Increasing Canadian Internet Monitoring

Earlier this month I blogged about the government tabling its latest proposal for increasing Internet surveillance capabilities with 3 little bills (C-50, C-51, C-52).  So far, they have received limited attention despite their potential to completely change the way the Internet is used in Canada.

I am not a lawyer; however, the bills appear to focus on required information disclosure, mandating surveillance technologies, and providing new police powers:  

  • ISPs currently may voluntarily disclose customer information, but are not required to do so.  Under the new rules, Internet Service Providers (ISPs) must provide customer information to law enforcement without court oversight.  The new system would require the disclosure of customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers.

    The decision to require disclosure of personally identifying information (PII) without any oversight should immediately raise Canadian privacy community concerns.  The ability to link PII with other data will open the door to creating detailed profiles for individuals. 

  • ISPs will be forced to introduce deep-packet inspection technologies that will allow real-time surveillance.  The bill sets out detailed capability requirements that will eventually apply to all Canadian ISPs, including intercepting communications, and isolating the communications of a particular individual.

    The bills also establish reporting requirements including the disclosure of all ISP technical surveillance capabilities within 6 months of the law being enacted.  Follow-up reports are required when providers acquire new technical capabilities. 

  • New police powers will be provided allowing law enforcement to gain access to surveillance data.   These include new data transmission warrants granting real-time access to all information generated during the creation, transmission or reception of a communication, including the type, direction, time, duration, origin, and destination of the communication.  Preservation orders could then be obtained, requiring ISPs to preserve subscriber information for 90 days.  Having preserved the data, production orders can be issued to require the disclosure of the information and data.  

Of course I believe that it is important to provide law enforcement with the necessary tools to address online crime issues, but I fail to see clear evidence that the current legal framework has impeded important police work, and big brother does NOT need to see what we google or how we spend our personal time.  Proposals to alter the fundamental protections afforded to, and privacy expectations of, individuals in Canada come at an enormous financial and personal cost.  If one is suspected of serious wrong-doing, and sufficient evidence can be produced to demonstrate probable cause to a judge, then by all means, phone calls, Internet use, and other communications can be legally intercepted after a warrant is issued. 

Arguments that “those who have nothing to hide have nothing to fear” are clearly misguided.  Under this new legislation, anyone with a wireless access point setup at home or experiencing a malware infection could potentially find themselves languishing in jail.  Cops trolling through logs looking for anyone that might have done something wrong at some point could scoop them up in the broadest of nets. 

I suspect that ISPs are going to see a marked increase in the volume of encrypted traffic on their networks.