Lawful access, the government’s planned legislation on Internet surveillance, has generated considerable attention over the past few days as the government decided against including it in its first omnibus crime bill. That decision generated media coverage, claims that the government backed down in the face of a 70,000 signature online petition, and a debate in the House of Commons in which Public Safety Minister Vic Toews stated that warrantless online wiretapping is not planned. While I recognize these developments feel like a cause for celebration, I fear there is a major problem developing as too much of this discussion doesn’t actually involve the real lawful access.
First, the omission of lawful access from Bill C-10 does not mean lawful access is dead or defeated. It is only delayed as Justice officials have indicated that the government is “committed to reintroducing” the lawful access measures. In fact, yesterday Toews confirmed again “the legislation will come.” The exclusion from the omnibus crime bill is definitely a step in the right direction – it should allow for the committee hearings that have never happened despite several attempts to pass lawful access – but lawful access will still be introduced and presumably passed at some point in the future.
Second, the debate has unfortunately veered into concerns over lawful access that don’t reflect reality.
Much like the fears earlier this year over criminalization of linking, Canadians would be better served fighting the real provisions in lawful access. The most recent headlines involve the current claims over warrantless online wiretapping. Open Media, who released several well-produced lawful access videos, unfortunately perpetuate these concerns by focusing on the issue. The NDP, which has been outspoken on lawful access, is now also focusing on warrantless online wiretapping. In yesterday’s debate, NDP MP Charmaine Borg stated:
Mr. Speaker, in the last Parliament, the NDP fought to stop the Conservatives from passing legislation allowing police officers to spy on citizens on the Internet without a warrant. Since this measure is not included in the omnibus crime bill, it is a victory for the NDP and all Canadians. Can the government confirm that it will, once and for all, heed the experts and the vast majority of the population, who are opposed to surveillance without a warrant?
Immediately afterward, NDP MP Pierre-Luc Dusseault asked:
Mr. Speaker, even former Minister of Public Safety Stockwell Day was opposed to electronic surveillance without a warrant. Can the minister confirm that his government is admitting that this surveillance initiative, an even greater intrusion into the lives of Canadians, has been abandoned? Can he guarantee today that it has been abandoned once and for all?
The problem with this line of attack is that lawful access doesn’t envision warrantless online wiretapping, making this fight the equivalent of a political softball. Advocates rail against warrantless online wiretapping and Toews effortlessly swats away the concerns by assuring everyone that the government has no plans to introduce such measures.
If prior lawful access bills are any indication, Toews is right. Lawful access won’t include warrantless online wiretapping, at least in the conventional sense. But to give the government a pass on those grounds is to overlook the real dangers that will be in the bill. If the Conservatives move forward with their complete lawful access package, it would feature a three-pronged approach focused on information disclosure, mandated surveillance technologies, and new police powers.
The first prong will mandate the disclosure of Internet provider customer information without court oversight. Under current privacy laws, providers may voluntarily disclose customer information but are not required to do so. The new system would require the disclosure of customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers. While some of that information may seem relatively harmless, the ability to link it with other data will often open the door to a detailed profile about an identifiable person. Given its potential sensitivity, the decision to require disclosure without any oversight should raise concerns within the Canadian privacy community. It should be noted that this issue – mandated access to customer personal information without a warrant – was what Stockwell Day pledged not to do. Day took an important stand on the issue and it is crucial to call the government on it.
The second prong will require Internet providers to dramatically re-work their networks to allow for real-time surveillance. The bill is likely to set out detailed capability requirements that will eventually apply to all Canadian Internet providers. These include the power to intercept communications, to isolate the communications to a particular individual, and to engage in multiple simultaneous interceptions.
Moreover, based on the prior bill, it will establish a comprehensive regulatory structure for Internet providers that would mandate their assistance with testing their surveillance capabilities and disclosing the names of all employees who may be involved in interceptions (and who may then be subject to RCMP background checks). The bill will also likely establish numerous reporting requirements including mandating that all Internet providers disclose their technical surveillance capabilities within six months of the law taking effect. Follow-up reports will also be required when providers acquire new technical capabilities.
The requirements could have a significant impact on many smaller and independent Internet providers. Although the bill may grant them a three-year implementation delay, the technical capabilities extend far beyond most of their commercial needs. Indeed, after years of concern over the privacy impact associated with deep-packet inspection of Internet traffic (costly technologies that examine Internet communications in real time), these bills may require all Internet providers to install such capabilities.
Having obtained customer information without court oversight and mandated Internet surveillance capabilities, the third prong will create a several new police powers designed to obtain access to the surveillance data. These include new transmission data warrants that would grant real-time access to all the information generated during the creation, transmission or reception of a communication including the type, direction, time, duration, origin, destination or termination of the communication.
Law enforcement could then obtain a preservation order to require providers to preserve subscriber information, including specific communication information, for 90 days. Finally, having obtained and preserved the data, production orders can be used to require the disclosure of specified communications or transmission data.
While Internet providers would actively work with law enforcement in collecting and disclosing the subscriber information, they could also be prohibited from disclosing the disclosures as court may bar them from informing subscribers that they have been subject to surveillance or information disclosures.
Lawful access raises genuine privacy and free speech concerns, particularly given the fact that the government has never provided adequate evidence on the need for it, it has never been subject to committee review, and it would cost millions to implement yet there has been no disclosure on who would actually pay for it. Given these problems, it is not surprising that every privacy commissioner in Canada has signed a joint letter expressing their concerns. Canadians need to speak out to ensure that any lawful access package maintains appropriate oversight and reporting requirements. There is enough to worry about in the real lawful access proposals that critics don’t need to focus on problems that don’t exist.