A "landmark" privacy didn't outlaw tower dumps completely, but it did raise the threshold for requests.
Last Thursday, the Ontario Superior Court ruled that a 2014 police request for tens of thousands of cellphone subscriber records—also known as "tower dumps"—was overly broad, and thus unconstitutional.
The case, which The Globe and Mail had previously called a "landmark ruling" for cell phone users' privacy rights, didn't outlaw tower dumps completely. But what it did do was establish public guidelines for what a reasonable tower dump should look like—information which has been largely elusive in Canada and the US.
In the United States, for example, the American Civil Liberties Union has engaged in numerous efforts in recent years to clarify the legal standards surrounding tower dumps with little success.
In his ruling, Justice John Sproat defined seven "guidelines" that law enforcement, justices, and telecommunications companies would be able to refer to when faced with future production orders for tower dump data. The guidelines recommend that such requests...
- Be tailored for minimal intrusion into subscribers' privacy.
- Explain why specific cell towers and the dates and times specified are relevant to the investigation.
- Justify the types of records requested.
- Offer any additional details that might help a telecom company narrow their search and return fewer records.
- Request "a report based on specific data instead of a request for the underlying data itself"
- Or, if a report will not suffice, justify why the underlying data is required.
- Request manageable amounts of data that can be "meaningfully reviewed."
The guidelines are intended to prevent future requests resembling this particular case, wherein Peel Regional Police obtained a production order requesting that Canadian cellular providers Rogers Communications and Telus supply subscriber records from 21 cell towers in the vicinity of a jewelry store burglary—records covering roughly 43,000 customers.
"The request was ultimately withdrawn, but the telecommunications giants continued the constitutional challenge against the general practise, which is employed by police forces across the country," wrote Vice News reporter Justin Ling following Justice Sproat's decision.
Even with the new guidelines, it is still possible for a company to oppose a production over that it believes is "unreasonable, or unduly onerous."
There are still unanswered questions, however—in particular, rules around the "retention, use and disclosure of tower dump data seized by the police." Most organizations, when dealing with personal information, are bound by the Personal Information Protection and Electronic Documents Act (PIPEDA), which defines retention procedures for personally identifiable information. Collected information must "be destroyed, erased, or made anonymous" once it is no longer needed for its identified purpose. But the cops aren't most organizations, and aren't bound by PIPEDA—and, to date, "no legislation addresses the retention of tower dump records," the decision reads.
For example, "The production orders do not specify how customer information is to be safeguarded and do not expressly restrict the purposes for which the Peel Regional Police may use the information."
What this means is that, while Canadian police may not have made off with the subscriber records of 43,000 cellphone users in this case, there's no telling what has been done with the tower dump data they already have.
Correction, Feb. 3: A previous version of this article incorrectly stated that the Supreme Court of Canada, rather than Ontario Superior court, was responsible for the ruling. Motherboard regrets the error.