Monday, April 11, 2011

Canadian police state legislation needs closer examination

I try not to get too opinionated on this blog, but there are some things I feel strongly about. One thing is the ability of people to live their lives (online and off) free of state surveillance and intrusion unless an impartial judge decides that the balance needs to be shifted in favour of the state.

When the recent election was called, a bill fell off the order paper that would remove the impartial judge and put significant surveillance powers it the hands of the state. (In fairness, I have to say that this was originally conceived under the previous Liberal goverment, but is currently part of the Conservative Party's law and order platform that they say will be passed within 100 days if they win a majority (Conservative majority would pass lawful access [laws] within 100 days)). One Bill in particular needs a full airing and thorough debate. It was introduced in the last session and never made it past first reading. This means there was no debate and no scrutiny of any kind.

Here's why Bill C-52 - An Act regulating telecommunications facilities to support investigations needs much closer examination.

Section 16 of the Bill requires all telecommunication service providers to hand over enormous quantities of customer information to the police, CSIS or the competition cops. There is no limit on the amount of information to be provided and is only restricted to "duties" of the cops or intelligence agency.

The provisions, at least as they appeared in Bill C-52, read as follows:

OBLIGATIONS CONCERNING SUBSCRIBER INFORMATION

16. (1) Every telecommunications service provider must provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber’s service and equipment.

(2) A designated person must ensure that he or she makes a request under subsection (1) only in performing, as the case may be, a duty or function

(a) of the Canadian Security Intelligence Service under the Canadian Security Intelligence Service Act;

(b) of a police service, including any related to the enforcement of any laws of Canada, of a province or of a foreign jurisdiction; or

(c) of the Commissioner of Competition under the Competition Act.

(3) The Commissioner of the Royal Canadian Mounted Police, the Director of the Canadian Security Intelligence Service, the Commissioner of Competition and the chief or head of a police service constituted under the laws of a province may designate for the purposes of this section any employee of his or her agency, or a class of such employees, whose duties are related to protecting national security or to law enforcement.

(4) The number of persons designated under subsection (3) in respect of a particular agency may not exceed the greater of five and the number that is equal to five per cent of the total number of employees of that agency.

(5) The Commissioner of the Royal Canadian Mounted Police and the Director of the Canadian Security Intelligence Service may delegate his or her power to designate persons under subsection (3) to, respectively, a member of a prescribed class of senior officers of the Royal Canadian Mounted Police or a member of a prescribed class of senior officials of the Canadian Security Intelligence Service.

17. (1) A police officer may request a telecommunications service provider to provide the officer with the information referred to in subsection 16(1) in the following circumstances:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.

The police officer must inform the telecommunications service provider of his or her name, rank, badge number and the agency in which he or she is employed and state that the request is being made in exceptional circumstances and under the authority of this subsection.

Let me break this down: Any designated police officer or CSIS agent can ask a telecommunications service provider to hand over any of the following information about a customer:

  • name,
  • address,
  • telephone number,
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number,
  • local service provider identifier,
  • international mobile equipment identity number,
  • international mobile subscriber identity number and
  • subscriber identity module card number.

This goes well beyond the usual scenario of when the cops have an IP address of someone suspected of online child exploitation and want the customer name and address information. But the bill doesn't say that if the cops have X info, they can get Y subscriber data. Instead, it just says on request the telco has to hand over the entire laundry list of data on customers. This is without a warrant, without a production order and without any court oversight at all. Unlike wiretap laws where stats have to be released, there is no obligation on the part of the police or the ministers responsible to release information about how these powers are used and under what circumstances. The Privacy Commissioner gets to audit it, but I don't think this saves any of the problems with the Bill.

The Bill contained no limitation on what level of investigation was required. It isn't limited to serious crimes or even trivial crimes. It is not limited to criminal or national security investigations. All that's necessary is that it be connected with the cop's duties. Collecting parking tickets fit within that category.

Think about what this means, given the laundry list of data to be provided with no threshold of probable cause or even a real investigation. The police can scan the airwaves at a protest and identify the IMEIs of the mobile phones in the vicinity. One request to the telcos can get the names and addresses of virtually everyone who was there. I bet the Egyptian authorities would have loved to have done this in Tahrir Square. Next time there's a G-20 protest in Canada, the police can do this, too.

There is no limitation in the statute that would prevent the police from asking for all the above data for any subscribers who connected, for example, to any cell site in a particular neighbourhood at a particular time.

In Canada, we expect that we can generally live our lives free of government surveillance and intrusion, unless an independent judge says that the government interest in crime fighting outweighs our individual right to privacy. This legislation would remove this balance and tips the scales dramatically toward police state powers.

4 comments:

Anonymous said...

But does this really differ much from the U.S. ECPA (18 USC 2709 et al)

Anonymous said...

More signs of a police state coming down the tubes and Canadians have no idea - satiated in their smugness of how great the country is - what's on the horizon. The US has already trashed their constitution - the only thing left is internet freedom and closing that down is on the agenda there too.

RW Halifax, NS

CelineSSauve said...

Wow... Check 2-b again, would you?
"(b) of a police service, including any related to the enforcement of any laws [...] of a foreign jurisdiction"
Way to protect Canadian rights from foreign powers, Harper!

Gizmo said...

I can see this being abuse by the corporate buddies as well. If you are downloading anything...boom...next thing you know you are being targeted by corporate friendly legislation and being sued into poverty.