My post yesterday on a secret government-telecom lawful access working group attracted considerable attention, with many understandably focused on the revelations that virtually all major Canadian telecom companies (with the notable exception of Shaw) actively worked with the government for months on lawful access legislation. Yet perhaps the most important document is a lawful access regulations policy document that offered guidance on plans for the extensive regulations that will ultimately accompany the Internet surveillance legislation. The specific document obtained under Access to Information is dated October 2010 and was created to support an earlier version of the lawful access bill. However, the same government documents indicate that the policy document was provided to telecom providers last fall, including disclosure to the Canadian Network Operators Consortium in December 2011 after CNOC was at an event a month earlier with Public Safety Minister Vic Toews and expressed support for the lawful access bill.
The regulations policy document is not the regulations per se, but rather a clear indication of planned regulations under the guise of a policy document. The document contains several key sections:
- The Interception Regulations, including specific details on interception capabilities (as many as 200 simultaneous interceptions), response time to interception requests (30 minutes for remote interceptions), confidentiality requirements, transmission capabilities (real time transmission of intercepted communications), and delivery of intercepted communications.
- The Interception Equipment Regulations, with very specific capabilities for simultaneous interceptions, including multiple targets and providing intercepted communications to up to five different agencies at the same time. These regulations also identify requirements on service providers to increase their capacity (up to five business days).
- The Subscriber Information Disclosure Regulations, including the form to be used to request subscriber information (which can come from police, the Competition Bureau, or CSIS). These also discuss the concept of law enforcement providing at least one identifier (i.e., a name, email address or IP address) in order to receive the other corresponding subscriber information. There are also confidentiality requirements and details on telecom provider record keeping. The regulations also identify timing requirements for disclosure, typically within two business days but within 30 minutes in exceptional circumstances.
- The Other Obligations Regulations, including location information disclosures that may require telecom companies to disclose location information such as street address, longitudinal and latitudinal coordinates or cell site. It is not clear whether such information would require a warrant. These regulations also will provide details on assisting law enforcement in testing equipment, the special rules for smaller providers, and categories for administrative monetary penalties for failing to comply with the law.
- The Payment to Providers Regulations identify when telecom providers will be compensated by law enforcement. These include (1) complying with a Ministerial Order to obtain equipment, software, or to modify existing equipment; (2) providing telecom support related to interceptions; and (3) providing subscriber information.
While the actual regulations may change, it is shocking that Public Safety has provided this information to dozens of companies but kept it secret from the Canadian public. The secrecy associated with the lawful access initiative certainly further undermines trust in Bill C-30 and highlights the need to scrap the bill and the two-tier policy process and start from scratch.