Carriers shouldn’t be forced to hold customer data
OTTAWA – Communications service providers shouldn’t be forced to hold onto subscriber metadata for police access for lengthy periods of time, Rogers Communications has told the federal government.
The company made that submission last week to Public Safety Canada’s public consultation on creating a new national security framework, which is looking at a number of issues sensitive to police including mandatory rules for data retention and installing interception gear to help investigations, help with unscrambling encrypted communications and giving police more power to access basic subscriber information.
Also meeting the December 15th deadline for submissions were the Canadian Network Operators Consortium (CNOC), which represents 35 independent Internet service providers, and the Information Technology Association of Canada (ITAC), which lobbies for many of the countries biggest information and communications providers including Rogers, Bell and Telus.
Briefly, their positions are similar: Police don’t need new powers, and any new equipment Ottawa forces providers to buy should be paid by the federal government or police forces. This is something the Canadian Wireless Telecommunications Association also told the government as we previously reported.
While the public consultation is over it could be some time before the government sets policies, and even then more discussion is likely to follow before legislation is introduced, although the country’s police chiefs have called for urgent action. For this process Public Safety Canada issued a Green Paper to help the public get background on the issues. Usually a government will put out a White Paper with specific recommendations for another round of public input before setting policy. And even after legislation is passed there may be additional cabinet input that must be set before laws come into effect.
In its submission Rogers noted that storage and retrieval of records takes time and resources. “Under any new legal framework that requirement that will include data retention provisions, communications provides should only be required to retain data to the same extent that they retain it in the normal course of operating their business,” it says – and, it notes, for most information commonly requested by police Rogers holds for no longer than 13 months.
If there is a data retention obligation, Rogers adds, all of the costs should be paid for either by police or Public Safety Canada.
On the government forcing all communications service providers to install interception equipment, Rogers notes as a wireless provider it already has done that as part of regulations. Whether that requirement should be law depends on the wording of the legislation, and Rogers notes so far there are no firm proposed requirements. But, it adds, any new wireless services shouldn’t be constrained by “a new and inflexible lawful interception regime.”
“There is no evidence to date substantiating the need for increased access to BSI without a court order.” – Rogers Communications
“It is vitally important that any new lawful interception framework not be allowed to become a bottleneck on innovation.”
As for easier access to basic subscriber information (BSI), which some police departments say is being slowed by having to get court orders, Rogers says “there is no evidence to date substantiating the need for increased access to BSI without a court order.”
In its submission ITAC said Ottawa should work with service providers and police to improve technical obstacles to getting court approval for quick access to basic subscriber information rather than give police more power to get the data. The association also said if the government orders service providers to add intercept capabilities for police to their networks Ottawa should justify the costs – for equipment as well as privacy.
ITAC represents 36,000 information and communications firms across the country.
In its brief, CNOC said it is “particularly concerned about the impact that the costs of some of the suggestions in the Green Paper” – particularly adding interception equipment – “could have on competitive telecommunications service providers, and urges the government to carefully consider the impact on competition, as well as the affordability of the Internet, that some measures may have.”
While a few CNOC members, such as Teksavvy Solutions of Chatham, Ont., and Distributel of Montreal are larger, the brief notes that some have fewer than five employees.
If ordered to install intercept gear, competitive providers may find it has to pass on the cost to customers, the brief says. Even if that was possible the price increase would reduce revenue and affect the affordability of Internet access. Many Canadians already can’t afford to be on the Internet, it adds. So any costs of beefing up national security should be borne by the government.
“In CNOC’s opinion, the current system is working well to protect Canadians.”
As for increased police access, “in CNOC’s opinion, the current system is working well to protect Canadians, while avoiding placing burdensome costs on TSPs and balancing the privacy interests of the end-users of telecommunications services.”
Ottawa has been seeking public submissions on a wide range of national security issues including changing the criminal code and the way police can conduct electronic surveillance and gather evidence of criminal wrong-doing.
Of most importance to the ICT industry are issues around whether telecom service providers should have to keep subscriber data for a set period of time, whether those providers which don’t already have communications interception equipment for police should have to buy it, and whether companies that make encryption solutions should have to add a so-called backdoor so law enforcement agencies can get at scrambled data.
If the federal government wants to give law enforcement more digital surveillance powers it should “ build a consensus across Canadian society on the right balance between security and privacy as well as the appropriate transparency and oversight mechanisms governing the exercise of state power,” ITAC says.
“Surveillance capabilities or backdoor requirements may also undermine Canada’s innovation economy.” – ITAC
Because Canadians will only use technology they trust, requiring surveillance capabilities or backdoors to support law enforcement could undermine products used by residents every day, says the association, putting their privacy and security at risk. “Surveillance capabilities or backdoor requirements may also undermine Canada’s innovation economy,” the brief adds.
A government discussion paper issued in September said law enforcement and national security agencies have had difficulty getting “timely and effective access” to basic subscriber information since the Supreme Court said police have to get a court order rather than merely request the information from a provider.
Some police departments have been accused of wanting to speed things up by doing away with court approval, but ITAC suggests there’s nothing wrong with the system now that won’t benefit from tweaking. That would include a standardized court order form for use across all police services, clear and narrowly defined terms for the information sought, and clear rules designed to avoid police “fishing expeditions” that could contravene judicial requirements and privacy laws.
ITAC also warns the government to make sure police can’t expand the definition of basic subscriber information to go beyond a suspect’s name, address and Internet protocol (IP) address to include things like social network or email account details.
“If any expansion in intercept powers is pursued, the government needs to ensure they do not inadvertently discourage innovation and undermine Canada’s reputation as a trustworthy technology jurisdiction,” ITAC emphasizes.
As for forcing service providers to keep subscriber metadata for a period of time, that “would be a significant departure from existing practices and would raise serious questions about Canadian’s privacy rights. Additionally, the costs of mass data retention would be significant.”
“It really does seem like revisiting the lawful access debate we had with bill C-30… and certainly some people have been disappointed that this government hasn’t immediately rolled back Bill C-51,” – David Fraser, McInnes Cooper
The issues raised in the government’s discussion paper are controversial and Ottawa extended the deadline for submissions to December 15th, but even before the public consultation started RCMP Commissioner Bob Paulson was quoted as saying police want access to certain service provider subscriber data without a court order. The Harper government tried to give police that in Bill C-30 before public opinion forced it to abandon the legislation.
The background paper Public Safety Canada issued in September to kick off this round of public consultations drew some attention. “It really does seem like revisiting the lawful access debate we had with bill C-30 under (former Public Safety minister) Vic Toews, and certainly some people have been disappointed that this government hasn’t immediately rolled back Bill C-51 (the 2015 Anti-Terrorism Act),” says Halifax privacy lawyer David Fraser of the firm McInnes Cooper. “Others have seen in the backgrounder the hand of bureaucrats in Public Safety and the Canadian Association of Chiefs of Police.”
He agrees with the privacy commissioners’ brief that so far the government hasn’t justified additional powers needed by police.
“In a number of cases more than anything service providers need clarity in what they need to provide (to police) and under what terms,” telecom industry analyst Mark Goldberg said in an interview after the consultation started. Otherwise providers will worry about being sued. “If the law is clear a service provider must provide certain information under certain conditions and the law enforcement agencies meet those conditions then I think the service providers are comfortable with whatever those requirements are and would then have the expectation that having complied with those requirements they will be safeguarded from follow up from subscribers.”
