Is online spying dead? New privacy threats and the case for vigilance
There has been growing concern amongst many members of the pro-privacy community that the government’s new Bill C-55 has risen from the ashes of the costly, invasive, and warrantless online spying Bill C-30 that was formally withdrawn earlier this year.
Well, you can rest-assured that Bill C-55 is not Bill C-30 with a pretty new dress.
To refresh your memory on why Bill C-30 was so strongly opposed, here’s B.C. Civil Liberties Association policy director Micheal Vonn’s short and succinct summary of what was originally proposed in the bill:
C-30 was the government’s proposal to significantly expand the surveillance powers of police and intelligence agencies. For example, the bill would have required telecommunications service providers give police and intelligence agencies certain kinds of information about their customers without a warrant and require telecommunications service providers to in-build surveillance architecture into their systems.
In contrast to these highly invasive measures, Bill C-55 offers considerably less in the way of additional surveillance on Canadians, and, importantly, will make national surveillance laws conform to the Supreme Court surveillance decisions made last year.
The CBC reports that the spying measures proposed in Bill C-55 will only give law enforcement “the right to secretly intercept private communications without a warrant in relatively rare, urgent situations.” Further, the government has assured Canadians that there are strict limits on the types of officials who can use the wiretaps, and the specific types of crimes that can be involved. By contrast, Bill C-30 would have allowed "authorities" to collect your data in any situation without a warrant—not just in emergencies. In addition, both the provincial and federal governments would be required to issue annual reports on the use of such measures—a method of oversight not present in Bill C-30.
So, what’s the big takeaway here? Well, in a nutshell: Bill C-55 is not Bill C-30.
However there are still things to be concerned about in C-55. For example, how are ‘emergencies’ defined, and who has the ability to define them? In addition, the bill limits wiretaps to 90 days, after which anyone who has their communications intercepted should be notified by police. However this period can be extended in 90 day blocks, meaning that warrantless wiretaps could continue without notice for up to three years.
As the B.C. Civil Liberties Association argued this week in a submission to the Parliamentary Standing Committee on Justice and Human Rights, Bill C-55 should be used as a stop-gap measure in emergencies, when there is not time to seek a warrant for interception. But not providing a time limit on this emergency surveillance, C-55 could be used as an alternative form of longterm wiretapping.
Other spying developments requiring vigilance
At the same time as these issues are being debated, other policy developments suggest that the ghosts of Bill C-30 may take on a new life behind closed doors.
As Micheal Vonn again notes, “Ironically, having won such a wonderful democratic victory, we are almost assuredly going to see the arena for such changes now slink out of the public forum and into the realm of the shadows.”
A recent blog post by surveillance expert Christopher Parsons entitled ‘Lawful Access is dead; Long live Lawful Intercept!’ illustrates the backdoor methods through which some policy makers are still quietly pushing internet surveillance.
According to Parsons, Vic Toews’s department, Public Safety Canada, is working with Industry Canada to change the rules for wireless licensing. These changes affect the ‘lawful intercept’ requirements for telecommunication providers—rules that require the service provider to have the ability to access and store communications when provided with a warrant. Changes to these rules will significantly expand “the volume and types of communications that ISPs must be able to intercept and preserve”.
Why is this important? Because as Parsons explains, these changes would make it so that ISPs have the intercept capabilities and data retention facilities that would have been introduced had bills like C-30 passed. Put another way, these Industry Canada changes would build the capacity for surveillance into our ISPs, which is the first step in putting online spying into action.
How will the government slip this past Canadians? Changes to licensing agreements aren’t subject to the same kind of public debate as national laws like Bill C-30. As Vonn notes, this is a way of “doing through the back door what you can’t do through the front door. It’s a way of insulating critical debates about our rights from the Canadian public.”
This continued effort to build in the capacity for mass-spying is doubly worrying because, currently, if law enforcement officials ask an ISP to turn over a user’s data to without a warrant, the ISPs may or may not provide the information at their discretion. In such situations, some ISPs do refuse (e.g. Teksavvy) but some don’t (Google and Twitter recently released stats on the number of government requests for user data they receive, and it’s a lot—so you’d better hope you have a pro-privacy ISP).
While Bills C-30 and C-55 would make such warrantless disclosures of information mandatory, they do contain reporting requirements which would give us an insight into what law enforcement and service providers are doing with our data. By contrast, when ISPs give up user information voluntarily, those users don’t know their information has been turned over to law enforcement.
Another piece of legislation to be mindful of is the now dormant Bill C-12, which may encourage such voluntary disclosure and further weaken oversight. The bill is an amendment to the Personal Information Protection and Electronic Documents Act and is currently lying in wait with Industry Minister Christian Paradis expressing no clear plans to advance the bill. As Ottawa professor Michael Geist points out, “the bill has some serious faults, with no penalties for security breach, no update to the Privacy Commissioner's powers, and provisions that make organizations more likely to disclose personal information without warrant during an investigation.”
If the government is really serious about scrapping online spying, they need to pull back not only on the bill itself, but on all the other little policy changes that together build the spying system. Once the capacity for online spying is put in place, it will be challenging to remove, and it should absolutely not be built in before there is even a law to allow its use.
So is online spying dead?
The current terrain of Canadian spying legislation is complex. Bill C-30 is dead, and that is cause to celebrate. But it’s also important to remain vigilant. Serious questions remain over Bill C-55 and its so-called "emergency" situations, as well as how long authorities can continue to monitor communications after getting approval for intercept. At the same time, Bill C-55 represents an opportunity to limit warrantless wiretaps to emergency situations only. Such a stipulation would prevent future attempts at mass surveillance along the lines of Bill C-30.
On the privacy side, Bill C-12 threatens to further erode the protections we do have. However we have already seen positive steps in a pro-privacy direction, as last week NDP MP Charmaine Borg officially announced her intent to pass a private member’s bill that would force companies to notify Canadians of any release of their private information, and would give the privacy commissioner enforcement powers to prevent non-compliance.
Canadians need guarantees that telecom companies and online service providers will not surrender our private information to authorities without court oversight.