June 18, 2009
Internet service providers would have to make it possible for police and intelligence officers to intercept online communications and get personal information about subscribers, under bills tabled Thursday.
"We must ensure that law enforcement has the necessary tools to catch up to the bad guys and ultimately bring them to justice. Twenty-first century technology calls for 21st-century tools," said Justice Minister Rob Nicholson as he announced the new bills with Public Safety Minister Peter Van Loan at a news conference in Ottawa.
The bills are intended to modernize the Criminal Code and help law enforcement officials chase those suspected of using the internet and other new technologies to communicate and commit crimes, as well as maximize the ability to conduct international investigations, Nicholson said.
Targets 'safe havens'
One bill, announced by Van Loan, would require telecommunications and internet service providers to:
Van Loan said the bill won't provide new interception powers to police, but simply update the legal framework designed "in the era of the rotary telephone."
He noted that police can already get the authority to intercept communications, but the network is often incapable of allowing such interception.
"Criminals, child pornographers, organized crime members and terrorists are aware of these interception safe havens. They identify them and gravitate towards them to exploit them and continue their criminal activities undetected, out of the reach of the investigative powers of law enforcement."
Van Loan added that internet service providers are currently not required to provide subscriber information to police and the Canadian Security Intelligence Agency (CSIS), and may be unwilling to provide such data without a police warrant, slowing down the investigation of crimes such as child sexual exploitation or online theft.
The other bill, introduced by Nicholson, would:
Nicholson said the government believes the proposed legislation strikes an "appropriate balance" between law enforcement's investigative powers to protect public safety and the privacy and rights and freedoms of Canadians.
Calgary deputy chief of police Murray Stooke said police have been requesting the modernization of laws related to interception of communications for a decade. He added that the government consulted broadly with Canadians and interest groups before introducing the new legislation.
"We do understand that the privacy concerns of Canadians must be respected," he added, "but at the same time, we have a growing gap in terms of our capacity [to investigate crimes]."
However, University of Ottawa law professor Michael Geist wrote in his blog Thursday that the bills are "pretty much exactly what law enforcement has been demanding and privacy groups have been fearing. It represents a reneging of a commitment from the previous Public Safety Minister on court oversight and will embed broad new surveillance capabilities in the Canadian internet."
Tom Copeland, head of chair of the Canadian Association of Internet Providers (CAIP), which represents dozens of smaller Canadian ISPs, said Thursday he fears the bill requiring internet-tapping capability could put some of his members out of business.
Van Loan said the companies themselves will have to pay for new equipment to meet the requirements, although the government will provide "reasonable compensation" when retrofits to existing hardware are needed.
The companies will have 18 months to make the changes, but there will be a three-year exemption for those with less than 100,000 subscribers.
But even that may not be enough time for some small providers, as they usually buy used, older network equipment that wouldn't be tappable, he said. Buying that new equipment could cost $15,000, and even if the government covers half, the remainder would be a "significant burden," Copeland said.
"I know a lot of providers who couldn't come up with the other half – it's just not the margins we have."
Larger internet service providers such as Bell also expressed concerns.
Spokeswoman Jacqueline Michelis said in an email that the company "has long been committed to working with law enforcement agencies to find effective and efficient solutions for their legitimate surveillance needs," but policing costs shouldn't be downloaded to one particular industry.
"Other funding mechanisms must be found," Michelis said.
Copeland said that with respect to providing subscriber information without a warrant, he is glad the bill brings some "clarity and consistency" to the issue. Previously, he said, ISPs were unsure whether providing that information would violate the Privacy Act and leave the companies vulnerable to a lawsuit.
He said the other bill introduced Thursday represents no real change to ISPs.
Rogers Communications participated in consultations during the drafting of the bills and now that they have been tabled, will study them and provide feedback to the government, said Nancy Cottenden, director of communications for the company, in an email.
+++++++
From http://www.michaelgeist.ca/content/view/4069/125/
Thursday June 18, 2009
As expected, the Government has taken another shot at lawful access legislation today, introducing a legislative package called the Investigative Powers for the 21st Century (IP21C) Act that would require mandated surveillance capabilities at Canadian ISPs, force ISPs to disclose subscriber information such as name and address, and grant the police broad new powers to obtain transmission data and force ISPs to preserve data. Although I can only go on government releases (here, here), the approach appears to be very similar to the Liberal lawful access bill of 2005 that died on the order paper (my comments on that bill here) [update: Bill C-46 and C-47]. It is pretty much exactly what law enforcement has been demanding and privacy groups have been fearing. It represents a reneging of a commitment from the previous Public Safety Minister on court oversight and will embed broad new surveillance capabilities in the Canadian Internet.
The lawful access proposal is generally divided among two sets of issues - ISP requirements and new police powers.
There are two key components here. First, ISPs will be required to install surveillance capabilities in their networks. This feels a bit like a surveillance stimulus package, with ISPs making big new investments and the government cost-sharing by compensating for changes to existing networks. The bill again exempts smaller ISPs for three years from these requirements. While that is understandable from a cost perspective, it undermines the claims that this is an effective solution to online crime since it will result in Canadians at big ISPs facing surveillance while would-be criminals seek out smaller ISPs without surveillance capabilities.
Second, the bill requires all ISPs to surrender customer name, address, IP address, and email address information upon request without court oversight. In taking this approach, Public Safety Minister Peter Van Loan has reneged on the promise of his predecessor and cabinet colleague Stockwell Day, who pledged not to introduce mandated subscriber data disclosure without court oversight.
There are several new police powers that come with the lawful access approach. First, police will be able to obtain transmission data about Internet-based messaging. The government says this does not cover the content of a private communication, but it will cover information about what a person is doing online (what sites they visit, who they communicate with, etc.). This will be subject to a judicial order that will allow for obtaining real time data (a warrant) or historical data (a production order).
Second, police can obtain a preservation order that would require ISPs to preserve (ie. not delete) data related to a particular subscriber or even a specific communication. Third, there is an expansion of the police power to obtain a tracking warrant, by allowing police to "remotely activate existing tracking devices that are found in certain types of technologies such as cell phones." Fourth, the law expands the computer virus provision in the Criminal Code and opens the door to greater international cooperation of cybercrime enforcement.
As for what is not in the lawful access package, there is nothing on data retention, a controversial issue in Europe. It is also not clear what reporting requirements the Government envisions to ensure that there is transparency in the process.
I'll have more to say in the days ahead, but it should be stated that everyone wants to ensure that police have the ability to deal with serious crime. Lawful access has been on the public agenda for years, with law enforcement has demanded new powers but not providing compelling evidence that the current system has created serious barriers to their investigations. For example, last year CIRA caved to law enforcement pressure for a backdoor to WHOIS domain name registrant information. More than a year later, law enforcement has never once used this backdoor. Given the potential for misuse (Greece, U.S. telcos), the onus should be on law enforcement to demonstrate how the current system has harmed investigations and then we should work on ensuring that there is always - including for customer name and address information - appropriate court oversight.