As the revelations about U.S. secret surveillance continue, one of the more interesting recent articles was a Buzzfeed piece that focused on a Utah ISP that hosted a “little black box” in the corner inserted by the National Security Agency. The article describes how a Foreign Intelligence Service Act (FISA) warrant allowed the NSA to monitor the activities of an ISP subscriber by inserting surveillance equipment directly within the ISP’s network. The experience in Utah appears to have been replicated in many other Internet and technology companies, who face secret court orders to install equipment on their systems.
The U.S. experience should raise some alarm bells in Canada, since the now defeated lawful access bill envisioned similar legal powers. Section 14(4) of the bill provided:
The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section.
That provision would have given the government the power to decide what specific surveillance equipment must be installed on private ISP and telecom networks by allowing it to simply take over the ISP or telecom network and install its own equipment. This is no small thing: it literally means that law enforcement (including CSIS) would have had the power to ultimately determine not only surveillance capabilities but the surveillance equipment itself.
While Bill C-30 is now dead, the government may be ready resurrect elements of it. Earlier this month, a cyber-bullying report included recommendations that are lifted straight from the lawful access package. For example, recommendation four states:
The Working Group recommends that the investigative powers contained in the Criminal Code be modernized. Specifically, the Working Group recommends that an approach consistent with recent proposed amendments on this subject to better facilitate the investigation of criminal activity, including activity that is conducted via telecommunication be introduced and implemented as part of any legislative package responding to cyberbullying. These amendments should include, among others:
- Data preservation and demand orders;
- New production orders to trace a specified communication;
- New warrants and production orders for transmission data and tracking;
- Improving judicial oversight while enhancing efficiencies in relation to authorizations, warrants and orders;
- Other amendments to existing offences and investigative powers that will assist in the investigation of cyberbullying and other crimes that implicate electronic evidence.
Many of these powers were addressed in the lawful access bill and may be making a comeback in legislation this fall. Given the growing awareness of the sensitivity associated with meta-data, provisions that target transmission data and tracking (ie. metadata) require careful scrutiny to ensure that there is effective oversight and appropriate limits on the data collection.