We’ve already looked at Bill C-46 and added commentary from the perspective of a common Canadian citizen who just happens to have a background in journalism. In this article, we look at the other piece of surveillance legislation, Bill C-47. This is the other bill that is packaged with the surveillance legislation. Let’s look at some excerpts from this bill as well.
Note: This is an article I wrote that was published elsewhere first. It has been republished here for archival purposes
As we’ve noted previously, we should also note that this review of the legislation is made by someone who is not a lawyer, expert of the law or someone giving away legal advice by any stretch of the imagination. What this review strictly is is an average Canadians interpretation of the law who is not specifically or formally trained to be a law expert.
You can read Bill C-46 here.
You can read Bill C-47 here.
Bill C-47 – Quotes and Comments
What one can notice right away when looking at this bill is that this particular bill, unlike Bill C-46, Bill C-47 is directed at Canadian telecoms specifically.
6. (1) For the purpose of enabling authorized persons to exercise their authority to intercept communications, every telecommunications service provider shall have the capa- bility to do the following:
(a) provide intercepted communications to authorized persons; and
(b) provide authorized persons with the prescribed information that is in the possession or control of the service provider respecting the location of equipment used in the transmission of communications.
Not off to a good start considering the act defines “authorized persons” with the following:
“authorized”, in relation to a person, means having authority, under the Criminal Code or the Canadian Security Intelligence Service Act, to intercept communications.
“person” includes a partnership, an unincorporated organization, a government, a government agency and any other person or entity that acts in the name of or for the benefit of another.
It’s pretty safe to assume that, at the very least, this includes members of CSIS (Canada’s spy agency). It’s unclear who else that entails such as police officers (probably) for instance.
(3) If an intercepted communication is encoded, compressed, encrypted or otherwise treated by a telecommunications service provid- er, the service provider shall use the means in its control to provide the intercepted communication in the same form as it was before the communication was treated by the service provider.
“telecommunications service provider” means a person that, independently or as part of a group or association, provides telecommunications services.
So one could look at this in this light. Someone decides to use an encryption service in Canada (such as, say, a VPN-like service) and authorities have suspicion that you are doing something wrong. They can order the owner of the encryption service to decrypt that information and they would be legally obliged to do so. This defeats the reasoning behind encryption in the first place and Canadians would be forced to use a service in another country in order to secure their communications. This law only serves as an inconvenience to some and insecurity to others. There is an exception here:
(4) Despite subsection (3), a telecommunications service provider is not required to make the form of an intercepted communication the same as it was before the communication was treated if
(a) the service provider would be required to develop or acquire decryption techniques or decryption tools;
So really make sure the service has no means to decrypt that information in the first place before using it.
7. The operational requirements in respect of any transmission apparatus are that the telecommunications service provider operating the apparatus have the capability to do the following:
(a) enable the interception of communications generated by or transmitted through the apparatus to or from any temporary or permanent user of the service provider’s telecommunications services;
(b) isolate the communication that is authorized to be intercepted from other information, including
(i) isolating the communications of the person whose communications are authorized to be intercepted from those of other persons, and
(ii) isolating the telecommunications data of the person whose communications are authorized to be intercepted from the rest of the person’s communications;
(c) provide prescribed information that permits the accurate correlation of all elements of intercepted communications; and
(d) enable simultaneous interceptions by authorized persons from multiple national security and law enforcement agencies of communications of multiple users, including enabling
(i) at least the minimum number of those interceptions, and
(ii) any greater number of those interceptions — up to the maximum number — for the period that an agency requests.
These requirements may be confusing, but in short, ISPs must be able to figure out who you are, all the information in you communications and be able to share that information with any security or law enforcement people whether inside the country or from abroad. They may share all information they have on you with people in authority in other countries. If this still doesn’t seem like much, the next sections help spell out why this is important.
8. A telecommunications service provider that meets, in whole or in part, an operational requirement in respect of transmission apparatus that the service provider operates shall continue to so meet that operational requirement.
In other words, they cannot degrade or otherwise change the service that would prevent interception from taking place. In addition to this:
9. A telecommunications service provider that meets, in whole or in part, an operational requirement in respect of transmission apparatus that the service provider operates in connection with any of the service provider’s telecommunications services shall meet that operational requirement to the same extent in respect of any new service that the service provider begins to provide using that apparatus.
So they can’t offer a new encryption method that has no master key. So an act of good will to protect their users would become illegal.
Considerations
(3) In deciding whether to make an order, the Minister shall take into account the public interest in national security and law enforcement and the commercial interests of the telecommunications service provider as well as any other matter that the Minister considers relevant.
It’s nice to know that our rights will be “considered” at the very least. Somehow, some might not feel so reassured.
14. (1) The Minister may, at the request of the Commissioner of the Royal Canadian Mounted Police or the Director of the Canadian Security Intelligence Service and if in the Minister’s opinion it is necessary to do so, order a telecommunications service provider
(a) to comply with any obligation under subsections 6(1) and (2) in a manner or within a time that the Minister specifies;
(b) to enable, in a manner or within a time that the Minister specifies, a number of simultaneous interceptions greater than any maximum or limit that would otherwise apply;
(c) to comply, in a manner or within a time that the Minister specifies, with any confidentiality or security measures respecting interceptions that the Minister specifies in addition to those referred to in subsection 6(2);
(d) to meet an operational requirement in respect of transmission apparatus operated by the service provider that the service provider would not otherwise be required to meet; or
(e) to meet an operational requirement in respect of transmission apparatus operated by the service provider in a manner or within a time that the Minister specifies.
So in other words, any member of the police or Canadian secret service can authorize surveillance measures. No need for a court order (unless they want to know the contents of the communications of course, though by the time they get that order, they can do those kinds of things covertly)
(3) The Commissioner of the Royal Canadian Mounted Police or the Director of the Canadian Security Intelligence Service, as the case may be, shall pay the telecommunications service provider an amount that the Minister considers reasonable towards the expenses that the Minister considers are necessary for the service provider to incur initially to comply with an order made under this section.
This provision has some history to it. During Canada’s only file-sharing trial against a number of Jon Does, one of the concerns that came up during that trial was that ISPs would be required to use a certain number of man hours – thus costing the company money. What we see here is that tax-payers money would be used to carry out this activity of surveillance. The idea of using tax-payers money to sacrifice basic civil rights is not one that tends to go over very well in Canada.
(4) The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section.
This may be the provision, if anything else, makes the surveillance legislation sound like, as others put it, a surveillance bailout. Our tax money, after reading this, appears to be going to fund surveillance technology which would then be forced onto Internet Service Providers and, at the very least, the providers would be pressured (probably forced) to use such technology. This only thing positive about this is the fact that some private tech companies will automatically receive a major windfall of extra cash as a result. This is at the expense of pretty much everything else related to this.
16. (1) Every telecommunications service provider shall provide a person designated under subsection (3), on his or her written request, with any information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscrib- er identity module card number that are associated with the subscriber’s service and equipment.
This was probably the provision touted by the government press releases which we touched on yesterday. This is what must be forfeited at the request without a court order. Content, on the other hand, requires a court order. The question is, what circumstances would satisfy a court to allow a search warrant that would allow officials to force content data over? Would it be little more than accessing, say, a German or a Russian website? Of course, such things aren’t really that clear.
Also in this section:
(2) A designated person shall ensure that he or she makes a request under subsection (1) only in performing, as the case may be, a duty or function
(a) of the Canadian Security Intelligence Service under the Canadian Security Intelligence Service Act;
(b) of a police service, including any related to the enforcement of any laws of Canada, of a province or of a foreign jurisdiction; or
(c) of the Commissioner of Competition under the Competition Act.
So, by law, we’ll happily hand the mentioned information over to, say, the United States without court oversight. Apparently, Canadian sovereignty is becoming a thing of the past and we are more likely to bow to foreign interests with this kind of legislation. Sounds very scary.
17. (1) A police officer may request a telecommunications service provider to provide the officer with the information referred to in subsection 16(1) in the following circumstances:
(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;
(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and
(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.
The police officer shall inform the telecommunications service provider of his or her name, rank, badge number and the agency in which he or she is employed and state that the request is being made in exceptional circumstances and under the authority of this subsection.
So, in other words, an “offence” doesn’t even have to occur in order for an officer to simply demand an ISP hand over all information about a given subscriber. Can simply anyone be subject to a seizure of personal information?
20. (1) The Commissioner of the Royal Canadian Mounted Police, the Director of the Canadian Security Intelligence Service, the Commissioner of Competition and any chief or head of a police service constituted under the laws of a province who makes a designation under subsection 16(3) shall cause internal audits to be regularly conducted of the practices of his or her agency to ensure compliance with sections 16 to 19 and the regulations made for the purposes of those sections and of the internal management and information systems and controls concerning requests made under sections 16 and 17.
Apparently, the Canadian government thinks that accountability is achieved merely by allowing ones own organization to investigate themselves. Canadians know full well how accountable police can be when they investigate themselves – especially when it comes to things like proper use of a taser at certain undisclosed Vancouver airports.
(4) The Privacy Commissioner may, on reasonable notice, conduct an audit of the practices of the Royal Canadian Mounted Police or the Commissioner of Competition to ensure compliance with sections 16 to 19 and the regulations made for the purposes of those sections and of the internal management and information systems and controls concerning requests made under sections 16 and 17. The provisions of the Privacy Act apply, with any necessary modifications, in respect of the audit as if it were an investigation under that Act.
Miraculously, this bill isn’t entirely bad after all. There’s a shred of accountability apparently embedded in this, but not by much considering that section 16 has to do with demanding private information in the first place, is this provision really enough?
21. (1) A telecommunications service pro- vider that provides information to a person under section 16 or 17 is entitled to be paid the prescribed fee for providing the information.
(2) If the information is requested by a designated person under section 16, the fee is to be paid by the designating authority.
(3) If the information is requested by a police officer under section 17, the fee is to be paid by the chief or head of the police service that employs the police officer.
This provision seems to cover the same thing an earlier provision covers. Again, tax payers money will be used to erode privacy rights under this legislation.
All of section 24 seems to reinforce what the police are demanding (customer information such as addresses, etc.)
25. A telecommunications service provider shall, on the request of a police officer or of an employee of the Royal Canadian Mounted Police or the Canadian Security Intelligence Service, provide all reasonable assistance to permit the police officer or employee to assess or to test the service provider’s telecommunications facilities that may be used to intercept communications.
This seems to simply reinforce the fact that an ISP is forced to hand over the information. They have to comply with police demands without the need (in many instances) of a court order.
27. A telecommunications service provider shall notify the Minister when
(a) in respect of any particular transmission apparatus, the increased number of simultaneous interceptions that the service provider is required, as a result of a request referred to in subparagraph 7(d)(ii), to be capable of enabling is 75% or more of the maximum number that is applicable under that subparagraph; or
(b) the number of simultaneous interceptions that the service provider is required, under sections 8 to 11, to be capable of enabling is 75% or more of the global limit that is applicable under section 12.
We’re not entirely sure what a “global limit” means, but if that means up to 75% of all traffic going through the ISP, does that mean that this could be a general dragnet of intercepted data?
Section 28 suggests that if the information about the customer changes, then it’s required that RCMP be notified of any changes. Isn’t that like tracking people without a warrant?
36. (1) For the purpose of gaining entry to a place referred to in subsection 34(1), a designated person may enter private property and pass through it, and is not liable for doing so. For greater certainty, no person has a right to object to that use of the property and no warrant is required for entry onto the property unless the property is a dwelling-house.
(2) A person may, at the designated person’s request, accompany the designated person to assist them to gain entry to the place referred to in subsection 34(1) and is not liable for doing so.
So after the obtain all the information on where you live, you can hear a knock on the door by police and they’ll be allowed to enter your private property if you run a telecommunications service. This is with a warrant from the looks of things.
37. In executing a warrant to enter a dwelling-house, a designated person shall not use force unless they are accompanied by a peace officer and the use of force has been specifically authorized in the warrant.
So you cannot resist them and section 38 appears to suggest that you cannot mislead any authority during the situation in question.
Sections 56 and 57 suggest that if an ISP resists any of this, they can be liable for a maximum fine of anywhere between $15,000 to $500,000.
Conclusions
After reading this huge piece of legislation, one can only wonder, where did our liberties go? Is this little more than thought police given that an offence doesn’t even have to occur before a certain amount of surveillance can be issued on you. Things, of course, get worse when a warrant is issued, but what can be allowed to happen without a warrant is disturbing in and of itself. What about proxies or anonymous services being offered in Canada? Are they legally rendered useless thanks this this legislation? Clearly, this legislation is aimed at getting everyone on the business end of a telecommunication to rat you out on merely suspicion. Meanwhile, provisions in the Charter will only be a “consideration” rather than, say, the law.
Combined with Bill C-46, the packaged legislation is little more than a cocktail for a disaster in civil rights given the unprecedented amount of powers police will be getting with this. All-in-all, after you read this eye burning package, it’s not hard to realize what a horrible idea a number of these provisions really are.
Drew Wilson on Twitter: @icecube85 and Google+.