Feds introduce bill to require surveillance capabilities at ISPs

As expected, the Government has taken another shot at lawful access legislation today, introducing a legislative package called the Investigative Powers for the 21st Century (IP21C) Act that would require mandated surveillance capabilities at Canadian ISPs, force ISPs to disclose subscriber information such as name and address, and grant the police broad new powers to obtain transmission data and force ISPs to preserve data.  Although I can only go on government releases (here, here), the approach appears to be very similar to the Liberal lawful access bill of 2005 that died on the order paper (my comments on that bill here).  It is pretty much exactly what law enforcement has been demanding and privacy groups have been fearing.  It represents a reneging of a commitment from the previous Public Safety Minister on court oversight and will embed broad new surveillance capabilities in the Canadian Internet.

The lawful access proposal is generally divided among two sets of issues - ISP requirements and new police powers.

1. ISP requirements

There are two key components here. First, ISPs will be required to install surveillance capabilities in their networks. This feels a bit like a surveillance stimulus package, with ISPs making big new investments and the government cost-sharing by compensating for changes to existing networks. The bill again exempts smaller ISPs for three years from these requirements. While that is understandable from a cost perspective, it undermines the claims that this is an effective solution to online crime since it will result in Canadians at big ISPs facing surveillance while would-be criminals seek out smaller ISPs without surveillance capabilities.

Second, the bill requires all ISPs to surrender customer name, address, IP address, and email address information upon request without court oversight.  In taking this approach, Public Safety Minister Peter Van Loan has reneged on the promise of his predecessor and cabinet colleague Stockwell Day, who pledged not to introduce mandated subscriber data disclosure without court oversight.

2. New Police Powers

There are several new police powers that come with the lawful access approach. First, police will be able to obtain transmission data about Internet-based messaging. The government says this does not cover the content of a private communication, but it will cover information about what a person is doing online (what sites they visit, who they communicate with, etc.). This will be subject to a judicial order that will allow for obtaining real time data (a warrant) or historical data (a production order).

Second, police can obtain a preservation order that would require ISPs to preserve (ie. not delete) data related to a particular subscriber or even a specific communication. Third, there is an expansion of the police power to obtain a tracking warrant, by allowing police to "remotely activate existing tracking devices that are found in certain types of technologies such as cell phones." Fourth, the law expands the computer virus provision in the Criminal Code and opens the door to greater international cooperation of cybercrime enforcement.

As for what is not in the lawful access package, there is nothing on data retention, a controversial issue in Europe. It is also not clear what reporting requirements the Government envisions to ensure that there is transparency in the process.

I'll have more to say in the days ahead, but it should be stated that everyone wants to ensure that police have the ability to deal with serious crime.  Lawful access has been on the public agenda for years, with law enforcement has demanded new powers but not providing compelling evidence that the current system has created serious barriers to their investigations.  For example, last year CIRA caved to law enforcement pressure for a backdoor to WHOIS domain name registrant information.  More than a year later, law enforcement has never once used this backdoor.  Given the potential for misuse (Greece, U.S. telcos), the onus should be on law enforcement to demonstrate how the current system has harmed investigations and then we should work on ensuring that there is always - including for customer name and address information - appropriate court oversight.

Michael Geist is a law professor and the Canada Research Chair in Internet and e-commerce law at the University of Ottawa.



Jeffrey L

Jun 20, 2009 at 2:15pm

If this bill passes, we're well on our way to becoming a police state. The whole reason for warrants is so that an investigation cannot start on someone unless there is some sort of suspicion. If the bill passes and say that you don't like your neighbor? Well, call the cops and say he's a terrorist (act it up) and, if they believe you they'll start to track your neighbor. Under the present system those cops would have to go to a judge, who would look at the evidence (your accusation) and then say "there is no reason for a warrant or this investigation, do not proceed or, you will be violating this citizens RIGHT to privacy". I hope that we can still retain our Democracy the way it is and I hope that if this bill passes that this message isn't tracked back to me since it may be looked at by big brother as being "subversive". Or, maybe I thought that had the right to free speech?