Canada mulls warrantless internet info-gathering powers for police


Yesterday, I wrote up my take on the recent Australian bomb-hoax story, in which a suspect was tracked from Sydney to Kentucky through a mixture of old-fashioned detective legwork and cyberinvestigation.

I suggested that making this sort of investigation as easy as it seems on crass TV cop shows would be a bad idea:

There are many hoops which the cops have to jump through to be able to pursue an enquiry of this sort - a due process which means they can't always and immediately get access to anything they want.

And that is exactly as it should be. Most of us are law-abiding, and our privacy and security is too important to be eroded merely to make the Orwellian nonsense of Hawaii-Five-O into a reality.

Today, someone pointed out to me the text of Bill C-52, currently under consideration by the Canadian federal parliament.

Amongst the many proposals in this Bill are two specific clauses to reduce the 'due process' imposed upon Canadian law enforcers when they wish to acquire information about internet subscribers from Canadian ISPs.

This information includes:

any information in the service provider's possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider's telecommunications services and the Internet protocol (IP) address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber's service and equipment.

The first sort of investigator authorised to acquire this information merely by asking (actually, the second listed in the Bill, as it is a special exception to the main proposal) is, broadly speaking, any police officer.

But there are restrictions on this power which make it much less unreasonable than it sounds. It is for "exceptional circumstances only", and it applies only if:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.

You can probably quickly think up a number of scenarios in which this regulation might be a lifesaver. And the Bill requires any police officer who takes advantage of these special powers to declare that he has done so to a superior, who is, in turn, required to re-confirm the request with the service provider. So there is at least some bilateral oversight involved.

Of greater interest to privacy advocates, however, is the proposal in the Bill that each law enforcement agency would be able to designate up to five percent of its staff to request precisely the same information pretty much at will, about any subscriber.

This makes 'fishing expeditions' possible. The Bill doesn't appear to place any limit, other than perhaps common sense, on the number of subscribers whose data can be sucked from an ISP at any time.

The Bill doesn't even seem to propose that the requests be based on any sort of specific identifier, such as a name or an email address.

This suggests, in the worst case, that an ISP might be compelled simply to hand over information about all subscribers. No warrant needed, and thus no proactive oversight by the judiciary.

I'll leave it to the Canadian legislature to debate whether this is really a change which Canada needs; to Canadian privacy advocates to argue the pros and cons as visibly as they can (I'm OK with legal street protests, but no Anonymous-style 'hacking', please!); and to the voters to make amends next time if the Bill passes but is deemed a step too far.

My concerns go beyond just those about our right to be free, as far as possible, from surveillance and intrusion by law enforcement. I'm just as worried about the safety of having information about our internet identities routinely duplicated into multiple databases.

If you are Canadian, I urge you to oppose Bill C-52 as a matter of public safety, at least until you can be sure that every agency and every officer who might request information about your internet identity will protect it at least as well as your ISP.

Recent data breaches and data leakages haven't just been happening to commercial organisations, but to law enforcement, too.

(Global examples of law enforcement security lapses include San Francisco, Arizona and Manchester, UK.)

The more people who acquire and store your Personally Identifiable Information (PII), the more points of security failure, and thus the more likely it will end up in the hands of cybercriminals.

So if law enforcement in your country wants to become more aggressive at acquiring your PII, I think it ought first to show you that it sets unstinting standards for protecting it. For example, any police force which lets its officers use unencrypted laptops in the field ought, ipso facto, to be disqualified from collecting information about you other than in the most exceptional circumstances.

And please note that I didn't make that last remark because I work for a company that has a range of encryption products to sell. Actually, it's the other way around. I work for such a company because I believe that privacy and security are incredibly important.


7 Responses to Canada mulls warrantless internet info-gathering powers for police

  1. Brian · 1513 days ago

    A lot to ponder, better left for those with greater minds than mine. :)

  2. RoundTop · 1512 days ago

    Ars Technica has a good discussion on this issue.

    In the comments it mentions that C-52 is not the current bill, it is the previous bill which the new one is believed to be based on. The new bill has not been introduced yet.

    • Paul Ducklin · 1512 days ago

      I'm not quite sure about Canadian legislative terminology. It seems similar to the UK, for obvious reasons, but probably with weird differences, for reasons no-one now seems to remember, as in Australia. (We have 'Members of Parliament', like the UK and unlike the US, but we have a 'House of Representatives' and a 'Senate', like the US and unlike the UK.)

      That's why I wrote "Bill C-52, currently under consideration by the Canadian federal parliament," trying to avoid saying that it was "currently tabled" or "before the House", or some other more formal-sounding term...

      It seems that I might have said, "Bill C-52, which is the background to current parliamentary machinations about regulations surrounding internet information gathering." But that's a bit of a mouthful, even for me. (And the word "machinations" has subjective implications I would prefer not to, ah, imply. I'd like to leave the inferencing to the reader :-)

      Like you, my understanding, with apologies to Monty Python, is that C-52 "isn't dead, it's just resting."

  3. Argh! Did C-52 really get re-introduced? I thought it finally got killed off during the previous parliamentary session...


  4. Just what we need. Less due process.
    Actually I'm very irritated by this.

  5. boo · 1498 days ago

    This is horrible and idiotic. Would the parliament like it if we hacked into their personal computer systems?

  6. Guest · 1331 days ago

    This is the NEW-GESTAPO era now...


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog