Justice Committee Report Recommends Expanding Lawful Access Legislation

The government has placed Bill C-30, the lawful access/online surveillance bill, on hold, but there is no reason to believe it is going away. In fact, a recent report from the Standing Committee on Justice and Human Rights suggests that the changes coming to the bill may not address public concern but rather expand lawful access requirements even further. The committee report on the State of Organized Crime includes recommendations that reinforce Bill C-30’s mandatory warrantless disclosure of subscriber information and envision going beyond the bill by requiring both telecom companies and device manufacturers to assist in the decryption of encrypted communications, as well as exploring mandatory verification of the identity of cellphone users.

On subscriber information disclosure, the report’s recommendations state:

The Committee recommends the establishment of a statutory mechanism enabling law enforcement agencies, without a warrant, to require telecommunication service providers to disclose basic information identifying their subscribers. Privacy measures would have to be created, however, and prior court authorization would always be required to allow these agencies to intercept private communications.

This is a reaffirmation of Bill C-30, which has been the subject of widespread criticism from Canadians across the political spectrum.

The report also recommends expanding the lawful access bill by including provisions not currently found in Bill C-30. For example:

The Committee recommends that the Government of Canada introduce legislation requiring telecommunications service providers and telecommunications device manufacturers to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard.

This recommendation goes well beyond what is currently found in the lawful access legislation as the discussion specifically points to Research in Motion and other smartphone device manufacturers as being targeted with the decryption requirements. Moreover, Bill C-30 only requires telecom companies to decrypt if they have the technical capability, while this recommendation seems to envision a stronger, positive requirement. The report also recommends verification requirements on cellphone purchasers:

The Committee recommends that the Government of Canada examine the possibility of requiring cell phone merchants to verify the identity of purchasers. It could also determine whether it would be appropriate to impose the same requirement on telecommunications service providers.

The report includes a dissenting opinion from the NDP on the lawful access recommendations. There does not appear to be a similar dissent from the Liberals, who were represented on the committee by Irwin Cotler. Postmedia covered the release of the report but the article is no longer available on its media sites. The article included specific comments from Bell that suggest its primary concern associated with these demands boils down to questions of who will bear the costs. A company spokesperson stated “our primary concern in this area has always been the capacity of industry to implement any new requirements and who bears the cost.” That is a troubling position for many Canadians who rightly expect their telecom companies to also be concerned with the privacy of their customers. After the outcry in February over Bill C-30, many also expected the government to be open to change on lawful access, yet this report suggests that the changes may not be what many were anticipating.

37 Comments

  1. David Collier-Brown says:

    Only Bell and Rogers can afford… to bankrupt their competitors
    A year and a half ago, it was pointed out by a member that small ISPs could be rendered uncompetitive by laws requiring they provide eavesdropping hardware. Only Bell and Rogers could afford to toady up to CSIS and friends, and the small ISPs would either be legislated out of business, or forced further into the hands of our Dear Duopoly.

  2. The government isn’t interested in listening to Canadians on this. They want lawful access, so they’ll get it by forcing it through no matter what people think. They only backed down to make it seem like they were listening and get the media spotlight off it for a bit.

  3. Stupidity Overwhelming…
    Ok… I will not talk about the recommendation of cell phone identity.
    I will talk about forcing decryption of encrypted communications.
    “The Committee recommends that the Government of Canada introduce legislation requiring telecommunications service providers and telecommunications device manufacturers to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard.”

    Strictly, it is impossible (at the current time) to decrypt a well implemented SSL. The best method ISPs would employ instead would be to become Man in the Middle Attackers, thus killing the encryption protection of bank transactions, at all times.

    There are 2 methods to implement such MitM attacks.
    1: Force users to use a proxy that strips https requests (thus removing encryption altogether).
    2: Force users to accept a root SSL certificate from the ISP (aka: Bell becomes root CA) that then signs fake SSL certificates on the fly. Second method might actually go against DNSSEC though (so we return to a SOPA like problem).

    While this works for SSL based communications, it won't decrypt data from TOR, Freenet (yes that crap might still exist) or other encryption schemes used by programs that are not based on SSL. It will also not stop VPN unless the ISP becomes a MitM (again) by implementing their own servers.

    In fact all methods require you to actually intercept the request at the handshake stage and place yourself in the middle. Not only would this cost a lot (and might actually not work on some encryption implementations… aka what criminals would actually use) but it would also force ISPs to keep all that data secure lest they get sued out of existence by class action suits of epic proportions if that data comes out of their servers…

  4. a sort of privacy guy
    What I desperately want to understand, is why Canada, the US, Australia and the UK are simultaneously marching down the path of Big Brother’ism, having all sacrificed SO much to protect these freedoms on a global scale, within living memory!

    Why do all four governments have the same agenda, and why is the public not MUCH more engaged and/or enraged? What is the common, motivating thread, and why now? And no, I don’t buy the explanation that it’s to combat (much less “defeat”) terrorism, although this conveniently serves the purpose of keeping the public relatively cowed.

    I’m not afraid of “terrorists”…but I am afraid of our government. Does that make them terrorists…?
    P

  5. Davegravy says:

    Deja Vu
    Here we go again, just like with the copyright bill: Propose a bunch of contentious additions to the bill, then discard them so that the bill in its original (albeit distasteful) form is a little easier to swallow.

  6. Name withheld says:

    I predict
    When Bill C-30 came into light, I decided to start using VPN with servers in other countries in protest. Doing so, I also realized that a next logical step by those Totalitarian-loving people who created or support Bill C-30, would be to criminalize the use of encrypted technology, since it defeats their dear Bill C-30.

    Looks like I am about to be right, this proposal is one step closer to criminalizing private encryption.

    I have the same puzzlement as Patrick up there: This can’t be a coincidence that so many Western governments are pushing for these Big Brother measures. What is going on? We can only speculate, and I speculate that these governments expect increasing level of protests from citizens, and since citizens benefit from social media et al. to organize, these governments feel outplayed and feel the need to equip themselves with countering tools. At some point, these governments forgot their duty is to administrate the country and be accountable to the citizens, not to *rule* the citizenry.

    I want the opposite, I want the citizenry to have all the tools and less excuse for secrecy by government to scrutinize and keep it accountable, and more stringent privacy laws for people. But this is not going there, quite the opposite.

  7. It’s ridiculous that a term like “police state” can be used without hyperbole in regards to the future of Canada.

  8. Alright, if this law passes, the first thing I want the RCMP to do is wiretap all MPP, and Senate members to monitor their communications/internet usage to ensure that there is no further possibility of corruption going on in our government…

  9. Why would post media pull this story? That sounds a bit strange to me.

  10. pat donovan says:

    lback list + mail
    Personal encryption legal? THAT would interfere with the biggest land-grab (of rights), blackmail scheme and tongue/thought police operation in history.

    yes, criminals would walk around it.

    privacy, property and freedom of info.
    under these yahoos, you can kiss it goodbye.

    pat

  11. I guess it’s easier to just make everyone a criminal and freely listen in on them than actually doing police work properly and stop fucking up cases where organised criminals are let go because of bad police work.

    So are these governments looking to become fascists or communists? Seems either one will do as they both require the spying on its citizens to curb dissent. This is the only reason I can see why they want to throw out all checks and balances that millions died for 60+ years ago.

  12. Why? and Sec
    I believe we can take a note from Ayn Rand on the “why” so many governments are headed down the supposed “big brother” path:

    “There’s no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren’t enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws.” ~ Ayn Rand

    As far as security is concerned, I believe the “decryption” the language refers to would amount to intercepting communications at the point of decryption (the telecom company), and possibly giving LE the keys to your phone (as USG has recently demanded from Google). Other possible targets include iCloud (as it turns out Apple may hold the skeleton key).
    Beyond those scenarios, anything else is mathematically, or practically infeasible.

  13. Gotta love Bell …
    I refuse to spend a dime that goes towards Bell or any of their media holdings. Worst tech company in Canada in regards to caring for their customers and their rights.

    @Standing Committee “requiring telecommunications service providers and telecommunications device manufacturers to decrypt legally intercepted communications or to provide assistance to law enforcement agencies in this regard.”

    Sure, bypassing an encrypted phone lock screen is one thing but just how are they supposed to decrypt a 256bit encrypted communication without a few super computers? These legislators should have a few technologists advise them on their pipe dreams.

  14. @Thomas
    The problem is: every website (or other application) that uses SSL for encryption cannot be easily decrypted during the communication. The only hope for costless interception would be to intercept the handshake first. Then place itself in the middle (MitM) and fake the client towards the server, fake the server towards the client (encrypting both endpoints with, for the client, a fake server SSL certificate). Now.. they will have the entire communication unencrypted and they will have to keep that secure lest they get sued out of existence for leaks…

    Aka: that part is unfeasible, but then again the Government has time and again proven their stupidity and their technological ignorance…

    Canada voted for those clowns… we are stuck with them.

  15. Definitely a Privacy Guy
    @Patrick

    This is exactly what I have been thinking over the last month or so. There must be, in law, a mechanism in place to prevent another Nazi Germany? It seems that the Terrorism Act is primarily concerned with physical acts (of violence), but does not necessarily address mental grievances, like what a wife (or husband) might be subject to in an abusive marriage/relationship.

    I would like to understand how such a case would play out (legally/realistically) if citizens were to consider going to battle against its own Government on the grounds of Terrorism.

  16. +1

    At some point, these governments forgot their duty is to administrate the country and be accountable to the citizens, not to *rule* the citizenry. I want the opposite, I want the citizenry to have all the tools and less excuse for secrecy by government to scrutinize and keep it accountable, and more stringent privacy laws for people. But this is not going there, quite the opposite.

  17. @Anonyme
    I’m well aware of how SSL (and encryption in general) work. My statement about interception at the point of decryption was aimed solely at cellphones, whose signals are encrypted before being broadcast, but decrypt-able by the carriers.

    As I mentioned, beyond this (and my other mentioned cases), it is infeasible if not impossible to enforce this law, or even practice it. (good luck breaking my 4096 bit RSA key)

  18. S Halayka says:

    RIM
    Chances are very good that RIM will bow to pressure. They did it for Saudi Arabia. Why not Canada.

  19. Protest
    The best way to bring light to this issue would be for thousands of people to protest in the street – naked (or in their underwear).

    It’s the only way average citizens would realize just how much of their personal lives would be exposed under C-30.

  20. …..
    ARE YOU FUCKING KIDDING ME! CONS MUST GO RIGHT NOW, THIS IS THE LAST STRAW I’LL TAKE FROM THEM!

  21. I use a VPN for BitTorrent.

    my options are

    PPTP tunnel (integrated in today’s Microsoft Windows ®, Apple Mac OS X ® or Linux ® operating systems), 128-bit MPPE encryption, authentication protocol is MS-CHAPv2

    or SSL VPN (SSTP) as well. This new type of VPN uses SSL. Server Authentication / Key Exchange RSA (1024 bit)
    Encryption of user traffic AES/RC4 (128 bit)

    So can the government see this, or put a backdoor on my computer to see what’s downloaded?

  22. So if I don’t want the government to read my encrypted communication
    all I have to do is use encryption before the information reaches the ISP.

  23. Maybe I misread, but article says nothing about ISPs decrypting anything.

  24. ha ha
    If we’re talking ORGANIZED crime then bug the golf courses. Every hole, every ball, every tree, every cart, every club.

    Those people are not that dumb to post their activities on Facebook, eh?

  25. Not ALL of Canada voted for the party pushing this
    Remember: 39 % of *those who actually voted*, voted for the party backing this. How much of the voting-eligible population actually voted in the last election, just to refresh our memories?

  26. To be blunt, governments are afraid of technology. The Internet especially. All governments, not just those who have already done things to lock it down. What the Internet allows people to do are things that they could not easily do before. Someone gets outraged about something? Unless you could get your message out on the media, you could be safely ignored. Now, you can get your message out easily and organize easily without having to even be on the same side of the country. It becomes much harder to control the message, and things that would have fizzled as minor local things can get national coverage without the media saying a word until it becomes a large grass roots campaign.

    None of these things will really help to capture people who don’t really want to be caught, at least not anymore than our current laws do. That has been shown. This is the government and law enforcement running scared of something that makes it harder to control the flow of information.

  27. @Ki
    I agree. It has to do with “organised”. Governments are “organised”, businesses are “organised”. And the internet empowers individuals to become “organised” in ways that are unpredictable. That very unpredictability leads to paranoia on the parts of governments, businesses, and any agencies tasked with responsibility for the “safety” of all members and functions of a society.
    It’s not that the problems aren’t real, it’s the level of paranoia they bring to the table when attempting to solve them.
    For comparison, it would be like intensive spying on every resident of Quebec during the days of the FLQ (but wait, some members of the FLQ lived outside Quebec too!).

  28. @oldguy
    You bring up an interesting point. I would like you (the reader/commenter) to envision a time like the October Crisis and all the fallout from that and attempt to re-imagine the actions our Government may have taken with powers like these at their finger tips.

    Do we really want to empower our Government so greatly the next time there is a crisis where they feel the need to strip civil liberties, and rights with them, that they have such a heavy handed tool at their disposal?

    Not only would future incidents be traceable but people would be profiled from their past actions and beliefs online that are retained in social networking sites, forums, blogs, digital associations, emails, e-commerce…

    Having known people that grew up in Russia and East Germany I know exactly where that type of information leads a Government who is feeling threatened. This is why I feel that it is better to let criminals run wild in their penthouses than to apply these Orwellian measures.

  30. Idiots
    I agree with Anonyme. This isn’t technically possible without endangering and/or crippling internet security for Canadians. Why are these morons making technical recommendations when they don’t even have a basic understanding on how any of it works?

  31. Even VPN is somewhat of a dumb-ass approach for anonymity. You have to go to the VPN first in order to Ghost, and as such you always end up having traffic heading to your addy anyways. (addy that will be under the jurisdiction of C-30.) As most of our traffic also heads through US jurisdiction, you will also be double-dinged for spy-bills. (yay back-bones.)

    True, you can get some interesting encryption going on; but that’s about it.

  32. Dennis Nilsson says:

    Sweden and France is on the same trai
    Sweden and France are on the same train as Canada, the US, Australia and the UK.

  33. Dennis Nilsson says:

    Opening the gate to robust quantum computing
    Scientists have overcome a major hurdle facing quantum computing: how to protect quantum information from degradation by the environment while simultaneously performing computation in a solid-state quantum system.

    http://www.ameslab.gov/news/news-releases/opening-gate-robust-quantum-computing

    The discovery opens the door to robust quantum computation with solid-state devices and using quantum technologies for magnetic measurements with single-atom precision at nanoscale.

  34. dumb people insisting on an even dumber idea
    these hacks on the hill are a bunch of brain dead political “yes” men.

    they can make all the stupid laws they want, but all they’re going to accomplish by improving the “mouse trap” is force the evolution of better mice that no amount of brute force computer power will be able to defeat.

    oh, they want to make it illegal?

    yeah, like that’s going to work.

    to paraphrase Princess Leia: “The more you tighten your grip on people’s civil liberties, the more their hearts and minds will slip through your fingers.”

  35. This is also a direct attempt to steal industrial secrets and pass them to their ‘friends’.