Small ISPs face new pressures under Tory bill

The Conservative government is trying to give police better access to online communications, introducing a new bill Thursday that will force ISPs to hand over subscriber data without a warrant and implement intercept-capable technologies.

Public Safety Minister Peter Van Loan introduced The Technical Assistance for Law Enforcement in the 21st Century Act in an effort to modernize Canada’s Criminal Code to keep up with the Internet and other emerging technologies. Without a legal requirement for ISPs to make their networks wiretappable, the Conservatives argued that criminals will continue to exploit online “safe havens.”

“What the government is proposing today is new legislation that will update our legal framework for interception that was designed nearly 40 years ago in the era of the rotary telephone,” Van Loan said at an Ottawa press conference. “We are simply seeking to modernize our laws to reflect the realities of a 21st (century) high-tech society.”

The proposed legislation will require ISPs such as Rogers Communications Inc. and Bell Canada Enterprises Inc. to install and maintain “intercept-capable” technologies on their networks. ISPs will have to pick up the bill on new equipment and software, with the government agreeing to help compensate any retrofitting that needs to be done to existing networks.

Smaller ISPs with less than 100,000 subscribers will be granted a three-year exemption from certain requirements deemed too costly by the government. A number of organizations, such as banks, private networks and charities, will be excused from the legislations requirements entirely and will not be required to install intercept capable equipment.

Tom Copeland, the chair of the Canadian Association of Internet Providers, said for most of the smaller ISPs, the three-year timeframe will present a significant challenge, especially considering much of the equipment used is unable to be retrofitted.

“That means we’d have to buy new equipment, and according to the government release that would constitute an upgrade and ISPs wouldn’t receive government help,” he said. “Rather than setting out a three-year plan to retrofit their gear, we’ll probably see a lot of smaller providers setting up a three-year plan to shut their doors.”

Brian O’Higgins, independent technology consultant and co-founder of recently acquired Ottawa security firm Third Brigade Inc., supported the idea of updating Canada’s laws relating to cyber crime, but stressed the need for government to ensure ISPs are not overly burdened with massive costs.

“Right now it’s really important for Canada to crank out real broadband and get that out, so I don’t want to see this slow that down,” he said. “If this impacts the availability or rollout of broadband that would be a bad thing.”

“In this case, the government may be required to pay for the privilege to get this access and do the intercept.”

Other industry observers feared the three-year grace period for small ISPs to implement surveillance tools would be counterintuitive.

“Every time a new technology or law is introduced, it has the effect of challenging criminals to find another way to conduct illegal activities,” said Carmi Levy, an independent technology analyst based in London, Ont. “The net effect will likely see criminals shifting away from larger ISPs in the short term to avoid detection.”

Another aspect of the legislation — and an area where many online service providers are considerably farther along — will require ISPs provide police with prompt access to subscriber information, such as name and address information, without the need for a warrant.

According to Michael Geist, research chair of Internet and e-commerce law at the University of Ottawa, this requirement means that Public Safety Minister Peter Van Loan has reneged on the promise of his predecessor and cabinet colleague Stockwell Day, who pledged not to introduce mandated subscriber data disclosure without court oversight.

“It is pretty much exactly what law enforcement has been demanding and privacy groups have been fearing,” Geist wrote in a Thursday blog post, adding that the legislation would embed broad new surveillance capabilities into the Canadian online landscape.

Levy agreed that the legislation would do little to make the Internet a safer place, adding that the only positive impact of the legislation will be seen among businesses that “implement surveillance solutions.

“By mandating ISPs to invest in traffic monitoring capabilities, this legislation would drive investments in a sector that up until now hasn’t had much to celebrate,” he said. “For everyone else, the question now becomes whether law enforcement agencies can be trusted to maintain data privacy and integrity in the face of these soon-to-be-built-in surveillance tools. Expect Canadian consumers and businesses to start asking hard questions of their ISPs.”

Business as usual over the Internet won’t be business as usual at all if this legislation is enacted into law, he added.

In addition to the hotly debated bill, the government also introduced a second, related-piece of legislation Thursday, which it called The Investigative Powers for the 21st Century (IP21C) Act.

This bill would allow law enforcement officials to obtain transmission data that is sent or received via telephone or Internet-based messaging and give police the ability to issue a preservation order for specific subscriber communications.