Monday, 13 February 2012

Lawful Access?

Every time I turn around I find out that Canada is about to pass some other Criminally insane police-state 'big brother'-ish law!!! Lawful Access Law? All this purports to do is eliminate the need for a warrant to wire-tap telephones (Land and Cell), email, and internet traffic because the existing laws are subject to "privacy laws and the Canadian Charter of Rights and Freedoms".


Without even reading the law, the Canadian government's FAQ outright tells us, in plain English (ou en français, si vous désirez):
Law enforcement and national security agencies conduct investigations with the aid of certain techniques, one of which is lawful access.

For the police, this involves the lawful interception of communications and the lawful search and seizure of information, including computer data. Lawful access is a specialized tool used to investigate serious crimes, such as drug trafficking, money laundering, smuggling, child pornography, and murder. Lawful interception of communications is also an essential tool for the investigation of threats to national security, such as terrorism.
Remember, Terrorism is quickly being defined as anybody who disagrees with the government, or shaves, or values privacy... Apparently when 'you can't please all the people all the time', it's the displeased people who are wrong...

Does lawful access legislation already exist?

Lawful access is provided for in legislation such as the Criminal Code, the Canadian Security Intelligence Service (CSIS) Act, the Competition Act and other acts. This legislation is subject to privacy laws and the Canadian Charter of Rights and Freedoms.
 I don't like where this is going, not one bit...

Why does lawful access legislation need updating?

Current Criminal Code provisions regarding the interception of communications were first adopted in 1974. The Criminal Code was amended in the 1980s to include specific references to computer systems in the search and seizure provisions, and again in the 1990s. In 1984, Parliament passed the CSIS Act, which provided CSIS with the authority to lawfully intercept private communications for national security purposes.

While technology has evolved considerably since then, Canada's lawful access laws have not kept pace. Increasingly complex technologies are challenging conventional lawful access methods. Criminals and terrorists are taking advantage of these technologies to assist them in carrying out illicit activities that threaten the safety and security of Canadians. To overcome these challenges, legislative tools, such as the Criminal Code and other statutes, must evolve so that law enforcement and national security agencies can effectively investigate criminal activities and threats to national security while ensuring that Canadians' privacy and human rights are protected.

The worldwide adoption of new communications technology and the increasingly global nature of crime underpin the need for international cooperation in developing effective solutions. Canada has cooperated with European and other countries in the development of the Council of Europe Convention on Cyber-Crime. Canada has also been working with G8 states on issues such as cross-border communications and combating high tech crime. Canada needs to update its legislation that provides for lawful access in order to be in a position to ratify the Convention on Cyber-Crime as well as to meet our G8 and other international commitments.
Convenient, three paragraphs in which you don't really answer the question you yourselves ask... This rhetoric is, in fact, exactly what I've come to expect... It's as if they are attempting to bore me back to sleep. We are all aware that technology advances much faster than bureaucracy, now tell us the important bits.

Communications technology keeps changing. How can the law keep pace?

Under the current laws, not all telecommunications service providers are required to design intercept capabilities into their networks. When a new technology or communication service is introduced, law enforcement and national security agencies often have to research and develop new methods to gain lawful access to those networks. The lack of a technical solution, or a delay in the ability to use it, hampers investigations and the prevention of serious crimes or threats to national security.
To address this issue, the government is proposing that service providers in Canada be required to ensure their networks or infrastructures have the technical capability to enable lawful access by law enforcement and national security agencies when the agencies are legally authorized to intercept a communication or search and seize data.
Which service providers? Wiretapping phone lines has been doable for a long, long time. I am pretty sure cellular networks have had that ability built into their initial design, but I would have to review the specifications on that. Packet Sniffing has existed as long as the internet, so what are they missing? They still are not completely answering the question...

Who uses lawful access?

Lawful access is used by law enforcement and national security agencies, such as the Royal Canadian Mounted Police (RCMP), the Canadian Security Intelligence Service (CSIS) and municipal and provincial police forces, as well as the Competition Bureau.
Competition Bureau? Why?

So the page goes on to indicate that "Data Preservation" is what needs to be instituted by the Service Providers; it does stipulate that the Data to be Preserved is restricted only to data as listed in a warrant, and stipulates that carriers are not supposed to be data warehousing everybody's data all the time. Phew... But what are they proposing to change, really? That is not answered here. Let's move on.

A public consultation on the proposed law apparently happened IN 2003 and they list the summary of each group's comments -- with my own comments noted like this --

2.1 Law Enforcement

  1. Police services expressed strong support overall for the proposals.
    -- No surprise there --
  2. The ability of police to lawfully access telecommunications services has not kept up with the advances in communications technology. This gap is creating a safe zone where criminals can communicate free from fear of detection. It must be technically possible for police to lawfully intercept all telecommunications services offered in Canada without exception.
    -- without exception? what if a technology does not exist yet? --
  3. Communications Service Providers (CSPs) should pay for installing lawful access capability on new or significantly upgraded services. The government should specifically prohibit CSPs from directly or indirectly recovering infrastructure costs from law enforcement agencies through any cost recovery scheme, such as burying them in operational or hook-up charges.
    -- I have a better idea, they can be billed as a pay per use, make it expensive so that there needs to be some serious consideration about whether it's worth it or not. Actually, scratch that idea... I still pay taxes.--
  4. In principle, CSPs should be able to recover reasonable costs of providing operational assistance to law enforcement. These costs should be distributed over a broad base (like the existing 911 fee) rather than being recovered from individual police services. However, CSPs must not be permitted to impose fees or other charges as a condition of compliance with a judicial order.
    -- Nice. I get to pay for this through higher fees --
  5. A compliance mechanism that is independent of government should be established in order to determine conformity with the legislation.
    -- I'm not sure I follow, do you mean like a 'committee of concerned citizens who volunteer', or 'a committee of judges'? In neither case will that happen and actually work: Concerned citizens will not be allowed into the backbone of an ISP network to observe, and judges will not understand the backbone of an ISP network...--
  6. Forbearance of interception capability and capacity should be the exception rather than the rule. CSPs should be required to submit an implementation plan with each forbearance application, with quarterly reporting, showing in detail how full compliance with the legislation will be achieved.
    --Network planning #1: it is cheaper & easier to overbuild capacity now than it will be later. What do you mean it's against the law?--
  7. Significant fines should be imposed on CSPs for non-compliance with mandatory capability requirements. With law enforcement and service providers working together in a cooperative partnership, the vast majority of difficulties will be worked out. Only the most severe and blatant contraventions of the capability and capacity standards set out in the proposed legislation would result in enforcement action.
    -- Is that not how the legal system tends to work in the first place? seems somewhat redundant --
  8. Lawful interception of private communications by police in Canada must continue to be subject to prior court approval.
    -- Finally, I agree with them, but does this mean that there were no provisions requiring a warrant? --
  9. CNA and LSPID is not personal information and law enforcement agencies should not need a judicial authorization to obtain it. A statutory provision should be created requiring CSPs to provide law enforcement and national security agencies with CNA and LSPID information. If this is rejected on privacy grounds, a production order with a nominal procedural threshold should be considered instead.
    --Whoa, hold the phone, Customer Name and Address (CNA) IS personal information if all you had to go on was an IP address. Local Service Provider ID? that is simple to obtain via WHOIS records, publicly available--
  10. To help combat increasing international crime, Canadian lawful access powers need to be harmonized with those available in other countries. Australia, the Netherlands, New Zealand, the United Kingdom and the United States are ahead of Canada in adopting lawful access legislation in line with today's technology.
    -- I am tempted to ask, so, if the US and Australia jumped off a bridge would you be all 'me too! me too'? But that just seems like too simple an argument --

2.2 Industry

  1. Most CSPs who responded were supportive of the need for effective lawful access in the face of technological change.
    -- no comment --
  2. The consultation document lacks detail and is too imprecise to allow anything but high-level comments. Further consultation is called for, including the opportunity to comment on the specific proposals contained in draft legislation and accompanying regulations, prior to their introduction in Parliament.
    -- No surprise there, government and lawyers are not network technicians --
  3. The interception of unviewed e-mail and similar digital communications traffic in transit should be considered interception of a "private communication" and therefore subject to the protections contained in a Criminal Code Part VI authorization. A search warrant or production order should be required for law enforcement to access opened e-mail that a user has chosen to retain.
    -- So the plan is to not require a warrant? I guess this confirms the same thought I had above--
  4. The circumstances under which a forbearance order may be justified should be stated, as well as the criteria that will be used to evaluate when, and for how long, such orders will be valid. Any rules or standards dealing with the forbearance power should be clear and transparent.
    -- Sounds like another attempt to slip one under the radar. Not stipulating that the 'request' (warrant) have a duration --
  5. The legislation should ensure that law enforcement agencies remain responsible for reasonable costs incurred by service providers making operational assistance available to law enforcement agencies in carrying out lawful interception, seizure and preservation orders. These costs should be worked out between each service provider and the agency concerned rather than being based on universal tariffs laid out in the regulations for various types of support. Industry Canada and the Solicitor General, or an independent arbitrator, should mediate any disputes about fees for service between a CSP and a law enforcement agency.
    -- Let the legal system pay, sliding scale, sure. --
  6. Definitions provided in the consultation document differ from those given in the Telecommunications Act. Some important terms such as "basic intercept capability" are not defined. Clear consistent definitions in line with those used internationally are essential to the success of the proposed legislation.
    -- same comment as for point 1 --
  7. The government should pay for the "basic intercept capability" until lawful access solutions are readily available for the transmission equipment used by service providers that can be deployed and maintained at minimal incremental cost to the service provider. This is regardless of how "significant upgrade" and "new service or technology" are defined in the resulting legislation.
    -- So I still pay for this, I suppose there was no end-run around that... --
  8. The consultation document failed to show that the current provisions in law are inadequate to allow effective access to data communications services in Canada or that investigations or prosecutions have been unsuccessful due to lack of technical capability.
    -- This backs up my point on wiretapping and packet sniffing, there really is nothing indicating the present 'drawbacks'. --
  9. There is strong opposition against obliging service providers to collect, maintain or guarantee the accuracy of subscriber information beyond that needed for their own business purposes.
    -- what other subscriber information are they asking for? --
  10. CSPs are also strongly opposed to the creation of a national CNA/LSPID database, citing privacy and security concerns as well as the high costs of developing and maintaining such a database. They point out that most cybercriminals are quite capable of using false names, hacked accounts or public access terminals to communicate or transact.
    -- Very true on all counts. I think privacy security concerns is the biggest issue at stake here, once there is a 'system' collecting this information, it will become an attractive target. --

2.3 Privacy and Information Commissioners

  1. The consultation document does not demonstrate why the proposed measures are necessary.
    -- Somebody else sees this, good. --
  2. New technologies and communications services may well pose a challenge to existing interception methods and require CSPs to provide law enforcement agencies with basic interception and surveillance capabilities to achieve lawful access to them.
    -- I thought this was the proposed nature of this law... Do they mean police may need training? I am sure they will. --
  3. The proposed measures go far beyond what is necessary to maintain existing capabilities and authorities in the face of modern communications technology.
    -- BINGO --
  4. E-mails should not be subject to a lower standard of protection than telephone calls or letters. In the same way, Internet browsing should not be afforded less protection than book purchasing or researching in a reference library.
    -- I agree, these activities are nearly identical and should be treated as such under the law. --
  5. Canadians are entitled to feel confident that their communications and on-line activities will not be arbitrarily intercepted or scrutinized.
    -- I probably won't, but maybe that's just me. --
  6. If the Convention on Cybercrime calls for unjustifiable intrusion on the privacy rights of Canadians which is inconsistent with our values and rights, the Convention should not be ratified by the Canadian government.
    -- If the U.S. Government is involved, it likely does call for much that is unjustifiable, and should not be ratified. Fuck 'em, they're going to be too busy quelling their own revolt in the next two years, and they'll be bankrupt after the Syria and Iran wars, so I think we can avert any worries about becoming the next 'rogue state' who's a member of 'the axis of evil'. --
  7. The government should continue to resist any suggestions that general data retention requirements be part of the lawful access initiative.
    -- yes. Ripe for abuse, Identity theft, retention means nobody knows who's accessing the data, when, and for what purpose --
  8. A national database for CNA/LSPID information should not be created. There is no need to change the current law and practice concerning access to this information.
    -- same point as in 7, not to mention the cost of such an implementation is prohibitive --
  9. An obligation on those selling pre-paid cellphones or phone cards to collect people's sensitive information such as driver's license and credit card numbers before making the sale would be a gross invasion of privacy.
    -- ???! you mean the pimple faced down at the convenience store would start asking me for Credit Card info to buy a prepaid cell card? I don't have one... --
  10. Nowhere does the consultation document indicate that accountability measures are being contemplated.
    -- S-C-A-R-Y! --

2.4 Civil Society Groups

  1. The consultation document is unclear about the government of Canada's proposals.
    -- This point is popping up all over the place, That is usually a good sign that somebody's hiding something. --
  2. The draft legislation and accompanying regulations should be made available for full and complete public review with sufficient time for interested parties to assess their impact and submit comments.
    -- OK, so I guess I won't be reading the draft legislation... --
  3. The document is unconvincing on how the proposals would actually help fight organized crime or terrorism. The government will no doubt have more access to the private lives of Canadians, but serious criminals and terrorists are unlikely to be careless enough to fall within the scope of the proposed measures.
    -- "That's just how these things go sometimes..." The Oracle. But seriously, I am pretty certain that any good 'international syndicate' has figured out how to use encryption, or even certain keywords in conversations to sound like 'legitimate business' or even 'friendship'. Criminals are ahead of the law most of the time, if they weren't we'd have eliminated crime centuries ago so why should the rest of us suffer. --
  4. If evidence is available to justify the proposed legislative amendments, it should be made public so that it can be seen whether the security benefits outweigh the privacy costs. If such evidence does not exist, the measures should be dropped.
    -- same as point 2 --
  5. The proposals would establish a lower standard for lawful interception and/or search and seizure of online communications versus telephone and postal mail, for example. No justification has been provided for this. Criminal Code standards should be designed to apply regardless of technology.
    -- and, amended to include new technologies as they relate to their predecessor where applicable. Technically, an email is easier to dig up than a phone call because a phone call exists in the now and ceases to exist in the ever after. Some people keep emails forever. --
  6. Any new legislation should specifically address privacy issues wherever individual privacy is at risk. General references to the Canadian Charter of Rights and Freedoms (the Charter) and the Personal Information Protection and Electronic Documents Act (PIPEDA) are insufficient.
    -- Thank you --
  7. The government has failed to present evidence that this massive surveillance infrastructure is necessary. For example, it is unknown how many investigations have actually been seriously hampered by lack of technical capability.
    -- Massive surveillance infrastructure? What am I not reading? oh, right that thing that's not available to the general public. --
  8. If law enforcement agencies have difficulty in dealing with new communications technologies, the solution is not to lower legal standards for interception, but to provide law enforcement agencies with the technical expertise and equipment they need to deal with the evolving environment.
    -- absolutely, I mean, they could have infiltrated the Syrian Government's email with the password '12345'. Sometimes it's stupidly easy, but they are not aware of certain methods to facilitate it... --
  9. The proposals require customers or their CSPs to pay for the surveillance. This is wrong in principle and impracticable in operation.
    -- The Government paying for it would equate to the same thing , except that we'd pay, then our kids would pay, then our grand-kids would pay... I don't think this point will get anywhere. --
  10. The job of ISPs is to provide services for their customers. This should not include monitoring those customers for the purposes of the state. Production orders must not be used to circumvent the high thresholds that would be required if law enforcement agencies were carrying out the search or interception themselves.
    -- Again, I agree. But I don't think this should fall completely under the purview of law enforcement: tools provided: sure; know-how provided: sure; usernames and passwords activated by an ISP once proper legal authority has been reviewed: absolutely. Keep them locked out of the system unless they have a warrant specifying what they are looking for; otherwise, it'll turn into the wild west in no time. --

2.5 General Public

  1. The opportunity to comment on these proposals is much appreciated.
    -- how very polite --
  2. It is not clear what benefit is to be gained from the proposed legislative changes that does not already exist in the law today.
    -- again... This has been a key point of 3 out of 5 groups --
  3. It is a matter of serious concern when international treaties such as the Convention on Cybercrime are signed without democratic consultation and then presented to the public as though it is essential that they be ratified.
    -- I feel that way about ACTA too... It's like Canada is the world's kid brother with a 'me too' attitude... Why don't we just stop holding elections if all our legislature will be consigned to 'ratifying international agreements' that we've already signed? We could free up a lot of budget firing the elected officials and send our kid brother to the U.N. to just sit around saying "me too". --
  4. The consultation document fails to show how the Internet has "created difficulties for investigators". Also, in the case of the Internet, the "need for sophisticated equipment" seems to boil down to packet sniffers which are widely used by ISPs and available for a few thousand dollars each.
    -- I agree... I mean, Facebook keeps changing its "privacy policy" every other week, it's actually more difficult to keep up with than the bureaucratic legal system. Some 'terrorists' are likely to miss some of the finer points and inadvertently update their status to 'death to America' while not realizing that was visible to friends of friends, friends' goats... and there are a billion people there whose lives you can peek into if that's what this is really about... --
  5. No case is made in the consultation document that Canadians deserve less privacy when using digital communication rather than analog electronics, or indeed when they use electronics rather than pen and ink.
    -- We don't. --
  6. Data encryption is widely used by criminals and terrorists when communicating over private and public networks including the Internet. Encryption techniques are often not detectable, not interceptable and can render law enforcement and CSP interception technology ineffective.
    -- Good, somebody has raised this issue for me. --
  7. Should a law enforcement agency require assistance from a service provider that is beyond the normal cost of doing business for that provider, then the agency should pay the cost of the assistance. Such costs should not be the responsibility of the service provider nor should they be passed on to the end client.
    -- That still falls on tax payers, the point is rather moot --
  8. No CSP should be an information collection agency on behalf of the Canadian government. If the government wants and needs information, it should be responsible for retrieving, collecting and storing it. The CSP should only be obliged to provide the facilities when there is a lawful order to do so.
    -- I agree --
  9. Another national database of personal records is completely unnecessary. There is no national registry of telephone users or postal mail users - there should not be one for Internet users. A national database of this kind would also be a dangerous accumulation. Can bureaucrats guarantee that this highly sensitive database would never be successfully hacked?
    -- Can anyone? "Security" is effectively an illusion... But I think I have said this before, maybe even on this blog... --
  10. E-mails should require a court order for interception regardless of the point of interception.
    -- Again, they're proposing they shouldn't need one? --
I cannot find any publicly available draft of the proposed law that I am commenting on, but as stated above, that is probably because "there is no spoon"... I do not trust any time the Government tries to pull this kind of shenanigan. These consultations were published in 2003 and I still cannot find anything... Because they were changed into two bills... Bill C-46: Investigative Powers for the 21st Century Act and Bill C-47: Technical Assistance for Law Enforcement in the 21st Century Act.

It's getting late, this post is long, I'm getting tired. I will have to follow up on them in future posts and find out if they became law... If they did, I am not sure there's much I can do, and writing about it will probably put me on a terrorist watch list... According to CIPPIC (Canadian Internet Policy and Public Interest), C-47 has never been passed, maybe that's why I got an alert about this today.

