A surveillance society: 10 things you should know about Bill C-30

Features March 7, 2012

[One of our most-read feature stories from this year makes a return appearance in the spotlight, as relevant as ever.]

Bill C-30 is the lawful access legislation proposed by current minister of public safety Vic Toews. The bill is also known as the Investigating and Preventing Criminal Electronic Communications Act or Protecting Children from Internet Predators Act and it’s a complex, 100-page piece of legislation that outlines changes to access to digital information by the RCMP, police, and government agencies such as the Canadian Security Intelligence Society and Communications Security Establishment Canada.

The next move for the bill is unclear. The Conservatives seem to be responding to public backlash against C-30. However, most critics believe this important piece of legislation won’t be on the backburner for long.

Nexus talked about the bill with Chris Parsons, PhD candidate in the political science department at the University of Victoria, and Michael Geist, the Canada research chair in internet and e-commerce law at the University of Ottawa. Parsons also worked at the University of Guelph doing network security and management, while Geist is a respected columnist who writes extensively about technology law issues. Here they help explain Bill C-30 and the implications it would have on Canadian society.

(Graphic by Jessica Tai)

1. What happens to your information?

Currently under Canadian law, police and RCMP officers are allowed to approach Internet and telecommunications service providers (ISPs and TSPs) for subscriber information, and the service providers have the option to share this information, which is usually only done in rare circumstances to aid in an ongoing investigation. If the service providers don’t feel comfortable sharing information about their customers for any reason, they can refuse.

What some find disturbing is that although the title of the bill implies it will apply to serious crimes, the surveillance techniques could be applied to anyone. According to Geist, this is going to create an extensive surveillance infrastructure that doesn’t exist right now, because those authorized will be able to demand information about anyone, at any time, and without a warrant.

“Obviously, it does apply to crimes, but it can be applied in much broader ways as well,” says Geist, “and that’s unquestionably one of the big concerns that has arisen. If we’re serious about dealing with these [privacy] issues, then the bill could limit the law specifically to criminal activity, which is something we don’t have right now.”

Beyond the powers of lawful access, those authorized would also have the authority to inspect service providers to make sure they are using surveillance as directed. Under Section 14, “[The bill] even goes so far as to allow the state to install its own surveillance technology, directly at private ISPs,” says Geist.

 

2. Will your privacy be protected?

Privacy protection by ISPs and other web-based services is a controversial topic. Many of us just click “agree” when privacy policies pop up and don’t think about it again. Most of those policies do outline circumstances when a company will release your data, but with ISPs it’s generally only in extreme circumstances, as mentioned above. The information shared is usually things like address, phone number, and name. But with increased monitoring, a person’s subscriber information would likely be more revealing, including things like browser history and emails.

Under Bill C-30, the privacy agreements would change radically. Section 487.0195 exempts ISPs and TSPs from both criminal and civil liability for voluntarily giving away any and all of their customers’ information to police or government agencies.

“It opens the door to ISPs engaging in all sorts of activities without any kind of liability,” says Geist. “That’s not to say every ISP’s going to do it, but especially a small local ISP would want to be seen as helpful with law enforcement, and they might engage in all sorts of activities. This bill really seeks to encourage them to do that, by providing them with this statutory immunity.”

 

3. Vulnerable information 

One of the risks that comes with setting up the types of real-time interception and storage capacities outlined in C-30 is that the network opens itself to certain security vulnerabilities. These vulnerabilities are what allows the third-party access to the information, but could potentially be exploited by hackers. One of Parsons’ concerns is that smaller ISPs will be more susceptible to outside forces.

“Not to besmirch any of Canada’s ISPs, but there is a difference in the kind of technical and security resourcing that, say, a Rogers, Bell, Shaw, or Telus can bring into their lawful access environments, and an ISP that’s only serving 5,000 or 10,000 people,” says Parsons. “There’s a better chance that they just might not have staff on hand that have the same level of expertise you might get in a multibillion dollar corporation.”

Beyond the threat of hackers, Parsons outlines concerns that networks could have with employees who would be trusted with all this sensitive information.

“You have to make sure the people on the insides, the administrators, are equally trustworthy,” he says. “And you have to ensure that there’s no way for them to circumvent auditing mechanisms, no way for them to basically use the powers at their fingertips. Most instances of hacking actually tend to start from the inside with a disgruntled employee, or an employee that’s bought, or just an employee who’s suggested to look the other way.”

 

4. Insufficient oversight

Both Geist and Parsons feel that effective oversight regulations of the authorities are key in any kind of surveillance law. Geist says that although Bill C-30 does have some oversights and reporting mechanisms, they don’t go far enough.

“We’ve seen some suggest, and I think it’s a good idea, that we need a surveillance commissioner, one that extends beyond what a privacy commissioner might do, to focus more specifically on these issues,” he says.

Parsons agrees that there needs to be a series of checks and balances when this kind of blanket power is given to the state, and has done extensive research on the oversight system in Europe.

“It’s really critical that we have not just insight into how many times they use these powers, but why,” says Parsons. “How many times do they screw up? Not necessarily by malice, but certainly in the UK, if you look at their examples, you get amazing numbers of inaccuracies, just because someone hit a four instead of a three. Routine clerical-style errors will lead to inappropriate uses of the technology. But one of the reasons we know what we do in the UK, is because they have a third-party, independent, resourced commissioner keeping track of this information.”

 

5. Social impacts of surveillance

“Most Canadians probably lead fairly mundane lives. They’re not generally that concerned if the police monitor what they do because they have nothing to hide. But that misses a lot,” says Parsons. In his opinion, citizens will pay for their own surveillance in one way or another.

“It will create a culture or environment of concern,” he says. “I don’t think it leads to trust between citizenry.”

More significantly, though, he feels that most Canadians don’t quite understand how contemporary policing functions.

“They start using open-source techniques, pulling together who are you, who are you speaking to, who they are speaking to, and in that way they start developing communities of interest,” says Parsons.

So what does this mean in terms of digital surveillance?

“It means that if you’re speaking with me and the police think that I’m someone of interest, those who I communicate with, who are marginally involved in projects I’m involved in, all of a sudden they get tied to me somehow,” says Parsons. “There’s an implication on them, just by associating with me. And so if you want to ensure that you don’t fall under police surveillance, or you’re not looked at by intelligence or whoever else, then you have to start thinking, ‘Do I really want to talk to that person?’”

 

6. Intelligence appropriate 

According to Parsons, the majority of the information collected by ISPs under C-30 is more suited to intelligence gathering than solving serious crimes.

“For the low-hanging fruit they might catch some more child pornographers [under C-30],” he says. “But they’re far more likely to start monitoring other ‘extremist’ statements and comments. We can’t forget that days before C-30 was introduced, environmental groups, such as Greenpeace, were identified as extremist.”

Greenpeace, PETA, some First Nations groups, anti-capitalists, and others have been labelled extremist by the Conservative government. The political implications are strong and apply to a huge range of people.

“If you’re a journalist, and you’re doing work on a controversial story, you can imagine concern about protecting your sources,” says Parsons. “You [would] really need to start doing things like going to land lines, or going back to the few remaining public telephone booths, or just meeting face-to-face.”

The issue with the majority of information that could be gathered is that, although these topics may be politically sensitive, they don’t usually involve crimes, especially of a serious nature.

Parsons believes C-30 will without a doubt lead to more arrests, but the truly serious criminals will always remain one step ahead of police.

“When we’re talking serious organized crime, the real bad guys, they’re savvy,” he says. “They’ve been fighting this fight for a long time. What law enforcement is asking for now is unlikely to catch up.”

 

7. What will be required of ISPs?

If Bill C-30 is passed, ISPs will be required to dramatically update their networks, both technically and on a security level.

“All networks will be required to allow for real-time surveillance, to intercept communications, to isolate communications to a particular individual, and to engage in multiple simultaneous interceptions,” says Geist.

ISPs and TSPs will also be subject to inspection by the state to ensure their capabilities meet the standards outlined in the bill, and will have to file a report if they acquire new technologies.

Beyond that, employees involved in communication interception and access at an ISP or a TSP will be subject to RCMP background checks.

“If you’re to be a citizen working for, say, Facebook, or Rogers, or whoever, the notion that you’re going to have to get security screening in order to do the job you were hired to do, I think many people would find that invasive and offensive,” says Parsons.

 

8. Cost

The estimated cost of Bill C-30 by the Public Safety Commissioner is $80 million over the first four years, and about seven million per year after that.

Both Geist and Parsons have doubts about that estimate, and feel the bill would likely end up costing Canada more, at least as it’s tabled right now.

“If we look at the experience in other jurisdictions, I think that massively understates the actual costs,” says Geist. “That’s also only the cost on the surveillance infrastructure side. This will actually bring in all sorts of new costs. Where ISPs comply with requests for information they’ll be able to charge for it. So we’re talking about significant costs that at the end of the day the public is going to have to pay, whether it’s in the way of higher taxes or by way of higher fees to ISPs.”

Parsons says it’s possible to implement Bill C-30 for what the government estimates, but there wouldn’t be much point.

“You could do this on the cheap; it’s possible. It wouldn’t be very effective, but you could do it,” he says. “Or, you could do it in a very professional way, in which case we’re going to blow past $80 million dollars in a year.”

 

9. The case of the missing regulations

Geist, Parsons, and others who have studied Bill C-30 say there are many unspecified regulations. Section 64, in particular, has many scratching their heads. This section of the bill gives cabinet the power to fill in the blanks after the bill has passed, when it wouldn’t be subject to a review or vote.

“What it’s done is left out a lot of the details and the implementation of the legislation remains an unknown,” says Geist. “It leaves so many different issues to regulation, so that in terms of trying to really effectively judge what the government’s got in mind, it’s very tough to do when they’re not telling you what they’re planning.”

Among the missing regulations are things like what, exactly, in terms of equipment and staff, ISPs and TSPs will need to do to comply with the new regulations. Other things, like cost, have also been left out. As a majority government, the Conservatives have the power to pass the bill as is, leaving the door open for quick changes down the road.

“They’re in a position to add a lot of meat on the bones, so to speak,” says Geist, “and do it without having to go through the House of Commons for approval again; it happens just at cabinet level.”

Parsons says this situation isn’t entirely abnormal for such a complicated bill, but that this piece of legislation is particularly important.

“This has the capability of reshaping the internet in Canada as we know it,” he says. “I don’t want that left to regulators, or to administrative panels. This needs to be front and centre in the debate, and it’s absolutely inappropriate for the government to try and hide it or move it away to the back stage.”

 

10. Is Bill C-30 really needed?

According to Geist, the biggest issue with Bill C-30 is that, in his opinion, a sufficient case hasn’t been made by law enforcement that this bill is even necessary.

“The issue is whether or not law enforcement is in a position, based on the current rules, to deal with [online crime], and if they’re not, is that a function of the rules, is that a function of a lack of resources, or is it a function of a lack of knowledge of how to deal with these issues?” asks Geist. “There may be many factors behind the challenges faced by law enforcement. But enacting Bill C-30 doesn’t really move the ball forward on those very much.”

1 thought on “A surveillance society: 10 things you should know about Bill C-30

  1. The federal privacy commissioner is against Bill C-30. That tells me this bill is a bad idea for anyone who gives a care about their privacy.

Comments are closed.