Protect Canadians Instead of Attacking Them: Computery Green Paper Comments
The Canadian government is asking for feedback via their Online Consultation on National Security, also called the Public Safety Green Papers. My friend Zachary Jacobi has written excellent pieces describing his reasoning for his feedback on each section. I especially appreciate his comments on the extremely problematic proposed Investigative Capabilities in a Digital World. I’m even more paranoid than him when it comes to giving government feedback, so I’ve added to his commentary and copied my resulting replies below.
Please leave your own comments on the Green Papers. The Canadian government seems to be heading in the wrong direction in the domain of digital law enforcement. When we unite our voices against harmful measures, especially when the government opens the process to digital feedback, it works. For example, this happened in the United States with Net Neutrality when the FCC opened its proposal for comments and was flooded with responses. Hopefully, we can convince the government on this issue as well.
Investigative Capabilities in a Digital World
How can the Government address challenges to law enforcement and national security investigations posed by the evolving technological landscape in a manner that is consistent with Canadian values, including respect for privacy, provision of security and the protection of economic interests?
As long as almost all crimes that cause actual harm to someone must be undertaken in the physical world, it makes sense to value the privacy of Canadians and their economic interests (especially as Canada tries to become a leader in digital technology) more highly than simple investigatory convenience.
In terms of privacy and Canadian values, it is impossible to make encryption or other computery intercept capabilities with a back-door only the government can use. Instead of constantly trying to undermine the digital security of Canadians, the government should fund initiatives to keep them secure. This would support the Canadian values of freedom of thought, expression and association.
On an economic level, it’s impossible to expect Canadian businesses to be competitive internationally if they’re crippled by the costs of maintaining more data than they need for their own business operations or of maintaining expensive intercept capabilities. Retaining subscriber data puts Canadians at much higher risk of embarrassment, extortion, or identity theft in the event of a data breach. Data is a liability. Additionally, computery intercepts often depend on DMCA-like laws that harm innovation.
Privacy rights and economic interests are too important to allow any significant compromises to them to be made currently or any time in the foreseeable future.
In the physical world, if the police obtain a search warrant from a judge to enter your home to conduct an investigation, they are authorized to access your home. Should investigative agencies operate any differently in the digital world?
Definitely not. Requiring a judge of a transparent court to approve most requests — like subscriber information or intercept capability — is an equally useful norm in both the physical and digital worlds. With respect to encryption, encryption keys should fall under the general protection from self-incrimination that everyone enjoys under the Charter.
Currently, investigative agencies have tools in the digital world similar to those in the physical world. As this document shows, there is concern that these tools may not be as effective in the digital world as in the physical world. Should the Government update these tools to better support digital/online investigations?
Any tools that would better support investigations must have their potential utility balanced against their real and significant privacy risks. In this document, the government has failed to explain how these tools would justify the substantial risk to privacy rights and innovation that they pose.
My concerns about these risks have already been outlined in my response to the first question.
Is your expectation of privacy different in the digital world than in the physical world?
It is not. I understand the government has certain surveillance capabilities and that these are heavily regulated to respect the privacy of Canadians. Just as I would be strongly against placing a camera outside the door of my house to document my comings and goings without a warrant approved by a court, I am similarly against tracking where I go on the Internet.
This privacy is a precious thing, and the rise of organizations like OpenMedia shows how dedicated Canadians are to maintaining it.
Basic Subscriber Information (BSI)
Since the Spencer decision, police and national security agencies have had difficulty obtaining BSI in a timely and efficient manner. This has limited their ability to carry out their mandates, including law enforcement’s investigation of crimes. If the Government developed legislation to respond to this problem, under what circumstances should BSI (such as name, address, telephone number and email address) be available to these agencies? For example, some circumstances may include, but are not limited to: emergency circumstances, to help find a missing person, if there is suspicion of a crime, to further an investigative lead, etc…
Circumstances where authorities can obtain subscriber information without a warrant should be limited to those where the health or safety of the subscriber or others at that dwelling can be reasonably assumed to be at risk. Some examples: suicide threats where trained professionals believe there is probable cause to worry, a missing persons case being filed for the subscriber or there being reasonable grounds to suspect the subscriber is a missing person, posts on social media that cause family and child services to worry for the safety of children at the residence, or posting a ransom demand. Some counter-examples: claims of copyright infringement, concerns of terrorist activity or radicalization.
Do you consider your basic identifying information identified through BSI (such as name, home address, phone number and email address) to be as private as the contents of your emails? your personal diary? your financial records? your medical records? Why or why not?
I consider it to be approximately as private as the contents of my emails. While I conduct almost all of my online activities under my own name, it is occasionally useful for me to go incognito (for example, if I expect harassment or threats as a result of what I write). Because of this, I have expectations that my subscriber information will be kept private in almost all cases, with the exception of those mentioned in the previous section, as I would with my private emails.
Do you see a difference between the police having access to your name, home address and phone number, and the police having access to your Internet address, such as your IP address or email address?
Yes. Having access to a home address simply tells you where someone might be found. Having access to an IP address and an email address allows you to develop a complete profile of someone. What sites they visit, who they interact with, and what they comment on — all laid bare. It is much more invasive than having a mere physical address or a phone number (few places keep records of the number that called them, while almost all websites keep records of which IPs visited them).
Interception Capability
The Government has made previous attempts to enact interception capability legislation. This legislation would have required domestic communications service providers to create and maintain networks that would be technically capable of intercepting communications if a court order authorized the interception. These legislative proposals were controversial with Canadians. Some were concerned about privacy intrusions. As well, the Canadian communications industry was concerned about how such laws might affect it.
I agree with Canadians, such as Cory Doctorow, who believe digital rights are human rights [1]. I also agree with OpenMedia, who expressed privacy concerns, as well as with the concerns of our communications industry.
Should Canada’s laws help to ensure that consistent interception capabilities are available through domestic communications service provider networks when a court order authorizing interception is granted by the courts?
Only if the full cost is borne by the government and interception is only done after transparent court orders are granted. Furthermore, the government should conduct thorough security audits of any intercept capability it develops. Bad actors using intercept capabilities would be devastating for any Canadians affected and would seriously shake overall faith in law enforcement.
That being said, any reasonable data collection strategy can be circumvented using free, readily available technologies, such as the Tor Browser or a Virtual Private Network (VPN). I am afraid that by consenting to information being intercepted, the government will invest resources into undermining these technologies or other security technologies, which would be horrifyingly unethical, as described in the next section regarding my concerns about encryption and in my first comment under “Investigative Capabilities in a Digital World”. Consequently, if the Government of Canada were to enact such a law, it would need to accept that such collection would be imperfect, possibly futile, and it would need to share its details with the public.
Encryption
If the Government were to consider options to address the challenges encryption poses in law enforcement and national security investigations, in what circumstances, if any, should investigators have the ability to compel individuals or companies to assist with decryption?
There should be no circumstances under which individuals or companies are compelled to assist with decryption. Requiring companies to decrypt devices weakens security for all Canadians. It is impossible to build a backdoor that can’t be exploited and any weakening of security on commercial devices opens Canadians up to much higher risk of identity fraud or theft. Individuals should not be compelled to hand over their encryption keys for the same reasons they are not compelled to self-incriminate in testimony.
How can law enforcement and national security agencies reduce the effectiveness of encryption for individuals and organizations involved in crime or threats to the security of Canada, yet not limit the beneficial uses of encryption by those not involved in illegal activities?
This is impossible. You can’t simultaneously weaken and maintain security. Police must accept that encryption is here to stay. Without it, simple actions like shopping online would be impossible. Any effort to weaken encryption in Canada would be devastating to our technology sector and threaten the viability of the internet in Canada.
Data Retention
Should the law require Canadian service providers to keep telecommunications data for a certain period to ensure that it is available if law enforcement and national security agencies need it for their investigations and a court authorizes access?
Yes, but only if the period is reasonable. Forcing providers to keep data for longer than a month would quickly strain their infrastructural capabilities, increasing our already high internet costs to unacceptable levels.
However, please see my comments on the next question regarding my concerns about the quality of these data.
If the Government of Canada were to enact a general data retention requirement, what type of data should be included or excluded? How long should this information be kept?
For the law to be any use at all, websites visited would have to be tracked. This could be balanced with privacy concerns by only recording the domain name and leaving out specifics of which pages were visited. Information should be kept for at most one month. Beyond that, law enforcement can’t claim it urgently needs the data. This strikes the right balance between the usefulness and the cost of maintaining this type of record.
As with the second question of the Interception Capability section, I’m unclear how this data will be acquired and withhold any approval pending further details.