Summary of Submissions to the Lawful Access Consultation

Chapter 4: Comments by Industry

Total Number of Written Submissions Received: 19

The number of stars allocated to each item provides an indication of how frequently respondents expressed that opinion or one similar to it. Five stars denotes "very frequently". One star generally indicates a single response on the topic, although it may have been made on behalf of an industry association or group representing a number of organizations. The listing of a given group (or groups) of respondents beside each comment indicates that at least one participant from that group expressed that view or one much like it. Respondents in this section are listed in Annex B.

The abbreviation CSPs is used in this chapter to denote comments by one or more of the following communications service providers or their industry associations:

A. General

  1. The consultation document lacks detail and is too imprecise to allow anything but high-level comments. It does not form the basis for meaningful consultation.
    CSPs, Banks26 *****

  2. Further consultation is called for, including the opportunity to comment on the specific proposals contained in draft legislation and accompanying regulations, prior to introduction in Parliament.
    CSPs, Banks *****

  3. Most service providers27 who responded support lawful access and the ability of Canadian law enforcement and national security agencies to undertake lawful interception of communications in the face of technological change, subject to the protections afforded Canadians under the Canadian Charter of Rights and Freedoms.
    CSPs ****

  4. The interception of unviewed e-mail and similar digital communications traffic in transit should be considered interception of a "private communication" and therefore subject to the protections contained in a Criminal Code Part VI authorization. A search warrant or production order should be required for law enforcement to access opened e-mail that a user has chosen to retain.
    CSPs, IT28 ****

  5. The consultation document failed to show that the current provisions in law are inadequate to allow effective access to data communications services in Canada or that investigations/prosecutions have been unsuccessful due to lack of technical capability.
    CSPs, IT ***

  6. The proposed legislation should impartially balance the maintenance of lawful access capabilities with the need to provide new and innovative telecommunications services in Canada while enhancing the efficiency and competitiveness of the Canadian market.
    CSPs ***

  7. Industry must be fully involved in the design and implementation of the technical standards and requirements which may be mandated by regulation. A government/industry working group may be the best way to handle this task.
    CSPs **

  8. There appears to be no public benefit in proceeding with haste to implement this legislation at the expense of adequate consultation. Technical standards and equipment solutions are unlikely to be available for a number of years and law enforcement representatives have expressed general satisfaction with the positive working relationships they have developed with major carriers and ISPs to date.
    CSPs **

  9. The Council of Europe's Convention on Cybercrime has not been ratified by Parliament in Canada - in fact only two countries that signed the Convention in Budapest in 2001 have ratified it so far. This makes it a weak basis on which to justify increased lawful access.
    CSPs **

  10. WSPs are opposed to any obligation that may cause the elimination of certain services or classes of services, such as pre-paid wireless.
    CSPs **

  11. The consultation document fails to offer balancing measures to protect the public interest and to prevent the misuse of the proposed powers.
    CSPs **

  12. Wireless service providers are currently operating under the Solicitor General's Enforcement Standards which refer to CALEA29 -style wireline telephony interception. WSPs take strong issue with the idea that these same standards should apply to services offered using packet-based switching. The industry is looking for clarification on what will happen to their existing conditions of licence and these standards when the new legislation comes into force.
    CSPs *

  13. The government's position on data retention and treatment of user encrypted data communications is not stated in the consultation document. These issues are too important to be overlooked.
    IT *

B. Requirements to Ensure Intercept Capability

  1. The term "telecommunications facility" is not defined in the consultation document (although it appears several times in the text). Definitions provided in the consultation document differ from those given in the Telecommunications Act. Clear consistent definitions in line with those used internationally are essential to the success of the proposed legislation.
    CSPs ***

  2. The addition of a single piece of new equipment with increased interception capabilities into a network should not trigger a requirement for the service provider to upgrade the whole network in question.
    CSPs ***

  3. The manufacturers of some software-enabled lawful access capabilities require both the installation of the software package concerned and the purchase of a "right to use" (RTU) licence - which can be costly - before certain features can be turned up. Service providers suggest that the proposed legislation require them to maintain the general software capability and to activate particular features involving RTU licences only when a request is received from law enforcement agencies requiring that feature.
    CSPs ***

  4. Canadian banks wish to be assured that their operation of extensive communications networks and related facilities does not qualify them as service providers under the proposed legislation. The same question also arises for a number of private corporations, hotels, universities and government departments.
    Banks, IT ***

  5. Some CSPs stress that when smaller operators (like Internet cafés) offer competing services to the public, they should be designated as service providers under the proposed legislation.
    CSPs ***

  6. Service providers should not be obliged to develop lawful access solutions for services or technologies where no solutions are yet available from vendors, since costs could very well be prohibitive.
    CSPs ***

  7. Service providers should not have to provide lawful access to network systems that they use for provision of services, but which are owned and controlled by others.
    CSPs ***

  8. All service providers competing in the same market should be subject to similar lawful access requirements whether they are facilities-based, re-sellers or third-party providers. At the same time, regulations or standards must be flexible enough to accommodate the different technologies used by the carriers involved.
    CSPs **

  9. Larger service providers should not be responsible for infrastructure or operational assistance for lawful access to private line or wholesale services, which should be the legal and financial responsibility of the end-user service providers.
    CSPs **

  10. Satellite communications service providers are poorly placed to provide useful lawful access and have no wish to incur the costs involved. They act as carriers for other carriers involved in telephony and Internet services. Commonly they own no ground facilities involved in these networks. In their view, surveillance is best carried out at end-user service providers (like ISPs) and ground-based carrier facilities - as has been the case traditionally.
    CSPs *

  11. Where service providers use encryption within their networks, they should be allowed to choose either to provide a key or to deliver unencrypted text when required to do so by law enforcement agencies.
    IT *

  12. "Significant upgrade" should be defined as the replacement of, or substantial modification to, the entire hardware and software platform used by the service provider's core network.
    CSPs *

  13. "Core network" should mean the physical entities that provide support for the network features and telecommunications services - including those that deliver subscriber location information, network control, switching and transmission.
    CSPs *

C. Regulations

  1. Most CSPs agree that it is crucial to know and understand what is required of them by law enforcement.
    CSPs ****

  2. Service providers are opposed to the imposition of uniquely Canadian requirements for lawful access. It is most unlikely that telecommunications equipment manufacturers will develop Internet or wireless intercept-ready solutions especially for the Canadian market. If they do, the solutions will almost certainly be expensive and proprietary.
    CSPs ****

  3. What do "general operational requirements" and "basic intercept capability" mean? Will the existing capabilities being offered to law enforcement agencies meet the standard? What about interface specifications?
    CSPs ***

  4. Technical standards for lawful access should be prepared by industry experts and agreed by industry-government working groups. As long as the required intercept functionality is provided, the network design to achieve this should be up to the service provider.
    CSPs, IT ***

  5. Ultimately, the responsibility for developing compliant equipment should rest with the manufacturers. Any off-the-shelf solutions meeting US legislative requirements should be accepted as compliant in Canada.
    CSPs, IT ***

  6. Some companies have incurred significant personnel and overhead costs in responding to lawful access requests which they have experienced difficulty in recovering. The regulations, or the legislation itself, should make it clear that reasonable compensation is payable for operational assistance (see F2 below).
    CSPs **

  7. Apart from specifying the need for appropriate security clearances, the regulations should not set standards for the competence, reliability and deployment of service provider employees. This should be the responsibility of the employer.
    CSPs **

  8. Lawful access capabilities should be required in all new voice or data services equipment being considered for the Canadian telecommunications market.
    CSPs *

  9. Regulation is a method of implementing law that does not undergo the same level of public scrutiny as a statute.
    IT *

  10. Issues such as distribution of costs, technical and operational standards and duties of a service provider in response to an interception order are far too crucial to the industry to be relegated to regulations instead of the full parliamentary review they deserve.
    CSPs *

D. Forbearance

  1. Clear and consistent forbearance criteria should be established. The process dealing with all forbearance requests should be fair and transparent.
    CSPs ***

  2. Forbearance may create identifiable safe havens for criminals.
    CSPs ***

  3. Some WSPs said that any service provider that is unable to meet the basic minimum intercept requirements should be obliged to seek forbearance. Other WSPs maintained that service providers should be allowed to request forbearance from any requirements that they cannot reasonably be expected to satisfy.
    CSPs **

  4. The industry should be involved in the drafting of administrative guidelines to govern the management of forbearance requests.
    CSPs **

  5. Although forbearance may be needed for the evaluation of experimental services for limited periods, it is not clear that a general forbearance policy is necessary. Interception solutions are available for almost all public telecommunications services currently in use.
    IT *

  6. Any forbearance regime should not competitively disadvantage compliant service providers compared with non-compliant ones.
    CSPs *

E. Compliance Mechanism

  1. ISPs must be provided with clear guidelines and procedures to follow when they are served with a court order.
    CSPs **

  2. Larger service providers suggest that their compliance should be determined based on the results of their regular cooperation with law enforcement and security agencies and that smaller providers be subject to law enforcement-funded inspections carried out by the Solicitor General. Having each law enforcement or national security agency conduct its own inspections would likely be unworkable.
    CSPs **

  3. Some service providers strongly oppose a system involving regular or random inspections to determine compliance or one that calls for service providers to register their compliance, on the grounds of cost. It would also mean more bureaucracy.
    CSPs **

  4. Contempt of court is an adequate deterrent for failure to comply with warrants, production orders, etc. Summary conviction offences may be needed to deal with consistent and unjustified non-compliance with lawful access capability requirements.
    CSPs **

  5. Sanctions should only be imposed if a service provider is unable or unwilling to meet its obligations when served with a properly authorized judicial order.
    CSPs *

  6. Any new compliance regime should be based on the successful model used to track lawful access compliance by Personal Communications Service (PCS) licensees in Canada since 1996.
    CSPs *

F. Costs

  1. Service providers should not have to pay for providing basic intercept capability regardless of how "significant upgrade" and "new service or technology" are defined in the resulting legislation. Until technical solutions are readily available for the transmission equipment used by service providers, that can be deployed and maintained at minimal incremental cost to the service provider, the government should pay for the "basic intercept capability" (however characterized).
    CSPs, IT *****

  2. The legislation should ensure that law enforcement agencies remain responsible for reasonable costs incurred by service providers making available operational assistance to law enforcement agencies in carrying out lawful interception, seizure and preservation orders. These costs should be worked out between each service provider and the agency concerned rather than being based on universal tariffs laid out in the regulations for various types of support. Industry Canada and the Solicitor General, or an independent arbitrator, should mediate any disputes about fees for service between a service provider and a law enforcement agency.
    CSPs, IT *****

  3. Providing lawful access for law enforcement agencies generates significant on-going costs in terms of personnel, training and security requirements, in addition to the specific costs of implementing an interception capability.
    CSPs ****

  4. The costs of making upgrades and keeping new technologies accessible to law enforcement agencies in Canada amount to a government tax on technical innovation by ISPs. If they are not reimbursed by the government, these costs will have to be passed on to consumers, reducing competitiveness and creating a strong disincentive for technological innovation and investment by Canadian ISPs.
    CSPs, IT ***

  5. Care must be taken to ensure that lawful access capability requirements do not create a windfall for telecommunications equipment manufacturers. It is inequitable that service providers are held to cost recovery when providing assistance to law enforcement agencies, while equipment manufacturers are subject to no pricing restraints when selling service providers the equipment and software necessary to provide lawful access capability.
    CSPs ***

  6. Lawful access is carried out in the public interest and should be paid for by Canadian taxpayers at large.
    CSPs ***

  7. In the absence of any argument that CSPs are faced with an unjustified financial burden, the cost of providing lawful access should be borne by industry as a civic duty.
    IT *

  8. The high cost to small service providers of compliance with the proposed interception capabilities and their maintenance could cause these companies serious and irreparable financial harm.
    CSPs *

  9. In the undesirable event that service providers are ultimately compelled by the proposed legislation to cover the costs of lawful access, the legislation should provide that all service providers, including those whose rates are regulated, will be able to recover these additional costs from their customers.
    CSPs *

G. General Production Orders

  1. Service providers should be allowed a reasonable time to respond to a production order depending on the nature of the data, the number of sources to be searched and the facilities available to carry out those searches.
    CSPs **

  2. The definition of "telecommunications associated data" given in the consultation document should be amended by adding the following phrase to its last sentence - "that does not reveal, directly or indirectly, material details of the content of the transmission".
    CSPs *

  3. Legal instruments authorizing access should be an order of a superior court - approval by a justice of the peace is not a sufficient safeguard.
    IT *

  4. Service providers oppose "anticipatory orders" as they appear to oblige a custodian to produce documents that are not yet in its possession and that may be unlikely to come into its possession in the normal course of business.
    CSPs *

  5. Any new legislation should include provisions to protect service providers from criminal and civil liability when complying with the terms of a judicial order. Section 25 of the Criminal Code does not provide adequate protection in all cases.
    CSPs *

  6. The consultation document refers to searches against third party custodians, like banks and companies, where the bank or company does the searching on behalf of law enforcement agencies within an agreed period of time. ISPs want to know how this type of production order might apply to them. They say it is not clear when an IP packet might become a document or at what stage in communicating an e-mail message the ISP might become a custodian.
    CSPs *

  7. The use of the term "document" in a data network context can be confusing and should be clarified. E-mails and e-mail attachments are pretty clearly documents, but what about web pages, instant messages, peer-to-peer traffic, instant relay chat messages and log files?
    IT *

  8. The consultation document suggests that production orders will facilitate seizure of documents stored in a foreign country. It does not examine, however, what happens if the foreign country rejects the order or whether Canada will recognize incoming foreign production orders.
    IT *

  9. If investigatory data is likely to be shared extra-territorially, the legal instrument authorizing the surveillance should be approved by a superior court judge.
    IT *

H. Specific Production Orders for Traffic Data

  1. Internet "telecommunications associated data" can be more privacy invasive than the equivalent telephony data. For example, Internet search engine records can over time reveal intimate personal information. Interception of this type of information should be subject to judicial oversight. Moreover, the definition of "traffic data" should be narrowly constructed - as it appears to be in the Convention on Cybercrime.30
    CSPs, IT ****

  2. All the procedural safeguards currently applicable to intercept orders should be maintained where there is any possibility that the data relates to or provides access to the content of a communication or could be used or manipulated to determine or suggest the content of a communication.
    CSPs ***

  3. Preservation and production orders should apply only to data that is clearly under the control of telecommunications service providers and not to user-managed data, even if resident on the service provider's facilities.
    CSPs **

  4. Some ISPs support the use of a lower standard for the production of telecommunications associated data and CNA information, as is the case in telephony lawful access.
    CSPs *

I. CNA/LSPID Information

  1. There is strong opposition against obliging service providers to collect, maintain or guarantee the accuracy of subscriber information beyond that needed for their own business purposes. The Personal Information Protection and Electronic Documents Act (PIPEDA) limits the collection of unnecessary personal data and its retention for periods beyond normal business requirements. Communications service providers are not an arm of law enforcement and should not be transformed into one by this proposed law.
    CSPs, IT *****

  2. Service providers are also strongly opposed to the creation of any national subscriber database citing privacy and security concerns, as well as the high costs of developing and maintaining database accuracy. They point out that most cybercriminals are quite capable of using false names, hacked accounts or public access terminals to communicate or transact.
    CSPs ****

  3. If it is determined that a service provider customer name and address (CNA) database is required, its operation for law enforcement purposes should be coordinated by a third party independent of both law enforcement and service providers. Each service provider database should contain the name and address data associated with wireline telephone service only.
    CSPs *

J. Assistance Orders

  1. Service providers are highly supportive of assistance orders which spell out clearly and specifically what is required of the service provider.
    CSPs ***

  2. Some larger service providers say they know their networks far better than law enforcement agencies ever will and are therefore keen to offer assistance in the execution of warrants/orders, without the need for legal compulsion.
    CSPs **

K. Data Preservation Orders

  1. Strong opposition was expressed to any data retention obligation due to cost and staffing impacts, as well as substantial technical demands on networks. Reasonable limits should be applied to the amount of data to be captured, stored and delivered under a preservation order.
    CSPs ***

  2. Larger service providers are generally supportive of the introduction of preservation orders into Canadian law as long as they are explicit and unambiguous, narrowly targeted, short in duration and they allow service providers a reasonable time to comply.
    CSPs **

  3. The concept of "exigent circumstances" preservation orders without judicial authorization is also acceptable to larger providers, provided the data is only to be preserved for the time taken to obtain a court order, which should not exceed four days. A fully documented "exigent request" should be provided together with explicit limitation of liability for the service provider.
    CSPs **

  4. The preservation period should not exceed 90 days - as required in the Convention. If prospective isolation, filtering or interception of data is required by law enforcement agencies rather than simple storage of raw data for a limited period, the order should be subject to the highest standard of judicial authorization.
    CSPs **

  5. A G8 report31 says that data preservation does not compel either collection or retention of data - it is essentially a "do not delete" order covering existing data. This assumes that a given ISP is already collecting the data concerned, otherwise there will be no data to preserve. In practice, there is often little business requirement for ISPs to collect or retain traffic data.
    CSPs, IT **

  6. A data preservation order contemplates the issuing of a further order such as a production order or a search warrant at a later time. Law enforcement agencies should be required to demonstrate that they are likely to obtain that subsequent order or warrant successfully, before the preservation order is authorized.
    Banks *

  7. It should be made clear in the legislation that data preserved under a preservation order will only be accessible by the authorized agency for law enforcement or national security purposes. It will not be available to those agencies or other persons or organizations for any other purpose or legal process, such as a civil subpoena.
    CSPs *

  8. Data preservation orders should carry the same judicial standard as a search warrant to ensure that orders are not used trivially by law enforcement agencies.
    CSPs *

L. Virus Dissemination

  1. The legislation should require law enforcement agencies to show that criminal intent existed for an offence to have occurred. This is important for software labs, service providers, common carriers and security specialists whose work demands that they possess viruses for legitimate testing purposes.
    CSPs, IT ***

  2. The legislation should make it clear that service providers will be exempted from any liability if they have no actual knowledge of the existence of the viruses on their networks.
    CSPs, IT ***

M. Interception of E-mail

  1. The key to appropriate lawful access to e-mails32 lies in whether the message has been received (read or viewed) by the intended recipient. If the message has not been received (keyboarded, unsent, not arrived, unopened, etc.) it should be regarded as a "private communication" in transit and subject to lawful access in the same way as wiretaps under section 186 of the Criminal Code.
    ISPs, Telcos, IT, ****

  2. The legislation must make it clear at what stage in the transmission of an e-mail interception or seizure is to take place and how it should be undertaken.
    ISPs **

  3. Users of chat, SMS33 messages and similar services have a reasonable expectation of privacy given the transient nature of the communications. The "private communication" definition should be broadened to explicitly capture these other services as well as e-mails.
    CSPs **

  4. There is less expectation of privacy when it comes to stored material, since it can be viewed and distributed to others. A search warrant or production order should be required for lawful access to stored communications.
    CSPs **

  5. Not all e-mail systems distinguish between "opened" and "unopened" e-mails. So on some systems, for example, it may not be possible to execute warrants requiring seizure of "opened" emails.
    CSPs *

N. Amendments to the Competition Act

  1. There seems to be general support for judicially-authorized access by the Competition Commissioner to hidden records, as well as recourse to assistance and production orders under Criminal Code safeguards.
    CSPs **

O. Other Topics Introduced by Respondents

  1. Some respondents pointed out the challenges involved in balancing the public's basic right to privacy against law enforcement's need to access data that will allow it to carry out criminal investigations effectively and to assure the security of the state. A number of respondents expressed the view that the proposed legislation could well tip that balance in favour of excessive intrusion by law enforcement agencies to an extent that could be difficult to reverse.
    CSPs **