure businesses in the future.
"The new pilot will see GCHQ commit to release certain cyber security threat intelligence at pace and scale to help communications service providers (CSPs) to the government. Later on the pilot will expand to help certain other parties involved in national infrastructure," said the spokesperson.
"This is a groundbreaking initiative that will see us use and share the information we glean using our global intelligence network to mitigate the threats and allow affirmative action to be taken."
The GCHQ also pledged to release bring your own device (BYOD) and cloud security best practices in the near future to further aid businesses.
Details of how the IP-sharing initiative will work remain vague, though the spokesman said that the project will have a commercial element.
"We're committing to a formal programme called 'Promoting Innovation in the Digital Economy', which will explore how we can work better with HMRC and what limited steps we can take to declassify some of our intellectual property for joint ventures into the wider commercial domain."
Building the UK's cyber security industry has been a key part of the government's growth strategy.
UK Cabinet Office minister Francis Maude pledged to make the nation a leader in the security industry during the launch of the Cyber Security Information Sharing Partnership (CISP) in March 2013.
Maude said the new initiatives will help continue this endeavour, announcing plans to double the UK's cyber security exports by 2016, during a speech at IA14.
"Cyber security demands technical innovation and entrepreneurial ambition, backed by world-class skills and research – all of which the UK has in spades. In the past year, I've discussed cyber security with my counterparts from as far afield as India and Israel, Spain and South Korea and it's clear that the phrase ‘made in Britain' has enormous resonance," he said.
"Cyber has the potential to create new businesses, and to turn small companies into large ones. We aim to be exporting £2bn worth of products and services by 2016 - that's a sharp increase on the £850m we sold last year."
The cyber threat intelligence and IP-sharing programmes are two of many initiatives designed to help improve the nation's cyber defences that have been launched by government agencies in recent months.
The Communications Electronics Security Group (CESG) issued updated security guidance to help companies safely deploy Blackberry 10.2.1, Android 4.4 and Chrome OS devices earlier in June.
