Internet Hardware Forum Feb 25/12
Investigating and Preventing Criminal Electronic Communications Act and to amend the Criminal Code and others Acts
Protecting Children from Internet Predators Act
On February 13th Vic Toews Minister of Public Safety introduced this bill in the House of Commons. The bill originally called Investigating and Preventing Criminal Electronic Communications Act and to amend the Criminal Code and others Acts but it was changed to Protecting Children from Internet Predators Act.
This was done primarily to try to sell it to the public. A similar bill has been introduced 2 or 3 times in passed parliamentary sessions however the bills died due to a minority government and an election call. Now there is a majority government.
In fact when opposition members protested this bill Toews, exclaimed that if one was not for this bill then they must be siding with the child pornographers! Whenever I have seen police departments coming out in favor of this bill in was in reference to stopping other crimes as well. I have yet to see what the warrantless information will allow the police to do other than to go on fishing expeditions.
The information that the minister indicated the bill would allow authorities to get from ISPs without a warranty would be name, address, email address, and IP address of the account holder for that IP.
The reason why there has been such uproar about this bill is the vagueness in which it has been written as well as the lack of safeguards. Toews indicated that more detailed information would require a warrant. What Toews did not mentioned is that the bill allows more detailed information be provided by the ISP voluntarily and at the same time protecting the ISPs from civil and criminal prosecution!
Section 487.0195 states the following:
(1) For greater certainty, no preservation demand, preservation order or production order is necessary for a peace officer or public officer to ask a person to voluntarily preserve data that the person is not prohibited by law from preserving or to voluntarily provide a document to the officer that the person is not prohibited by law from disclosing.
(2) A person who preserves data or provides a document in those circumstances does not incur any criminal or civil liability for doing so.
This provision opens the door to police approaching ISPs and asking them to retain data on specified subscribers or to turn over any subscriber information – including emails or web surfing activities – without a warrant. ISPs can refuse, but this provision is designed to remove any legal concerns the ISP might have in doing so, since it grants full criminal and civil immunity for the disclosures.
While many would hope that ISPs would not hand over personal information without a warrant, revelations that they already provide customer name and address information about 95 percent of the time suggests that police have little to lose in asking for more detailed data preservation and disclosure. Bill C-30 increases the likelihood of “voluntary” warrantless disclosures, creating a legal framework that makes it easy and risk-free from a provider perspective.
There are also a lot of things that are unknown about C-30.
The introduction of Bill C-30 has generated enormous public debate (Michael Geist focused on the “voluntary” warrantless disclosure of subscriber information in one of his blog posts) but less discussed is how the bill leaves out many crucial details on the new surveillance rules will actually function. Indeed, for a bill that is ten years in the making, it is shocking how much is still unknown.
At the top of the uncertainty list are cost questions. The cost of new surveillance equipment could run into the tens of millions of dollars, yet the government has not said who will pay for it. Surveillance mandates in other countries have typically come with government support. For example, when the U.S. passed the Communications Assistance for Law Enforcement Act (CALEA) in 1995, $500 million was granted to cover provider costs. In addition to the surveillance equipment costs, there are fees and costs associated with surveillance “hook-ups” to law enforcement as well as fees for disclosing subscriber information. Bill C-30 leaves these issues for another day by opening the door to fees but leaving specifics to future, unspecified regulations that can be passed by the Governor-in-Council without gaining Parliamentary approval.
Surveillance capability specifics are also still largely unknown.
Bill C-30 requires Internet providers to have the ability to engage in multiple simultaneous interceptions but a wide range of questions – minimum and maximum simultaneous interceptions, how interception requests are made, maximum number of agencies making requests, etc. are all left to future regulations. Bill C-30 doesn’t even specify what communications must be interception-capable. Section 7 identifies a series of requirements including enable the interception of communications and isolate the communication. But what is a “communication” for these purposes? That is left to the unspecified regulations.
The mandatory disclosure of subscriber information without a warrant has been the hot button issue in Bill C-30, yet it too is subject to unknown regulations. These regulations include the time or deadline for providing the subscriber information (Bill C-30 does not set a time limit) and “prescribing any confidentiality or security measures with which the telecommunications service provider must comply.” In other words, disclosing the disclosure could be subject to further restrictions.
These are just some of the uncertainties. Section 64, which identifies the issues subject to future regulations by the Governor-in-Council cover almost every major substantive issue in the bill. In case the government has forgotten something, there is a catch-all regulatory power “generally, for carrying out the purposes and provisions of this Act.”
Public Safety Minister Vic Toews has indicated that he is open to amendments and that the government welcomes debate on the bill at committee. However, it is difficult to propose amendments to an incomplete bill. The public should not be asked to accept lawful access legislation that leaves so many issues to future discussion and regulation. A full debate and reform process necessitates the government coming forward with the accompanying regulations before the hearings on Bill C-30 get underway.
Perhaps the most dangerous provision is Section 14, which gives the government a stunning array of powers:
- to order an ISP or telecom provider to install surveillance capabilities “in a manner and within a time” specified by the government
- to order an ISP or telecom provider to install additional equipment to allow for more simultaneous interceptions than is otherwise specified in the law (the government sets a maximum and then can simply ignore its own guidelines)
- to order an ISP or telecom provider to comply with additional confidentiality requirements not otherwise specified in the law
- Whto order an ISP or telecom provider to meet additional operational requirements not otherwise specified in the law
Given these powers, Section 14 essentially gives the government the power to override the limits and guidelines it establishes in the bill (it must pay the provider an amount the government decides is reasonable for doing so). If that wasn’t enough, Section 14(4) goes even further. It provides:
The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section.
What does this mean? In short, it gives the government the power to decide what specific surveillance equipment must be installed on private ISP and telecom networks by allowing it to simply take over the ISP or telecom network and install its own equipment. This is no small thing: it literally means that law enforcement has the power to ultimately determine not only surveillance capabilities but the surveillance equipment itself.
As Privacy International revealed late last year, there is a massive global surveillance industry that specializes in selling invasive surveillance technologies directly to governments and law enforcement. Companies like Gamma Group offer “turnkey lawful interception projects” that includes SMS interception, speech identifying tools, and data retention, while Innova offers “solutions for the interception of any kind of protocols and IP-based communication, such as web browsing, e-mail and web-mails, social networks, peer to peer communication, chat and videochat.” Endace offers the “power to see all for Government” and Hacking Team provides a suite of tools for governmental interception. Last year, Wikileaks published a powerpoint presentation from Glimmerglass that shows how law enforcement can link email addresses, online chat, and social media activity to generate detailed profiles of individuals (pages 10-12).
There are dozens of these companies operating around the world, servicing steady demand from the Middle East and Asia. If Bill C-30 becomes law, the Canadian government will be positioned to require private ISPs to install these kinds of technologies directly within their networks.
By trading pseudonyms for IP addresses, then IP addresses for real names and addresses, and repeating the process, police could get a pretty clear picture of what you’ve been up to online.
“Investigations are going to change in character, to what we call fishing expeditions,” said Tamir Israel, a lawyer at the University of Ottawa’s privacy-minded Canadian Internet Policy and Public Interest Clinic, who’s been following this bill’s evolution for years.
What’s more, there is no guarantee that details uncovered in the course of this work will stay tucked away in police notebooks. For better and for worse, police do leak. Just ask Rob Ford, Toronto’s beleaguered mayor, whose 911 calls wound up in the national news. One of the many uses of online anonymity is to let people in the public service raise their voices in public. Knowing that the local police force has the power to unmask anonymous commenters at will can only cause a political chill.
After all, a system that allows for real-time surveillance, or for the archiving and sorting of your data, would be the holy grail for criminals (and possibly the office intern), whether they’re out for profit, political ends or a good time. You can’t bring oil barrels full of honey to the forest and then act surprised when bears show up.
Security disasters already happen with alarming regularity. The Government of Canada got hacked. Sony got hacked, compromising customer data. Google itself got hacked. Do you trust your ISP’s security know-how more than Google’s?
Finally, consider what could happen if other laws changed, too. Woe betide all of us if, a few years down the line, copyright infringement should become a criminal offence. (This isn’t inconceivable: After all, video recording in a movie theatre already is.) If it did, these surveillance powers and tools could be turned against people who break digital locks by ripping DVDs, or download the tools to do so.
The enemy here is not Vic Toews, that inept amplifier of talking points. Nor is it law enforcement – the police have a job to do, and will use every tool at their disposal to do it.
The enemy here is the law of unintended consequences. By stripping away checks and balances, and turning the Internet into a wonder of surveillance, we lay ourselves at its mercy.
Jennifer Stoddart, Canada’s privacy commissioner, and Ann Cavoukian, Ontario’s privacy commissioner, followed up with two separate public pleadings last fall, reiterating their concerns.
At a minimum, the “untenable” proposal for warrantless access to subscriber information “should be withdrawn,” Cavoukian argued.
Newly released information, released to Postmedia News under the access to information law, shows department officials said such a request was “not tenable.”
That’s because it “could limit the ability of police to access basic subscriber information in non-emergencies” and warrants are “generally granted for criminal investigations. Requiring a warrant would be problematic when police undertake non-criminal, general policing duties, such as contacting next-of-kin after a traffic accident or returning stolen property,” the records state.
But senior departmental officials also criticized Toews, who previously served as attorney general of Canada and Manitoba, for failing to state in his public response to Cavoukian that there are provisions of the Criminal Code that allow police to read emails without a warrant in special cases.
In a letter to the editor, Toews wrote in part: “Let me be clear. No legislation proposed in the past, present or future by a Conservative government will create powers for police to read emails without a warrant.”
“This is problematic because Section 184.4 of the Criminal Code currently provides for that,” the director of national security technologies at Public Safety wrote to colleagues after reading the letter.
In addition, a previous bill introduced by the Conservatives enhanced the safeguards associated with that section, “without moving away from the authority to intercept in exceptional circumstances without judicial authorization. Therefore, given the government was amending the provision to add safeguards to it, it can be inferred that the government supports ‘warrantless interceptions.’ ”
While Toews publicly says the bill is designed to go after users of child pornography, internal records refer to other issues, says Geist.
“You just can’t be serious. On one hand, we’d got Vic Toews screaming about child pornography cases and on the other hand, it’s pretty clear that one of their main justifications is that this has to do with non-emergency situations that aren’t even criminal situations. To say that you’re going to drop key privacy protections because you want to return a kid’s bike is just absurd,” Geist said.
The records also show that one of the cases flagged by the RCMP to help Public Safety build its case in favour of the bill, known as Operation Carole, involved images that did not meet the Criminal Code definition of child pornography. As a result, “production orders or search warrants could not be obtained,” the RCMP summary states.
“The point here is that you’re not supposed to get a warrant and access this information for content that isn’t even illegal. What they’re saying is, this is content that wasn’t illegal and so that was why they couldn’t get a warrant, so now they need to change the law on the mandatory basis to get that same information? That just invites fishing expeditions and other forays into personal information without proper justification,” said Geist.
The records also said that to require the police to obtain a warrant to access basic subscriber information “would literally collapse an already over-burdened judicial system.”
Information provided by the RCMP at the department’s request shows about 94 per cent of requests for basic subscriber information is provided voluntarily by ISPs. The telecoms refuse in six per cent of the cases, RCMP statistics provided to the department state.
From a small ISP point of view:
When Mark Jeftovic finished reading C-30 I had 23 sections of notes, with comments like “wtf?”, “surely, they jest”, and “omfg”. It is nothing less than a framework to enable unfettered state access into all domestic network communications (except for banks, who are exempt), total unwavering compliance from all internet providers, and penalties for non-compliance which seem to occur without due process.
The government says its no worse than publicly disclosed details in a phone book, privacy advocates beg to differ.
To me it’s all a sideshow. Regardless of what subscriber details are given to authorities, there are numerous other provisions in the Bill which make it nothing less than chilling:
- If a service provider provides encryption capabilities, they must reserve the capability to provide unencrypted intercepts to authorities (but they do not need to do this if the communications are already encrypted when they transit their networks)
- “Enable interception of communications generated by or transmitted through the apparatus to or from any temporary or permanent user of the service provider’s telecommunications services”
- Provide the ability to correlate “all elements of intercepted communications” – what this means to me is that if an access provider has been ordered to furnish data on you (including your IP), they have to be able to to give correlated data for that IP: everywhere you’ve visited or connected with over the network, which protocols, and I am assuming in the case of an access provider, the contents of those communications.
- Facilitate simultaneous intercepts from multiple agencies.
- Any new software or hardware installed by any service provider must meet the “operational requirements” of the act “even if the form of the software in question would require the telecommunications service provider to acquire additional software licences or telecommunications facilities to achieve that increased ability“.
And, just in case any of this is too onerous on service providers, the Minister is happy to help out:
The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section.
Oh, and by the way, the Minister may also compensate service providers for additional expenses incurred in becoming compliant with the act, or pay for said equipment it furnishes to the service providers. In other words, it all gets paid for out of our taxes.
The compliance requirement for all service providers is nothing less than nightmarish:
- All providers must permit police officer, RCMP or CSIS officer the ability to assess or test the service providers facilities that may be used to intercept communications.
- Service providers to provide lists of names of employees who would be tasked with undertaking intercepts, who may then be subject to police background checks
- Section 34(1) – “An inspector may, for a purpose related to verifying compliance with this Act, enter any place owned by, or under the control of, any telecommunications service provider in which the inspector has reasonable grounds to believe there is any document, information, transmission apparatus, telecommunications facility or any other thing to which this Act applies.
Once in the facility, said inspector can:
- “examine any document, information or thing found in the place and open or cause to be opened any container or other thing;”
- “examine or test or cause to be tested any telecommunications facility or transmission apparatus or related equipment found in the place;”
- ” use, or cause to be used, any computer system in the place to search and examine any information contained in or available to the system;”
- make copies of anything they want.
Then there is the extra-judicial provision for non-compliance by any service provider:
39. Every person who contravenes a provision, order, requirement or condition designated under subparagraph 64(1)(p)(i) commits a violation and is liable to an administrative monetary penalty not exceeding the prescribed maximum or, if no maximum has been pre- scribed, to a penalty not exceeding $50,000, in the case of an individual, and $250,000, in any other case.
This happens, not by being charged with an offense, not by being summoned, but by being served a “Notice Of Violation”.
41. (1) A designated person may issue a notice of violation and cause it to be served on a person if they believe on reasonable grounds that the person has committed a violation.
42. (1) A person who is served with a notice of violation must, in accordance with the notice, pay the penalty set out in the notice or make representations with respect to the amount of the penalty or the acts or omissions that constitute the alleged violation.
(2) A person is deemed to have committed the violation if they either pay the penalty in accordance with the notice of violation or do not pay the penalty and do not make representations in accordance with the notice of violation.
Also, an employer is liable for a “violation” if it is committed by an employee, whether or not the employee is identified or proceeded against.
And to top it all off, as a final “fsck you” from the Minister to all Internet Service Providers in Canada:
All ISPs must, within 6 months of the Act becoming law submit a report to the Minister of Public Safety and Emergency Preparedness detailing the facilities they operate.
But hey, if we don’t like it, then according to Safety Minister Vic Toews “we must be siding with the child pornographers“, right?
What This Law Will Do If Passed
So basically what happens if this becomes law is this:
- Canadian service providers will lose business to foreign technology providers who are not constrained by warrantless state oversight into their facilities, customer information and data.
- Service Providers will pass along indirect costs of compliance to customers since there will inevitably be additional expenses outside the scope of government reimbursement.
- Kiss good-bye what I think is currently a fairly healthy climate of willful, uncoerced co-operation between ISPs and Law Enforcement. ISPs now have their own Acceptable Use Policies and tend to self-police in ways that help LEA when actual crimes are being committed. Existing law works and as Michael Geist notes in another post, gets results. Bring in this law, and law enforcement becomes Big Brother. Nobody wants to deal with Big Brother.
- A technology Brain Drain will occur. If this law comes through looking like this then I for one will start my next company somewhere else. I doubt I’ll be alone in that. Crappy winters are one thing, but this, I don’t need.
- Not a single technology entrepreneur, investor, executive or knowledge worker in Canada will vote for the Conservative Party ever again. Maybe that’s not a bad thing.