by Nestor E. Arellano
Proponents of Bill C-30, otherwise known as the Protection Children from Internet Predators Act, say that it will merely bring Canada in line with other countries that have some form of lawful access and data preservation and retention legislation.
This is precisely why Canadians should be worried if Parliament decides to let the bill pass in its present form.
There is no shortage of research which indicates that implementation of an online surveillance regime in the European Union and the United States have been fraught with flaws, abuse and costs ultimately shouldered by Internet Service Providers tasked by government to essentially snoop on their customers.
More than 10 years ago the United Kingdom passed the Regulation of Investigatory Powers Act (RIPA) to extend law enforcement agencies’ access to communication systems to help police battle crime and terrorist-related activities. Under a voluntary code of practice, ISPs retain data such as content of email servers, email server logs, IP addresses, SMS messages and others from six to 12 months.
Reports from the Interception Commissioner, which provides a yearly assessment of interception of communication traffic, indicate that a growing number of “interception errors,” according to a paper written by Christopher Parsonsof the Political Science Department at the University of Victoria.
In 2007, there were 24 interception errors and breaches found which the Commissioner deemed to be “to high” according to Parsons.
In 2009, 36 interception errors and breaches attributed to the General Communications Headquarters, the Secret Service, Her Majesty’s Revenue and Customs, the Serious Organized Crime Agency, The Scottish Government, the Metropolitan Police Counter Terrorism Command and the National Technical Assistance Centre. During this year there were a total of 525,130 requests for communications data that resulted in 661 reported errors.
Furthermore, Parsons found that the requested data was not always used to deter crime. In the instance of one family subjected to excessive surveillance (21 acts in three weeks) data was requested to determine the family’s eligibility to send their children to a local school.
A report released by the U.K-based civil liberties group Big Brother Watch paints a troubling picture of how law enforcement agents handle data that passes through their hands.
The organization found that between 2007 and 2010:
- 243 police offices and staff received criminal convictions for breaching the country’s Data Protection Act (DPA)
- 98 police officers and staff were terminated for breaching DPA
- 904 police officers and staff were subjected to internal disciplinary procedures for breaching DPA
In one notable case, no less than 208 officers and staff received legal caution for viewing computer records related to a high profile crime. In another, a staff member was dismissed for discussing policing information on Facebook. Numerous others were found to have accessed criminal records and personal data for no obvious policing purposes.
In the United States, the problem is more significant, according to Parsons who says the country “suffers from endemic inappropriate surveillance.” He said the National Security Agency (NSA) reportedly runs a warrantless wiretapping system with the assistance of major telecom providers such as AT&T. A large amount of the surveillance conducted by state and federal agencies go unreported.
“Without reports, it is challenging to determine if access was appropriate or necessary,” he said.
Back in 1994, the U.S. enacted the Communications Assistance for Law Enforcement Act (CALEA) which imposed interception capabilities on telecom service providers. Today, The Defence Department continues to call for ISPs to retain data for two years. The department is also developing a system for monitoring Internet traffic and federal law enforcement is requesting the extension of CALEA to include other providers such as Facebook and Skype.
If we would like to have an idea of how much it might cost Canadian ISPs to retrofit existing networks to facilitate the “snoop and scoop” activities outlined in Bill C-30, we can look to the U.S. as well for an example.
In addition to data storage CALEA also required providers to make their systems “intercept ready”. Prior to CALEA enactment the industry estimated this would cost them between $3 and $5 billion, the FBI’s estimate was around $500 million to $1 billion. Since then industry has lowered its estimate to $1.3 billion, but Parsons notes that this figure did not include VoIP-based communications.
In Canada, small ISPs have repeatedly voiced concerns that compliance with to lawful access legislation will be a costly burden.
But it is not only the financial cost that businesses should be worried about. Requiring providers to render their systems “surveillance ready” will introduce security vulnerabilities to their systems.
Requiring companies to build a “backdoor” for law enforcement agencies to access their networks and accomplish a data dump creates a single “point of failure” which hackers can exploit, according to John Villasenor, professor of electronics engineering at the University of California.
It might be argued that a surveillance technology that cannot be penetrated by hackers can be securely built. If Bill C-30 is about trusting those in charge, I’m a bit worried. The current track record of government agencies both here and in the U.S. in protecting their own networks against breaches is not very encouraging.
In 2011, the Central Intelligence Agency’s own Web site was taken down by the hackers group LulzSec. The same group stole 180 passwords of members of an FBI affiliate.
That same, hackers believed to be based in China, launched a cyber attack on several Canadian government departmentsto steal classified information.
Yes, I agree we should look at other nations that have implemented their online surveillance laws. I think if we look closely we’ll probably find more reasons not to rush towards having one.