In the wake of the Sept. 11 terrorist attacks, the Canadian government hurriedly introduced a series of new anti-terror measures.
Quietly included was a seemingly innocuous announcement — Canada, alongside other countries such as the United States, would implement the global cybercrime treaty developed by the Council of Europe.
The full impact of that decision began to take shape last month when Ottawa released a discussion document outlining the changes required to bring Canadian law into conformity with the treaty. The document, titled Lawful Access, details significant changes in the surveillance practices of Internet service providers (ISP) and in law enforcement's access to computer data. The proposal is troubling not only for what it says, but even more so for what it doesn't say.
The Lawful Access document covers four main issues. First, ISPs will be required to install surveillance systems on their networks to allow for interception capabilities. If implemented, the law would ensure that ISPs could provide authorities with access to all communications over their networks including the content of messages and details about data traffic. While the proposal recognizes that this entails a significant new cost for ISPs, it leaves open the question of who should pay for it.
Second, the proposal calls for the creation of several new production orders, which could be used by law enforcement to compel ISPs to disclose certain information. The orders, which could be obtained merely by meeting a low evidentiary standard, include compelling ISPs to provide authorities with subscriber information.
Third, in order to meet the cybercrime treaty requirements, the proposal recommends creating a new data preservation order, which would be used to force ISPs to preserve all data specific to a client or to a transaction for a specified period of time. The order would ensure that ISPs do not delete the information while an investigation is under way.
Fourth, the proposal seeks to clarify the legal status of e-mail, particularly with regard to how it should be treated for interception purposes.
The new proposal has created considerable concern for many groups, including ISPs (who worry about compliance costs), privacy advocates (who worry about the increased level of surveillance) and individual Internet users (who worry about both the costs and the loss of privacy). While Canadian officials have suggested that those who operate within the law have nothing to fear, the establishment of widespread network surveillance and the lowered threshold for obtaining data is clearly a matter of concern to everyone.
Even more disturbing is what the document doesn't say. The proposals are obviously far reaching, yet surprisingly they contain little evidence that the changes are actually needed by law enforcement. Rather than justify new surveillance by demonstrating how the current framework has resulted in botched investigations and frustrated officials, the proposal merely points to the need to comply with the cybercrime treaty as the primary rationale for many of the reforms.
As a point of comparison, the current debate over the Kyoto Protocol has prompted heated discussion from both advocates and opponents on the effects of its implementation. Though few would try to justify Kyoto simply on the basis that Canada signed on several years ago, that is precisely what seems to be happening in the cybercrime realm where support for dramatic changes are based on treaty obligations and not on what is best for Canadians.
Moreover, the proposed document tells only part of the cybercrime treaty story. A detailed look at the treaty's 48 articles reveals that its obligations go much deeper than the proposal suggests. For example, it covers far more than just computer crimes such as hacking and fraud — it goes so far as to include copyright infringement among its list of covered offences. This suggests that surveillance and data preservation orders could be used in investigations related to suspected copyright matters such as large scale peer-to-peer file sharing.
The cybercrime treaty also contains detailed provisions on mutual assistance between countries. If another signatory to the treaty, such as Ukraine, were to ask Canada to obtain a data preservation order as part of one of its investigations, the treaty would require Canada to make the request on Ukraine's behalf. Canada can refuse only if it considers the request to be related to a political offence or if the request is likely to prejudice Canadian sovereignty or security.
The federal government's proposals, which are open to public comment through Nov. 15, will have far-reaching effects on the privacy and security of every Canadian. While some new cybercrime reforms may be needed, Ottawa must do a better job of explaining where the current system falls short and how it plans to address the rest of the cybercrime treaty before it rushes to enact these proposals.