Web Surveillance Legislation Requires Study, Not Speed

With the new Parliamentary session scheduled to kick off within the next few weeks, two major initiatives will dominate the initial legislative agenda: passing a budget and introducing an omnibus crime bill that contains at least 11 crime-related bills. My weekly technology law column (Toronto Star version, homepage version) notes the prioritization of the crime legislation is consistent with the Conservative election platform, which included a commitment to bundle all the outstanding crime and justice bills into a single omnibus bill and to pass it within the new Parliament’s first 100 days.

The Conservatives argue that the omnibus approach is needed since the opposition parties “obstructed” passage of their crime and justice reforms during successive minority governments. Yet included within the crime bill package is likely to be legislation creating new surveillance requirements and police powers that has never received extensive debate on the floor of the House of Commons and never been the subject of committee hearings.

The package is benignly nicknamed “lawful access,” but isn’t benign. If the Conservatives move forward with their complete lawful access package, it would feature a three-pronged approach focused on information disclosure, mandated surveillance technologies, and new police powers.

The first prong mandates the disclosure of Internet provider customer information without court oversight.  Under current privacy laws, providers may voluntarily disclose customer information but are not required to do so.  The new system would require the disclosure of customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers.

The second prong requires Internet providers to dramatically re-work their networks to allow for real-time surveillance. The bill sets out detailed capability requirements that will eventually apply to all Canadian Internet providers.  These include the power to intercept communications, to isolate the communications to a particular individual, and to engage in multiple simultaneous interceptions.

Having obtained customer information without court oversight and mandated Internet surveillance capabilities, the third prong creates a several new police powers designed to obtain access to the surveillance data.

Lawful access raises genuine privacy and free speech concerns, particularly given the fact that the government has never provided adequate evidence on the need for it, it has never been subject to committee review, and it would cost millions to implement yet there has been no disclosure on who would actually pay for it. Given these problems, it is not surprising that every privacy commissioner in Canada has signed a joint letter expressing their concerns.

Not only is the substance problematic, but the attempt to fast track lawful access virtually guarantees that it will not be fully vetted. For example, over the past few weeks there has been mounting concern that the legislation would also create new criminal liability for hyperlinking to content that incites hatred and for using anonymous or false names online.

The source of these concerns is a legislative summary by the Library of Parliament’s Parliamentary Information and Research Service. While there is reason to doubt the interpretation involving linking and anonymity liability contained in the summary, the recent fears provide a textbook illustration of why lawful access should not be included in the omnibus crime legislation.

Lawful access is complex legislation that touches on a very wide range of issues, many of which extend far beyond conventional criminal law. Given that the proposals breed uncertainty and have never been the subject of public review, lumping them together with many other bills represents a serious threat and is bound to result in only a cursory analysis of an important piece of legislation that has far reaching consequences for privacy, security, and free speech.


  1. Graham J says:

    Opposition parties did reject it, yes. And they represent the majority of Canadians.

    Just because the Cons got elected doesn’t mean Canadians want all of their ideas implemented.

  2. Well..
    Canada voted in a dictator, time to let him exercise his dictatorial powers and pass this oppressive law!

    Congratulations to each and everyone Canadian that voted conservative. You’ve screwed us all. Now please get out 🙂

  3. It’s interesting that while middle eastern populations are struggling to get out from under repressive regimes, the United States and Canada seem to be heading as quickly as possible toward legislating the tools they need to become repressive governments, Bill of Rights in each case be damned. The Patriot act has been extended, US Customs is shutting down web sites without due process, we’re all subjected to gate groping, CSIS is posting names of security risks to the US on the basis of extremely vague suspicions, Canada appears to be bowing to US entertainment industry interests without consideration for consumers — the list goes on. Baaad signs.

  4. What will Privacy Commissioner have to say?
    Office of the Privacy Commissioner of Canada
    Will Jennifer Stoddart’s budget be cut?
    Or worse?

  5. Graham J, qwerty
    Welcome to the world of “First Past The Post”. The same could be said about pretty much any federal government in Canada for the past 50 years. At the Elections Canada website you can see the results of elections since the 1997 general election:

    1997: Liberal Party wins a majority with 38.5% of the popular vote (note the PC and Reform parties together got 38.2%) and 155 (vs 80) of 301 seats.
    2000: Liberal party wins a majority with 40.8% of the votes (PC and Alliance 37.7%) with 172 of 301 seats (vs 78 for the PCs and Alliance)
    2004: Liberal party window a minority with 36.7% of the votes (CPC 29.6%) and 135 (vs 99) or 308 seats.

    The makeup of Parliament rarely reflects the votes cast.

    I can understand the second prong… this puts IP telephony on a par with classic POTS. As far as the other stuff, however, is concerned, I don’t believe that the police should be able to access without a warrant.

  6. “The second prong requires Internet providers to dramatically re-work their networks to allow for real-time surveillance….and it would cost millions to implement yet there has been no disclosure on who would actually pay for it.”

    Not to mention that real-time surveillance is not feasible for strongly encrypted data. Some of the encryption schemes are so incredibly robust that they would take a very very long time to crack, if ever. The only way this could work is if they were to outlaw encryption, as in China. Realistically I’ve heard them “claim” it was needed to fight terrorism. C’mon, terrorists, kiddy porn dealers and other such scumbags are smart enough to use technologies where they won’t be tracked.

    This is a well known mandate from the US media lobby, that will be nothing more than another tool in the witch hunt of so-called piracy. OH, and again, serious pirates, those they should really be after are smart enough to use technologies to keep them off the radar.

    Originally posted bu Crockett…

  7. ISP only?
    In addition to the privacy issues, there is a major economic issue.

    This would need to extend much further than just classic ISPs. Hotels, restaurants, campgrounds, internet cafes, neighbourhood wireless, etc, etc. Without the same levels of monitoring for these locations, the measures will be effectively useless.
    The costs involved in upgrading these kinds of locations to do the same level of individual tracking will aggregate higher than the costs to an ISP, multiple times higher. I don’t think they have any clue about the extent of the economic ramifications. All those costs will need to be passed on to the end customers. How much more per meal? Per hotel room? Will neighbourhood shared wireless even exist? Library internet access? The list grows every day.

    For a government that prides itself on fiscally responsible behaviour, it’s pretty obvious that they haven’t thought this through very far at all. I suspect this is because they don’t understand the full ramifications of the technology and it’s implementations.

  8. My biggest problem is that there’s no way to tell what computer on a home network is accessing what data as far as the ISP logs go, which will be an even bigger problem with unsecured wifi access points. Personally I’ll be opening up one of my APs if this bill is passed.

    Frankly I’ve seen nobody from the Conservatives suggest exactly how this system is going to work and what will be involved. If it adds latency they’re going to have a lot of angered VOIP users and gamers on their hands.

  9. @Joe
    I suspect it won’t matter, with how the Conservative government has be throwing rights out the window, I have a suspicion they’ll holding the subscriber responsible for their connection(s). Ignorance will not be admissible as defense.

    The big problem I have with this is that wireless encryption is easily hacked and it’s even easier to spoof an IP address.

  10. maebnoom says:

    ~ Time to go deeper with anonymising & encryption (ex: i2p), while leaving a few APs open on a sandbox, as “plausible deniability”. ~

    In other words, the real criminals can just go deeper – it’s not hard. This is a backwards move. Dictatorships – aren’t they great?

  11. Anonymising
    TOR works quite well as well, as long as you’re not trying to vast amounts of data through it.

  12. At the very least, when this comes to pass, I’ll be using TOR or i2p or something similar to do my banking and other secure transactions. I’ll not have such traffic tracked but the government or anyone else.

  13. How can we stop it?
    Just because a majority has been voted in shouldn’t mean we can’t do anything to stop this. There’s two big issues in Canada when it comes to this – 1) We complain and do nothing 2) How the heck do we stop this even if we were ready to fight for our rights?

  14. Seriously? says:

    In other news…
    In other news, VPN sales in Sweden, USA, and other countries sky rocket as Canadians prepare for the pending lack of privacy.

  15. Operations Manager
    As a company that provides remote VPN access to our telecommuting employees, out of necessity, and who works with customers with VPN access points for support reasons, we see this situation as economically unworkable. Both ourselves and our customers would theoretically qualify as ISP’s because of the service we have to provide to our staff. Estimates are that in order to provide the level of tracking required by the legislation, the costs will exceed the value of our contracts to each customer. For real-time monitoring, depending on retention levels, we could also be required to put in place infrastructure that far exceeds our current annual gross revenues.

    If the law passes, we will likely have to shut down and lay off our staff because being in our segment of the information technology business would become financially impractical. For a “conservative” government who claims to understand and have fiscal responsibility as a priority, it appears as if blind ideology is taking precendence over business reality – regardless of the judicial implications.

  16. Supreme Guru
    Actually, saying there is a huge re-work of the networks for surveillance is a misunderstanding. Its simply a tap that has to be put in and maintained in a few central locations. They are one of the cheapest costs and easiest things to do on a network – i.e. for the public ISP. For small private ISPs, like Randy is talking about would be excluded for the reasons he talks about but they end up using public ISPs upstream, everyone does.

    The posts are interesting but this site seriously lacks technical realities.

  17. @Max
    If you feel a simple “tap” is all that is required at the ISP, then you have simplistic view of current ISP networks. One simplification is that all ISP’s issue public IP’s to all customers, which isn’t true. Another simplification is that all internal ISP routing is static, which it isn’t true. Not all traffic will pass through those “few central locations”. There are more.
    If you assume that all traffic of interest passes through the first level gateway (not always true), and if the ISP were to implement this “tap” on every first level gateway router in their network, it still isn’t a simple “tap” like a mirrored port on a switch. The real time analysis and recording will likely be happening on a device a half-dozen hops away, so you will need to buffer/encapsulate that mirrored data and send it there as well – in real time. Multiple simultaneous interceptions are required as part of the measures. Congestion and dropped packets start to become a real issue. At a simplistic level, every first level router on a big ISP needs a hardware, microcode, and networking upgrade, with zero benefit to the customers.

    All this is possible, just costly, for an ISP. How costly depends on the ISP, and how they have implemented their network. But there is a cost.
    Note the requirement “to isolate the communications to a particular individual”. If situations like Randy and myself have pointed out are excluded, the ISP costs are moot. The costs for these locations/sites to implement these measures far exceed (many multiples) the costs for any and all ISP’s combined. If you don’t include these sites in the measures, it is ineffective, and a useless cost for the ISP’s (and you seem to agree).

    It gets worse. More customers are implementing multiple ISP, load sharing links. Picture a DSL, T1, Cable, G3, and Satellite link, all into the same customer router, all dynamically load sharing traffic from all systems behind the router (slightly more complex than dynamic egress routing used within an ISP). The number of businesses doing this is growing rapidly. The technology is readily available for anyone.
    An ISP based monitoring agency would have to track *all* communications from *all* ISP’s connected to that customer. Tightly synchronized timestamps become important. They still wouldn’t be able to isolate a single individual past the customer firewall.

    I wouldn’t be too quick to underestimate the technical expertise of some of the readers here. Some have been doing this level of networking, on small and large scales, for multiple decades. Fundamentals are relatively simple, implementations can be quite complex.

  18. @Max

    Packet tracing is one small part of the equation. Yes, we can buy a sniffer, but securing and retaining the contents is another matter. I’m not prepared to allow anyone who asks free and unfettered access to our intellectual property – easily cleaned from packet traces. We have major privacy concerns ourselves in this regard, subject to the Canadian Privacy laws – unless those laws are repealed.

    A contributing factor here is sitting behind NAT, there is no way for a downstream ISP to trace individual users. In order to provide valid identification, tracing and retention would have to be offloaded to the segment co-located with the WAP. I can easily see ISP’s formally requiring this in their TOS in order to meet their own obligations. We’ve seen draconian measures from ISP’s in the past without that translating into advancement. At this point, NAT is required since there is little or no commitment to IPv6 – another (but unrelated) sore point – from our downstream provider.

    In addition, being behind SSL and VPN boundaries, there’s no effective way for the downstream ISP to trace actual content unless they are willing to hack into our streams without authorization and in contravention of many inter-governmental relationships.

    This has the potential for costly negative economic impacts that will simply be downloaded from the federal government onto the backs of tax-paying companies. I hope there will be a bailout plan or some tax rebate to pay to implement this law.

  19. Randy, In order to bill someone there is always some way to track.

  20. @Max
    Privacy legislation issues aside…

    No, there isn’t “always some way to track”, not cost effectively. With the use of a VPN, Proxy, strong encryption and/or the use of obfuscation networks like i2p or hop-nets like TOR that hide and/or misreport your IP address to potential treats outside the ISP, all they can do effectively is count bytes.

  21. …”In order to bill someone there is always some way to track”

    That’s very much implementation dependent. And “track” can be construed in a wide variety of ways. What the measures are asking for is the ability to “intercept and trace”, not “track”.
    Tracking can be a simple counter, packets, bytes, web hits, minutes, etc. Tracing is intercepting and monitoring the complete flow. An analogy would be the difference between tracking the amount of minutes your cell phone is using vs intercepting and monitoring all calls and text messages, as they occur. Not the same thing from a technology perspective.
    A poorer analogy would be for the electric company to monitor your usage on a second by second basis while also required to monitor how much your fridge draws vs your living room lamp during those same seconds.
    Most current implementations have the ability to “count”, but not the ability to “trace”. It’s much more expensive to include the ability to “trace”.


    I wonder if this also means a lack of enforcement when our government takes bribes from other countries/organizations…

  23. Hum..
    Max speaks with a great of conviction, but demonstrates relatively low levels of understanding of the technology involved.

    Who pays your salary boy?

  24. Hum..
    No, it sounds like Max has a limited diversity of experience. Give him another 20 years in the industry and he will be fine.

    He reminds me somewhat of bright people with a newly minted degree or certificate. They know their material very well, but they have don’t have a clue what they don’t know – yet. His salary is probably based on what he knows, and justified.
    Finding answers to things you don’t know is more valuable, to him and his employer. Diversity and experience helps a lot in defining what that is.

  25. @Randy
    While I see where you are coming from, I am not sure about your statement that you would be an ISP based on the proposed legislation as I understand it. The onus, as I see it, would be on the providers of the connectivity to the customer to provide the access (this would be you if you allowed access through dial-up)… Depending on how the legislation is worded decryption of the stream may not be needed, just the bit stream.

    As “oldguy” puts it well, the proliferation of connections for a customer can be problematic (for the requesting agency); however while he raises an interesting point, how many people that the police and intelligence agencies are interested in would simultaneously use two or more connection types in a load balancing setup? For instance, would their home router be connected to both the cell company and the cable company and load balance across them? While there is a consideration, the problem is that of the agency wanting the data… the only real thing the provider can do is to timestamp the data and to forward it. I can see situations where some communications occur via one link, and different ones on a different link.

    @IamMe: My understanding is no, that is about Canada not having the laws in place regarding Canadian companies bribing foreign official. My understanding is this: the agreement means that the signatories need to create laws making it for a company in country X to bribe government officials in country Y. Making such a bribe would expose the company to lawsuits in both country Y and country X.

  26. I’ve said it a number of times. Those people that the police and intelligence agencies “say” they’re interested in are generally smart enough to say off the radar (Terrorists, kiddy-porn producers and other such scumbags). Web surveillance will ultimately become a tool for pursuing on-line “piracy”…but only the end-user. Again, those producing it are usually smart enough to stay off the radar, otherwise they wouldn’t last very long.

  27. …”how many people…would simultaneously use two or more connection types in a load balancing”

    They would just check into a hotel, or use the restaurant in that hotel, and use the internet connection. Many hotels, internet cafes, resorts, campgrounds, and other places that cater to the public are installing these kinds of connections. In some cases it is a standards requirement to have this type of ISP connectivity for guests.

    I am leaning towards agreement with IamME, there is little likelihood that these measures will be effective against the people they are ostensibly targeted against. Not unless they push the measures much deeper than the discussion (and information) has indicated so far. Such an action would be very costly to wide areas of the economy, once the dominoes have all fallen.

    This is one of those areas where “minimum measures” might as well be none at all. It might be more effective to take half that money and invest it into better police training and resources, and use different techniques.

  28. Bytowner says:

    Speaking of Stoddart
    Would she be targeted for removal/discreditation if she puts up a real fight on this point?

    Ask Stogran, Keen, Page and company.

    Hopefully, the fears are unfounded but that historical pattern remains for all to see.

  29. A call to arms! Free speech tools for emerging democracies (and deliquescent ones too!)
    The Byron Sonne case, lawfull access…

    OK, the game is over: big corporations and the government own the internet (and anything else may we add).

    We must _now_ design, test and deploy control and attack resistant low bandwidth ad hoc wireless wide area networks for protecting (restoring?) free speech, justice and democracy.

    Those tools cans be used in Syria, Libya, Yemen, Bahrain and .. hmm where else? wink wink..

    Telecom EEs and cypherpunk hackers , where are you?

    PS: 6 millions canadians voted for the CPC and 9 millions refused to vote (don’t ask me why). Is this a sound, working democracy?

  30. ChairSitterOnner says:

    “PS: 6 millions canadians voted for the CPC and 9 millions refused to vote (don’t ask me why). Is this a sound, working democracy?”

    Isn’t that just insane.

  31. Graham J, the opposition parties do NOT represent the majority of Canadians. I didn’t vote for the Conservatives, yet the NDP certainly do NOT represent me. 60% may not have voted for the CPC, but ~70% didn’t vote for NDP, ~80% didn’t vote for Liberals, and ~95% didn’t vote for Bloc or Green. There is no such party as “NDP/Liberal/Bloc/Green”. They are separate parties.

  32. Welcome to the United States of Canada
    Can all those conservative voters actually say they didn’t see this coming ?