ISP access clash looms

A battle is looming between law enforcement agencies and ISPs over who should pay for a project that would give police easier access to service provider networks.

The federal government is considering changing the Criminal Code to give law enforcement groups the tools to intercept e-mail and Web correspondence.

According to Justice Canada, the federal department undertaking this review of “lawful access” rules, the police say they need greater interception capabilities to help capture ne’er-do-wells who use the Internet to plan nefarious deeds.

Noting potential privacy and cost implications, the feds held a public consultation last year to glean thoughts on the matter. Justice Canada published a summary of the comments in August.

The cost debate provides a glimpse into just how difficult a path the government faces with lawful access legislation: who should pay for new intercept-ready switches, routers and storage media that might be required for lawful access?

ISPs say it’s Ottawa’s bill.

“Because these obligations are being imposed upon us for a government purpose…government should pay for it,” said Jay Thomson, president of the Canadian Association of Internet Providers (CAIP) in Ottawa.

The police say service providers should pay, contending that the government should prevent ISPs “from…recovering infrastructure costs from law enforcement agencies,” according to Justice Canada’s “Summary of Submissions to the Lawful Access Consultation” on the department’s Web site.

The document says 56 police agencies responded during consultation, including the Ontario Provincial Police, Charlottetown Police Department, Saskatoon Police Service and many divisions of the RCMP.

Thomson said most Canadian ISPs are small operations that cannot afford new intercept-ready equipment. He added that “ultimately, any business…passes its costs onto its customers.” If service providers have to buy new gear, users will pay the price.

But John Boufford, director of advocacy for the Canadian Information Processing Society (CIPS), said “Users are going to bear the cost one way or another. If law enforcement pays for it, it’s tax dollars at work.”

Boufford said CIPS sees lawful access as “a civic responsibility” for ISPs.

“Banks are faced with reporting certain activities around money laundering statutes….I’m not aware of any financial help that went their way to offset the cost of implementing this monitoring and reporting.”

But certain questions about lawful access remain unanswered.

“The whole issue of who is a service provider and who is not, I don’t think has been resolved,” Boufford said, indicating concerns that enterprises operating their own networks might also have to install interception equipment.

In an earlier interview, Thomson said he’s sure the government doesn’t intend to apply new lawful access rules to enterprises. But he still has reservations.

“We don’t know what kind of costs we’re talking about here, because we don’t know what the technical and administrative obligations would actually be….We want more information before we can make a determination as to whether this is a reasonable proposal or not.”

He added, “Our understanding is the government has received that message, and it will be following up with industry, providing us more detailed information.”

In the Frequently Asked Questions section of its lawful access Web page, Justice Canada tries to address one big privacy and cost concern for ISPs: will they have to catalogue every user’s online activities and pay for the technology to store the ensuing petabytes of info?

The FAQ says Justice Canada doesn’t want such deep “data retention.” But Lawrence Surtees is skeptical. An analyst with IDC Canada Ltd., he noted that Canada has signed a European Union (EU) cyber-crime convention, and plans to ratify it in the future. Surtees said the EU agreement might require data retention. And if the EU wants retention, Canada would have to oblige.

“Now you’re prescribing way more complex upgrades,” he said.

Justice Canada’s summary of comments from the lawful access consultation is on the department’s Web site, For more information about the debate, see Network World Canada‘s article, “Ottawa’s data dig” in the Nov. 29, 2002 issue, page 24, and ComputerWorld Canada‘s article, “Proposed law sparks privacy concerns” in the Jan. 10, 2003 issue, page 6.