When Bob Carrick first got hold of the federal government’s discussion paper on “lawful access” – which describes the ISP’s role in divulging sensitive customer information to authorities – he wasn’t sure what to make of it. Laid out before him was a document describing either the steps required to eradicate electronic subversion or a dire warning for service providers and their customers.
The document hints at greater ISP observance of customer accounts and touches on network upgrades that could be costly to both carriers and clients. It mentions changes to Canadian law that would facilitate increased government scrutiny, but offers little guidance as to what those changes might be.
The paper unnerved Carrick, president of CanadianISP.com, an ISP directory.
“It’s too darned open-ended,” he said of the government’s 21-page missive, noting how the lack of detail puts service providers in a tough spot. “You can’t do cost justifications if you don’t know what you’re expected to do.”
Carrick is not alone in his trepidation. Others are just as worried, pointing out the government’s document, short as it is, might be long on bad news. It could oblige service providers to act like police officers, increase carriers’ costs and directly or indirectly affect corporate Canada’s bottom line.
Department of Justice Canada, which put out the contentious paper, could not be reached for comment before press time. Even so, industry insiders and observers are trying to figure out what “lawful access” really means.
“Any time any government is seeking additional power – additional intrusions – it behoves us as a society to discuss it,” said Lawrence Surtees, an analyst with IDC Canada Ltd. in Toronto.
He pointed out that the discussion should start not with the government’s document, but with another one from across the Atlantic: the European Union’s (EU) Cyber-crime Convention. It’s a treaty designed to keep cyber crime in check, and one that Ottawa plans to ratify.
The Convention claims to quell “the risk that computer networks and electronic information may…be used for committing criminal offences.” It requests that signatories “adopt such legislative and other measures as may be necessary” to cut down on illegal network and computer access, unsanctioned interception or interference, computer-related forgery, child pornography, et cetera.
In order to make life easier for enforcement agencies, the Convention suggests signatories should enact laws that direct ISPs to preserve stored data, disclose traffic information and allow authorities to intercept content.
So goes the Convention. But before ratification, Canada must enact certain changes at home to comply with the international law, and no one’s quite sure how this country plans to make nice with the EU without trampling on service providers and end users here.
Consider the notion of “data preservation,” an aspect of the Convention. Some people say it will blossom into a nasty case of expenditures for carriers and their customers.
At the offset, preservation is no arduous task. First the police would call upon an ISP to preserve customer data already stored. ISPs keep certain client info, such as credit card numbers, addresses, phone numbers and usage logs for billing. Served with a preservation order, an ISP would make sure not to delete that information.
The police would follow up with some sort of production order to attain the data.
Preservation alone is neither difficult nor costly. After all, it simply means ISPs would hold on to the limited customer data they already have.
Nonetheless, preservation could give rise to “retention,” which is a different prospect altogether. Retention means ISPs would track and log every chatroom message, every URL visited and every e-mail address accessed by each user. Some point out that retention undermines the hard-won trust that customers place in service providers. Others suggest it lays the foundation for privacy rights violations on the part of authorities and spells a free-speech chill online.
IDC Canada’s Surtees said retention could be incorporated into the Cyber-crime Convention. In a paper he co-wrote concerning lawful access, the analyst points to a “confidential agenda” put forth by the European Police Office (EUROPOL) that would see deep data retention become the name of the game.
“The [EUROPOL] directive would apply data-retention rules to any communications device and service, including landline phones, mobile phones, smart handheld devices, faxes, e-mails, chatrooms…” Surtees wrote. “One source has identified more than 700 types of Internet service elements alone that would be affected.”
If retention were made part of the Convention, how would ISPs handle it? Carrick said service providers would face a storage nightmare. Considering each user generates one to three Gigabytes of information per month, a small ISP would need to store hundreds of Terabytes. That means having to invest in new servers and software.
Carrick said ISPs would pass the costs associated with retention on to users. “I know a lot of ISPs have said flat out that they will add a line item on customers’ bills so they know it’s the government’s fault.”
As if the prospect of increased rates weren’t bad enough, the Convention could hit enterprises squarely in the pocket book, given a particularly jaded reading of the EU document.
Consider its definition of “service provider.” The Convention says a service provider is “any public or private entity that provides to users of its service the ability to communicate by means of a computer system.”
In the enterprise, employees communicate via the in-office data network. Does this mean Canadian businesses might count as service providers? Michael Power, an Ottawa-based partner with the law firm Gowling Lafleur Henderson LLP, said it’s possible. Surtees agreed. But others insist Canada’s version of the Convention would not concern the enterprise.
“Our understanding is they don’t mean that to apply to corporate undertakings,” said Jay Thomson, president of the Canadian Association of Internet Providers (CAIP) in Ottawa.
The Canadian paper makes reference to an “intercept capability,” wherein an ISP should be able to capture a user’s electronic correspondence for further scrutiny. At issue here are the definitions of “cost” and “correspondence,” neither of which is spelled out in great detail.
Concerning cost, the Canadian document says, “Service providers would be responsible for the costs associated with providing lawful access capability for new technologies and services.” But it goes on to say, “They would not be required to pay for necessary changes to their existing systems or networks.”
It’s a confusing passage, said Thomson. “The big question here is, what constitutes new technology or, even more difficult, a substantial upgrade?”
Without details in the feds’ document, it’s difficult to know just what the government meant by this distinction. Thomson said it’s “a big hole in the proposal and it will be very difficult to deal with.”
The definition of correspondence also requires scrutiny. On the surface it appears the government simply wants information regarding with whom and at what time a user chatted online or via e-mail – rather like a telephone number trace, only for the Internet.
But the Internet is vastly more complicated than the telephone. It encapsulates a variety of communication technologies, including e-mail, chatrooms, instant messaging (IM) and even voice over Internet (VoIP) calls.
Let’s say the police request permission to view a user surfing, ostensibly to find out if he’s visiting a particular URL. During the spy game, the authorities get a sense of the user’s surfing habits – an overview of his online predilections unmatched by a phone number trace in the TDM world.
Does the online information go beyond the number-to-number data that police would garner from a number trace? “That is the fear and something we need to learn more about before we can adequately respond,” Thomson said.
Surtees said gear makers must be salivating at the prospect of peddling high-priced interception-ready systems.
“A practical question for the Canadian service provider is, are vendors going to want to sell them the Cadillac version? Who watches over the manufacturers?”
David Elder, a regulatory specialist with Bell Canada in Hull, Que., said he’s worried service providers will have to change stripes as well as various network elements. Given the manpower, time and technology that interception might require, does lawful access transform the service provider into a data traffic cop?
“We’re not in that business,” Elder said, adding that carriers walk a “delicate balance” between protection and privacy. Bell wants the federal government to keep in mind this tightrope act when it completes lawful access proposals.
Carrick and Thomson said the government is listening to the industry’s complaints. For one thing, ISP representatives said they are assured that legislative changes will apply to public service providers and not enterprises.
As well, the feds have opened the floor for discussion. The government is seeking public comments on lawful access and recently extended the deadline for submissions to Dec. 16. (See
www.canada.justice.gc.ca/en/cons/la_al
for more information.)
“The proposal has been worked out a little,” said Carrick.
But until the government comes out with its final word and ratifies the EU Cyber-crime Convention, it’s difficult to know how this story will shake out. All anyone can say for certain is Canada’s newfound focus on lawful access might make waves for service providers. And “you can be sure if ISPs have to pay for it, you and I have to pay for it,” said Power, the lawyer from Gowling.
