1. Evidence, Evidence, Evidence
The starting point for discussion on C-30 should not be the problem of child pornography or online crime. The starting point must be to shift the onus to law enforcement to provide compelling evidence that its current investigative powers are insufficient (that is not the same as saying access to subscriber data is valuable). Despite ten years of debate on lawful access, law enforcement has yet to make that case. In 2002, the Public Interest Advocacy Centre wrote on lawful access:
Having reviewed the Consultation Document, and participated in a day-long consultation with government officials, it is PIAC’s view that the Government’s proposals for greater lawful access to private communications have not been demonstrably justified, according to the test articulated by both the Supreme Court of Canada and the Privacy Commissioner of Canada.
After the Liberals introduced their lawful access bill in 2005, I wrote:
Yet again, the government has failed to make the case that this is necessary. While they note that convictions are more likely with lawful access information and that this bill , there is no evidence provided that the current system has somehow led to botched investigations or failed prosecutions.
Last year, Canadian Privacy Commissioner Jennifer Stoddart wrote:
Despite repeated calls, no systematic case has yet been made to justify the extent of the new investigative capabilities that would have been created by the bills. Canadian authorities have yet to provide the public with evidence to suggest that CSIS or Canadian police cannot perform their duties under the current regime. One-off cases and isolated incidents should not prove the rule, nor should exigent or emergency circumstances, for which there are already Criminal Code provisions.
A few months ago, Open Media uncovered documents that indicate even the police forces admit they have not made a compelling case on the need for lawful access. Ten years of debate and there is still insufficient evidence to support lawful access. Given the lack of evidence, some have argued Bill C-30 is a solution in search of a problem. The reality is we don’t know. Step one is to provide Canadians with a strong, compelling case that there is a problem with the current law that needs to be addressed. If law enforcement and the government are unable to do so, the bill should be scrapped.
2. No Mandatory Warrantless Access to Subscriber Information
The biggest concern to date is the disclosure of Internet provider customer information without court oversight. Under current privacy laws, providers may voluntarily disclose customer information but are not required to do so. The new system would require the disclosure of customer name, address, phone number, email and Internet protocol addresses.
This strikes at a bedrock principle of privacy law and is rightly opposed by the privacy and civil society community. Yet in talking with law enforcement, it is clear what they want is timely, guaranteed access in appropriate circumstances. They argue the current warrant system does not meet this standard nor do the current privacy rules. I have argued that a new warrant specific to subscriber information could be developed. Such a warrant could offer rapid authorization and lower costs. For law enforcement, it would provide the access they want, while for privacy advocates it would maintain the oversight principle.
3. Reporting Warrantless Disclosure of Subscriber Information
With ISPs and telcos providing subscriber data without a warrant nearly 95 percent of the time, there is a huge information disclosure issue with no reporting and no oversight. This is a major issue on its own, particularly since it is not clear whether these figures also include requests from Internet companies like Google and social media sites such as Facebook and Twitter. The RCMP alone made over 28,000 requests for customer name and address information in 2010. These requests go unreported – subscribers don’t know their information has been disclosed and the ISPs and telecom companies aren’t talking either.
Bill C-30 would add new reporting requirements to these disclosures, which should allow for insights into what ISPs and police are doing with subscriber information. In order to make this reform effective, however, the legislation should expressly prevent police from bypassing the reporting regime by continuing to voluntarily collecting some of this information. The new system should ensure that all ISP and telco disclosures of subscriber information are logged and reported.
4. Remove the Disclosure Gag Order
David Fraser has noted that Section 23 of Bill C-30 imposes a gag order on Internet providers who would be prohibited from disclosing disclosures of subscriber information to affected subscribers. This provision, which is essentially hidden through the complexities of legislative drafting, should be removed from the bill or at least reformed to allow disclosure after an appropriate period of time.
5. “Voluntary” Warrantless Data Preservation and Production
Bill C-30 that creates a voluntary warrantless system that would allow police to ask for the content of emails or web surfing habits and allow ISPs to comply with the request without fear of liability. Section 487.0195 states the following:
(1) For greater certainty, no preservation demand, preservation order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing.
(2) A person who preserves data or provides a document in those circumstances does not incur any criminal or civil liability for doing so.
This provision opens the door to police approaching ISPs and asking them to retain data on specified subscribers or to disclose any subscriber information – including emails or web surfing activities – without a warrant. ISPs can refuse, but this provision is designed to remove any legal concerns the ISP might have in doing so, since it grants full criminal and civil immunity for the disclosures.
While many would hope that ISPs would not disclose personal information without a warrant, revelations that they already provide customer name and address information about 95 percent of the time suggests that police have little to lose in asking for more detailed data preservation and disclosure. Bill C-30 increases the likelihood of “voluntary” warrantless disclosures, creating a legal framework that makes it easy and risk-free from a provider perspective. The immunity should at least be subject to a reasonableness standard so that there are some limits on these disclosures.
6. Government Installation of Surveillance Equipment
While the bill includes some detail on surveillance capability requirements, perhaps the most dangerous provision is Section 14, which gives the government a stunning array of powers:
- to order an ISP or telecom provider to install surveillance capabilities “in a manner and within a time” specified by the government
- to order an ISP or telecom provider to install additional equipment to allow for more simultaneous interceptions than is otherwise specified in the law (the government sets a maximum and then can simply ignore its own guidelines)
- to order an ISP or telecom provider to comply with additional confidentiality requirements not otherwise specified in the law
- to order an ISP or telecom provider to meet additional operational requirements not otherwise specified in the law
Given these powers, Section 14 essentially gives the government the power to override the limits and guidelines it establishes in the bill (it must pay the provider an amount the government decides is reasonable for doing so). If that wasn’t enough, Section 14(4) goes even further. It provides:
The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section.
This gives the government the power to decide what specific surveillance equipment must be installed on private ISP and telecom networks by allowing it to simply take over the ISP or telecom network and install its own equipment. This is no small thing: it literally means that law enforcement has the power to ultimately determine not only surveillance capabilities but the surveillance equipment itself. Section 14 requires significant reform as 14(4) should be removed and provisions that give the government the right to circumvent limitations in the law should be dropped.
7. Reconsider the Internet Provider Regulatory Framework
Bill C-30 requires Internet providers to dramatically re-work their networks to allow for real-time surveillance. The bill sets out detailed capability requirements that will eventually apply to all Canadian Internet providers. These include the power to intercept communications, to isolate the communications to a particular individual, and to engage in multiple simultaneous interceptions.
Moreover, the bill establishes a comprehensive regulatory structure for Internet providers that would mandate their assistance with testing their surveillance capabilities and disclosing the names of all employees who may be involved in interceptions (and who may then be subject to RCMP background checks).
The bill also establishes numerous reporting requirements including mandating that all Internet providers disclose their technical surveillance capabilities within six months of the law taking effect. Follow-up reports are also required when providers acquire new technical capabilities.
If all of this wasn’t enough, the bill also envisions broad enforcement powers to ensure that Internet providers comply with the law. Section 34 has attracted considerable attention since it grants seemingly unlimited inspection powers that allow for entry into “any place owned by, or under the control of, any telecommunications service provider in which the inspector has reasonable grounds to believe there is any document, information, transmission apparatus, telecommunications facility or any other thing to which this Act applies.”
It is hard to see how such powers are justifiable under the current law. A re-examination of Intenet provider requirements and enforcement is desperately needed.
8. Improve Lawful Access Oversight
Bill C-30 includes several oversight mechanisms that will allow for audits and other reporting by the Privacy Commissioner of Canada. For example, Section 20(4) gives the Privacy Commissioner the power to conduct an audit of the RCMP and the Commissioner of Competition to see how mandatory disclosure of personal information powers are being used. While this is a good start, there are questions about the necessary resources to conduct audits and engage in oversight (similar questions arise within the context of provincial reviews).
In addition to the role of privacy commissioners, the government should follow the longstanding advice of Ontario Privacy Commissioner Ann Cavoukian by establishing an independent agency devoted to surveillance oversight. In her 2005 submission on lawful access, Cavoukian recommended:
we call for the creation of an independent, arm’s-length Surveillance and Access Review Agency (SARA) mandated to supervise access to this highly sensitive personal information and report annually to Parliament on the propriety of the operations of the regime. The Commissioner of such an agency should be an independent Officer of Parliament nominated by an all-party committee of the House of Commons and appointed by the Governor-in-Council with sufficient security of tenure to ensure independence and sufficient powers and resources to carry out the mandate of the Office and ensure the desired transparency and accountability.
The suggestion is a good one – lawful access requires effective oversight and the plan in Bill C-30 is unsufficient.
9. Limit the Law to Serious Crimes
Public Safety Minister Vic Toews introduced Bill C-30 by focusing on child pornography and other dangerous crimes. Yet the law as drafted applies far more broadly. On the issue of warrantless access to subscriber information, a Public Safety document released under the Access to Information Act demonstrates that the intention is to use this data for purposes that do not involve criminal or child pornography concerns. For example, it notes that warrants would be problematic for “non-criminal, general policing duties” such as returning stolen property.
Further, even the Competition Bureau is entitled to demand disclosure of subscriber information without a warrant. If the government is serious about using lawful access to combat serious crime, it should circumscribe the law by limiting its application to serious crimes and limits its use to law enforcement officials dealing with serious criminal matters.
10. Come Clean on Costs
Evidence is not the only thing that has been missing despite ten years of debate. The cost of lawful access remains a mystery, notwithstanding recent reports of $80 million over the next four years. That seems like a huge understatement as the initiative is likely to cost hundreds of millions of dollars as Internet and telecom providers are forced to invest in surveillance technologies and face significant new regulatory costs. Moreover, law enforcement is also going to see its costs increase as ISPs can seek compensation for their assistance. Smaller ISPs have already expressed concern that the additional costs may force them out of business. If that happens, the decline in competition could see monthly consumer costs rise as well.
Years ago, the government tried to argue that lawful access would reduce costs. The myths document for the 2005 bill (Public Safety relies heavily on claiming that criticisms are just myths) stated the following:
Myth: In the end, Canadians, either as a taxpayer or as a consumer, will bear the burden of additional costs to industry.
Reality: MITA will actually reduce the overall cost to taxpayers or consumers. Currently the Government of Canada budgets for the development of interception capabilities for existing technologies. The costs would be reduced over the long run by putting in place clear requirements for lawful interception that can be factored in during the design stage of new technologies. When lawful interception capabilities are provided for at the engineering stage of network design, the costs are a fraction of that of a retrofit of existing equipment.MITA will further minimize the financial impact on industry and consumers by allowing service providers to meet the requirements of the legislation in the most cost-effective way.
Claiming that lawful access will actually reduce costs was so implausible that the government has dropped the argument. While the claim may have disappeared, the costs have not. Before proceeding with the legislation, Canadians are entitled to a detailed, independent regulatory impact assessment that provides a realistic analysis of the costs created by Bill C-30 for both implementation of surveillance technologies, operational costs, and resources needed for oversight.
11. The Missing Regulations
Bill C-30 may be more than 100 pages, but Section 64 makes it clear it is only part of the online surveillance story. Section 64 gives the Governor in Council (ie. cabinet) the power to make regulations related to the implementation of the bill and it is as broad as it comes. For example, the bill requires Internet providers to have the ability to engage in multiple simultaneous interceptions but a wide range of questions – minimum and maximum simultaneous interceptions, how interception requests are made, maximum number of agencies making requests, etc. are all left to future regulations. Bill C-30 doesn’t even specify what communications must be interception-capable. Section 7 identifies a series of requirements (enable the interception of communications, isolate the communication, etc.) associated with this requirement. But what is a “communication” for these purposes? That is left to the unspecified regulations.
The mandatory disclosure of subscriber information without a warrant has been the hot button issue in Bill C-30, yet it too is subject to unknown regulations. These regulations include the time or deadline for providing the subscriber information (Bill C-30 does not set a time limit) and “prescribing any confidentiality or security measures with which the telecommunications service provider must comply.”
These are just some of the uncertainties. Section 64, which identifies the issues subject to future regulations by the Governor-in-Council cover almost every major substantive issue in the bill. In case the government has forgotten something, there is a catch-all regulatory power “generally, for carrying out the purposes and provisions of this Act.” In other words, cabinet gets to fill in the many blanks of this law without a House of Commons review or vote. Given the importance of this legislation, the public should see the regulations before the bill is passed. To do otherwise is to enact a lawful access system without knowing dozens of associated rules and regulations.
12. Deal With The Failure of Privacy Laws To Keep Pace
The government emphasized the need to update the law in order to keep pace with technology and the Internet. Yet the same problems exist on the privacy side where laws have failed to keep pace with new realities. For example, the Privacy Act, the public sector privacy law, has not been updated for decades, despite repeated efforts by every federal privacy commissioner to put the issue on the legislative agenda. Bill C-12, which implements 2006 recommended reforms to PIPEDA, the private sector privacy law, is languishing in the House of Commons with no movement whatsoever. In fact, it has taken so long to move on the bill that many of its provisions on mandatory security breach disclosure rules (the flip side of mandatory subscriber disclosure) are already outdated and insufficient. Throw in the missing anti-spam regulations (which is keeping the anti-spam law from taking effect) and the delayed 2011 statutory review of PIPEDA and it becomes clear that there is much work to be done on the privacy side. Given the close correlation between privacy and security, the government should commit to moving forward with privacy reforms in conjunction with lawful access.