Over the past few days, I’ve posted on some of the implications of Bill C-30, including the mandatory disclosure of subscriber information, the “voluntary” warrantless disclosure of emails and web surfing habits, and the stunning lack of detail on a wide range of issues including costs and surveillance capabilities. While the bill includes some detail on surveillance capability requirements, perhaps the most dangerous provision is Section 14, which gives the government a stunning array of powers:
- to order an ISP or telecom provider to install surveillance capabilities “in a manner and within a time” specified by the government
- to order an ISP or telecom provider to install additional equipment to allow for more simultaneous interceptions than is otherwise specified in the law (the government sets a maximum and then can simply ignore its own guidelines)
- to order an ISP or telecom provider to comply with additional confidentiality requirements not otherwise specified in the law
- to order an ISP or telecom provider to meet additional operational requirements not otherwise specified in the law
Given these powers, Section 14 essentially gives the government the power to override the limits and guidelines it establishes in the bill (it must pay the provider an amount the government decides is reasonable for doing so). If that wasn’t enough, Section 14(4) goes even further. It provides:
The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section. What does this mean? In short, it gives the government the power to decide what specific surveillance equipment must be installed on private ISP and telecom networks by allowing it to simply take over the ISP or telecom network and install its own equipment. This is no small thing: it literally means that law enforcement has the power to ultimately determine not only surveillance capabilities but the surveillance equipment itself.
As Privacy International revealed late last year, there is a massive global surveillance industry that specializes in selling invasive surveillance technologies directly to governments and law enforcement. Companies like Gamma Group offer “turnkey lawful interception projects” that includes SMS interception, speech identifying tools, and data retention, while Innova offers “solutions for the interception of any kind of protocols and IP-based communication, such as web browsing, e-mail and web-mails, social networks, peer to peer communication, chat and videochat.” Endace offers the “power to see all for Government” and Hacking Team provides a suite of tools for governmental interception. Last year, Wikileaks published a powerpoint presentation from Glimmerglass that shows how law enforcement can link email addresses, online chat, and social media activity to generate detailed profiles of individuals (pages 10-12).
There are dozens of these companies operating around the world, servicing steady demand from the Middle East and Asia. If Bill C-30 becomes law, the Canadian government will be positioned to require private ISPs to install these kinds of technologies directly within their networks.