January 10, 2003
Proposed law sparks privacy concerns
The federal government is floating a trial balloon called the Lawful Access-Consultation Document, which, if passed into law, could dramatically change the very nature of the cyber-world.
Designed to fill in some of the gaps in the existing criminal code and deal with infrastructure modification, the law could require ISPs to "collect and retain" a wide variety of data about online activity.
The basic idea is to amend lawful access, a search and seizure tool used by law enforcement today, to cover "the rapidly evolving technologies…(that) can make it more difficult to gather information required to carry out effective investigations," according to the proposal.
One objective is to give investigators the ability to quickly preserve data sitting on an ISP’s servers. Today, ISPs can delete data as they see fit. For law enforcement to gain access to stored data, they require a search warrant or interception order. By the time they get it, the data could be gone.
"The preservation order is designed to be used very quickly," said Gareth Sansom, director of technology and analysis in the criminal law policy section of the Department of Justice in Ottawa. Though it would still require a judicial authorization, the threshold could be lowered to expedite the process.
But this does not mean police would have access to the stored information. They would still have to come back with a search warrant.
"It is an attempt to find a quick way of preserving information so it is not deleted," Sansom said.
Ray Albright, who, as a forensic investigator for KPMG in Toronto often needs access to ISP log files, likes the idea of the preservation model. But even though increased data preservation and retention could help him with his investigations, he says it is hardly a panacea.
"That only helps us in one aspect, you are still going to have to be able to put the guy at the keyboard at the end of the day," he explained. And in his experience, ISPs today, without federally forced compliance, are "more than co-operative" when asked for data.
But for many the bigger fear, and one which has got many of Canada’s privacy commissioners up in arms, is the slippery slope that is created if Canadians allow the government to increasingly monitor their cyber-activities in the name of crime prevention and national security. Some envision e-mail messages and online chats being copied and stored in case they are needed at a later date.
In the Lawful Access Proposal, this is referred to as data retention. Though Sansom is adamant that it is not on the table at the moment, the thought is enough to set off alarm bells. "I have heard those fears," he said.
But "nobody envisions the terabytes that would be required to…actually [copy and store] content," he said.
Ann Cavoukian, Ontario’s privacy commissioner, is not so sure.
"I really think that if these types of measures pass, what is going to be the difference between our society and a totalitarian state?" she said. "You have, bit by bit, an erosion of our privacy and our freedoms," she said. "It is so short sighted."
"What the hell are they going to do with all this information?" was Franks Work’s simple question. As the information privacy commissioner for Alberta he has some concerns, but his issues with the proposal are not just limited to privacy.
"I think it will destroy the Internet as we know it now, and I think the Internet offers us a huge amount of potential as a vehicle for creativity and change," he said.
"I don’t even think it will come close to solving what it is supposed to do and the cost (will) be huge," he said.
Cost is another big issue, and one which has the ISPs a bit worried.
ISPs would be required to provide "basic intercept capability before providing new services or a significantly upgraded service to the public." Though there is no "retro fit" for older equipment, Sansom said, there is the question of who will pay for the new technology.
"I know a lot of ISPs have said flat out that they will add a line item on customers’ bills so they know it’s the government’s fault," said Bob Carrick, president of CanadianISP.com, an ISP directory.
John Boufford, president of e-Privacy Management Systems, a consulting firm specializing in privacy and information technology in Lakefield, Ont., says ISPs should pay for the upgrades.
"Co-operating in law enforcement investigations is a social responsibility and shouldn’t be reimbursed," he said. His sense is that government funding would be money poured down the drain. But even he admits the buck would be passed. "Ultimately, I think the customer does pay."
Peter Hope-Tindall, chief privacy architect for Oakville, Ont.-based dataPrivacy Partners Ltd., says it doesn’t really matter whether the government or the ISP pays for the upgrade. "It is the citizen who is going to be paying either through taxes or increased service costs," he said.
Work has another worry. He sees increased costs being enough to force some ISPs out of business, leading to a few ISP juggernauts.
"That’ll be a treat," he said.
— With files from Network World Canada
©2003 ITworldcanada.com All rights reserved.