Sunday 23 October 2011

Laws for 21st century: A guide to Canada’s proposed cyber investigation bills

Kathryn Blaze Carlson Oct 22, 2011 – 10:35 AM ET | Last Updated: Oct 23, 2011 11:01 AM ET


Canadians spend more time online than anyone else in the world — an average of 44 hours per month — and nearly a third of the population owns a smartphone, spending more than 17 hours on the device each week. So when the Conservative government reintroduces three pieces of lawful access legislation aimed at giving police greater powers and more tools to conduct investigations using new technologies, Canadians should have a clear understanding of what is on the table. However, much of the rhetoric circulating online about the legislation is patently untrue, distracting from the meat of the bills and the very real privacy implications at stake. Although it is unclear whether the bills will appear exactly as they did when they were first tabled in the spring, Public Safety Minister Vic Toews said this month his government is committed to reintroducing the lawful access legislation. Post reporter Kathryn Blaze Carlson has studied the previous legislation and spoken to experts. Here, she offers up eight things it would do — and three it would not:

1. CREATING “BACK DOORS” FOR POLICE INTERCEPTION The Investigative Powers for the 21st Century Act would require telecommunications and Internet service providers to be capable of decrypting, decoding, and preserving historic and real-time online and telephone communications, essentially creating built-in “back doors” for police interception. Some providers already have this capability, but they preserve information on their servers for different lengths of time depending on company policy. Some smaller providers do not have this capability at all, particularly certain ones in northern Ontario and Quebec, said Christopher Parsons, a doctoral candidate at the University of Victoria studying digital surveillance. Tom Stamatakis, president of the Canadian Police Association, said it is “very frustrating from an investigative perspective” when police obtain a court order to intercept communications, only to learn the relevant Internet service provider is technically incapable of digging up the communications data. The act would also give the RCMP and CSIS the authority to conduct background security checks on any employees who are involved in intercepting communications. Mr. Parsons said it is unclear whether the legislation will target anything more than the “low-hanging fruit” because savvy criminals will be able to evade authorities by encrypting their messages and sending them through several network nodes.


2. OBTAINING BASIC CUSTOMER INFORMATION WITHOUT A WARRANT Police could demand that telecommunications and Internet service providers turn over a customer’s name, address, telephone number, email address, and Internet protocol address — and they could do so without a warrant under exceptional circumstances. “When Internet service providers hear ‘exceptional circumstances,’ they hear ‘whenever (police) want,’” Mr. Parsons said. Michael Geist, chair of Internet and E-commerce Law at the University of Ottawa, said that sort of customer information could be linked with other bits of information to build a detailed profile. It can also be used to “out” someone using a pseudonym in an online chat forum. “All of a sudden, you go from ‘HoneyBunny14’ or ‘BlackAnarchist’ to ‘John Smith’ living at a particular address with a particular phone number,” Mr. Parsons said, adding that social activists are concerned police will use the provision to monitor people organizing legal protests or expressing dissent online. Beyond that, the target is not necessarily the only person using a particular Internet protocol address, so others could be inadvertently monitored at a later stage in the investigation. Mr. Stamatakis said this sort of additional power would be exercised to investigate only the most serious crimes, including child pornography, organized crime and terrorism. “The legislation recognizes the technology criminals are using today,” he said, echoing Mr. Toews comments earlier this month that the Criminal Code contains out-of-date language such as the word “telegraph.”

3. CREATING NEW POLICE POWERS TO OBTAIN COMMUNICATIONS DATA Without a warrant, police could make a “preservation demand” requiring telecommunications and Internet service providers to single out a customer and preserve for 90 days what Dwayne Winseck, a Carleton University communications professor who has studied the Internet for two decades, called “meta data.” So-called meta data is communications information generated during the creation, transmission or reception of a communication including the type, time, duration, origin, and destination of the communication. Police would then have to ask a judge for a “production order” to actually obtain the preserved information. Once police get the court order, they could, for example, find out who a person called on their cell phone, the duration of the call, and when the call was placed. Importantly, the proposed legislation excludes the actual content of the conversation. Once police have a copy of what they want, the service providers must destroy the information. The warantless provision is a welcome one, Mr. Stamatakis said, because it acts as a stop-gap measure while police work to obtain a warrant — a lengthy, labour-intensive process at times.

4. CUSTOMERS MAY NEVER KNOW IF, OR WHY, THEY WERE TARGETED The proposed surveillance legislation says authorities could prohibit telecommunications and Internet service providers from telling a customer that he or she was the subject of information disclosures. The potential cumulative effect of all this legislation, said Mr. Geist, is self-censorship: “What we’re creating is nothing like the Chinese firewall … but I think it could have a chilling effect in terms of people’s willingness to express themselves online, even if they’re not doing anything illegal.”

5. POSSIBLY INCREASED COSTS FOR CELL PHONE AND INTERNET SERVICE If telecommunications and Internet service providers are forced to upgrade their technology and train their staff to use it, then their capital and operating costs will inevitably climb. “Customers might end up paying the added cost for something that could be used against them at any time,” Mr. Parsons said, adding the requirement could also squeeze out smaller, cash-strapped providers.

6. TRACKING DIALED NUMBERS WITHOUT A WARRANT The proposed legislation would allow police to install and use number recorders without a warrant in “exigent circumstances.” A number recorder, which records the telephone numbers associated with outgoing and incoming calls, would be installed remotely by a telecommunications provider at their call centre hub. The installation can last up to 60 days, but it could be extended to one year if a warrant is obtained and if the investigation involves organized crime or terrorism.

7. COVERTLY ACTIVATING DEVICES TO TRACK CELL PHONES AND VEHICLES The proposed legislation brings police powers into the 21st century by tacitly acknowledging that vehicles and mobile phones — and therefore the people using them — can be tracked using GPS or cell towers. The Criminal Code currently says police can, with a warrant or without one in an emergency, “install, maintain and remove a tracking device in or on any thing, including a thing carried, used or worn by any person.” The proposed bill would extend that list to include the power to “activate” a device, “including covertly.” Mr. Parsons said this allows police to “take advantage of existing technologies,” and said he would not object to the provision if it ensured there would be court oversight.

8. OPENING THE DOOR TO “FISHING EXPEDITIONS” The legislation surrounding preservation and production orders would allow police to get information from telecommunications and Internet service providers based on “reasonable grounds to suspect” the information would “assist an investigation.” The existing Criminal Code does not offer a similarly vague suspicion, but rather stipulates “reasonable grounds to believe” an offence “has been or is suspected to have been committed” or that the information will “afford evidence respecting the commission of the offence.” Mr. Winseck said this opens the door for police to go on “fishing expeditions” and potentially “turns the relationship between the cops and (Internet Service Providers) into a routine one.”

… AND THREE MISCONCEPTIONS

1. HYPERLINKING TO HATE PROPAGANDA WILL BE CRIMINALIZED When the legislative summary of one of the bills surfaced saying “the offences of public incitement of hatred and willful promotion of hatred may be committed… by creating a hyperlink that directs web surfers to a website where hate material is posted,” onlookers criticized the bill as overly far-reaching. However, the actual bill makes no explicit reference to hyperlinking, instead expanding the definition of “communicating” hate material to include “making available.” It is true the vague definition of “communicating” could capture posting a link to another website, but a recent Supreme Court libel decision will likely quiet that fear: The judges decided unanimously this week that a person cannot be held responsible for what appears on a hyperlinked site.

2. POLICE WILL GET NEW POWERS TO LISTEN IN ON PRIVATE COMMUNICATIONS
The legislation does not extend police powers to intercept the actual content of private communications, for example what was said in a telephone call or written in an email. Mr. Toews has said those claims — put forward by online privacy activists — are a “complete fabrication.” Also, the Criminal Code already allows police to intercept private communications without a warrant, so long as the situation is urgent and the interception could prevent serious harm to a person or property.

3. INTERNET PROVIDERS WILL MONITOR ALL CANADIANS, ALL THE TIME
The government has been accused of embarking on warrantless online wiretapping where Canadians will be constantly monitored, but Mr. Geist said on his blog these charges amount to “political softball.” Yes, telecommunications and Internet service providers will need the capability to preserve information on all users, regardless of whether or not they are subject to an investigation. But those providers must only preserve and produce information relating to users who are actually targeted by police.

National Post kcarlson@nationalpost.com

No comments:

Post a Comment

Leave me your thoughts on what you read or ideas for future topics.