Lawful access or unlawful access? Critics of the federal government’s proposed bill that will give police increased access to customer data from Internet service providers, predict there could be constitutional challenges to the legislation down the road.
Bill C-30, the proposed “protecting children from Internet predators act” was introduced today. It contains provisions from previous bills C-50, C-51 and C-52 that raised the concerns of privacy watchdogs. The provisions would require telecommunications and Internet service providers to give subscriber data to police and national security agencies without a warrant, including names, e-mail addresses, unlisted phone numbers, and IP addresses.
It would also force ISPs to provide a “back door” for communications to be accessible to police, and it would allow police to get warrants to obtain information transmitted over the Internet and data related to its transmission, including locations and transactions. Courts could also compel other parties to preserve electronic evidence.
While the police have been going to ISPs for years asking for and obtaining this kind of information about customers, now the government wants to entrench the requirements in law.
“There are philosophical, privacy, and practical issues to this that have been pointed out to the government but they’ve decided to proceed ahead anyway,” says Mark Hayes, partner with Hayes eLaw LLP in Toronto. “If this is brought in, for sure there will be constitutional challenges to it. The argument from those opposed is going to be it’s unreasonable search and seizure of their personal information without any judicial authority. That has a reasonable good chance of succeeding.”
More than 10 years ago, many ISPs decided they would give this information up to law enforcement and put provisions into their user agreements indicating they would give provide access with respect to child pornography.
“This was done on a relatively informal basis — most of the big ISPs did it. It allowed the police to get this information — they just provided a form saying they were doing a child pornography investigation. There’s no reason to believe they abused it but it was pretty informal,” says Hayes.
However, the police have found some ISPs aren’t playing ball, even for child pornography investigations, and they’re being told to get a warrant.
While it’s important for law enforcement to have the tools they need to obtain information, Hayes says the government needs to establish there is the proper basis for the surveillance tools they’re bringing in and a reasonable balance between people’s right to privacy and the necessity of having this kind of access.
“I’m inclined to think the big ISPs will continue to play ball because they are caught between a rock and a hard place — between their customers who they don’t want to be seen as giving up customer information, and the demands of government and the police,” he says.
“For the big ISPs it’s better to have it in legislation where the obligations are clear and they can say ‘the government is forcing us to do this’.”
With wiretaps, police must have judicial authority first. In the case of lawful access, they just need to think they need access to the information.
“It seems like pretty substantial overkill for a very limited benefit,” says Hayes. “If there is better justification the government is going to have to bring it forward.”
There’s also a cost involved for ISPs putting in the kind of monitoring technology the government is asking for in the legislation. The concern is the cost will be passed on to consumers, and both the cost and the inconvenience of complying with this law is going to be a significant disadvantage for smaller ISPs.
“There are lots of ISPs that operate literally out of people’s garages,” says Hayes. “They provide specialized services and to put these kind of requirements on them could be a real hardship.”
If the legislation is going to be defeated Hayes said the country’s privacy commissioners may be the ones to lead the charge.
Canada’s privacy commissioner, Jennifer Stoddart has said the legislation the government is considering goes “. . . far beyond simply maintaining investigative capacity or modernizing search powers. Rather, they added significant new capabilities for investigators to track, and search and seize digital information about individuals.”
Hayes points out that while the government has talked a lot about the privacy intrusive aspects of the gun registry they haven’t explained why they would introduce a much more intrusive regime around Internet use.
“It’s an odd piece of legislation that arguably doesn’t have a solid evidentiary basis,” he says.
Update: The main points of difference from the old bills the Tories introduced to today's:
- Requires telecommunications providers to disclose, without a warrant, just six types of identifiers from subscriber data instead of 11.
- Provides for an internal audit of warrantless requests that will go to a government minister and oversight review body.
- Includes a provision for a review after five years.
- Allows telecommunications service providers to take 18 months instead of 12 months to buy equipment that would allow police to to intercept communications.
- Changes the definition of hate propaganda to include communication targeting sex, age and gender.