Three bills (C-50, C-51, C-52) currently before the House of Commons could give Canadian law enforcement unprecedented access to our Internet data, including forcing ISPs to give up the names and IP addresses of customers without court supervision (I’m assuming that this means without a court order, but I could be wrong):
The bills contain a three-pronged approach focused on information disclosure, mandated surveillance technologies, and new police powers.
The first prong mandates the disclosure of Internet provider customer information without court oversight. Under current privacy laws, providers may voluntarily disclose customer information but are not required to do so. The new system would require the disclosure of customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers.
While some of that information may seem relatively harmless, the ability to link it with other data will often open the door to a detailed profile about an identifiable person. Given its potential sensitivity, the decision to require disclosure without any oversight should raise concerns within the Canadian privacy community.
The second prong requires Internet providers to dramatically re-work their networks to allow for real-time surveillance. The bill sets out detailed capability requirements that will eventually apply to all Canadian Internet providers. These include the power to intercept communications, to isolate the communications to a particular individual, and to engage in multiple simultaneous interceptions.
Moreover, the bill establishes a comprehensive regulatory structure for Internet providers that would mandate their assistance with testing their surveillance capabilities and disclosing the names of all employees who may be involved in interceptions (and who may then be subject to RCMP background checks).
Michael Geist, one of Canada’s most respected Internet Law experts, discussed this potential problem on his personal blog (quoted above) and the Toronto Star (the versions are slightly different). He points out, and I concur, that law enforcement does need the jurisdiction to be able to get to this information sometimes. That isn’t the point or question here. The line that has to be drawn is whether ISPs, for example, should all be compelled to be at the ready to live-stream and capture information on their networks. Is this something that ISPs should have to do just because law enforcement might need it at some point in the future, or is it more prudent that ISPs be able to do it by court order at the time?
While I support law enforcement getting the tools and education to fight cybercrime, I also think Michael could be pushing the balance too far in the other direction. I believe what law enforcement is asking for (access to subscriber information to better tie IP addresses to people doing things at certain times, deep packet inspection, and monitoring) isn’t unreasonable, but where Michael is dead on is that the balance is too far in favour of government right now. More oversight is needed. As for the cost to ISPs, maybe they will have to bear it or maybe the government will have to offer a tax break to help cover the cost.
Regardless, this is an issue that I hope the Opposition Parties in Parliament take up and push the Government on.