Canada mulls warrantless internet info-gathering powers for police

Yesterday, I wrote up my take on the recent Australian bomb-hoax story, in which a suspect was tracked from Sydney to Kentucky through a mixture of old-fashioned detective legwork and cyberinvestigation.

I suggested that making this sort of investigation as easy as it seems on crass TV cop shows would be a bad idea:

“There are many hoops which the cops have to jump through to be able to pursue an enquiry of this sort - a due process which means they can't always and immediately get access to anything they want.

“And that is exactly as it should be. Most of us are law-abiding, and our privacy and security is too important to be eroded merely to make the Orwellian nonsense of Hawaii-Five-O into a reality.”

Today, someone pointed out to me the text of Bill C-52, currently under consideration by the Canadian federal parliament.

Amongst the many proposals in this Bill are two specific clauses to reduce the ‘due process’ imposed upon Canadian law enforcers when they wish to acquire information about internet subscribers from Canadian ISPs.

This information includes:

“any information in the service provider's possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider's telecommunications services and the Internet protocol (IP) address, mobile identification number, electronic serial number, local service provider identifier, international mobile equipment identity number, international mobile subscriber identity number and subscriber identity module card number that are associated with the subscriber's service and equipment.”

The first sort of investigator authorised to acquire this information merely by asking (actually, the second listed in the Bill, as it is a special exception to the main proposal) is, broadly speaking, any police officer.

But there are restrictions on this power which make it much less unreasonable than it sounds. It is for “exceptional circumstances only”, and it applies only if:

(a) the officer believes on reasonable grounds that the urgency of the situation is such that the request cannot, with reasonable diligence, be made under that subsection;

(b) the officer believes on reasonable grounds that the information requested is immediately necessary to prevent an unlawful act that would cause serious harm to any person or to property; and

(c) the information directly concerns either the person who would perform the act that is likely to cause the harm or is the victim, or intended victim, of the harm.

You can probably quickly think up a number of scenarios in which this regulation might be a lifesaver. And the Bill requires any police officer who takes advantage of these special powers to declare that he has done so to a superior, who is, in turn, required to re-confirm the request with the service provider. So there is at least some bilateral oversight involved.

Of greater interest to privacy advocates, however, is the proposal in the Bill that each law enforcement agency would be able to designate up to five percent of its staff to request precisely the same information pretty much at will, about any subscriber.

This makes ‘fishing expeditions’ possible. The Bill doesn’t appear to place any limit, other than perhaps common sense, on the number of subscribers whose data can be sucked from an ISP at any time.

The Bill doesn’t even seem to propose that the requests be based on any sort of specific identifier, such as a name or an email address.

This suggests, in the worst case, that an ISP might be compelled simply to hand over information about all subscribers. No warrant needed, and thus no proactive oversight by the judiciary.

I’ll leave it to the Canadian legislature to debate whether this is really a change which Canada needs; to Canadian privacy advocates to argue the pros and cons as visibly as they can (I’m OK with legal street protests, but no Anonymous-style ‘hacking’, please!); and to the voters to make amends next time if the Bill passes but is deemed a step too far.

My concerns go beyond just those about our right to be free, as far as possible, from surveillance and intrusion by law enforcement. I’m just as worried about the safety of having information about our internet identities routinely duplicated into multiple databases.

If you are Canadian, I urge you to oppose Bill C-52 as a matter of public safety, at least until you can be sure that every agency and every officer who might request information about your internet identity will protect it at least as well as your ISP.

Recent data breaches and data leakages haven’t just been happening to commercial organisations, but to law enforcement, too.

(Global examples of law enforcement security lapses include San Francisco, Arizona and Manchester, UK.)

The more people who acquire and store your Personally Identifiable Information (PII), the more points of security failure, and thus the more likely it will end up in the hands of cybercriminals.

So if law enforcement in your country wants to become more aggressive at acquiring your PII, I think it ought first to show you that it sets unstinting standards for protecting it. For example, any police force which lets its officers use unencrypted laptops in the field ought, ipso facto, to be disqualified from collecting information about you other than in the most exceptional circumstances.

And please note that I didn’t make that last remark because I work for a company that has a range of encryption products to sell. Actually, it’s the other way around. I work for such a company because I believe that privacy and security are incredibly important.