OPINION: What you don’t know about lawful access

The Government of Canada has gone down the lawful access road on two previous occasions, prior to the introduction in June of Bills C-46 and C-47. The previous Liberal bills did not get past first reading due to impending elections and changes of government.

The crafters of the previous submissions had a tremendously difficult time getting the telecommunications providers on board given the investment they would be forced to make in order to provide the backbone for Big Brother without some compensation.

Bill C-46, the Investigative Powers for the 21st Century Act (IP21C) and Bill C-47, the Technical Assistance for Law Enforcement in the 21st Century Act (TALEA) aim to give Canadian law enforcement, national security agencies and other “authorities” broader powers to acquire digital evidence to support their investigations. This includes provisions to allow police access, without a warrant, to the personal information of users including names, addresses, telephone numbers, email addresses and internet protocol addresses. Bill C-46 ensures police can obtain warrants for current and historical transmission data, but also allows police to remotely activate existing tracking devices on cellphones and cars. It also includes requirements for the telecommunications providers to decrypt data for production of evidence if they have the ability to do so.

In its current form, the legislation is not balanced. It creates too much opportunity for abuse by intelligence and security organizations, let alone law enforcement agencies. Where is the evidence that the expanded surveillance powers it contains are essential and that each of the new investigative powers is justified?

To this end, the Bill is more reflective of an intelligence gathering legislation than it is a piece of law enforcement law. The federal Privacy Commissioner, in conjunction with her provincial counterparts, has warned the crafters of the legislation to be cautious in moving forward with the legislation as is.

Now that the appropriation bill C-47 has been split from the legislative piece, C-46, the telecommunications providers see the opportunity for the federal government to foot the bill for the implementation of technology, as well as a per request fee to respond to requests from law enforcement agencies, etc. The telecommunications providers have seemingly acquiesced to the Crown and have the attitude that it will be introduced into law sooner or later; we may as well be prepared. Ironically, they are not.

They have not yet thought through the impacts past the routine requests by law enforcement agencies to gather evidence on child exploitation, because that, after all, is the basis for the entire legislation. With that, the telecommunications providers assume that if they apply a fee to each request, the municipalities and Crown will not overburden them with requests for fear of cost overruns. Given the expanded powers of this legislation, this is a terribly naïve mindset.

When approached on the subject of how they would estimate the level of effort for a large file from either a law enforcement agency or an intelligence agency, CSIS for example, they were ill-prepared to respond. Pushed on additional issues around staffing and secure facilities to house the infrastructure, they were equally confused. The telecommunications providers have not fully thought out what they initially saw as a Government-funded requirement, to which they would be forced to adhere. They certainly have not thought about the ancillary costs of conducting business thereafter.

Additionally, C-47 Sect 6 para (3) obligates the service provider to unencrypt data to its original form. Individuals or organizations that are leveraging a managed secure service should pause to consider how this will impact them, their own clients or personnel.

The Crown threw out the olive branch in creating C-47 as an appropriation Bill, but it is devoid of any promises to provide funding or how said funding would be brought to bear.

Watching this new legislative direction unfold, it gives me pause to reflect on the evolving market that is growing internationally in response to similar pieces of law. Cisco Systems Inc., for example, is adding “lawful access” software components into its new core routers to enable peace or public officers to enter the telecommunication facility and more readily get the information they are after. Similarly, many other hardware and software companies are investing in tools that make lawful access easier to pursue and respond to.

I find it odd that the Public Safety department claimed that the Federal Privacy Commissioner’s office had been consulted in the creation of the legislation. The Office of the Privacy Commissioner indicated that no such consultation took place.

“Canadians put a high value on the privacy, confidentiality and security of their personal communications and our courts have also accorded a high expectation of privacy to such communications,” says Jennifer Stoddart, the Privacy Commissioner of Canada.

“The current proposal will give police authorities unprecedented access to Canadians’ personal information,” the Commissioner says.

This brings me to the definition of “police” within the legislation. Simply, the legislation is not limited to police in the traditional way we all think about law enforcement officers. The legislation affords the breadth of these provisions to what is referred to as a “public officer”. A public officer is defined as someone “who is appointed or designated to administer or enforce a federal or provincial law and whose duties include the enforcement of this Act or any other Act of Parliament.” That is a tad broad and would include not only the entire intelligence community, but every quasi-intelligence or statistics-gathering agency.

Given our long-standing quintipartite relationship with the US, UK, Australia and New Zealand, imagine how that information would be shared in light of similar laws internationally.

Moreover, the Privacy Commissioner is not convinced that we need to expand the authority of peace and public officers. She said, “To date, the federal government has presented no compelling evidence that new powers are needed”.

Watching how parallel legislation has evolved outside of Canada, it is important to consider how a more balanced approach to these provisions will maintain the integrity of our Canadian culture.

Assuming that we like our privacy and that our Privacy Commissioner has a mandate to put privacy interests first, we want to ensure that we do not go down the path that, for example, the US has taken. What is unfolding south of the border is a culture of highly cautious, watch-your-neighbour fearmongering, based on the 9/11 terrorist attack. Lawful Access was made permanent after President Bush ran a pilot project with AT&T to monitor Americans’ internet activity. Even President Obama has fallen into the trap of supporting the legislation, as he, when a Senator, supported the immunity part of the bill, thereby protecting former President Bush from litigation. Not one of his finest hours.

The US Department of Homeland Security (DHS), spawned from a myriad of attempts at formalizing a central security facet of the US Government, has used the provisions of its lawful access legislation to beef up the number of cases around child exploitation by broadening searches of computers at the border. Terrific that they are catching some bad guys, but what other agendas are being fed information from the ad hoc review of personal computers at the border?

While catching a few pedophiles is good for business, at the same time it placates the populace. They all think it is for the greater good and thwarts terrorists, so they all sleep easier. Meanwhile, under this façade, the Intelligence gathering agencies can broaden their programs and undermine the privacy of the entire country under the same provisions.

This might explain why DHS is consistently tardy with its privacy report findings to the Electronic Privacy Information Center. Recently, DHS was admonished by the group through a certified letter: “it has been over a year since the publication of the last report, we would like to know when the current report, concerning the activities of your office, will be made available to the public”.

The annual report, which has been issued since 2003, is supposed to account for the privacy issues that the DHS is focused on and show whether the agency is fulfilling its constitutional obligations for privacy and civil liberties.

DHS, as one of the largest US departments, is a good target for groups like the Electronic Privacy Information Center (EPIC), given its involvement in projects such as Einstein 2.0, a network monitoring technology that improves the ability of federal agencies to detect and respond to threats, and the Real ID identity credentialing initiative. The DHS’s terror watch list program, its numerous data mining projects, the secure flight initiative, the proposed use of body imaging technologies and its , are all under privacy scrutiny.

Any business traveler knows how onerous the process of transitioning through airport security in the US has become. The DHS-imposed Transportation Security Administration (TSA) search policy has created a lot of ire among travelers and has resulted in delays, missed flights and lost computers. Do we want to see the Canadian Border Services Agency conducting similar activities: confiscating laptops for forensic investigation, demanding passwords and the like? Just imagine the expanded intelligence activities that could be run; certainly something the telecommunications providers have not thought about.

We can only hope that Canadians rise to the challenge of ensuring the Government of Canada responds appropriately, but if it moves into law as is, we will all get to pay to watch our privacy violated.

 


