That some form of “Lawful Access” legislation is necessary seems almost a no-brainer.
Who would ever be against providing law enforcement or national security agencies with the tools they need to nail bad guys?
Few would dispute that “listening in” on the conversations or intercepting the communication of suspected criminals or terrorists is a great way of learning – in advance – about their sinister plots and stratagems, and foiling them.
As Michael Power puts it: “Motherhood and apple pie are the sort of things you really can’t argue against. And you pretty much can’t argue against lawful access.” Power is a partner and chief privacy officer at Ottawa-based Gowling, Lafleur Henderson LLP. He was speaking on Lawful Access at a recent IP Security conference in Ottawa.
You pretty much can’t argue against lawful access And yet a lot of folks, including Power, have raised plenty of concerns about the proposals – and pretty forcefully at that.
Their major grouse is that the proposed updates may not be as innocuous as they seem. Privacy groups fear the government might be treading on dangerous territory by giving more teeth to law enforcement agencies, undermining civil liberties under the Charter of Rights and Freedom.
They point out that current lawful access provisions, embodied in the Criminal Code, already allow law enforcement agencies to conduct searches and seize information through a court order.
The proposed update, they said, seeks to allow law enforcement to obtain specific subscriber data from telecom service providers (TSP) even without a warrant or court order.
“Every little incremental additional power that they give to law enforcement is building up a structure in which citizens have real difficulty leading lives that are not potentially subject to state surveillance,” said Philippa Lawson, executive director of Ottawa-based Canadian Internet Policy and Public Interest Clinic (CIPPIC).
Lawson said the government is “definitely stopping short” of moving towards an Orwellian society where government and law enforcement agencies are empowered to conduct surveillance activities.
Some TSPs, however, don’t take as dim a view of the proposals.
Wireless telecom providers, for instance, trust the law to define the line between national security and protection of privacy, leaving the debate up to “politicians, the media and public opinion.”
“(Wireless carriers) really don’t have the expertise in matters of human rights and privacy, we just apply those as government sees fit,” said Peter Barnes, president and CEO of the Canadian Wireless Telecommunications Association (CWTA).
Barnes expects the proposed legislation will define “reasonable limits of privacy as opposed to the expectation and requirements of security.”
A similar view was expressed by the Canadian Association of Internet Providers (CAIP), which doesn’t believe the proposals would compromise subscriber privacy.We really don’t have the expertise in matters of human rights and privacy, we just apply those as government sees fit.
The current proposals are not a “significant erosion of the customers’ privacy rights”, said David Elder, chair of CAIP’s lawful access committee. “This is not a constant big brother surveillance of everybody’s Internet use, this is about judicially authorized intercept in cases where those are clearly required.”
Veteran telecom carrier MCI Canada, however, is a little more cautious when it comes to protecting subscribers.
“While we are obviously required…to [participate] in the enforcement of the law, we also see ourselves as advocates of our customers and to the extent that this could be perceived to be misused or overused…we will advocate that certain standards be…strictly maintained,” said Robert Quance, general manager of Toronto-based MCI Canada.
MCI Canada is part of a global company headquartered in the US where lawful access legislation has been in place for over a decade.
The continuous evolution of technology has been cited as a driving force behind the lawful access initiative.
Law enforcement agencies say innovations in communications technology have become so complicated that new tools are required to facilitate a more effective investigation and prosecution of criminals.
But Jason Young, a lawyer at Toronto-based technology law firm Deeth Williams Wall LLP, is not convinced.
He stressed the government has to demonstrate, through factual evidence, that there is a need for such new provisions.
“I would never presume to tell the police what techniques they should use in order to catch a criminal. What we’re saying is, if there is a problem, then…identify the problem and point to statistics, actual evidence. They failed to do that,” he said.
The Council of Europe’s 1997 Convention on Cybercrime was another instigator for the lawful access proposals, according to Young. He noted that Canada, though not a member of the Council of Europe, signed the treaty.
Ratifying that convention meant enacting domestic legislation in accordance with treaty provisions.
The Toronto lawyer said there are two aspects to the ratification – substantive and procedural. Substantially, the convention provides for criminal prosecution of cybercrimes such as child pornography, copyright infringement, and hacking.
On that count, Canada has laws already in place ensuring the prosecution of such criminals.
In August 2002, the Department of Justice released a consultation paper proposing to introduce new legislation that would enhance the lawful access provision of existing laws such as the Criminal Code, Canadian Security Intelligence Service Act, and Competition Act. The consultation included service providers, law enforcement agencies, civil society groups, and the general public.
According to CIPPIC’s interpretation of the lawful access proposals, judicial authorization will remain a requirement to conduct searches or intercept communications. But under the new proposal, law enforcement units will have authority to obtain basic subscriber data (e.g. name, address, e-mail address, IP address) – called production orders – from service providers “upon mere request, without judicial authorization or requirement for reasonable grounds to suspect wrongdoing.”
“(Law enforcement agencies’) primary justification has been, all along, that the information they seek through production orders is not subject to a high expectation of privacy,” said Young.
He explained these production orders are similar to information one might find outside of an envelope – recipient’s name and address, the date and time it was sent out, and the sender – without the content.
However, that analogy does not apply to a digital environment, the Toronto lawyer said.
“It’s a fine analogy to use in the analog world, but it’s not very effective in the digital environment, and traffic data in the digital environment can often tell you a lot more than simply the routing and address information,” said Young.
CAIP shares the lawyer’s view and have presented this concern to the government, according to Elder.
“That type of information, in our view, should not be treated in the same way as a telephone number. A telephone number may reveal to you who you’re contacting but it won’t reveal anything about the content of the transmission. Whereas if you’re looking at a log of Web surfing session and you get a page, you (would) know what was or could have been viewed or interacted by that subscriber,” said Elder.