Summary of Submissions to the Lawful Access Consultation

Chapter 7: Comments by the General Public49

Total Number of Written Submissions Received: 219

Where possible the language used in submissions from the general public has been retained to provide the reader with an authentic sense of the comments received.

The number of stars allocated to each item provides an indication of how frequently respondents expressed that opinion or one similar to it. Five stars denotes "very frequently". One star generally indicates a single response on the topic.

A. General

  1. The opportunity to comment on these proposals is much appreciated. *****

  2. It is not clear that the proposals would contribute in any meaningful way to combating crime or terrorism. No solid case has been made to show how access to an individual's online activities can contribute to those objectives either. ****

  3. The costs are high, the risks are high and it is not clear what benefit is to be gained from the proposed legislative changes that does not already exist in the law today. ***

  4. An outside observer may wonder whether reference in the consultation document to the Convention on Cybercrime is more a rhetorical prop than a guiding justification for the proposals introduced. ***

  5. It is a matter of serious concern when international treaties such as the Convention are signed without democratic consultation and then presented to the public as though it is essential that they be ratified. **

  6. The consultation document fails to show how the Internet has "created difficulties for investigators". Also, in the case of the Internet, the "need for sophisticated equipment" seems to boil down to packet sniffers which are widely used by ISPs and available for a few thousand dollars. *

  7. When the Privacy Commissioner of Canada condemns proposals, they should immediately be withdrawn. *

  8. This proposed update to the law is a bad example of the government overstepping the Canadian Charter of Rights and Freedoms "in order to protect the people". We do not need to be protected like this. It would be better to live in fear than have rights and freedoms taken away by those (the government) who are supposed to be protecting them. *

  9. No case is made in the consultation document that Canadians deserve less privacy when using digital communication rather than analog electronics, or indeed when they use electronics rather than pen and ink. *

  10. The privacy and security of the online individual is at much greater risk from other online criminal activity such as identity theft and database break-ins, and inappropriate service provider conduct, than from any other source. *

  11. The definition of "service provider" should be refined, so that home networks are excluded, for example. *

B. Requirements to Ensure Intercept Capability

  1. The consultation document claims that ISPs currently do not have the means to allow law enforcement to attach interception equipment. This is false. Virtually all network traffic can be intercepted right now with the right equipment. ***

  2. Data encryption is widely used by criminals and terrorists when communicating over private and public networks including the Internet. Encryption techniques are often not detectable, not interceptable and can render law enforcement and ISP interception technology ineffective. ***

  3. Anonymous Internet browsing is feasible and endorsed by the World Wide Web Consortium (W3C), the Internet Engineering Task Force (IETF), the Third Generation Partnership Project (3GPP) and other standards-related organizations. Anonymizer clouds on the Internet can also render interception technology useless. ***

  4. If the access requirements placed on first level ISPs are too onerous, they will prevent the development of small providers in rural areas and could drive all small ISPs out of business. ***

  5. Purposely opening a security hole for law enforcement access in an ISP network is very hard to justify. Suppose it were hacked and data stolen or identity fraud takes place. Who would be liable? Server logs should be plenty good enough for tracking down wrong doings. **

  6. The expectation that each ISP be appropriately equipped with the capability to provide a non-specific suite of statistical, interception and log information on a suspect is entirely too open-ended and quite likely too costly for implementation. It would be more practical to have ISPs cooperate with investigative agencies on methods to attach interception, seizure and logging equipment to the service in question. *

  7. No legislation should be introduced that enforces a formal system of data interception points throughout Canada's communications infrastructure. Such a system is prone to abuse - especially where packet and cell-switched networks are involved. *

  8. It is reasonable to allow the same or equivalent interception capabilities on the Internet that are presently available for regular mail and the telephone service. No more, no less. *

  9. Some practical capability solutions:

    1. Ensure all Internet e-mail is intercepted/interceptable by the state and (where needed) recorded.

    2. Set up a system for obtaining court orders for either the surrender of encryption keys or the installation of keyboard sniffers.

    3. Make sure that national security agencies that intercept and (attempt to) decrypt traffic without the knowledge of the sender/receiver are tightly controlled by the courts and a truly independent watchdog.

C. Forbearance

  1. It is completely unnecessary to identify CSPs specifically who are exempt from compliance50. The procedural laws governing lawful search and intercept should account for this. Exceptions should be granted or not by the judge evaluating an order. *

D. Costs

  1. Should a law enforcement agency require assistance from a CSP that is beyond the normal cost of doing business for that provider, then the agency should pay the cost of the assistance. Such costs should not be the responsibility of the service provider nor should they be passed on to the CSP's end client. ***

  2. Costs incurred by agencies carrying out interception and monitoring online and on other parts of the network should be reported annually to Parliament and made available to the Canadian public. *

  3. Because of the potentially random, unpredictable nature of law enforcement investigations, the cost and tools associated with police seizure or interception should be borne by the law enforcement agency - not the service provider. *

  4. Fair financial compensation for ISPs should include direct labour costs for law enforcement cooperation, the opportunity cost of not being able to use the staff involved for other chargeable tasks, capital expenditure on hardware, software, licences and maintenance costs. *

E. General production Orders

  1. No ISP should be an information collection agency on behalf of the Canadian government. If the government wants and needs information, it should be responsible for retrieving, collecting and storing it. The ISP should only be obliged to provide the facilities when there is a lawful order to do so. ****

  2. Production orders are unnecessary, given the ability of law enforcement agencies to obtain information using existing means. The rationale presented for issuing anticipatory orders is absurd. ***

  3. Any attempt to monitor communications must be authorized by court order. The request for such an authorization must be explicit in terms of who, what, where and when (including for how long to monitor). Such a request should not be open-ended and should not exceed a maximum period defined in legislation. One month might be a suitable limit. ***

  4. Production orders need to be explicit and precise. Wild goose chases should be specifically prohibited. **

  5. Law enforcement agencies should not be able to monitor private transactions without judicial oversight by way of an anticipatory order. **

F. Specific Production Orders for Traffic Data

  1. It is unacceptable for police to require ISPs to keep a log of websites each individual has visited, in case they desire to snoop later on. Individuals should not be investigated, or deemed suspicious, based on their choice of channels or reading matter, online or offline. *

  2. E-mail headers tend to include much more information than a postal envelope. They will typically include not just the addressee but also the source, subject and size of the message. *

G. CNA/LSPID Information

  1. Another national database of personal records is completely unnecessary. There is no national registry of telephone users or postal mail users - there should not be one for Internet users. A national database of this kind would also be a dangerous accumulation. Can bureaucrats guarantee that this highly sensitive database would never be successfully hacked? *****

  2. There is no national registry of telephone users or postal mail users - there should not be one for Internet users. That is a completely unacceptable suggestion. ****

  3. A national database of this kind would be a dangerous accumulation. Can bureaucrats guarantee that this highly sensitive database would never be successfully hacked? **

  4. The consultation document makes it clear that this type of order is required to allow law enforcement agencies to carry out "fishing expeditions" in the absence of justification for a court order. Judicial oversight is essential. *

  5. CSPs should not be required under any circumstances to collect information that they would not normally collect in their day-to-day operations. Doing so could interfere with legitimate business models that rely on not collecting such information, add costs and would result in taking on work that law enforcement agencies should be doing themselves. *

  6. Severe penalties should be established for unlawful access to ISP databases containing individuals' online activity records and other personal data. *

H. Assistance Orders

  1. Assistance orders should be explicitly required rather than implied. They should detail clearly the assistance required. *

  2. Rate schedules for assistance to law enforcement agencies should be similar to those charged by the government for responding to Access to Information Act requests from the public. *

I. Data Preservation Orders

  1. Data preservation orders should apply to all forms of data regardless of medium. They should be valid for no longer than is reasonable to secure the necessary production order - like one week. ***

  2. The proposed preservation of e-mails and other Internet communication for use by law enforcement agencies is bound to increase the use of cryptography software by the public. **

J. Virus Dissemination

  1. The Convention would make it illegal for software companies to create or store viruses and it would make university researchers and ISPs criminals for studying virus behaviour. This is unreasonable. *****

  2. The subject of criminalizing virus software should be revised to include all types of malicious software - software (or devices) developed or possessed with the intent to infringe on the integrity, availability and confidentiality of computer systems and telecommunications networks. ***

  3. Under the present provisions of the Criminal Code only the effects of spreading a computer virus, or an attempt to do so, are criminal acts. There is no need to change the existing law. ***

K. Interception of E-Mail

  1. E-mail, like snail mail and telephone conversations should be treated as private communications. Legislation arising from this consultation should plainly codify the expectation of privacy except when information is publicly disseminated. *****

  2. E-mails should require a court order for interception regardless of the point of interception. ****

  3. Intercepting an e-mail while stored at an ISP is equivalent to intercepting a telephone message recorded at a local switch on a facility like Bell's Call Answer service. It is a private communication and should always be treated as such. **

  4. Obliging ISPs to retain e-mails for up to six months raises serious questions. What guarantee does the public have that their emails will actually be deleted after six months and how will the government guarantee that ISP employees will not abuse the records of e-mails at their disposal? *

  5. Technical detail should be avoided in any future legislation about e-mail interception as it may open the door to legal wrangling and unnecessary litigation. *

  6. Care should be taken to ensure that - in addition to e-mail - newer communications facilities such as real-time chat and messaging services are included in any subsequent legislation. *