Canadian Internet service providers face the possibility of massive infrastructure upgrades under a government proposal that would make them store customer data and disclose it to police and intelligence agencies.
According to a 21-page discussion paper posted on the Department of Justice Canada’s Web site, the government may try to introduce a law next year that could require ISPs to keep all traffic logs for six months, while allowing authorities to more closely monitor suspected criminals. It also raises the notion of a national database of every Canadian with an Internet account. The government will take comments on the proposal until Nov. 15 at email@example.com.
In the discussion paper, the government insists that it will continue to maintain rights protected by the Canadian Charter of Rights and Freedoms, such as protection to individuals against self-incrimination. Legislation may be necessary, however, to help law enforcement officials conduct investigations properly in the 21st century.
“”These technologies can make it more difficult to gather the information required to carry out effective investigations,”” the paper says. “”While providers of certain wireless services, such as Personal Communications Services, have since 1996 been required to have facilities capable of lawful access pursuant to a licensing obligation under the Radiocommunications Act, there are currently no similar obligations for other providers.””
Bob Carrick, president of ISP help site Carrick Solutions Ltd. and the directory CanadianISP.com, said retaining records could create a breach of trust between ISPs and their customers.
“”That poses a really serious privacy issue,”” he said. “”If you’re storing every single user’s traffic for an extended period of time, that leads to some really powerful misuses. You could have anybody who works at that ISP see that data.””
Jay Thomson, president of the Canadian Association of Internet Providers, said the industry has been expecting some kind of legislative effort given Canada’s involvement in the Council of Europe’s Cybercrime Treaty. Like the United States, Canada is a non-voting member of the Council but has endorsed many of the treaty’s obligations.
“”They’re designed to ensure when ISPs and other telecommunications service providers come out with new services that the technical capabilities exist for police come in to do their wiretaps or whatever they may be,”” he said. “”If the industry’s willing to cooperate but doesn’t have the technical capability to do so, that puts the police in a bind.””
ISPs have largely maintained a cooperative relationship with law enforcement, Thomson added, particularly when the police ask for help in monitoring a customer suspected of running a child pornography site, for example.
“”We’ve always been of a mind that we’re willing to help out, as long as proper procedures are followed,”” he said. “”The big issues that arise here are with respect to what kind of cost implications will exist for ISPs.””
The Department of Justice proposal takes police rights a step further, however, said Yankee Group Canada analyst Mark Quigley.
“”Typically there hasn’t been a problem,”” he said. “”The notion here, though, is that it would be a little more pervasive — the ISPs wouldn’t necessarily have control over what was looked at or when, but it would be in the hands of the law enforcement agencies to monitor Internet traffic, Internet use, without discrimination.””
Thomson said the discussion paper does not make clear whether any law would apply to existing services or whether it would only kick in once an ISP introduces new services. There is also the question of compliance — how the regulations will deal with ISPs that don’t follow the law.
Carrick said the bigger question surrounds cost — whether upgrades necessary to comply with the law would be paid for immediately by the ISP or subsidized by the government. Right now, every ISP logs its customers’ IP address and the “”start”” and “”stop”” time of their Internet use in order to bill for the service. One ISP Carrick said he spoke to already stores 450MB of data per month on its 10,000 customers.
“”That’s just the start and stop time,”” he said. “”Their average customer has three to five gigabytes per month, which means they’d have to store three to five gigabytes per month, per customer (to keep records for six months). You times 5GB times 10,000 customers, and you’re looking at terabytes of information.””
Maintaining that information would probably require multiple servers plus server capacity to store all the data without slowing down the network itself, Carrick added.
As for a national database, Quigley said the idea was filled with risks.
“”Security systems fail all the time. There hasn’t been any one that hasn’t failed,”” he said. “”If you have a big database that collects that kind of information — to suggest that it’s only going to be available to law enforcement agencies is kind of ridiculous. There are people out there that are going to find access to it.””
Carrick said there are about 950 ISPs across Canada, 450 of which serve more than 1,000 customers.