The Devil is in the Details: How Bill C-30 Leaves Many Surveillance Questions Unanswered

The introduction of Bill C-30 has generated enormous public debate (I focused yesterday on the “voluntary” warrantless disclosure of subscriber information) but less discussed is how the bill leaves out many crucial details on the new surveillance rules will actually function. Indeed, for a bill that is ten years in the making, it is shocking how much is still unknown.

At the top of the uncertainty list are cost questions. The cost of new surveillance equipment could run into the tens of millions of dollars, yet the government has not said who will pay for it. Surveillance mandates in other countries have typically come with government support. For example, when the U.S. passed the Communications Assistance for Law Enforcement Act (CALEA) in 1995, $500 million was granted to cover provider costs. In addition to the surveillance equipment costs, there are fees and costs associated with surveillance “hook-ups” to law enforcement as well as fees for disclosing subscriber information. Bill C-30 leaves these issues for another day by opening the door to fees but leaving specifics to future, unspecified regulations that can be passed by the Governor-in-Council without gaining Parliamentary approval.

Surveillance capability specifics are also still largely unknown.

Bill C-30 requires Internet providers to have the ability to engage in multiple simultaneous interceptions but a wide range of questions – minimum and maximum simultaneous interceptions, how interception requests are made, maximum number of agencies making requests, etc. are all left to future regulations. Bill C-30 doesn’t even specify what communications must be interception-capable. Section 7 identifies a series of requirements including enable the interception of communications and isolate the communication. But what is a “communication” for these purposes? That is left to the unspecified regulations.

The mandatory disclosure of subscriber information without a warrant has been the hot button issue in Bill C-30, yet it too is subject to unknown regulations. These regulations include the time or deadline for providing the subscriber information (Bill C-30 does not set a time limit) and “prescribing any confidentiality or security measures with which the telecommunications service provider must comply.” In other words, disclosing the disclosure could be subject to further restrictions.

These are just some of the uncertainties. Section 64, which identifies the issues subject to future regulations by the Governor-in-Council cover almost every major substantive issue in the bill. In case the government has forgotten something, there is a catch-all regulatory power “generally, for carrying out the purposes and provisions of this Act.”

Public Safety Minister Vic Toews has indicated that he is open to amendments and that the government welcomes debate on the bill at committee. However, it is difficult to propose amendments to an incomplete bill. The public should not be asked to accept lawful access legislation that leaves so many issues to future discussion and regulation. A full debate and reform process necessitates the government coming forward with the accompanying regulations before the hearings on Bill C-30 get underway.


  1. Cost Not Important
    The cost of this legislation is its least important thing. The government simply does not have the authority to invade my privacy unless it can prove beyond a reasonable doubt that society as a whole will benefit from it. Unless they can do that, C-30 should be thrown out; there can be no compromise.

  2. “Communication”
    You touch on a HUGE point. Even under the current law, there is a question whether intercepting someone’s internet feed is actually intercepting “communication”. Both the current law and the proposed new law deal with intercepting communication; there’s no basis in law to intercept any that is not communications. But the cases which try to define communication say it’s an effort to convert meaning to another individual. The bulk of someone’s online activity doesn’t meet that description. Banking, reading the paper, checking websites–none of it is “communication”. There are surprisingly few cases relevant to this even though internet intercepts happen all the time. For my two cents worth, this is the fundamental issue that no one is thinking about.

  3. Illegal GPS Device & Bill C30
    This story is timely:

    Ben Ferrill wants you to know that there is no recourse for him. Someone attached a GPS unit to his vehicle illegally, and he cannot get any answers from the OPP or anyone, for that matter.

    Or how about this:

    “Intelligence” gathered by police in the 18 months leading up to the G8/G20 and afterwards was shared with “major banks, telecom firms, airlines, downtown property companies and other businesses…”

    Why? Why did the police share this information with all and sundry? FGS, let’s hope they remembered to share this info about the dissenters with the important people, like the barista at Starbucks.

  4. David Collier-Brown says:

    I can predict one detail: “Oh heck, spool it all to disk”
    If I were a small ISP, I’d take one look at the price of a proper Sandvine server with the horsepower to do a decent job of capturing selected communications and freak out.

    I’d be tempted to just buy a couple of fast dumb boxes to write absolutely everything to circular buffers on disk.

    –dave (pretending to be Dr Evil) c-b

  5. The warrantless access to subscriber data is interesting
    Given that they apparently want it for situations like notifying next-of-kin, why no requirement to disclose that your information has been given to police ? That only makes sense when you’re suspected of wrongdoing…

  6. Toews: “you can stand with us (and support the bill) or stand with the child pornographers.”

    Given 60% of Canadians voting did not vote for the Cons he’s essentially said most of Canada is for child pornography. Wow. That’s one way to ensure those who realize this never vote Cons. Given how hypersensitive the politicians have made the public about child pornography he’s wondering why he’s being threatened?

    Then the Cons don’t mention we’d essentially be paying millions for this ourselves in the end. Not surprised. This is about what I expect from Harper’s merry band who live in La-La Land.

  7. Had to post this–another parody:

  8. Campers Probed
    Campers in three Ontario provincial parks were investigated in the months before the G8/G20.

    Did their outdoorsy ideologies and family activities place them at odds with the status quo and the distribution of power in society?

    Flash back to 2001, and the events of that year. Beware the outdoor toilets of Algonquin Park:

  9. David Harvey says:

    Expansion of scope by regulation
    One disturbing aspect I haven’t seen discussed: the exclusions in Schedules 1&2 are subject to amendment by regulation s.5(4)

    So while corporate IT departments, libraries, coffee shops offering wifi, etc. are not at present covered, it would only take a regulation to bring them under the act. The expense of this, and the greatly broader scope, is troubling.

  10. David Harvey says:

    Application to data centres and colo’s

    As currently written, the bill appears to apply to data centres and colo’s which rent space to others (ie, not caught by Sch. 1 Pt. 1 1.)

    Is that how you read it? Maybe they are exempted under Sch. 2, Pt. 1 1., but I’m not certain what the intent of that part is.

    Thanks for your thoughts on this.

  11. previous bill
    i know the costs to isp’s isnt a big issue, but wasn’t there a previous version of this bill that stated the cost was to be born by ISPs, and that small ones were exempt for 4 years? i remember thinking that was a pretty big loophole.

  12. How Does Twit Toews Keep Hi Job?
    He doesn’t read legislation before presenting it to Parliament. He threatens everyone who objects to the legislation with investigation for child pornography. He didn’t help draft the legislation or he would know what’s in it. So what is he actually doing? That’s a pretty big salary to sit around waiting for someone to hand you talking points.

  13. Preservation orders > real-time surveillance
    Does a preservation order effectively circumvent interception requirements and evidentiary thresholds?

  14. jenningsthecat says:

    Phone conversations too…
    Something that seems very obvious, but which I haven’t yet heard mentioned specifically, is telephone conversations. These days most telephone conversations are digital in nature. Any such conversations that go through an ISP’s infrastructure, (or any such conversations that Bell, Rogers, Telus, and the like CHOOSE to route through their own ISP infrastructure), will be subject to warrantless interception. And, voila! No warrant required for wiretapping that WILL be admissible in court.

    Nice trick there on the part of Stephen, Rob, and Vic!

  15. I would prefer that law enforcement have some of the capabilities that hackers have.
    Speaking as someone who is harrassed online, no-one should have to succumb to criminal actions of those quite smug in their relentless pursuits.
    The internet is a public place. And as such should be adequately monitored. We rely on all kinds of monitoring ( surveillance, scans, etc) to keep safe; the internet should not be the exception.

  16. @Cindy
    I don’t really agree that the Internet is a public place. Facebook might be a public place (in part because they seem to have tried to make it that) but email is not a public place, and forums where you are allowed to post pseudonymously are not really public either.

    Anonymity and pseudonymity have a valid place in society.

    Privacy certainly also has a place, and I think it’s an important one (we call it a human right). I consider my home a private place, and I use my computer at home — so I am starting from an assumption of privacy, because it’s my human right, and when I do things publicly outside, or on the Internet, that is a conscious choice, but privacy is my right by default. I think this is the right place to start, because the alternative leaves people powerless against the state.

    We are talking about inverting this situation on the Internet, which I don’t want to see.

    I can understand your perspective, as much as anyone can put themselves in another’s shoes, but do you not value the ability to “retreat” from the public aspect of the Internet and hide from people who are harassing you, without disconnecting all together?

    What if Facebook didn’t LET you hide your friends lists?

    What if you were being harassed by someone in a position of power, or direct access to surveillance systems? What recourse do you have then, when the system itself is corrupt?

    It’s not about trust, or having anything to hide. Privacy prevents abuse.

  17. @Cindy
    I agree with what Norm says. But I’d like to address your concern about the technical capability.

    Police already have access to the same technical capability as the hackers do, and they use them to pursue cases. Perhaps there aren’t enough police that have these skills, but that is a different problem.

    What the measures in C-30 are reaching for, goes well beyond any technical capability that a hacker has.

    Keep in mind that the largest part, by far, of the people with appropriate technical skills are ethical, and wouldn’t dream of invading your privacy. In fact, they are constantly developing technology to improve your privacy (it’s their privacy too). The measures in C-30 negate at least some of the technical measures being developed to protect your privacy.

    It isn’t the “police” that will end up implementing these measures, it is the ISP. They will need to put the tools in place. It will cost a lot of money and be under the control of the ISP.
    If any ISP were to announce (without being ordered to by law) that they were setting up such blanket monitoring capability, with remote control, massive capability, and even without a warrant under certain conditions, they would lose customers in droves. Nobody could trust that they would only use it “when required”.
    If you had an incident where your privacy was invaded, it wouldn’t be just the hackers you would need to worry about. Add your ISP employees, the police, and miscellaneous government appointed officials, to the list.

    The technical measures in C-30 would add very little, if anything, to the ability of police to catch the hackers (or pornographers), these people already know “how to hide themselves” – even from such measures. It’s the honest people that don’t take such steps, that will have a much higher risk of having their privacy invaded. People like you.

  18. Air Jordan 4 Cement says:
    But tomorrow comes, how many tomorrow, I was born with the bright moon, never comes.