Against the backdrop of terrorist attacks, alleged voter fraud and fake news, one would think arguments that the security and integrity of the voting process would be compelling. However, on November 15, 2017 the BC Office of the Information and Privacy Commissioner (“OIPC”) rejected arguments along these lines and ordered the City of Vancouver (“City”) to disclose the physical location of computer servers that stored voter data for the City’s municipal election.
Pursuant to BC’s Freedom of Information and Protection of Privacy Act (“FIPPA”), a journalist requested the City to disclose its contract with the company that provided voting software and voter data storage to the City, and to other municipalities across Canada. The City partially complied with the request, disclosing the entirety of the contract except for the physical location of the computer servers and their corporate operators. The City relied on section 15(1)(l) of FIPPA, which permits an exemption from disclosure based on the public body’s assessment that “disclosure could reasonably be expected to harm the security of any property or system, including a building, a vehicle, a computer system or a communications system”.
The OIPC applied the Supreme Court of Canada’s formulation for “reasonable expectation of probable harm” in Ontario v Ontario as the appropriate standard of proof. It is said that the statutory language of “could reasonably be expected to” requires a middle ground between that which is probable and that which is merely possible. The Supreme Court opined that: “An institution must provide evidence ‘well beyond’ or ‘considerably above’ a mere possibility of harm in order to reach that middle ground”.
The City argued that voter data is “highly sensitive” and a target for criminal activity, and stolen voter data could be used to interfere with ongoing or future elections. Further, the City submitted affidavit evidence of the Chief Technology Officer (“CTO”) of the service provider, in which the CTO stated that: “These addresses have stringent physical security precautions but, for a dedicated attacker, knowledge of the address could provide additional means to initiate social engineering attacks focusing on employees at these facilities.”
The City also relied on two previous Orders holding that FIPPA’s section 15(1)(l) exemption applied to information which would allow or assist third parties to gain unauthorized access to a computer system or weaken the security of a computer system. The IOPC distinguished these Orders from the current case as neither of them dealt with physical location of servers but about user IDs, passwords, network configuration, security settings and so on. In the end, the OIPC was not satisfied that disclosing the server locations would make unlawful access considerably more likely than a mere possibility.
FIPPA expressly provides in its section 2 that one of the purposes is to make public bodies more accountable to the public. OIPC, in its reasoning in this decision, reiterated the strong public interest in transparency in relation to contracts involving public services delivered by private contractors and reinforced its position that the risk of harm under section 15(1)(l) must be sufficient to outweigh that public interest (footnotes omitted):
There is a strong public interest in transparency in relation to contracts involving public services delivered by private contractors and the risk of harm under s. 15(1)(l) must be sufficient to outweigh that public interest. The City has not satisfied me that the security of the primary and backup server facilities or the server computer system itself could reasonably be expected to be harmed by disclosure of their location or the names of the companies which operate them. Therefore, I find the City is not authorized to refuse the applicant access to this information pursuant to s. 15(1)(l).
This Order will be of obvious concern to companies which contract with public sector bodies for the storage and processing of data, many of which rely on the secrecy of their physical operations as part of their overall IT security plan.
Companies should consider reviewing the terms of the their contracts, and work with counsel to take steps to decrease the likelihood they will be adversely affected by requests such as the one here.