Protect privacy of subscribers, but don’t stick us with the bill, CWTA tells Ottawa

Privacy chiefs say current laws are just fine

OTTAWA – Canadian wireless carriers shouldn’t be stuck with the bill if new legislation or regulations require them to buy new equipment to intercept or collect subscriber communications or metadata, says an industry group.

As part of a public consultation on updating the country’s national security framework, the Canadian Wireless Telecommunications Association (CWTA), which lobbies for most of the country’s wireless carriers, wrote to Ottawa last week to say that giving police and intelligence agencies more timely access to basic subscriber information “must consider the impact on service providers and the privacy rights of Canadians.”

In addition, if the government demands that carriers buy more data interception and collection equipment for police and intelligence agencies, the government should pay the costs – both upfront and ongoing. 

“Service providers will maintain their unwavering commitments to public safety and the security of Canadians as well as protecting subscriber privacy,” reads the CWTA’s submission. “Service providers are concerned about the potential privacy impacts and significant costs they may incur to comply with public safety legislation requirements. We therefore reiterate that any legislative requirements for wireless service providers resulting from this consultation must guarantee, to the greatest extent possible, the privacy of subscriber information, and not impact the cost or competitiveness of wireless services.”

“CWTA also submits that new requirements under national security legislation must protect against, to the full extent possible, the possibility of unnecessary or unintentional access to private subscriber data. Specifically, interception capabilities, if required, must only be used in a manner that does not intrude on the privacy of Canadians whose communications are not a necessary part of an investigation. Similarly, interception capabilities must be accompanied by sufficient independent oversight on the use of interception by government, such as a requirement for judicial approval.”

If the government orders service providers to retain subscriber data for any period of time, the association adds, any potential benefits to law enforcement must be weighed against the costs to companies, increased vulnerability of the information of innocent users, and the countervailing requirement under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) to minimize collection and retention of personal information.

The CWTA is speaking for its members on this file. A Bell Canada spokesperson said it is on board with the CWTA and will not file its own submission.

ON TUESDAY, THE ASSOCIATION got some support from the country’s federal, provincial and territorial privacy commissioners, who said that police and intelligence agencies already have enough tools to fight crime.

If the federal government disagrees, the commissioners add, new regulations should be narrow, focus on serious crime only, and should be for the briefest period of time possible.

Organizations and residents have until December 15 to make submissions.

Public Safety Canada is looking at updating the country’s security framework, covering everything from lawful access to carrier data to getting better access to the encrypted data of criminals. The wind-up to the consultation comes as the U.K. has just enacted a new law forcing Internet providers to record every subscriber's top-level Web history in real time for up to a year, and forcing companies to decrypt data on demand.

Providers here worry that any new Canadian national security framework will demand that they, too, store customer metadata – from browsing histories to wireless location data – for lengthy periods of time, and that they will be ordered to buy expensive equipment allowing police to more easily tap into data feeds.

But on data retention, metadata and lawful access, the privacy commissioners are adamant: Unless the government can prove otherwise, existing laws and regulations are enough.

A federal discussion paper outlining possible issues to be considered suggests setting a minimum data retention period, preventing providers from deleting customer data in case police need to get a production order from a judge. But the privacy commissioners note that judges already have the power to order data held for at least 21 days and up to three months. “We have not seen evidence why these tools do not work,” say the privacy commissioners. “Introducing a broad retention requirement, not only impedes on human rights … it also increases the risks of breaches to that personal information. Retention requirements, if any, should be scoped narrowly, focusing on serious crime only, and should be for the briefest period of time possible.”

Similarly, the privacy czars write, a production order for "transmission data," transaction records and location tracking can be obtained from a judge on a standard of “reasonable grounds to suspect” a criminal offence.

“A modernized law adapted to new technologies must take into consideration the fact that metadata emitted by digital devices can reveal personal information whose sensitivity often exceeds that for which warrants have traditionally been required in the pre-digital world,” say the privacy commissioners. “It must also ensure that the state's modern investigative tools do not violate the privacy of law abiding citizens.”