Summary of Submissions to the Lawful Access Consultation
Chapter 2: Response Overview
2.1 Law Enforcement
Police services expressed strong support overall for the proposals.
The ability of police to lawfully access telecommunications services has not kept up with the advances in communications technology. This gap is creating a safe zone where criminals can communicate free from fear of detection. It must be technically possible for police to lawfully intercept all telecommunications services offered in Canada without exception.
Communications Service Providers (CSPs)11 should pay for installing lawful access capability on new or significantly upgraded services. The government should specifically prohibit CSPs from directly or indirectly recovering infrastructure costs from law enforcement agencies through any cost recovery scheme, such as burying them in operational or hook-up charges.
In principle, CSPs should be able to recover reasonable costs of providing operational assistance to law enforcement. These costs should be distributed over a broad base (like the existing 911 fee) rather than being recovered from individual police services. However, CSPs must not be permitted to impose fees or other charges as a condition of compliance with a judicial order.
A compliance mechanism that is independent of government should be established in order to determine conformity with the legislation.
Forbearance of interception capability and capacity should be the exception rather than the rule. CSPs should be required to submit an implementation plan with each forbearance application, with quarterly reporting, showing in detail how full compliance with the legislation will be achieved.
Significant fines should be imposed on CSPs for non-compliance with mandatory capability requirements. With law enforcement and service providers working together in a cooperative partnership, the vast majority of difficulties will be worked out. Only the most severe and blatant contraventions of the capability and capacity standards set out in the proposed legislation would result in enforcement action.
Lawful interception of private communications by police in Canada must continue to be subject to prior court approval.
CNA and LSPID12 is not personal information and law enforcement agencies should not need a judicial authorization to obtain it. A statutory provision should be created requiring CSPs to provide law enforcement and national security agencies with CNA and LSPID information. If this is rejected on privacy grounds, a production order with a nominal procedural threshold should be considered instead.
To help combat increasing international crime, Canadian lawful access powers need to be harmonized with those available in other countries. Australia, the Netherlands, New Zealand, the United Kingdom and the United States are ahead of Canada in adopting lawful access legislation in line with today's technology.
2.2 Industry
Most CSPs who responded were supportive of the need for effective lawful access in the face of technological change13.
The consultation document lacks detail and is too imprecise to allow anything but high-level comments. Further consultation is called for, including the opportunity to comment on the specific proposals contained in draft legislation and accompanying regulations, prior to their introduction in Parliament.
The interception of unviewed e-mail and similar digital communications traffic in transit should be considered interception of a "private communication" and therefore subject to the protections contained in a Criminal Code Part VI authorization. A search warrant or production order should be required for law enforcement to access opened e-mail that a user has chosen to retain.
The circumstances under which a forbearance order may be justified should be stated, as well as the criteria that will be used to evaluate when, and for how long, such orders will be valid. Any rules or standards dealing with the forbearance power should be clear and transparent.
The legislation should ensure that law enforcement agencies remain responsible for reasonable costs incurred by service providers making operational assistance available to law enforcement agencies in carrying out lawful interception, seizure and preservation orders. These costs should be worked out between each service provider and the agency concerned rather than being based on universal tariffs laid out in the regulations for various types of support. Industry Canada and the Solicitor General, or an independent arbitrator, should mediate any disputes about fees for service between a CSP and a law enforcement agency.
Definitions provided in the consultation document differ from those given in the Telecommunications Act. Some important terms such as "basic intercept capability" are not defined. Clear consistent definitions in line with those used internationally are essential to the success of the proposed legislation.
The government should pay for the "basic intercept capability" until lawful access solutions are readily available for the transmission equipment used by service providers that can be deployed and maintained at minimal incremental cost to the service provider. This is regardless of how "significant upgrade" and "new service or technology" are defined in the resulting legislation.
The consultation document failed to show that the current provisions in law are inadequate to allow effective access to data communications services in Canada or that investigations or prosecutions have been unsuccessful due to lack of technical capability.
There is strong opposition against obliging service providers to collect, maintain or guarantee the accuracy of subscriber information beyond that needed for their own business purposes.
CSPs are also strongly opposed to the creation of a national CNA/LSPID database, citing privacy and security concerns as well as the high costs of developing and maintaining such a database. They point out that most cybercriminals are quite capable of using false names, hacked accounts or public access terminals to communicate or transact.
2.3 Privacy and Information Commissoners
The consultation document does not demonstrate why the proposed measures are necessary.
New technologies and communications services may well pose a challenge to existing interception methods and require CSPs to provide law enforcement agencies with basic interception and surveillance capabilities to achieve lawful access to them.
The proposed measures go far beyond what is necessary to maintain existing capabilities and authorities in the face of modern communications technology.
E-mails should not be subject to a lower standard of protection than telephone calls or letters. In the same way, Internet browsing should not be afforded less protection than book purchasing or researching in a reference library.
Canadians are entitled to feel confident that their communications and on-line activities will not be arbitrarily intercepted or scrutinized.
If the Convention on Cybercrime calls for unjustifiable intrusion on the privacy rights of Canadians which is inconsistent with our values and rights, the Convention should not be ratified by the Canadian government.
The government should continue to resist any suggestions that general data retention requirements be part of the lawful access initiative.
A national database for CNA/LSPID information should not be created. There is no need to change the current law and practice concerning access to this information.
An obligation on those selling pre-paid cellphones or phone cards to collect people's sensitive information such as driver's license and credit card numbers before making the sale would be a gross invasion of privacy.
Nowhere does the consultation document indicate that accountability measures are being contemplated.
2.4 Civil Society Groups
The consultation document is unclear about the government of Canada's proposals.
The draft legislation and accompanying regulations should be made available for full and complete public review with sufficient time for interested parties to assess their impact and submit comments.
The document is unconvincing on how the proposals would actually help fight organized crime or terrorism. The government will no doubt have more access to the private lives of Canadians, but serious criminals and terrorists are unlikely to be careless enough to fall within the scope of the proposed measures.
If evidence is available to justify the proposed legislative amendments, it should be made public so that it can be seen whether the security benefits outweigh the privacy costs. If such evidence does not exist, the measures should be dropped.
The proposals would establish a lower standard for lawful interception and/or search and seizure of online communications versus telephone and postal mail, for example. No justification has been provided for this. Criminal Code standards should be designed to apply regardless of technology.
Any new legislation should specifically address privacy issues wherever individual privacy is at risk. General references to the Canadian Charter of Rights and Freedoms (the Charter) and the Personal Information Protection and Electronic Documents Act (PIPEDA) are insufficient.
The government has failed to present evidence that this massive surveillance infrastructure is necessary. For example, it is unknown how many investigations have actually been seriously hampered by lack of technical capability.
If law enforcement agencies have difficulty in dealing with new communications technologies, the solution is not to lower legal standards for interception, but to provide law enforcement agencies with the technical expertise and equipment they need to deal with the evolving environment.
The proposals require customers or their CSPs to pay for the surveillance. This is wrong in principle and impracticable in operation.
The job of ISPs is to provide services for their customers. This should not include monitoring those customers for the purposes of the state. Production orders must not be used to circumvent the high thresholds that would be required if law enforcement agencies were carrying out the search or interception themselves.
2.5 General Public
The opportunity to comment on these proposals is much appreciated.
It is not clear what benefit is to be gained from the proposed legislative changes that does not already exist in the law today.
It is a matter of serious concern when international treaties such as the Convention on Cybercrime are signed without democratic consultation and then presented to the public as though it is essential that they be ratified.
The consultation document fails to show how the Internet has
"created difficulties for investigators"
. Also, in the case of the Internet, the"need for sophisticated equipment"
seems to boil down to packet sniffers which are widely used by ISPs and available for a few thousand dollars each.No case is made in the consultation document that Canadians deserve less privacy when using digital communication rather than analog electronics, or indeed when they use electronics rather than pen and ink.
Data encryption is widely used by criminals and terrorists when communicating over private and public networks including the Internet. Encryption techniques are often not detectable, not interceptable and can render law enforcement and CSP interception technology ineffective.
Should a law enforcement agency require assistance from a service provider that is beyond the normal cost of doing business for that provider, then the agency should pay the cost of the assistance. Such costs should not be the responsibility of the service provider nor should they be passed on to the end client.
No CSP should be an information collection agency on behalf of the Canadian government. If the government wants and needs information, it should be responsible for retrieving, collecting and storing it. The CSP should only be obliged to provide the facilities when there is a lawful order to do so.
Another national database of personal records is completely unnecessary. There is no national registry of telephone users or postal mail users - there should not be one for Internet users. A national database of this kind would also be a dangerous accumulation. Can bureaucrats guarantee that this highly sensitive database would never be successfully hacked?
E-mails should require a court order for interception regardless of the point of interception.
- Date modified: