This week the Conservatives election platform included a commitment to bundle all the crime and justice bills into a single omnibus bill and to pass it within a new Parliament’s first 100 days. The Conservatives argue that the opposition “obstructed our reforms” and that this step is needed to get the bills passed. I don’t follow the general crime bills so I don’t know what happened with many of these bills. On lawful access (which involves three bills), however, this is plainly untrue.
The lawful bills received first reading in the fall and never went anywhere. There was no attempt by the government to move to second reading to allow for debate followed by committee hearings. The bills were simply introduced and nothing further happened. In fact, this is second time the Conservatives have introduced lawful access legislation and done little to advance it through the legislative process. The first attempt died when Parliament prorogued in 2009 with bills that had made it to second reading but without any committee hearings.
There are several concerns with the Conservatives lawful access plans. First, it bears noting that these bills have never received extensive debate on the floor of the House of Commons and never been the subject of committee hearings. Police officers may support the legislation, but there has never been an opportunity to question them on the need for such legislation or on their ability to use lawful access powers if the bills become law. Federal and provincial privacy commissioners have expressed deep concerns about these bills, yet they have never had the opportunity to air those concerns before committee. Internet service providers, who face millions in additional costs – presumably passed along to consumers – have never appeared before committee. By making a commitment to passing lawful access within 100 days, the Conservatives are undertaking to pass legislation with enormous implications for the Internet that has never received parliamentary scrutiny and will receive limited attention.
Second, more important than process is the substance of the proposals that have the potential to fundamentally reshape the Internet in Canada. The bills contain a three-pronged approach focused on information disclosure, mandated surveillance technologies, and new police powers.
The first prong mandates the disclosure of Internet provider customer information without court oversight. Under current privacy laws, providers may voluntarily disclose customer information but are not required to do so. The new system would require the disclosure of customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers.
While some of that information may seem relatively harmless, the ability to link it with other data will often open the door to a detailed profile about an identifiable person. Given its potential sensitivity, the decision to require disclosure without any oversight should raise concerns within the Canadian privacy community.
The second prong requires Internet providers to dramatically re-work their networks to allow for real-time surveillance. The bill sets out detailed capability requirements that will eventually apply to all Canadian Internet providers. These include the power to intercept communications, to isolate the communications to a particular individual, and to engage in multiple simultaneous interceptions.
Moreover, the bill establishes a comprehensive regulatory structure for Internet providers that would mandate their assistance with testing their surveillance capabilities and disclosing the names of all employees who may be involved in interceptions (and who may then be subject to RCMP background checks).
The bill also establishes numerous reporting requirements including mandating that all Internet providers disclose their technical surveillance capabilities within six months of the law taking effect. Follow-up reports are also required when providers acquire new technical capabilities.
The requirements could have a significant impact on many smaller and independent Internet providers. Although the bill grants them a three-year implementation delay, the technical capabilities extend far beyond most of their commercial needs. Indeed, after years of concern over the privacy impact associated with deep-packet inspection of Internet traffic (costly technologies that examine Internet communications in real time), these bills appear to require all Internet providers to install such capabilities.
Having obtained customer information without court oversight and mandated Internet surveillance capabilities, the third prong creates a several new police powers designed to obtain access to the surveillance data. These include new transmission data warrants that would grant real-time access to all the information generated during the creation, transmission or reception of a communication including the type, direction, time, duration, origin, destination or termination of the communication.
Law enforcement could then obtain a preservation order to require providers to preserve subscriber information, including specific communication information, for 90 days. Finally, having obtained and preserved the data, production orders can be used to require the disclosure of specified communications or transmission data.
While Internet providers would actively work with law enforcement in collecting and disclosing the subscriber information, they could also be prohibited from disclosing the disclosures as court may bar them from informing subscribers that they have been subject to surveillance or information disclosures.
Few would argue that it is important to ensure that law enforcement has the necessary tools to address online crime issues. But these proposals come at an enormous financial and privacy cost, with as yet limited evidence that the current legal framework has impeded important police work. In fact, when then Public Safety Minister Peter Van Loan tried to justify his lawful access package, he pointed to an emergency situation that I later revealed (via access to information) had nothing to do with the Internet.
None of this is to say the Liberals would be any better. They introduced their own lawful access package many years ago and the reactionof MPs like McTeague in 2009 was “what took you so long.” The Liberals point to protection from digital threats in their platform, but do not specifically discuss lawful access. They should be asked about where they stand now (so too for the NDP which marshalled opposition in 2009). Given the Conservatives have included fast tracking lawful access in their platform, they should be asked to explain the need for new Internet surveillance, address who will pay for it, and justify their proposal legislative approach to these dramatic reforms that have never been the subject of Parliamentary debate or hearings.