Special Report:

What More Needs to be Done—Recommendations

2. Rescuing Children from Internet-Facilitated Sexual Abuse

The key step in rescuing victims of abuse is to identify and locate them. While this may seem a daunting task, ironically the same Internet technology that facilitates the repeated victimization of children can help law enforcement identify and rescue those same victims.

One of the most powerful clues that police have available to assist them in this regard is the Internet Protocol or “IP” address.

An IP address is a numerical identifier given to a particular computer or device when it is hooked up to the Internet—something like a licence plate for a car. When offenders are exchanging images, the IP address is often publicly accessible. This information can often help authorities to determine the location of the offender by providing more information about the Internet Service Provider (ISP) the offender is using (i.e. the company that is providing the abuser with Internet access) as well as the geographic region of the user. 

In some cases, the IP address can actually narrow down the location of the abuser to a specific city. Once a geographic area is defined, the next step is to contact the ISP and to ask for the name and address of the customer registered to that IP address.

Unfortunately in Canada, this is where authorities sometimes hit a dead end and the investigation is forced to shut down. According to the Personal Information Protection and Electronic Documents Act (PIPEDA), ISPs in Canada “may,” but are not legally obliged to, provide police with information such as the name and address of customers who are known to be exchanging or distributing child sexual abuse images.

Currently, police send a standard letter to the ISP, which asks for customer name and address information for a specific IP address and for a specific date and time.⁵¹ Whether or not the ISP provides this information is up to the individual company. Many ISPs have provisions in their service agreement that say they will disclose any information they, in their sole discretion, deem necessary to satisfy any applicable law, regulation, legal process, or government request.⁵² The Bell Code of Fair Information Practices defines “personal information” for a customer as “a customer’s credit information, billing records, service and equipment, and any recorded complaints.”⁵³ Basic subscriber information such as the customer’s name and address is not considered personal information for the purposes of the Privacy Policy.

Even though many ISPs do cooperate, 30 to 40 percent of requests are still denied.⁵⁴ Some ISPs are hesitant to cooperate for fear of resulting legal action by customers, whereas others even go so far as to advertise their lack of cooperation with police to attract customers.⁵⁵ 

When it comes to protecting our children, depending on the goodwill of any industry, especially those under pressure not to breach privacy rights, is not good enough.

Giving authorities the tools they need

The idea of requiring ISPs to provide customer name and address information is not new. For years, the law enforcement community has been calling for legislative reforms to require ISPs to provide this information without judicial authorization (i.e. a warrant).⁵⁶ 

The same sentiments were expressed in 2007 when the Office of the Federal Ombudsman for Victims of Crime brought together law enforcement experts from across Canada for a roundtable on Internet-facilitated child sexual abuse. Without exception, the number one barrier to pursuing cases identified by law enforcement attending the roundtable was the lack of access to customer name and address information.

The RCMP’s National Child Exploitation Coordination Centre (NCECC) warns, “As long as they [ISPs] are at liberty to decline to provide this information to police upon request, investigations can and are being impaired. In the case of online child exploitation matters, the result is that many investigations cannot proceed (emphasis added).”⁵⁷

A 2007 Department of Public Safety consultation document on customer name and address information provided a similar warning: “If the custodian of the information is not cooperative when a request for such information is made, law enforcement agencies may have no means to compel the production of information pertaining to the customer…. The availability of such building-block information is often the difference between the start and finish of an investigation (emphasis added).”⁵⁸

Sadly, this challenge translates into unsuccessful rescue efforts. In one case, an online undercover officer investigating the live online sexual abuse of a child on a Friday evening requested the customer name and address information from the ISP but was told to call back on Monday during regular business hours.⁵⁹ In June 2007, a law enforcement agency asked an ISP for customer information because it had reason to believe children were at risk. The ISP refused to provide the information unless the investigator produced judicial authorization. It was not until pressure was applied by Child Welfare Services that the ISP finally provided the customer’s name. By this time, the suspect had moved and dismantled his computer.

In a few cases, police have been able to convince ISPs of the importance of the information by going to extreme lengths. Such was the case when an officer investigating live sexual abuse was told by the ISP to get judicial authorization. The ISP became cooperative only after the officer held the phone to the computer speakers to let the representative hear the child’s screams.

The right to privacy

“We recognize that privacy is an important value underlying the right to be free from unreasonable search and seizure and the right to liberty. However, the privacy of those who possess child pornography is not the only interest at stake in this appeal. The privacy interests of those children…are engaged by the fact that a permanent record of their sexual exploitation is produced.”

–Madam Justice L’Heureux-Dubé⁶⁰

Any public policy debate that involves the Internet must include the issue of privacy and the very real and legitimate privacy concerns that Canadians have.

The public is rightly concerned about their privacy and has a right to be protected from unreasonable search and seizure. As such, privacy should be considered when deciding what kinds of information law enforcement should have access to regarding Internet customers. Efforts to address enforcement issues to date, however, have been too narrowly focused on false warnings of “Big Brother” or have fostered misconceptions about what kind of information police are able to obtain with an IP address and a customer’s name and address. Very little attention has been given to the real, and more serious, privacy interests of the children whose images of abuse and torture are being traded.

Unfortunately, Canadians have been misled about the potential privacy implications of legislation that would permit law enforcement access to customer name and address (CNA) information. For example, one privacy advocate contends, “CNA information, like name and address, are keys to acquiring other personal information, including highly sensitive data such as health or financial records.”⁶¹ The author goes on to argue that “…the government is in fact seeking enhanced search powers through expedited processes and lower standards, thereby slashing privacy safeguards and expectations.”⁶² Another said, in response to an Ontario Superior Court decision that upheld police access to CNA information without a warrant,⁶³ “It is not just your name. It is your whole Internet surfing history.”⁶⁴

These points touch on the two most common arguments put forward by privacy advocates:

1. It is inappropriate for law enforcement to seek, without judicial authority, the name and address of a potential offender.
2. Providing customer and name and address information gives police enhanced powers to review and collect more personal information, such as health records or a client’s Internet surfing history.

These points are false and confuse the issue by offering dangerous misconceptions. First, a person’s name and address are not private and law enforcement does not need judicial authorization to obtain them. Second, if police want more information about a suspect, such as his or her Internet surfing history or medical records, they must obtain judicial authorization.

In R. v. Plant, the Supreme Court of Canada said that for information to be constitutionally protected, it must be at the “biographical core of personal information which individuals in a free and democratic society would wish to maintain and control from dissemination to the state, and that the information must disclose ‘intimate details’ about the ‘personal lifestyle or private decisions.’”⁶⁵

The Plant case involved a police investigation into a marijuana grow-op. The police obtained information from the electricity company—another service provider—regarding the owner’s electricity use. They used this information to obtain a search warrant. The Supreme Court said:

“The police check of computerized records was not unreasonable.... In view of the nature of the information, the relationship between the accused and the electrical utility, the place and manner of the search and the seriousness of the offence under investigation, it cannot be concluded that the accused held a reasonable expectation of privacy in relation to the computerized electricity records which outweighed the state interest in enforcing the laws relating to narcotics offences. While they reveal the pattern of electricity consumption in the residence, the records do not reveal intimate details of the accused’s life. Since the search does not fall within the parameters of s. 8 of the Charter, this information was available to the police to support the application for a search warrant.”⁶⁶

In R. v. David Ward, Justice Lalonde said, “There is certainly no evidence…that disclosure of the applicant’s name and address only, absent the police obtaining a search warrant, would open the floodgates to intimate personal details about the applicant’s lifestyle, habits and choices.”⁶⁷

In February 2009, Justice Lynne Leitch of the Ontario Superior Court ruled “[t]here is no reasonable expectation of privacy in the information provided by Bell considering the nature of that information. One’s name and address…are not biographical information one expects would be kept private from the state. It is information available in a public directory….”⁶⁸ This marked the first time a Superior Court had issued such a ruling, although some lower courts have made consistent rulings.⁶⁹

In R. v. Quinn, at the request of law enforcement, a bank confirmed that a specific account belonged to the appellant. This information was later used to obtain a search warrant.⁷⁰ The British Columbia Court of Appeal upheld the warrant and finding saying, “[T]here was no search, much less any unreasonable search as envisioned in the Charter.”⁷¹

The federal government already authorizes agencies the power to collect this type of information without a warrant. For example, the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC), which works to identify money laundering and terrorist activities financing, can request information such as business records, and enter business premises, without a warrant.⁷² The information must be kept in such a way as to enable FINTRAC access in a timely fashion and failure to comply with these requirements could lead to imprisonment for up to five years. 

Certain ISPs will only provide CNA information without a warrant in cases where “imminent” danger is identified. Some ISPs have agreed to provide the information upon request only if someone is in imminent danger.  However, if police cannot prove imminent danger the ISPs will usually require judicial authorization.⁷³ 

This is problematic for a number of reasons, including the fact that imminent danger is not always obvious. In 2006, police in Aylmer, Quebec, arrested a 19-year-old man after he sent child sexual abuse images to an undercover Ottawa police officer online. After the arrest, the man admitted to sexually abusing his 8-month-old son and filming it. At the time of his arrest, the police had no idea he was abusing his son.⁷⁴ In this scenario, because police could not have known or demonstrated in advance that a child was in imminent danger, a little boy would have gone on being abused. Similarly, in February 2009, law enforcement in Ontario arrested over 30 men during a province-wide child pornography sweep. A 12-year-old girl was removed from the home of one of the men arrested on suspicion of distributing child sexual abuse images, but at the time of his arrest, law enforcement had no reason to believe the man was abusing a child. Clearly, it is not possible for ISPs to determine the level of risk to a child in these situations.

If imminent danger cannot be proven and law enforcement is required to get a warrant, there is a greater risk to the child. First, warrants take time and law enforcement may not be able to get one in time to rescue the child in danger. The more time police spend trying to get judicial authorization for information that is not personal or private, the less time they have available to identify and rescue children. As stated by the Public Safety Minister, “In some of these cases, time is of the essence. If you find a situation where a child is being exploited live online at that time…police services have had good cooperation with a lot of internet service providers, but there are some that aren’t so cooperative.”⁷⁵

Second, a warrant cannot be obtained in the investigation of a criminal offence until sufficient information “to support reasonable and probable grounds for that offence exists.”⁷⁶ Obtaining basic CNA information is part of the information that would assist in obtaining a warrant.

Privacy rights of the victim

A balanced discussion of privacy must also consider the rights of the victim.  

For victims whose abuse has been shared on the Internet, there is no privacy. They must grow up knowing these images or videos will be on the Internet for the rest of their life. It is a privacy violation that never ends.

Privacy rights are established in the Canadian Charter of Rights and Freedoms and international forums. For example, section 7 of the Charter guarantees the right to life, liberty and security of the person, which is certainly undermined by child pornography.⁷⁷ Privacy is also one of the principles the federal government is required to consider under the Canadian Statement of Basic Principles of Justice for Victims of Crime. The United Nations Resolution on Guidelines on Justice in Matters involving Child Victims and Witnesses of Crime also affirms that children have a right to privacy and it should be protected as a matter of primary importance.

In the case of child sexual abuse images, the invasion of privacy goes far beyond simply sharing personal information. Madam Justice L’Heureux-Dubé wrote, “If disseminated, child pornography involving real people immediately violates the privacy rights of those depicted, causing them additional humiliation.”⁷⁸ She went on to say, “The law intrudes into the private sphere because doing so is necessary to achieve its salutary objectives. The privacy interest restricted by the law is closely related to the specific harmful effects of child pornography. Moreover, the provision’s beneficial effects in protecting the privacy interests of children are proportional to the detrimental effects on the privacy of those who possess child pornography.”⁷⁹

Two recent decisions have caused some concern about the willingness of the court to consider the privacy interests of the child victim.

The first case involved an artist (Katigbak) who had over 500 images and 30 video clips that constituted child pornography. He claimed he was working on an artistic project (over a six-year period of time) to raise awareness of the effect of child pornography or sexual abuse on the children.⁸⁰ The other case (Sauve) involved a manager of a group home where some clients had pedophilic tendencies; he claimed he collected images to help treat a client.⁸¹

Both men were acquitted because the Courts accepted the accused’s justifications for possessing and collecting the images. Both cases addressed the issue of “undue harm to the child” and found that the actions of neither men put children under the age of 18 at undue risk. In Katigbak, the Court relied on the fact that the accused did not purchase the images, he was not sexually motivated and did not intend to distribute them. The Court said this “negatives the concern that the victims are being re-victimized by a viewing of the images.”⁸² In Sauve, the Court said Parliament was not referring to a general risk of harm to children.

Neither Court, nor the two accused, considered the harm done to the children whose images were being collected. No matter the reason behind it, these children gave no permission to either man to access or collect their images. In doing so, these men contributed to the victims’ ongoing abuse.

The Crown is appealing the Katigbak decision. We urge the Department of Justice to monitor these cases to determine if an amendment is necessary to highlight the privacy interests of the children whose images are being collected.

As a final point, it is important to consider the following: The more time police spend trying to get judicial authorization for information that is not personal or private, the less time they have available to identify and rescue children.

The need for legislative change

The RCMP’s NCECC says “the single most important challenge facing investigators of Internet facilitated child exploitation ahead of all other issues, has been their inability to obtain basic customer information such as someone’s name and address from Internet Service Providers (ISPs).”⁸³

This was confirmed in 2007 when our office held a roundtable with law enforcement from across the country. At the roundtable, law enforcement identified its inability to acquire customer name and address information as the single biggest obstacle to identifying offenders and rescuing child victims of Internet-facilitated child sexual abuse. 

In 2006, the Standing Committee on Access to Information, Privacy and Ethics conducted a review of the Personal Information Protection and Electronic Documents Act (PIPEDA). It heard from victims’ groups and law enforcement that, although PIPEDA authorizes ISPs to provide basic information to law enforcement, many were not doing so. Clayton Pecknold of the Canadian Association of Chiefs of Police explained the challenges the police face:

“…we are increasingly seeing some companies interpreting lawful authority to mean that a warrant or court order is required before they comply. This is an interpretation that is not, in our respectful view, consistent with the intent of the drafting of the act. Such an interpretation by companies, while no doubt grounded in a legitimate desire to protect their customers’ privacy, is overly restrictive and defeats, in our view, the intent of paragraph 7(3)(c.1).”⁸⁴

In 2007, the Committee released its fourth report and recommended:

“…that consideration be given to clarifying what is meant by ‘lawful authority’ in section 7(3)(c.1) of PIPEDA and that the opening paragraph of section 7(3) be amended to read as follows: ’For the purpose of clause 4.3 of Schedule 1, and despite the note that accompanies that clause, an organization shall disclose personal information without the knowledge or consent of the individual but only if the disclosure is […].’”

Responding to the report, the former Minister of Industry confirmed “that the purpose of s.7(3)(c.1) is to allow organizations to collaborate with law enforcement and national security agencies without a subpoena, warrant or court order. Organizations who share information with government institutions, including law enforcement and national security agencies, in accordance with the requirements of this provision, are doing so in compliance with PIPEDA.”⁸⁵

In October 2007, the Department of Industry released a consultation document on several issues relating to the Committee’s report, including the proposal to clarify lawful authority. The Office of the Federal Ombudsman for Victims of Crime submitted a written brief to the Minister calling upon him to enact legislation quickly to clarify lawful authority as well as to make a further amendment to the legislation to require ISPs to provide CNA information to police investigating child sexual abuse cases.⁸⁶

In a response sent in November 2007 to the Ombudsman’s office, the former Minister of Industry said, “The Government of Canada accords the highest importance to the safety and security of Canadians and recognizes the particularly vulnerable nature of children in the online environment.” The former Minister acknowledged that the current law has created “challenges for law enforcement investigations” and that law enforcement reports that its ability to gain access to “basic information that is essential and often quite urgent” has been hindered. He stated that PIPEDA was not intended to be an impediment to the cooperation between companies and law enforcement, yet he said, “Obligations to collaborate in investigations and the establishment of consequences for obstruction currently rest with the Criminal Code of Canada. As such, a requirement for compulsory disclosures or information would be incompatible with the purpose of PIPEDA….”⁸⁷

Canada has fallen behind on this point. Other countries, including the U.K., Australia and the U.S., have passed legislation that does not require law enforcement to secure judicial authorization before accessing CNA from an ISP.⁸⁸

In the fall of 2007, the Department of Public Safety released its own consultation document on customer name and address information. The Office of the Federal Ombudsman for Victims of Crime participated in the consultation, urging the former Minister of Public Safety to introduce legislation that would require ISPs to provide CNA information to law enforcement. In response, the Government said it was examining how best to address this serious issue, including the possibility of legislation in this area.⁸⁹ On February 11, 2009, the current Minister of Public Safety confirmed he was considering legislation to address problems of enforcing laws in the age of the Internet. Specifically, the Minister stated, “If somebody’s engaging in illegal activities on the Internet, whether it be exploitation of children, distributing illegal child pornography, conducting some kind of fraud, simple things like getting username and address should be fairly standard, simple practice. We need to provide police with tools to be able to get that information so that they can carry out these investigations.”⁹⁰

• ⁵¹ The letter was developed by the Canadian Coalition Against Child Exploitation (CCAICE), a voluntary group of partners that work to reduce child sexual exploitation on the Internet. CCAICE includes industry, government, non-governmental and law enforcement stakeholders from across the country. The existing arrangement is based on paragraph 7(3)(c) of the Personal Information Protection and Electronic Documents Act.
• ⁵² Bell Customer Service Agreement, p. 14.
• ⁵³ Bell Code of Fair Information Practices, Definitions, p. 4.
• ⁵⁴ NCECC Submission to Public Safety Canada, “Customer Name and Address Information Consultation,” October 2007.
• ⁵⁵ Ibid., p. 4.
• ⁵⁶ A recent report prepared by Deloitte for the Canadian Association of Police Boards, entitled Report on Cybercrime in Canada (April 25, 2008, pp. 1–2), which included interviews with law enforcement, Crowns and others with experience in this area, said there was support for changes to existing legislation that would enable information sharing with law enforcement agencies, with lower judicial standards than those now applied to search and seizure warrant and mandatory reporting requirements for child pornography.
• ⁵⁷ NCECC Submission to Public Safety Canada, “Customer Name and Address Information Consultation,” October 2007.
• ⁵⁸ www.publicsafety.gc.ca/prg/ns/cna-en.asp.
  The document also clarified “the possible scope of CNA information to be obtained is later identified, but it should be noted from the outset that it would not, in any formulation, include the content of communications or the Web sites an individual visited while online….”
• ⁵⁹ Ibid., p. 5.
• ⁶⁰ R. v. Sharpe, 2001 SCC 2, [2001] 1 S.C.R. 45, para. 189.
• ⁶¹ Ian Kerr, Submission to the Customer Name and Address Consultation, October 19, 2007. www.idtrail.org/content/view/763/42/.
• ⁶² Ibid.
• ⁶³ R. v. Wilson, ONCJ St-Thomas, no. 4191/08, February 10, 2009.
• ⁶⁴ Shannon Kari, “Judge’s ruling could let police access IP data without warrant,” Ottawa Citizen, February 13, 2009.
• ⁶⁵ R. v. Plant, [1993] 3 S.C.R. 281.
• ⁶⁶ Ibid.
• ⁶⁷ R. v. David Ward, Sudbury Court File No. 071751, June 16 and 17, 2008.
• ⁶⁸ R. v. Wilson, ONCJ St-Thomas, no. 4191/08, February 10, 2009.
• ⁶⁹ Ibid. Most decisions support the principles that a customer’s name and address are not “private” information, but there have been dissenting opinions (R. v. Kwok).
• ⁷⁰ R. v. Quinn 2006 BCCA 255.
• ⁷¹ Ibid., para. 93.
• ⁷² FINTRAC gets its authority from the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
• ⁷³ CBC News, “Search warrants for child porn too slow, say RCMP,” April 2, 2008. www.cbc.ca/canada/prine-edward-island/story/2008/04/02/childporn-warrants.html.
• ⁷⁴ CBCNews.ca, “Quebec man jailed for molesting infant son, making child porn,” July 20, 2007.
• ⁷⁵ Bill Curry, “New law to give police access to online exchanges,” The Globe and Mail, February 12, 2009.
• ⁷⁶ NCECC Submission to Public Safety, “Customer Name and Address Information Consultation,” October 2007, p. 7.
• ⁷⁷ R. v. Sharpe, 2001 SCC 2, [2001] 1 S.C.R. 45, para. 189.
• ⁷⁸ Ibid., para. 135.
• ⁷⁹ Ibid., para. 240.
• ⁸⁰ R. v. Katigbak (2008) Reasons for Decision. Some of the alleged offences were committed before the 2005 amendment and prior to that the Criminal Code referred to “artistic merit or an educational, scientific or medical purpose.”
• ⁸¹ R. v. Sauve (2008) O.J. No. 4230.
• ⁸² R. v. Katigbak (2008) Reasons for Decision, para. 36.
• ⁸³ NCECC Submission to Public Safety Canada, “Customer Name and Address Information Consultation,” October 2007, p. 1.
• ⁸⁴ Standing Committee on Access to Information, Privacy and Ethics, Meeting 30, February 13, 2007.
  www2.parl.gc.ca/HousePublications/Publication.aspx?DocId=2695445
  &Language=E&Mode=1&Parl=39&Ses=1.
• ⁸⁵ Government Response to the Fourth Report of the Standing Committee on Access to Information, Privacy and Ethics, Statutory Review of the Personal Information Protection and Electronic Documents Act (PIPEDA). www.ic.gc.ca/eic/site/ic1.nsf/eng/h_02861.html.
• ⁸⁶ www.victimsfirst.gc.ca.
• ⁸⁷ Letter from the Honourable Jim Prentice, Minister of Industry, November 29, 2007.
• ⁸⁸ The scheme set out in Bill C-74 and the department’s consultation appear to be more restrictive than that of the other three countries. Dominique Valiquet, Telecommunications and Lawful Access: II. The Legislative Situation in the United States, the United Kingdom and Australia, February 28, 2006, Library of Parliament. www.parl.gc.ca/information/library/PRBpubs/prb0566-e.html.
• ⁸⁹ “Government Response to the Annual Report of the Federal Ombudsman for Victims of Crime, April 2007 to March 2008.” http://canada.justice.gc.ca/eng/news-nouv/nr-cp/2009/doc_32330.html.
• ⁹⁰ Bill Curry, “New law to give police access to online exchanges,” The Globe and Mail, February 12, 2009.