Sunday, February 12, 2012

What lawful access is all about and why it matters

The Canadian federal government is expected to table its latest iteration of "lawful access" legislation in Parliament this week. This is a BIG DEAL.

First, let's set the record straight: Assuming this bill is roughly the same as the last one that fell off the order paper, it will NOT allow warrantless access to the contents of any online communications. The police can't read your email or watch you surf the internet unless they get a warrant. What it does do is require anyone who offers telecommunications services to the public (which would include Microsoft's MSN, Google Talk, Skype, etc.) to build in a backdoor so the police can wiretap it with a warrant. This involves, in many cases, compromising the security of these systems.

But it is expected to set up a system under which the police can get a huge list of non-content personal information without a warrant. And this is very bad.


Ask yourself this:

  • Should the police be able to get access to the names and addresses of anyone who shows up at a G20 protest? An Occupy* protest? A Stanley Cup riot? Parliament Hill? The PM's residence? An abortion clinic? A sketchy part of town? If this bill looks anything like the last, they will be able to on a whim without any judicial oversight. (All they need is an "IMSI Catcher" (here's an example of one meant for law enforcement and one made by some guy for $1500), which grabs the unique identifiers of all the cell phones within range and a request to the relevant telcos to hand over the names and addresses associated with the phones. Heck, they can ask for your e-mail address while they're at it.)
  • Should the police be able to get the name and address of someone who seems to be spending an inordinate amount of time perusing the Criminal Code on the Department of Justice website? They'll be able to do just that.
  • Should the police be able to get your name and address based on your web browsing activities without having to swear before a judge that there is any compelling reason to get it? If this bill looks anything like the last, they will be able to.
  • Should the police be able to get your e-mail address, IP address and phone numbers without any probable cause? Yup, they'll be able to get that too.

The Internet is not quite like the real world. When you go to a library or a book store, you don't have to provide ID or leave a record of what you looked at or that you were even there. When you step into a store in the real world, you don't necessarily leave a trace of what you perused and what you bought (if you paid cash). You can send an anonymous letter to the editor of your local newspaper to voice an unpopular opinion without giving your name or any other identifying information. (They probably will not publish it, but that's beside the point.) But the Internet doesn't work like that.

Every device on the network has an IP address. An IP address can be tied to an individual computer or to a range of computers sitting behind a firewall or a router. Every mobile device, such as a cell phone or a smart phone, has a number of unique identifiers that it chirps out to the network that it's attached to. You can assume that every interaction you have online is being logged in some fashion in connection with that IP address. Many e-mails you send include in their headers the IP address of the computer they were written on.

It's just the nature of how networks work. That IP can perhaps be traced to you, to your household or to your employer. In most cases, where residential internet accounts are concerned, they are connected to the name and address of the account holder. With phones, that identifier is connected to the individual who owns the phone.
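To make the point about e-mail headers concrete, here is an added illustration (not part of the original post) that parses a message and lists the IP addresses its headers carry. The sample message, its addresses (taken from documentation ranges) and the function names are constructed for the example; `X-Originating-IP` is a non-standard header that some webmail services add.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample message; addresses are documentation ranges, not real traffic.
RAW_MESSAGE = """\
Received: from mx.example.net (mx.example.net [198.51.100.25])
\tby inbox.example.org with ESMTP; Sun, 12 Feb 2012 10:02:11 -0500
Received: from [192.168.1.23] (cust-7.isp.example [203.0.113.77])
\tby mx.example.net with ESMTPSA; Sun, 12 Feb 2012 10:02:09 -0500
X-Originating-IP: [203.0.113.77]
From: Alice <alice@example.net>
To: editor@example.org
Subject: Letter to the editor

Please publish this anonymously.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# RFC 1918 and loopback ranges: addresses that only mean something inside a home or office.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def header_ips(raw):
    """Return (header name, ip) pairs in the order the headers appear."""
    msg = email.message_from_string(raw, policy=policy.default)
    found = []
    for name, value in msg.items():
        if name.lower() in ("received", "x-originating-ip"):
            for candidate in IPV4.findall(str(value)):
                try:
                    found.append((name, ipaddress.ip_address(candidate)))
                except ValueError:
                    pass  # matched the pattern but is not a valid address
    return found

def likely_origin(raw):
    """Routable address from the Received hop closest to the sender, or None."""
    received = [ip for name, ip in header_ips(raw) if name.lower() == "received"]
    # Each relay prepends its Received header, so the last one is the oldest hop.
    for ip in reversed(received):
        if not any(ip in net for net in LOCAL_NETS):
            return ip
    return None
```

For the sample message, `likely_origin(RAW_MESSAGE)` returns the address the sender's ISP assigned, which is exactly the identifier a subscriber-information request would be matched against.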

Every mobile phone regularly chirps out its location so that the phone company can route calls to your device. Your phone company always knows where you are (if you have your phone with you and it's on). That chirping is also a transmission of identifying information about your phone, which can be readily intercepted by the police or national security organizations. If your phone can be connected to you personally, it's a beacon about you and under lawful access, it's readily available to them.

In short: Everywhere you go on the internet or with your mobile phone, you leave digital footprints. That's the nature of the modern, networked world. So what protects your privacy when you do anything online? The fact that whoever allocated that IP address or provides your cell phone service has to keep it confidential unless a judge decides that the public interest (or the state interest) overrides your privacy interest. That's why we have a Charter of Rights and Freedoms in Canada and why we have an independent judiciary. There is no absolute anonymity online, but there is effective privacy by obscurity because anyone who can connect your IP address to an individual is bound to keep it confidential unless a judge says otherwise.

However, lawful access takes that important balance away. It would give police forces and national security folks virtually unfettered powers to connect those otherwise anonymous footprints to an actual person (or small group of persons).

Don't get me wrong ... The police should be able to tap phones, track people and search computers, but all with a warrant. The only thing that stands in the way of police over-reaching and the destruction of civil rights is the Charter and independent judges who are called upon every day to decide where to strike the proper balance.

The government has suggested that we shouldn't sweat it, since the information the police would have access to is just like "phone book" information. That's simply not true. Only name and phone number appear in the phone book, which you can opt out of. Lawful access would permit the police to obtain any of the following:

  • name,
  • address,
  • telephone number and
  • electronic mail address,
  • Internet protocol address,
  • mobile identification number,
  • electronic serial number (ESN),
  • local service provider identifier,
  • international mobile equipment identity (IMEI) number,
  • international mobile subscriber identity (IMSI) number and
  • subscriber identity module (SIM) card number that are associated with the subscriber’s service and equipment.

The phone book analogy is completely inappropriate. With a phone book, if you know the name you can get the number. If you know the number, you can get the name. Not a big deal. In this case, the police can have one piece of the above information and demand the ten other pieces of data. And they'd never be asking for it in isolation, but rather because they think they've seen something sketchy and want to connect it to a person.

When lawful access was last before Parliament, it was completely devoid of any measures that could be used to protect against abuses other than a closed recordkeeping requirement and the ability of the privacy commissioner to audit. It did not require any reporting of usage statistics to Parliament, as is the case for most wiretaps. No requirement to notify the subject of the investigation after the fact. No requirement that there be probable cause. No requirement that the requesting officer justify the demand. No requirement that there even be an actual investigation under the Criminal Code. No oversight whatsoever.

Supporters say "think of the children!" Or "we're in a war against terrorism!" The law could have been tailored to only apply to actual lawful investigations of child exploitation or terrorism offenses, but the government did not do that. Instead, they designed a system that could be used to target people who -- shudder -- violate parking by-laws or engage in lawful expression. It seems purpose-built for fishing expeditions.

Some supporters suggest that getting a warrant is too cumbersome and time-consuming. This suggestion is often misleading: if it's an emergency (exigent circumstances), the cops can get this information right away. And every province has a system where warrants can be issued 24/7 over the phone from a duty judge. If it's too inefficient for most routine investigations, get more judges or streamline the process.

This is important and Canadians should educate themselves about it. Here are some great resources:
