Summary of Submissions to the Lawful Access Consultation

Chapter 6: Comments by Civil Society Groups

TOTAL NUMBER OF WRITTEN SUBMISSIONS RECEIVED: 14

The number of stars allocated to each item provides an indication of how frequently respondents expressed that opinion or one similar to it. Five stars denotes "very frequently". One star generally indicates a single response on the topic, although that response may have been made on behalf of an association or group representing a number of organizations or individuals. Respondents in this section are listed in Annex D.

A. General

  1. The consultation document is unclear about what the Government of Canada is actually proposing. This means that comments by civil society groups must unavoidably be similarly vague. Participants look forward to responding to whatever legislative proposals are brought before a parliamentary committee. *****

  2. The document is also unconvincing on how the legislative proposals would actually help fight organized crime or terrorism. Agencies of the state are likely to have much more access to the private lives of Canadians, but serious criminals and terrorists are unlikely to be careless enough to fall within the scope of the proposed measures. *****

  3. The lack of clarity about evidentiary thresholds, oversight and safeguards makes it impossible to provide an opinion on this proposal. ****

  4. The government's proposals for greater lawful access to private communications have not been demonstrably justified, according to the tests articulated by both the Supreme Court37 and the Privacy Commissioner of Canada38. ****

  5. If evidence is available to justify the proposed measures, it should be made public, so that Canadians can weigh it and thus make informed judgments as to whether the security benefits of the measures outweigh the privacy costs. If such evidence does not exist, the measures should be dropped. *****

  6. Cybercrime, whether or not the problem is real, impending, or imagined is being used as a justification for proposed legislation that is in grave danger of curtailing rights of individuals to privacy. Canada should not ratify the Convention on Cybercrime if to do so would be inconsistent with Canadian values and rights set out in the Canadian Charter of Rights and Freedoms and interpreted by the Supreme Court of Canada. ****

  7. The proposals would effectively establish a lower standard for lawful interception and/or search and seizure in the online context versus the offline context (telephone and postal mail, for example), yet no justification has been provided for this. Criminal Code standards should be designed to apply, regardless of technology. ****

  8. The draft legislation and accompanying regulations should be made available for full and complete public review with sufficient time for interested parties to assess their impact and submit their comments. ***

  9. The consultation document states that the objective of the lawful access proposals is "to maintain lawful access capabilities for law enforcement and national security agencies in the face of new technologies". Instead, the proposals would significantly increase the ability of the agencies to intercept, search and seize electronic communications of individuals and personal information about individuals in electronic form. ***

  10. The purpose of a consultation process is to gain useful feedback from stakeholders and to use that feedback to shape better legislation. The success of such a process requires full and frank disclosure of what the government intends to do. The lawful access consultation process appears not to have proceeded in this manner. ***

  11. The proposal that law enforcement and national security agencies need to "maintain lawful access capabilities" in the face of technological developments should be rejected. Not only would the proposal increase such capabilities beyond their present scope, but section 1 of the Charter requires that restriction of rights must be "demonstrably justified" and that they be consistent with "a free and democratic society". No such need has been empirically demonstrated. ***

  12. Civil society groups would like to see statistics justifying the need for the proposed changes. The case for new powers has not been well-documented. ***

  13. The broad working definition of "service provider" to include universities, colleges and libraries that provide Internet services to the public is a matter of concern. ***

  14. The Internet may be relatively new, but the fundamental values of privacy and civil liberties have not changed. Our rights were won and preserved by the sacrifice of earlier generations, often in the face of threats far greater than anything that exists today. Respect for them, and for the country they have left us, makes it unthinkable that we should surrender these rights now, whether on the pretext of fighting terrorism, or of imitating a bad European or American law. ***

  15. The lawful access related obligations under the Convention go further than the proposals in the consultation document. They include disclosure of crypto keys and new criminal offences relating to child pornography and real-time monitoring of data communications. All such obligations should be the subject of consultation before the Convention becomes law in Canada. **

  16. Our sense of what it is to live in a democracy requires that the state should not interfere with, or restrict the rights, liberty or security of an individual unless there is demonstrable need to do so. Further, where there is compelling evidence of such need, the law or other action of the state should be tailored such that the restriction on, or interference with, individual rights is no greater than is necessary to accomplish the objective of the law or state action. *

  17. Any new legislation should specifically address privacy issues wherever individual privacy is at risk - general references to the Charter and the Personal Information Protection and Electronic Documents Act (PIPEDA) are insufficient. *

  18. The Internet is a widely-used meeting place for the exchange of political, religious and cultural views as well as a personal communications network. These proposals therefore threaten not only Canadians' right of privacy protected by section 8 of the Charter but also the fundamental freedoms of expression and association protected by section 2 and the right to liberty protected by section 7. *

  19. Evidence derived from US law enforcement agencies suggests that technological and administrative impediments - more than legal ones - are the cause of most difficulties experienced in cybercrime investigations and prosecutions. Challenges include insufficient record keeping by CSPs, inability to effect data preservation extraterritorially, inability to crack encryption and a lack of common data sharing protocols. *

  20. If law enforcement has difficulty in dealing with new communications technologies, the solution is not to lower the legal standard for interception or search and seizure; rather it is to provide law enforcement agencies with the technical expertise and equipment they need to deal with the evolving environment. *

  21. Privacy protection for electronic communications should be stronger than that for non-electronic communications, given the unprecedented opportunities available for law enforcement surveillance and intrusion. *

  22. Applications for authorization and actual intercepts executed in Canada have decreased over the past twenty years39. No explanation is offered for this fall and no statistics are provided on frequency of interception authorizations or how many were abandoned for lack of technical capability to implement them. *

  23. The fact that a proposed law may benefit law enforcement agencies does not end the debate about whether the law is constitutional or otherwise desirable. Instead it serves as the beginning of the discussion. *

  24. Oversight of any new powers is required. There should be one oversight mechanism with tight rules and judicial supervision - not a proliferation of processes. *

  25. The tension between privacy and security is not a zero-sum game. Thinking it is, concedes too much to those who assert that law enforcement should be empowered at any cost. A responsive legislature would seek creative solutions that accommodate both the values of security and those of privacy. Only by engaging in strong oversight of law enforcement action will Canada continue to embody the ideals of the Charter. *

B. Requirements to Ensure Intercept Capability

  1. The government has failed to present evidence that this massive surveillance infrastructure is necessary. For example, it is unknown how many investigations have actually been seriously hampered by lack of technical capability. ****

  2. Increased powers are not needed for Internet interception in Canada. Existing laws provide ample authority to investigate criminal use of the Internet when police are able to satisfy a judge that there is probable cause for doing so. ***

  3. If the proposed intercept capabilities are only required "when a significant upgrade is made to their systems or networks", ISPs may be reluctant to upgrade their operations or capabilities. This could limit the introduction of new and improved services and possibly conflict with Canadian telecommunications policy40. ***

  4. Most of the challenges faced by law enforcement and national security agencies in accessing modern telecommunications would be more appropriately addressed in Silicon Valley than in Parliament, Congress or Brussels. **

  5. Canada should be careful to consider how data communications differ from POTS41 and how law enforcement agencies should treat those differences. This area has caused serious difficulties for the US and the Netherlands when drafting lawful access legislation.**

  6. If judges authorize police to monitor private communications, the lack of technical capability should not be such as to frustrate that authorization. *

  7. In addition to presuming communications media neutrality42 with no demonstrated basis for doing so, the consultation document ignores an important corollary - the doctrine of technological neutrality43. *

  8. For intercepted material to be useful, law enforcement agencies need to understand its content. Serious criminals can make this difficult to do by using readily available strong encryption. This means that criminals, terrorists and other minorities who use encryption for all networked communications will be the only ones who enjoy guaranteed privacy online. *

  9. Are private sector service providers agents of the state? Is information collected by CSPs subject to the unreasonable search and seizure provisions of the Charter? Neither of these questions is addressed in the consultation document. *

C. Forbearance

  1. The circumstances under which a forbearance order may be justified should be stated, as well as the criteria that will be used to evaluate when, and for how long, such orders will be valid. Any rules or standards dealing with forbearance power should be clear and transparent. *

  2. Lawful access requirements are particularly onerous for small ISPs and non-profit organizations providing Internet services to their members. Forbearance proposals are not comforting as they may be discontinued in the future. *

D. Costs

  1. The proposals require Canadians or their CSPs to pay for the surveillance. This is wrong in principle and impracticable in operation. *

  2. The federal government should provide financial support for Canada's ISPs that need to install additional technical facilities to meet the requirements for data preservation. *

  3. The increased costs of providing interception capacity and support would severely impact regional freenet service providers which depend on volunteer effort and donations to keep going. *

E. General production Orders

  1. The job of ISPs is to provide services for their customers. This should not include monitoring them for the purposes of the state. Production orders must not be used to circumvent the high thresholds that would be required if the law enforcement agency were carrying out the search or interception itself. ***

  2. The Criminal Code should be amended to include a provision for a general production order. This order, however, should only be used for facilitating access to information from CSPs. *

  3. There is opposition to the creation of general production orders without clear evidence being presented showing how existing warrant powers are insufficient. If general production orders are nevertheless created, they should be subject to the same procedural safeguards as search warrants (or interception, where appropriate). *

  4. For all intents and purposes, production orders are warrants and must be subject to all the thresholds and protections contained in Part XV of the Criminal Code and established jurisprudence. The federal government provides no information to show why a widening of such powers is necessary, or why the present search warrant combined with an assistance order is inadequate. *

  5. In the same way, it is hard to see how anticipatory orders would require a different standard than that in use at present for search and seizure or interception of communications. *

  6. Since law enforcement agencies can use other means to obtain this type of electronic information and, in the event of exigent circumstances, the courts can assist with a court order, it seems unnecessary to give further consideration to the proposed changes. *

  7. All interception and/or search and seizure of electronic communications should require judicial approval, should identify a specific target, should identify specific information to be intercepted/ seized and should have a specific rationale and justification for the interception or seizure. All orders issued should be time-limited. *

  8. General production orders, if enacted, should require terms safeguarding the confidentiality and security of the information gathered for production. *

  9. Today's search and seizure legislation requires the subject of a search or interception to be notified after the fact. Any production order standard should incorporate the same requirement. *

  10. A general production order should not be a stand-alone order. It should only be issued if a search warrant or authorization to intercept has already been approved. *

  11. The routine use of advanced communications services by the public has led to the perception that these communications are private and not open to examination by law enforcement agencies unless reasonable grounds have arisen. The courts should be the ultimate arbiter of the standard of proof required to protect the privacy of the individual. *

  12. A Canadian search warrant by itself cannot be executed outside Canada to obtain documents that are not within the country. Mutual legal assistance procedures are needed to secure offshore documents. Production orders would effectively circumvent this procedure and the protections it provides for those within and outside Canada. *

  13. A production order should not be available to compel suspects to participate in an investigation against themselves through the production of information. Such an order would very likely contravene Charter guarantees against self-incrimination. *

F. Specific Production Orders for Traffic data

  1. The government is strongly urged to reject any legislation that would allow law enforcement agencies to obtain traffic data under a reduced standard. The proposal portrays traffic data as having little privacy value, arguing that it should be subject to the same reduced standard that applies to Dialled Number Recorders (DNR). Traffic data reveals substantially more about individual activity than DNR information. **

  2. Since it seems that law enforcement investigatory tools cannot reliably separate content and traffic data, both types of data should be provided the same level of constitutional protection. **

  3. If privacy of the individual is to be protected, we cannot afford to wait to vindicate it only after it has been violated. This is inherent in the notion of being secure against unreasonable searches and seizures44. **

  4. The existing provisions for collection of telephone-related information in section 492.2 of the Criminal Code should be amended to include traffic data, rather than creating a specific production order for this purpose. Traffic data should be limited to Internet addresses, e-mail addresses and routing information. *

  5. Jurisprudence has seen the collection of DNR data without judicial approval ruled as both contravening Part VI of the Criminal Code and not doing so. This shows that DNR lies in the grey zone and that orders to collect traffic data should always require judicial oversight. *

G. CNA/LSPID Information

  1. The creation of a national database of any personal information - even limited to CNA information - raises the potential for misuse and should therefore be avoided. It amounts to collection by the state of personal information prior to the commission of an offence or the likelihood of an offence taking place. ****

  2. The consultation document fails to provide satisfactory evidence that law enforcement agencies are experiencing pressing difficulties that would justify either the specific production order for customer name and address and local service provider identification (CNA/LSPID) information or the establishment of a national database of subscriber information. ***

  3. The following Canadian Radio-television and Telecommunications Commission (CRTC) test for LSPID disclosure by Bell Canada is appropriate and should be adopted for other Canadian CSPs45 :

    A law enforcement agency must show its authority to obtain the information and indicate that:

    • It has reasonable grounds to suspect that the information relates to national security, the defence of Canada, or the conduct of international affairs.
    • The disclosure is requested for the purpose of administering or enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing or administering any such law; or
    • It needs the information because of an emergency that threatens the life, health or security of an individual, or the law enforcement agency otherwise needs the information to fulfill its obligations to ensure the safety and security of individuals or property.
      ***

  4. Just because some CNA information is available in directories, does not mean that law enforcement agencies should be granted unimpeded access to CNA information about subscribers who choose to protect their privacy. These individuals have a high expectation of privacy. ***

  5. Internet address information should certainly not be accorded a lower standard of access given that the ability to link such information to identified individuals would permit the collection of a vast amount of personal information. ***

  6. CSPs should not be obliged to collect subscriber information that they do not already collect in the normal course of their business. This proposed obligation would likely impact most service providers and retailers selling prepaid and other anonymous telephone cards and phones. As noted by the Privacy Commissioner of Canada46, this would be a gross invasion of privacy and present significant opportunities for data leakage or loss (and subsequent threats, such as identity theft). ***

  7. A judicial order should be necessary to authorize law enforcement and national security agencies to obtain information about a subscriber or his/her service provider when carrying out an investigation in relation to the individual concerned. **

  8. We should not impose any higher burden on or afford any lesser protection to service providers, retailers and end-users just because they wish to avail themselves of technological solutions as an alternative to Canada Post. *

  9. National databases create a single point of vulnerability for those interested in unauthorized access to valuable personal information. A database of this kind would also constitute a blatant contravention of the Privacy Act - notably sections 4, 5 and 7.47 *

H. Data Preservation Orders

  1. Preservation orders do not exist at present in Canadian law. No data has been provided to justify the creation of this new order, which amounts to a limited form of data retention - except the provisions of the Convention on Cybercrime. The proposal to create preservation orders should not be adopted without clear justification. *****

  2. This order is a step towards the longer-term data retention scheme adopted in other jurisdictions (such as the UK). It could be used as a "back door" method of obtaining judicial authorization for access, circumventing the higher thresholds which would apply for standard warrants. In any case, this order would represent an expansion, rather than the maintaining of existing lawful access capabilities and should be rejected on that basis alone. ***

  3. In the event that preservation orders become law, they should be time-limited, require protection of the confidentiality and security of the preserved data and prohibit the disclosure of the data until a judicial order for production is obtained. ***

I. Virus Dissemination

  1. The legitimate activities of individuals and companies, which possess viruses for analytical research, design, educational or anti-virus purposes, should not be prohibited. Equally, a person found to have an undetected virus or other device residing in their computer without their knowledge should not be found guilty of an offence. **

  2. Prohibition against viruses, as contemplated by the government, is generally supported. Care must be taken, however, to appropriately define a virus as distinct from a non-deployed or contingent virus. *

J. Interception of E-Mail

  1. E-mail should receive the same treatment by the Canadian government as first-class mail, affording it the same protection as any other private communication. Thus the statutory and common law rules of evidence would apply equally to e-mail as to postal mail. *****

  2. The Criminal Code should be amended to clarify that e-mail, at least while in transit, constitutes a "private communication" under section 183. It would then be subject to the same procedural safeguards as all other interceptions under this provision. ***

  3. The Criminal Code should define clearly when an e-mail ceases to be a communication subject to interception and when it becomes a document subject to search and seizure.48 **

  4. Canadians have a similar reasonable expectation of privacy when using e-mail as they do with other forms of communication. The legal treatment of e-mail should not be determined by technological capability but rather by our values as a society. If we wish to communicate privately by e-mail we should construct our laws to make it so. *

  5. Non-profit ISPs run by community associations that offer confidential e-mail lists to enable lawyers to consult with community advocates on difficult cases, law reform issues and other sensitive matters are concerned that the proposed legislation may violate the privacy of advocates and others using this service. *

  6. Although ISPs are private companies, they should be subject to state-imposed regulation because they are responsible for the essential service of e-mail delivery. *

K. Other Topics Introduced by Respondents

Extraterritorial Issues

  1. Cooperation with other states and transmission of intercepted and seized data under mutual legal assistance treaties raises serious sovereignty issues, as well as the potential for jeopardizing Charter-protected rights. Dual criminality is a particular issue and Canada must protect its citizens according to Canadian law. *

  2. There are serious concerns that Canadians may risk becoming subject to non-Canadian laws based on a cooperation request from another jurisdiction. Canadian law enforcement officials should only enforce Canadian laws and not assist in the enforcement of foreign laws that are substantially different. *