Tuesday, February 21, 2012

Some suggestions to fix the lawful access bill

There are many, many problems with the warrantless access to customer data in Bill C-30, known as the lawful access bill. The main problem pointed to by the proponents of the Bill is that it takes too long to get a warrant that requires an internet service provider to hand over customer name and address information that corresponds with an IP address. If that is really the problem they are trying to address, it would be best to address it by making the warrant-seeking process more efficient and limit warrantless requests to circumstances where there is a real emergency.

Since the government has suggested it is open to amending the Bill, it doesn’t sound like they are amenable to throwing it out and fixing the warrant process. In hopes of adding to the discussion on what’s wrong with the Bill and how it can be fixed, below I’ve set out some of the major problems and how they can be fixed in a way that restores the protection of privacy while permitting law enforcement to investigate serious crimes.

I don’t expect these are the only solutions, but will hopefully start a discussion on how to fix lawful access.

  1. There is no limitation on the circumstances under what these powers can be used.

    Problem: As drafted, there is no limitation under which these powers can be used. They can be used for child exploitation investigations or serious crime, but can also be used without any justification or to reunite someone with their lost iPhone.

    Solution: Limit the use of these powers to (a) the investigation of serious crimes only under the Criminal Code, the Narcotics Control Act, the Canadian Security Intelligence Service Act and the National Defence Act where there are reasonable and probable grounds to believe that the information is necessary for the investigation of a crime that has occurred or is likely to occur, or (b) where the subscriber about whom the information relates is reasonably believed to be a victim of the crime or whose life or safety is in imminent jeopardy, and the victim’s identity is unknown.

    (If lost iPhones are a serious problem that require police intervention, require the police to hand them them to the telco and require the telcos to reunite them with their heartbroken owners.)

  2. There is no accountability to the justice system.

    Problem: The requesting officer is not required to justify the request and to be accountable to the wider justice system. Under a warrants-based system, an affidavit is required and it needs to be filed with the courts.

    Solution: Require that the requesting officer swear an affidavit, under oath, articulating the circumstances described above and the basis for this belief. The affidavit shall be filed with the superior court of the relevant jurisdiction. This affidavit can be filed after the fact in exigent circumstances. This affidavit should be counter-signed by an officer of superior rank to the requesting officer or a senior crown attorney, who will also swear that she is of the view that the facts set out by the officer form the basis for a lawful request.

  3. There is no accountability to the individual if charges do not result.

    Problem: The individual whose information is sought will likely never know that this information was sought and obtained unless it comes out in open court after charges have been laid. In the current draft C-30, there is actually a gag order that prevents the ISP from telling the individual even if asked.

    Solution: The affidavit referred to above shall be provided to the individual whose information is sought within six months unless a judge agrees, based on affidavit evidence provided by the relevant law enforcement officer, that doing so would be harmful to an ongoing criminal or national security investigation. An individual whose information is wrongfully sought or obtained should have a private right of action against the officer and the officer’s employer if there were not reasonable grounds to seek the information.

  4. There is no accountability to the public at large.

    Problem: The Bill, as currently drafted, doesn’t give the public at large any understanding of how the intrusive powers are used and under what circumstances.

    Solution: The Minister of Justice or the Minister of Public Safety shall table an annual report before Parliament setting out the number of such requests, including the requesting police agency, the criminal code section or other violation being investigated, whether charges were laid against the individual and whether a conviction resulted. This is in addition to the ability of the federal and provincial privacy commissioners to audit the practices of the agencies within their jurisdiction, except that summary results of their audits shall be tabled in Parliament annually. (Additional funding to each privacy commissioner should be provided to defray the costs of such audits.)

I'd be happy to hear any other proposed solutions ...


Anonymous said...

1. Schedule 2 excludes restaurants, hotels, and other business who provide internet access but whose primary business is not a formal ISP-for-money (as defined in the analogous US law). What is not excluded is corporate IT departments, who are TSP's under this Bill. That is unacceptable and will cause companies to move out of Canada.

2. Minister can appoint any person or class of persons S.34 to enforce the Act. These persons have the right to take copies of any file/document present in the TSP facility. This is also unacceptable and must be struck. With #1, it compromises corporate NDA relationships with their customers especially because there is no obligation of secrecy by these unknown classes of persons on what will be done with the information.

Laurel L. Russwurm said...

Is Bill C-30 fixable?

The real problem is that there has been absolutely no credible justification for needing any legislation of this kind.

saltorio said...

I agree with Laurel L. Russwurm. I have yet to see a credible reason why any part of this legislation is required, beyond the police finding it to be too much of a hassle to get a warrant (which itself is not a valid reason... warrants aren't supposed to be easy to obtain).

Anonymous said...

All the legal firewalls in the world will not prevent a dedicated skilled hacker from accessing streams of personal information being stored on the proposed spy network.

privacylawyer said...

I agree with that, though this post has just focused on the warrantless access to customer data. The intercept capability is another issue entirely!

Anonymous said...

afaik, warrants have been introduced since in old times there was abuse with warrantless actions.
repeating/reintroducing the same old stupid mistake is just alzheimer-ish.

Sharon said...

1. Restricting the discussion to emails, texts, browsing history, and search parameters is shortsighted since virtually (no pun intended) all communications are now digitized and traverse cyberspace. So the warrantless access will be to everything including personal phone calls from your home and cell phone, the applications and payments you submit online, your medical and prescription details, and everything else that's entrusted to the web.

It also includes individual politicians' and police officers' conversations, including those with constituents and confidential informants. I imagine that the Canadian Chiefs of Police and individual cops and politicians might be surprised to realize this law will make their communications as accessible as the rest of us, and that they, their families, and their colleagues will then also be in jeopardy along with the rest of us. That makes the retained communications an even more attractive target for the "bad guys" to go after -- and that puts the cops' very lives in danger. Do you suppose Minister Toews has considered that unintended consequence?!?

2. ISPs, Google, and most other major Canadian and US players already cooperate with law enforcement and routinely provide whatever is asked of them, often without any warrant. While they post privacy policies about how they will treat consumer information, their policies about cooperating with law enforcement are difficult (often impossible) to find. Divulging everything from IP addresses and subscriber information to preserving and providing the data **requested** by law enforcement is permitted under Canadian privacy laws, which do not require reporting or oversight. According to Canadian lawyer Michael Geist, "The RCMP alone made more than 28,000 requests for customer names and addresses in 2010. These requests go unreported as subscribers don’t know their information has been disclosed and the Internet providers and telecom companies aren’t talking either."

TK said...

I agree with Anonymous, section 34 specifically states that an "inspector" - i.e. anyone appointed by the Minister - can be empowered to enforce the Act. Outrageous. I don't think this bill can be fixed either. It must be repealed.

Paul Lewis said...

The whole thing seems redundant given the mechanisms already available, and that this is at best a "low hanging fruit" measure - i.e. it may capture data on those miscreants too stupid to use anonymisation technology.

Talking of which it also raises issues that I think need thought from a technical perpective - e.g. what about "tor" (onion routing for privacy - important if your are in China for instance) - suppose your exit node is in Canada - now there is an increased risk of linkability, in the worst case if the data is in the wrong hands your life may be endangered. Also as a host of an exit router all the traffic passing through may now be more linkable to you (rather than the originator) so your personal risk is increased - I think these type of issues need more careful thought and technical consideration.

Anonymous said...


Canada, Britain & U.S. Government want to Spy On Its Citizens’/ Electronic Communications?
The Canadian (Commons recent Bill C-30) would—give any Canadian police officer without a warrant—the power to request Internet service providers turn over customer information (see section 17 of C-30) cause the same loss of electronic privacy and civil liberties that British Government recently proposed—to spy on Brits’ electronic communications. Is it coincidence the British and Canadian proposals appear to mirror legislation U.S. Government said it wanted passed in 2011 to spy on U.S. Citizens?

Overlooked by mainstream media is that Britain and Canada signed with the U.S Government an array of (Asset Forfeiture Sharing Agreements) to share with Canadian and British Police/Governments assets seized from Brits, Canadians and Americans that resulted from e.g., evidence or information gleaned from electronic surveillance of Citizens’ communications, e.g., emails, faxes, Internet actively, phone records.

U.S. Government wants the power (without a warrant) to introduce as evidence in criminal prosecutions and government civil trials, any phone call record, email or Internet activity. Police can take out of context any innocent—hastily written email, fax or phone call record to allege a crime or violation was committed to cause a person’s arrest, fines and or civil asset forfeiture of their property. There are more than 350 laws/violations that can subject property to Government forfeiture, which requires only a civil preponderance of evidence.