As expected, the Government has taken another shot at lawful access legislation today, introducing a legislative package called the Investigative Powers for the 21st Century (IP21C) Act that would require mandated surveillance capabilities at Canadian ISPs, force ISPs to disclose subscriber information such as name and address, and grant the police broad new powers to obtain transmission data and force ISPs to preserve data. Although I can only go on government releases (here, here), the approach appears to be very similar to the Liberal lawful access bill of 2005 that died on the order paper (my comments on that bill here) [update: Bill C-46 and C-47]. It is pretty much exactly what law enforcement has been demanding and privacy groups have been fearing. It reneges on a commitment from the previous Public Safety Minister on court oversight and will embed broad new surveillance capabilities in the Canadian Internet.
The lawful access proposal is generally divided into two sets of issues – ISP requirements and new police powers.
1. ISP requirements
There are two key components here. First, ISPs will be required to install surveillance capabilities in their networks. This feels a bit like a surveillance stimulus package, with ISPs making big new investments and the government cost-sharing by compensating for changes to existing networks. The bill again exempts smaller ISPs for three years from these requirements. While that is understandable from a cost perspective, it undermines the claims that this is an effective solution to online crime since it will result in Canadians at big ISPs facing surveillance while would-be criminals seek out smaller ISPs without surveillance capabilities.
Second, the bill requires all ISPs to surrender customer name, address, IP address, and email address information upon request without court oversight. In taking this approach, Public Safety Minister Peter Van Loan has reneged on the promise of his predecessor and cabinet colleague Stockwell Day, who pledged not to introduce mandated subscriber data disclosure without court oversight.