Lawful Access is Dead; Long Live Lawful Intercept!

Lawful access was a contentious issue on the Canadian agenda when it was initially introduced by the Martin government, and has become even more disputed as subsequent governments have introduced their own iterations of the Liberal legislation. Last year the current majority government introduced Bill C-30, the Protecting Children from Internet Predators Act. In the face of public outcry the government sent the bill to committee prior to a vote on second reading, and most recently declared the bill dead.

Last year I began research concerning alternate means of instituting lawful access powers in Canada. Specifically, I explored whether a ‘backdoor’ had been found to advance various lawful access powers: was Industry Canada, through the 700MHz spectrum consultation, and Public Safety, through its changes to how communications are intercepted, effectively establishing the necessary conditions for lawful access by compliance fiat?

In this post I try to work through aspects of this question. I begin by briefly unpacking some key elements of Bill C-30 and then proceed to give an overview of the spectrum consultation. This overview will touch on proposed changes to lawful intercept standards. I then suggest how changes to the intercept standards could affect Canadians, as well as (re)iterate the importance of publicly discussing expansions to lawful access and intercept powers instead of expanding these powers through regulatory and compliance backdoors.

Lawful Access 101

Lawful access laws are associated with three kinds of access powers: search and seizure provisions, interception of private communications powers, and production of subscriber data. Bill C-30 would have modified the existing criminal code to accommodate several of these powers. Below are some of the ways that these surveillance capabilities could have been expanded under the tabled legislation.

Telecommunications Service Providers (TSPs) would have been required to decrypt any communications that they were responsible for encrypting. This meant that while your TSP – such as Rogers, Facebook, or email provider – could have made your communications generally secure they could not have secured them from the government. In effect, the legislation would have established pseudoencyption, whereby you could have protected yourself from a similarly positioned agent in the network but not the state actor governing the network. For more on the significance of the previously proposed decryption requirements, see “Understanding the Lawful Access Requirement.” TSPs would have been forced to provide subscriber information to authorities when compelled to do so. Specifically, authorities would have received subscribers’ names, addresses, telephone numbers, e-mail addresses, and SPIN numbers along with IP addresses. It was unclear what information, specifically, authorities would have provided to uniquely identify subscribers to TSPs. I wrote more on this topic in a previous post. TSPs would have had to possess data preservation facilities. Authorities could serve a preservation demand if they had reason to suspect that a crime had been, or would have been, committed in Canada. If preserved because of a possible Canadian Criminal Code infraction then the TSP would have had to retain data for 21 days; if preserved to assist with resolving foreign offences data could have been retained for 90 days. Officers could establish conditions around the preservation – such as preventing the TSP from disclosing that it had received a preservation demand – and could revoke such conditions at any time. For a discussion of preservation requirements and costs, see “Unpacking the Potential Costs of Bill C-30.” TSPs would have been forced to maintain capacities to provide intercept services and deliver subscriber information to authorities as new technologies were deployed and products offered to subscribers. TSPs would have had to develop systems capable of covertly activating location technologies carried by their subscribers, or to which their subscribers were regularly proximate. This meant that, when served with a warrant, TSPs could have been forced to activate mobile phones’ or motor vehicles’ GPS functionality and make data available to authorities.

When the most recent lawful access legislation was introduced in 2012 there was significant public outcry. Organizations such as CIPPIC, Open Media, the BCCLA, BC FIPA, CCLA, CCPA, and EFF unpacked some of the civil rights concerns associated with the legislation. Academics, such as myself and Michael Geist, spoke in various forums and Canada’s privacy commissioners actively sought to educate people about the legislation’s potentials. Further, privacy professionals such as David Fraser played important roles in outlining legislative consequences and in suggesting how to defray the worst facets of the legislation.

In formal political spaces, the Canadian government struggled to explain the legislation – and the need for all of its elements – to the public. In the face of public dispute over the legislation’s need the government sent the legislation to Committee before Second Reading. The Canadian Association of Chiefs of Police strongly supported the government, as did individual police chiefs from around the country. This extended to calls for examples of where the legislation would have helped to resolve criminal cases; to date, though, few substantive examples were found.

Most recently, the politics surrounding C-30 led to the death of the bill, though aspects of it have already crept into other pieces of federal legislation. While Canadians and advocates have arguably been successful in repelling lawful access (again), it’s important to recognize that some facets of the legislation were migrated outside of the Parliament many months ago. The death of C-30 does not mean that non-Parliamentary processes will similarly be killed. Specifically, facets of the lawful access legislation have been advanced by Industry Canada during the Department’s 700MHz consultation under the guise of modernizing lawful intercept capabilities.

The 700MHz Spectrum Consultation

Industry Canada announced the Consultation on a Licensing Framework for Mobile Broadband Services (MBS) – 700Mhz Band on April 25, 2012. The Department’s consultation document “seeks comments related to the licensing process, auction format and conditions of licence applicable to the 700 MHz band.” Industry Canada, not the Canadian Radio-television Communications Commission (CRTC), is responsible for spectrum management in Canada and is thus responsible for licensing wireless spectrum. Such licenses are meant to maximize the economic and social benefit that Canadians derive from the use of radio spectrum.

The consultation has asked participants to provide comments on a variety of issues. What I focus on are the proposals revolving around ‘lawful intercept’ conditions of licensing Canadian radio spectrum. These conditions are addressed in paragraphs 107 – 110 (.pdf).

Currently, licensees of Canadian radio spectrum must comply with the Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications. However, compliance is nuanced, insofar as only circuit-based communications fall under the purview of the Enforcement Standards. Industry Canada wrote that they are

… proposing changes to the lawful intercept condition of licence in order to bring the wording in line with current technologies. The proposed change is to remove the text “circuit-switched voice telephony” from the lawful intercept condition, as networks are no longer limited to circuit-switched technology. This proposed change does not affect existing spectrum licences issued under other licensing processes. Forbearance may be granted where Industry Canada deems it warranted. 109. The condition of licence refers to standards for lawful interception, entitled the Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications . Public Safety Canada is currently responsible for these standards, which were last revised in 1995. Public Safety Canada has informed Industry Canada that it is proposing modifications to the standards. Industry Canada is proposing to simply refer to the requirement to provide for and maintain lawful interception capabilities, in accordance with the enforcement standards in effect at the time of licence issue and as amended from time to time.

More specifically, Industry Canada has proposed the following rewording (emphasis added):

A licensee operating as a service provider using an interconnected radio-based transmission facility for compensation must provide for and maintain lawful interception capabilities as authorized by law and in accordance with the Solicitor General’s Enforcement Standards for Lawful Interception of Telecommunications, as amended from time to time. The licensee may request the Minister of Industry to forbear from enforcing certain assistance capability requirements for a limited period. The Minister, following consultation with Public Safety Canada, may exercise the power to forbear from enforcing a requirement or requirements where, in the opinion of the Minister, the requirement is not reasonably achievable. Requests for forbearance must include specific details and dates indicating when compliance to the requirement can be expected.

Canada’s Internet Service Providers (ISPs) have been highly critical of the proposed changes. Almost all ISPs who are involved in the consultation, to the exclusion of Mobilicity and SSi, raised concerns about the proposed changes. As stated by the Canadian Wireless Telecommunications Association (CWTA) (.pdf link), replacing “circuit switched telephony systems” with “interconnected radio-based transmission facility for compensation” “opens up several additional services to interception requirements, including Internet services, and cable and broadcasting services.” CWTA’s position is supported by Bell Mobility, who writes (.pdf link) “Industry Canada is opening up additional services to interception requirements including, but not limited to, Internet and broadcasting services” and MTS Allstream, which writes (.pdf link) “[r]eplacing “circuit-switched voice telephony systems” with “interconnected radio-based transmission facility for compensation” would substantially broaden the scope of the lawful intercept requirements by potentially extending them to applications that are based solely on the public Internet and are beyond a licensee’s control” (emphasis added).

Carriers also raised worries that Industry Canada is overstepping it’s bounds. Bell Mobility wrote “that changes, such as those contemplated in the revised [condition of license] COL, would be more appropriately enacted through federal legislation or, as stated in the Notice, through the pending revision to the Solicitor General’s standards that Public Safety Canada is proposing.” On this topic, Bell Mobility and Rogers Communications both explicitly warned that the new Enforcement Standards must be developed with industry and should be based on industry standards. Further, the CWTA wrote that

there has been no enabling legislation passed by Parliament that would require such services be intercepted, and submits that it is inappropriate for the Department to impose such requirements via a COL –particularly at a time when the Government is engaged in a legislative process covering the lawful access issue at a broader level. The COL should reflect the legislative requirements that exist at the time the licences are issued, and not be crafted in anticipation of legislative requirements that may or may not be in force at some point in the future.

Other carriers, such as Eastlink, Wind, MTS Allstream, Quebecor, Rogers, TBayTel, and TELUS shared sentiments similar to Bell’s and the CWTA’s. The CWTA’s comments are especially poignant in light of the government’s retreat from Bill C-30: lawful access has been largely dropped, but this has not corresponded with statements from Industry Canada or Public Safety indicating that either Department is stepping away from modernizing lawful interception requirements.

What’s the Significant in Changing the Language?

Replacing the “circuit-switched voice telephony” clause is significant because it expands what kinds of communications can be intercepted. Currently, the circuit-based clause restricts the kind(s) of data that can be subject to wiretap; intercept requirements are often restricted to telephone calls (circuit-based or VoIP), SMS and MMS messages, and faxes. Packet-based communications, thus, largely fall outside of the scope of prior spectrum licenses. Over the past five years there has been a significant shift from texting and voice-based communications to data-driven communications systems intended to compete with, or supplement, traditional means of cellular communication. The proposed changes to the standards are meant to account for this shift in where Canadians are communicating.

However, there are significant implications for the providers of telecommunications services and Canadians alike. Presently, telecommunications service providers comply with a well defined series of conditions to meet government lawful intercept requirements. This includes locational requirements, intercept requirements, quantities of potential surveillance targets, and so forth. The shift towards radio-based communications will require mobile communications services to be capable of capturing a considerably wide breadth of communications. Data flowing from USB HSPA+ modems would be subject to lawful intercept, as would data linked to tethered mobile phones, as would email, text messages, an other communications emitted directly from mobile devices. In essence, the government wants carriers to be capable of preserving any data that is received by, or transmitted from, wireless devices that use licensed spectrum.

While the 700MHz auction is designed for LTE-based communications, when Industry Canada’s representatives were asked about the proposed changes a spokesperson stated (registration required) that “In the future, the Department may consider proposing similar wording changes to the Lawful Intercept condition for licences in other bands.” So, changes to include all radio-based communications, including wireless broadband communications, may apply to all wireless communications services sold by Telecommunications Service Providers in Canada.

In aggregate, the proposed change in language would most clearly affect ISPs’ requirements to:

Possess data preservation facilities: pursuant to Bill C-30, changes to what kinds of communications have to be susceptible to lawful intercept capabilities will, in turn, place preservation requirements on communications providers. Thus, while the legislation will not apply to wireline communications (yet) it will apply to the preservation of data carried over next-generation wireless broadband and communications services. Presumably it will be the Enforcement Standards that discuss how long ISPs will have to preserve intercepted communications data. Maintain interception capabilities: given that C-30 required ISPs to maintain interception capabilities as new technologies were introduced, the Industry Canada condition of license would effectively mandate this legislative requirement absent the legislation having been passed into law. However, it remains unclear just how specific data interception will be: will ISPs be required to simply intercept all of a person’s communications and provide them to authorities, or intercept specific communications protocols (e.g. HTTP, STMP, etc)? If it is the latter requirement, which would presumably be spelled out in the changes to the Enforcement Standards, then the government will be instantiating a key aspect of their lawful access powers through regulatory fiat. Monitor subscribers’ locational information: this proposed language may extend the kinds of geolocational surveillance the government could conduct, though further discussion of this would be predicated on public access to the present, and forthcoming, Enforcement Standards.

In aggregate, then, the shift from circuit-based communications requirements to radio-based requirements may partially fulfill at least two or three facets of the recently-killed lawful access legislation. Moreover, a government representative recognizes that the proposed changes may subsequently be applied across the wireless spectrum; as a result, existing non-LTE communications channels may someday also be subject to broader surveillance requirements.

The changes that are proposed by Industry Canada represent a significant expansion of what communications could be placed under surveillance. There is a qualitative and quantitative difference between circuit-based and radio-based communications, insofar as entirely new means of communication may be captured (e.g. email, streaming music and video usage, TV-watching, gaming over wireless networks, etc) and more communication potentially falls under the auspice of this requirement because of the broad definition of ‘radio-based’. Thus, whereas carriers previously had a limited set of clear interception requirements, this simple change in language would substantially expand what they would be required to be able to intercept and preserve.

Democratic Legitimization is Needed

Admittedly, we cannot know for certain how, exactly, Industry Canada’s proposed changes will affect wireless communications. At least one carrier, Rogers, has asserted that any proposed changes to the wireless lawful intercept requirements should be clarified and that anything decided by Industry Canada should become redundant once the government of Canada’s lawful access legislation and regulations are brought into force. Specifically, the ISP wrote:

if the Department elects to implement a new lawful access requirement, we believe that the Department should clarify the proposed wording of the condition of licence such that the lawful interception capabilities that must be maintained will be limited to those capabilities that are provided for in industry standards and incorporated in commercially available equipment. Once the proposed legislation and regulations are brought into force, the proposed condition of licence will be redundant and should be removed by the Department.

So, should Industry Canada increase requirements on licensees, those requirements should be no more onerous than those the carriers will already be required to comply with under Bill C-30. Given the legislation’s withdrawal, however, it would appear that Industry Canada and the Enforcement Standards will be a key part of how new wiretapping and monitoring powers are brought into force. The ‘way forward’ with government surveillance, then, seems to be significantly based in updating compliance requirements instead of democratically passing legislation.

Lawful intercept powers are constitutionally significant because such surveillance infringes on constitutional rights. To be sure, such rights are not absolute and, as a result, we have a series of checks and balances to ensure that surveillance conducted by the Canadian government does not unduly or unnecessarily infringe on basic rights. However, for such surveillance to be considered democratically legitimate as opposed to just legally permissible, modifications to surveillance practices have to be debated and guided by public discourse. Moreover, such discourse needs to be finalized at the legislative level by the passage of laws, amendments, or explicit modifications to existing regulations concerning required surveillance capacities. Doing anything less weakens the democratic legitimacy of government practices that are designed to infringe on Canadians’ rights.

At the moment, Industry Canada has been the most transparent concerning changes to lawful intercept powers; they have at least noted the proposed changes in wording. Industry Canada has also noted that modifications to the Enforcement Standards are forthcoming. However, without clarity concerning Public Safety’s changes it is impossible to know what else is changing behind closed doors, to know what other lawful access powers are being introduced behind the scenes as lawful intercept capabilities.

So, the takeaway from this post is that Industry Canada’s proposed modifications significantly expand the volume and types of communications that ISPs must be able to intercept and preserve. Further, the Department is considering expanding interception requirements across all wireless spectrum holders; it needn’t just affect the LTE spectrum. We also know that Public Safety is modifying how ISPs have to preserve information related to geolocational, communications content, or transmission data. Together, these Departments’ actions are expanding government surveillance capacities in the absence of the lawful access legislation. Industry Canada’s and Public Safety’s changes to how communications are intercepted should be put on hold until the government can convince Canadians about the need for these powers, and pass legislation authorizing the expansion of government surveillance. Decisions that are made surrounding interception capabilities are not easily reversed because once the technology is in place it is challenging to remove; as such, the government’s proposed modifications to intercept capabilities should be democratically legitimated before they are instantiated in practice.