The Canadian government introduced long-awaited legislation Tuesday that will force ISPs to hand over subscriber records and other data to police during investigations, potentially creating costs that an industry associations hopes will be paid for by the criminals themselves.
Under the Modernization of Investigative Techniques Act (MITA), which was tabled by Deputy Prime Minister Anne McClellan in the House of Commons, all telephone and Internet service providers (ISPs) will require an “interception capability” which can assist law enforcement officials. RCMP, police and CSIS can also demand subscriber names, addresses, telephone numbers and IP addresses. These requests will all be recorded and potentially subject to audit or review, officials said, and court authorizations will still be required to intercept an ISP’s customers. Justice Canada, in partnership with Industry Canada, first floated the idea of MITA in 2002 under a proposal called Lawful Access.
Police have been asking for legislation that will bring up to date Criminal Code provisions for wiretaps that were written in 1974 and fail to take into account technologies such as e-mail, instant messaging and the Internet. ISPs, who say they generally co-operate with requests from law enforcement officials already, have objected to the potential capital expense in upgrading their networks or providing the ongoing administration services that may be necessary to comply with MITA.
According to the MITA backgrounder provided by Public Safety and Emergency Preparedness Canada, ISPs will have a year’s grace period to comply with the legislation once it is passed. Small ISPs with less than 100,000 subscribers will have a three-year grace period, and in some cases may only be required to provide a physical connection point to law enforcement officials.
“Cabinet will be able to provide exemptions from interception requirements where the costs would have an unreasonable adverse effect on the business of the service providers. In deciding whether to grant such exemptions, Cabinet will also consider, among other factors, the impact that an exemption would have on law enforcement or national security,” the backgrounder said.
Tom Copeland, president of the Canadian Association of Internet Providers (CAIP), said the finer points about who pays for the costs of MITA compliance probably won’t be worked out until the legislation has worked through its first or second reading.
“There’s been this question of how was would this whole regime be funded. The last pitch we made – and we had support from the chiefs of police on this one – was that proceeds of crime be considered for this,” he said, adding that other proposals have included a surcharge on customer bills similar to that which helps pay for the costs of 911 services. “That meant users were footing the bill, not criminals. We’re hoping that Justice will see the logic in it. They have not really indicated they like the idea, nor have they said they don’t like it.”
The capital costs are not insignificant, Copeland added. While large ISPs such as Bell Canada and Telus may buy the latest networking equipment, smaller firms often purchase on the secondary market. A switch that’s two to five years old may meet their business needs but not the requirements of MITA. From an administrative perspective, responding to hundreds of police requests could mean ISPs would need to hire a person dedicated to getting them the information they demand.
“You need to recoup that because it acts as a threshold to system being overburdened,” he said. “What we don’t want, of course, is just fishing expeditions by law enforcement. If there’s a very real cost to the service, they have to budget and do this in a businesslike manner.”
The government went through at least two rounds of consultation with industry on the Lawful Access proposal. One of the initial responses came from the Canadian Information Processing Society (CIPS), which suggested the appointment of a senior cabinet minister to represent citizen’s interests. John Boufford, CIPS’s vice-president, said it could be difficult to protect privacy rights if there isn’t a way for an individual to know if their communications are being intercepted, especially if an investigation takes place over several years.
“In terms of accountability, it hinges on an oversight mechanism,” he said. “I am talking about a watchdog of sorts, whether it’s called an ombudsman or a parliamentary committee which they have for intelligence activities.”
Copeland said ISPs recognize that law enforcement needs eyes and ears into the network, but he described the lengthy process of creating MITA as a “hurry up and wait” scenario.
“What has frustrated us at times has been that justice has pushed ahead with language and drafts before the industry felt that we’d come to any sort of consensus. In the last six months we have been paying more attention to what industry’s concerns are. That will eventually work its way through the system, no doubt.”
In an e-mail letter to its members, the Canadian Advanced Technology Alliance said, asking larger firms to absorb the cost of MITA compliance goes against the feedback it has given the government.
“(This) may cause network expansion and product development/rollout to be deferred or deterred. It will also obviously shave profit margins even further, diminishing profitability and potentially leading to subscriber rate increases,” the letter said.
In an earlier interview with ITBusiness.ca, IDC Canada analyst Lawrence Surtees said funding strategies could spark contention across the ISP community.
“The cost issue is a huge one, and it’s an issue of disparity,” he said. “I think there’s an issue of equity to the extent that some carriers might perceive they’re being treated differently.”
PSEPC said MITA will likely not apply to service providers whose customers include a school, church, retirement home, registered charity or research network.