The news that Canada’s police chiefs are advocating for federal laws that would compel individuals to provide electronic passwords with a judge’s consent isn’t sitting well with some members of Canada’s IT community.
Earlier this week at its annual conference in Ottawa, the Canadian Association of Chiefs of Police (CACP) passed a resolution that formally requests legal measures to lawfully unlock digital evidence, citing the rise of cybercriminals who are using encryption tools to hide illicit activities as the impetus.
During a news conference on Tuesday, RCMP Assistant Commissioner Joe Oliver noted that at present under Canadian law, police cannot compel individuals to comply with a request to provide a password during an investigation. Law enforcement needs to keep pace with modern criminals who are effectively “going dark” by operating in cyberspace with tools that mask their identities, said Oliver.
“The victims in the digital space are real,” said Oliver, adding that Canada’s law and policing capabilities aren’t keeping pace with the evolution of technology.
But according to Jacob Ginsberg, senior director for Toronto-based email encryption software firm Echoworx, such a move would be an “unconscionable” one.
“While we don’t blame CACP for wanting tools to make their jobs easier, a law of this kind would criminalize privacy, and it would be unconscionable for a democratic society to draft a law whereby denying a request from police to go through your things, digital or otherwise, would be illegal,” he said in an email.
The association represents in excess of 90 per cent of the police community in Canada, which includes federal (RCMP), First Nations, provincial, regional and municipal, transportation and military police leaders. The CACP theme for its 111th conference was “public safety in a digital age” and police chiefs such as Ottawa Police Chief Charles Bordeleau noted in a statement the event was intended as an “opportunity to share, learn and work together on a way forward that helps us fuse traditional policing with modern day cyber activity.”
“Police services across the world are facing new challenges and threats related to technological developments and the criminal innovation that has ensued,” Bordeleau said.
In 2014, the rights of online users were upheld in a Supreme Court of Canada ruling that Internet service providers cannot deliver user names and addresses to law enforcement without a warrant. At the time, the Supreme Court didn’t agree with the concept of users having “no reasonable expectation of privacy” for the data obtained by police.
According to police, service-oriented enterprises such as financial firms and telecommunication companies currently require court approval for nearly all types of requests from authorities for basic identifying information.
The CACP also cited a recent Osterman Research report that revealed that 44 of 125 Canadian companies interviewed suffered a ransomware attack in the past 12 months — and that 33 of the victims paid a ransom of between $1,000 and $50,000 in order to regain stolen data.
But the issue of handing over passwords — even with a court order — will be controversial, predicts Ray Boisvert, CEO of I-Sec Integrated Strategies and former deputy director of intelligence at the Canadian Security Intelligence Service (CSIS).
In an interview with IT World Canada, he said he understands the view of those worried about privacy. However, he also understands the position of police, who have legitimate obligations to investigate crime.
In the non-digital world, he noted, search warrants already allow police to seize and go through paper documents looking for specific information spelled out in the warrant. Sometimes, he added, the warrant can be quite broad.
“On the face of it, this seems like it’s clearly unconstitutional,” David Christopher of Internet advocacy group OpenMedia told CBC News, adding the CACP request represents a “wildly disproportionate” response considering the individual privacy risks involved.
Added Echoworx’s Ginsberg: “Policy makers and courts across the globe are still adjusting to crime in the digital age, but having the power to access a person’s whole digital life, especially during the course of an investigation where it’s not established that wrongdoing has taken place, should not make you a criminal.”
— with files from Howard Solomon