Bill C-30… Awful Access (especially for ISPs)

Given our previous opposition to various legislative proposals aimed at the Internet, such as our take on SOPA and the short-lived Verisign Takedown Proposal, we would be remiss if we did not comment on Bill C-30, “Lawful Access”. I read it a couple of nights ago and I think it’s one of the worst legislative proposals ever tabled in what I think is, quite frankly, an effort to “keep a lid” on the internet.

When I read SOPA and PIPA, I had a text doc open into which I cut and pasted various sections of note; in each case I had maybe a half dozen passages which I tagged with brief comments such as “troubling”, “overly broad” or “slippery slope”.

When I finished reading C-30 I had 23 sections of notes, with comments like “wtf?”, “surely, they jest”, and “omfg”. It is nothing less than a framework to enable unfettered state access into all domestic network communications (except for banks, who are exempt), total unwavering compliance from all internet providers, and penalties for non-compliance which seem to occur without due process.

Yesterday the news out of Ottawa was that the government was possibly stepping back from the proposal in its current form and sending it to Committee for revisions. But as Michael Geist notes, the battle seems to be playing out over what getting warrantless access to “subscriber information” actually entails. The government says it’s no worse than publicly disclosed details in a phone book; privacy advocates beg to differ.

To me it’s all a sideshow. Regardless of what subscriber details are given to authorities, there are numerous other provisions in the Bill which make it nothing less than chilling:

  • If a service provider provides encryption capabilities, they must reserve the capability to provide unencrypted intercepts to authorities (but they do not need to do this if the communications are already encrypted when they transit their networks)
  • “Enable interception of communications generated by or transmitted through the apparatus to or from any temporary or permanent user of the service provider’s telecommunications services”
  • Provide the ability to correlate “all elements of intercepted communications” – what this means to me is that if an access provider has been ordered to furnish data on you (including your IP), they have to be able to give correlated data for that IP: everywhere you’ve visited or connected with over the network, which protocols, and I am assuming in the case of an access provider, the contents of those communications.
  • Facilitate simultaneous intercepts from multiple agencies.
  • Any new software or hardware installed by any service provider must meet the “operational requirements” of the act “even if the form of the software in question would require the telecommunications service provider to acquire additional software licences or telecommunications facilities to achieve that increased ability”.

And, just in case any of this is too onerous on service providers, the Minister is happy to help out:

The Minister may provide the telecommunications service provider with any equipment or other thing that the Minister considers the service provider needs to comply with an order made under this section.

Oh, and by the way, the Minister may also compensate service providers for additional expenses incurred in becoming compliant with the act, or pay for said equipment it furnishes to the service providers. In other words, it all gets paid for out of our taxes.

The compliance requirements for all service providers are nothing less than nightmarish:

  • All providers must permit a police officer, RCMP or CSIS officer to assess or test the service provider’s facilities that may be used to intercept communications.
  • Service providers must provide lists of names of employees who would be tasked with undertaking intercepts, who may then be subject to police background checks.
  • Section 34(1) – “An inspector may, for a purpose related to verifying compliance with this Act, enter any place owned by, or under the control of, any telecommunications service provider in which the inspector has reasonable grounds to believe there is any document, information, transmission apparatus, telecommunications facility or any other thing to which this Act applies.”

Once in the facility, said inspector can:

  • “examine any document, information or thing found in the place and open or cause to be opened any container or other thing;”
  • “examine or test or cause to be tested any telecommunications facility or transmission apparatus or related equipment found in the place;”
  • “use, or cause to be used, any computer system in the place to search and examine any information contained in or available to the system;”
  • make copies of anything they want.

Then there are the extra-judicial provisions for non-compliance by any service provider:

39. Every person who contravenes a provision, order, requirement or condition designated under subparagraph 64(1)(p)(i) commits a violation and is liable to an administrative monetary penalty not exceeding the prescribed maximum or, if no maximum has been prescribed, to a penalty not exceeding $50,000, in the case of an individual, and $250,000, in any other case.

This happens, not by being charged with an offense, not by being summoned, but by being served a “Notice Of Violation”.

41. (1) A designated person may issue a notice of violation and cause it to be served on a person if they believe on reasonable grounds that the person has committed a violation.

42. (1) A person who is served with a notice of violation must, in accordance with the notice, pay the penalty set out in the notice or make representations with respect to the amount of the penalty or the acts or omissions that constitute the alleged violation.

(2) A person is deemed to have committed the violation if they either pay the penalty in accordance with the notice of violation or do not pay the penalty and do not make representations in accordance with the notice of violation.

Also, an employer is liable for a “violation” if it is committed by an employee, whether or not the employee is identified or proceeded against.

And to top it all off, as a final “fsck you” from the Minister to all Internet Service Providers in Canada:

All ISPs must, within 6 months of the Act becoming law, submit a report to the Minister of Public Safety and Emergency Preparedness detailing the facilities they operate.

But hey, if we don’t like it, then according to Safety Minister Vic Toews “we must be siding with the child pornographers”, right?

What This Law Will Do If Passed

So basically what happens if this becomes law is this:

  1. Canadian service providers will lose business to foreign technology providers who are not constrained by warrantless state oversight into their facilities, customer information and data.
  2. Service Providers will pass along indirect costs of compliance to customers since there will inevitably be additional expenses outside the scope of government reimbursement.
  3. Kiss good-bye what I think is currently a fairly healthy climate of willful, uncoerced co-operation between ISPs and Law Enforcement. ISPs now have their own Acceptable Use Policies and tend to self-police in ways that help LEA when actual crimes are being committed. Existing law works and, as Michael Geist notes in another post, gets results. Bring in this law, and law enforcement becomes Big Brother. Nobody wants to deal with Big Brother.
  4. A technology Brain Drain will occur. If this law comes through looking like this, then I, for one, will start my next company somewhere else. I doubt I’ll be alone in that. Crappy winters are one thing, but this, I don’t need.
  5. Not a single technology entrepreneur, investor, executive or knowledge worker in Canada will vote for the Conservative Party ever again. Maybe that’s not a bad thing.