Bill C-74, the Modernization of Investigative Techniques Act (never passed)
Bill C-74, the Modernization of Investigative Techniques Act
On November 15, 2005, the federal government introduced Bill C-74, the Modernization of Investigative Techniques Act (MITA), "an act to compel all telephone and Internet companies to create and maintain infrastructures that are intercept capable and to provide access to basic subscriber contact information such as a name, address or telephone number." Note that this bill does not introduce new Production Orders, Preservation Orders, or other Criminal Code amendments that are described below as part of the broader package of "Lawful Access" proposals on which the government has been consulting.
The sponsoring department, Public Safety Canada (PSC) provides background information on the bill on its website. In brief, the bill requires telecommunications service providers ("TSPs") to build into their new systems (not existing systems) intercept capability so that police can intercept communications without facing technical obstacles. Small TSPs have a three year grace period, and there are whole and partial exemptions for charities, educational institutions, libraries, community centres, restaurants, and hotels/condos/apts. The Minister can order a TSP to comply more quickly or broadly than otherwise required, in which case the Minister must compensate the TSP.
Bill C-74 also requires TSPs to respond to warrantless demands by designated law enforcement officials for "subscriber data" (name, address, tel#, email address, IP address). In this respect, the bill incorporates a number of safeguards, including many not present in the earlier proposals described below. In particular,
- all requests for subscriber data must be in writing;
- requests for subscriber data must be accompanied by at least one individual identifier (e.g., IP address), so as to prevent large-scale "fishing expeditions".
- no more than 5% of employees of a law enforcement agency (LEA) can be "designated officials" for purposes of requesting subscriber data (but police can get access where they can meet requirements of urgency, necessity and relevance);
- all requests must be related to a duty or function of the LEA;
- requesters must create a record of the request, identifying the duty/function for which request made, and explaining the relevance of the data gathered to that duty/function;
- subscriber data gathered can be used only for the purpose for which it was collected or for a consistent purpose;
- LEAs must conduct "regular" internal audits of subscriber data requests and record-keeping;
- LEAs must report to their Minister anything arising out of such audits that they think should be brought to the Minister's attention; and such reports must be copied on the Privacy Commissioner (in the case of the RCMP or Competition Commissioner), the Security Information Review Commission (SIRC) (in the case of CSIS), or the provincial agency in charge of privacy protection (in the case of provincial police forces)
- the federal Privacy Commissioner can audit the RCMP or Competition Commissioner on reasonable notice, and SIRC can audit CSIS, for the purpose of assessing compliance with this legislation.
CIPPIC has noted that "subscriber data" has significant privacy value insofar as it can personalize a great deal of very sensitive personal information that would otherwise be anonymous, and that it deserves to be protected against inappropriate and unnecessary access. In this respect, we note that the safeguards for warrantless access to subscriber data do not include:
- a mandatory external audit;
- mandatory reporting to the Minister and oversight agencies;
- a mechanism for public accountability (e.g., no reporting to Parliament; no publishing of reports)
"Lawful Access" refers to the lawful interception of communications as well as search and seizure of information by law enforcement agencies. In order to be lawful, such interception or searches must be authorized by law (usually by judicial order) and conducted in a manner consistent with the Canadian Charter of Rights and Freedoms.
In 2002, the Canadian government announced plans to modernize its criminal law and establish new rules regarding "lawful access" in light of the challenges posed by new technologies to law enforcement. These plans, which originated in the 1990s, became more important in light of 9/11 and the perceived heightened threat of terrorism. They are also, in part, Canada's domestic implementation of its obligations under the Council of Europe's Cybercrime Treaty, which Canada has signed but not yet ratified.
In 2002, the government consulted with stakeholder groups, including civil society, on its proposals. Over 300 submissions were received, many from individuals and organizations concerned about the potential impact of the proposed changes on privacy and civil liberties. The law enforcement community strongly supported the proposals and urged swift action.
Over the subsequent two years, the government developed and refined its proposals in light of input received. In the fall of 2004, the Minister of Public Safety announced that legislation to facilitate lawful access would be introduced shortly. In early 2005, government officials initiated targeted, closed consultations with stakeholders (including industry and civil society) on its revised proposals. The following is a summary of these proposals.
Scope of Proposals as of March 2005
The proposals are wide-ranging and cover many issues, from minor amendments to the Criminal Code (e.g., replace "telephone" with "telecommunications"), to major new powers for law enforcement. The following summary focuses on those proposals that we have identified as being of most concern to civil society.
Disclaimer: The following is based on information provided by the federal government in March 2005. Bill C-74 now covers issues of warrantless access to subscriber data and compelling intercept capability. Other proposals have yet to be introduced as legislation.
Currently, police must obtain judicial authorization in order to conduct searches or intercept communications. Under the proposals, this will remain the case, except in the following circumstances:
Access to Subscriber Data
Police, CSIS agents, and Competition Bureau agents would be empowered to obtain subscriber data (name, address, e-mail address, IP address) from telecommunications service providers (TSPs) upon mere request, without any judicial authorization or requirement for reasonable grounds to suspect wrongdoing. TSPs would be subject to a "gag order" regarding such requests (i.e., no disclosure of the content of the request, the information provided, or any other information regarding the provision of subscriber information to the police).
Under the federal PIPED Act, TSPs can refuse such requests unless accompanied by judicial authorization. This new law would remove such discretion from TSPs and force them to turn over subscriber names and addresses in response to specific requests by police.
- Requests must be specific to individual users (i.e., must provide name or address in order to get information), so as to avoid large scale fishing expeditions.
- Records must be kept regarding all requests. Such records must contain the purpose of the request, the relevant law and specific file, investigation or duty under which the request was made, and the name of the person making the request. Such records must be retained and made available for audit and oversight purposes.
- Existing oversight bodies would remain in place to deal with complaints of abuse (e.g., Privacy Commissioner, courts, Commission for public complaints against the RCMP, Security Intelligence Review Committee)
Interim Preservation Order:
In order to preserve data while an application for a 90 day preservation order is being made, police may order a TSP (or other party) to preserve evidence for 15 days. Unlike the 90 day preservation orders, these interim orders do not require judicial authorization. They do, however, require "reasonable grounds to suspect that a person has possession or control of documents or data that will assist in the investigation of an offence..."
- The officer must give written notice to the TSP, who may object or make other representations regarding the terms of the preservation order.
- No disclosure of information to police; merely a "do not delete" order.
Production of transmission data in context of Preservation Order
Police may order the TSP (or other person) to disclose transmission data necessary to identify TSPs who transmitted the data covered by the preservation order and the transmission route.
New tools for searching (requiring judicial authorization)
The Criminal Code currently provides for general Production Orders on a "reasonable grounds to believe" threshold, and for Production Orders for financial or commercial information (e.g., bank account information) on a "reasonable grounds to suspect" threshold. It is proposed that two new Production Orders be added, both on a "reasonable grounds to suspect" threshold:
- Tracking data: information that could assist in locating a person (e.g., debit card usage; cell phone usage)
- Transmission data: data relating to telecommunications dialling, routing, addressing or signalling that identifies the origin, type, direction, date, time, duration, size, destination or termination of a telecommunication
In each case, a judge may order any person to produce tracking information or transmission data, or to prepare a document containing such information.
- Judicial authorization under a "reasonable grounds to suspect" threshold
- "Transmission data" is limited to the explicitly listed types of data, and does not include message content
- A Production Order for tracking data must require that only tracking data be provided
Existing provisions for tracking warrants would be expanded to include items that a person carries that may either be activated or monitored to determine the person's location (e.g., GPS chip in mobile phone; debit/credit card transactions)
- Judicial authorization under a "reasonable grounds to suspect" threshold
Preservation Orders are designed to permit the immediate and temporary safeguarding of volatile evidence while a search warrant or production order is being sought. In addition to the 15 day order described above, these could be obtained by police on application to a judge, for up to 90 days. They apply to "any documents or data" and are in the nature of "do not delete" orders. They do not involve the disclosure of data to police except in the circumstance described above of traffic data necessary for tracing communications.
- Judicial authorization under a "reasonable grounds to suspect" threshold
- 90 day maximum
- No disclosure to police - Production Order required for disclosure (exception for traffic data?)
- Process for TSP to object/request terms
This proposal would permit judges issuing a regular search or interception warrant/order (under a "reasonable grounds to believe" threshold) to make other, lower threshold, orders such as Preservation orders or Production orders as part of the original warrant/order.
(NB: All Criminal Code offences require intent on the part of the accused)
s.342.2: Possession of Hacking tools to commit an offence: extend existing provision to cover importing, obtaining for use, and making available, and to link to mischief (430) as well as 342.1 offences. This would clearly criminalize the possession of a virus for the purpose of mischief.
s.191: Possession of Interception Devices: either repeal this section or refine to allow for lawful excuse or justification as in s.342.2
s.372: False Messages: extend to cover all means of communication, not just telephone, radio, etc.
Compelling Interception Capability
A major aspect of the lawful access proposals is the requirement for TSPs to provide interception capability for law enforcement purposes. In order not to impose undue burden on the industry, TSPs would only be required to maintain existing intercept capabilities, and to build in intercept capability as they make upgrades to their networks. Exemptions and partial exemptions would apply to small TSPs (under 100,000 subscribers), mere backbone providers, TSPs who provide telecom services ancillary to their functions as educational institutions, libraries, hotels, etc., and TSPs who provide telecom services principally to themselves and not to the public.
Unless exempted, TSPs would be required to:
- Remove any encoding, compression, encryption or other treatment of intercepted information that the TSP applies or that the TSP already has the ability to remove;
- Provide information in their possession regarding the location of equipment that is subject to an interception;
- Protect the confidentiality of intercepted information and the security of facilities used for interception;
- Have the capability to isolate information authorized for interception from other information, and to provide the authorized information to authorized individuals;
- Submit a report within 6 months of the proposals coming into effect, as to the TSP's capability to meet the specified requirements; and
- Provide information upon request to law enforcement officials relating to their telecom facilities and services, either generally or specific to a named person.
Penalties for non-compliance include fines of up to $500,000 and imprisonment of up to five years.
Civil Society Concerns
Many concerns have been raised by civil society about these proposals. Such concerns include (but are not limited to):
The government has still not provided clear evidence justifying the need for these additional powers. Without such justification, we should not be eroding civil liberties.
There is inadequate oversight of law enforcement use of these powers, so as to prevent and punish abuse. If police are given additional powers, oversight bodies must be created and/or better empowered to keep such powers in check. Current oversight mechanisms are inadequate for this purpose and need to be supplemented.
No police searches of any sort should be permitted without judicial authorization.
Access to Subscriber Data without warrant
Police should not be able to access subscriber name and address merely upon request, without any kind of justification, let alone judicial authorization.
While name and address (geographic, email, IP or SMTP) may seem on their face to attract a lower expectation of privacy than other information, that is not true in many cases. Name and address are keys to all sorts of personal information (much of it available by simple Internet searches) that is highly sensitive - financial information in public records, information about websites one visits on the Internet and communications with others online. Many people use pseudonyms on the Internet in order to engage in anonymous communications without fear of embarrassment or retribution. They have a high expectation of privacy in relation to their Internet identities, and reasonably so. Unmasking their identities without any kind of judicial authorization or even requirement for reasonable cause to suspect criminal behaviour is not consistent with the values of a free and democratic society - in particular, freedom of expression.
Judicial authorization should be required for all types of searches and interceptions. If it is not required in certain circumstances, then police should at least be held to a standard of "reasonable grounds to suspect", and subject to effective ex post facto oversight, so as to limit the potential for abuse of these powers (e.g., by engaging in fishing expeditions).
In emergency situations, police can simply ask the ISP to contact the individual; they do not need to access the data themselves.
Compelling Interception Capability
The Lawful Access proposals would effectively cause a reconstruction of network architecture, from one that currently supports a degree of anonymity to one that facilitates surveillance and identification. This will be true generally, not just for law enforcement. Under the new architecture, individual telecommunications users would be much more easily identified and pursued for purposes that may be legitimate or illegitimate.
The same challenges that new technologies pose for law enforcement constitute cherished freedoms and opportunities for individuals to engage in democratic speech. We should not replace the current architecture of freedom with one of surveillance without carefully assessing the trade-off and making an informed, democratic decision.
Moreover, the costs of such reconstruction are not insignificant and will ultimately be borne by consumers of telecommunications services (if not taxpayers).
The benefits in terms of effective law enforcement are questionable, given that criminals will logically migrate to small TSPs who are largely exempt from the requirements. Before downloading responsibility for law enforcement on private actors, the government should provide clear and compelling evidence that the benefits of such a reconstruction are worth the cost - in terms of both dollars and freedom from surveillance.
If you have concerns about the Canadian government's Lawful Access proposals, contact your M.P. and let him or her know. Sign the Petition. Watch for more information on Online Rights, or sign up for email updates at Online Rights.
This page last updated: June 2, 2007
Webpage URL: http://www.cippic.ca/documents/lawful-access/
The Act requires service providers to supply basic subscriber information to law enforcement agencies and CSIS on request. Subscriber information includes name, address, telephone number, e-mail address, Internet Protocol (IP) address, service provider information, and mobile phone identifiers. The Act requires that service providers release this information upon request, without judicial authorization. An administrative regime will be created in order to keep track of subscriber information requests.
CIPPIC maintains that allowing access to such information without the need for first seeking prior judicial authorization is a violation of Canadian's privacy rights. Subscriber information provides the link between one's real and one's ?virtual' identities. Anonymous communication on the Internet is a vital means to free democratic expression. Any police action that threatens to undermine or reveal the origins of communication ought to only be allowed given judicial authorization. CIPPIC agrees that law enforcement agencies will have legitimate interest in obtaining this information, but maintains that, much as is the case with their need to intercept private communications, they must nonetheless first prove this need to judicial authorities via application for a warrant.