Document Sample
LAWFUL ACCESS Powered By Docstoc
					                                    LAWFUL ACCESS
                                         By: Jason Young

Cybercrime and Punishment
Brian Deck is a poster boy for cybercrime. Earlier this year, the 38-year-old Edmontonian was
found guilty of luring a 13-year-old girl using the Internet and sexually assaulting her three times
in two days.1 Governments around the world have often pointed to individuals like Mr. Deck, and
the horrific crimes they commit, as justification for expanding law enforcement powers in
cyberspace. Canada’s broad initiative to do so is known as “lawful access”.
The federal lawful access initiative seeks to amend the Criminal Code2 and other federal statutes
to, inter alia, modernize or add new substantive computer-related criminal offences, and to make
it easier for law enforcement and national security agencies to access telecommunications service
provider (“TSP”) subscriber data, and “traffic data”.3 The lawful access initiative is a substantial
federal legislative development, which will likely have significant and lasting impact on
Canadians’ privacy and freedom of expression rights and on electronic commerce in this country.

After the terrorist acts of 2001, there has been a tendency to date new surveillance initiatives to
September 11th, but the impetus of the lawful access initiative began much earlier. In February
1997, the Council of Europe established a committee to draft “a binding legal instrument” dealing
with the creation of new computer-related offences, substantive criminal law, the use of national
and international coercive powers, and the intra-jurisdictional problems that a borderless Internet
raised.4 The first public draft of the Convention on Cyber-crime was released in April 2000, and
the final text in June 2001. In September of that same year, Canada, two dozen European nations
and an additional three observer nations, signed the treaty. To date, 42 countries have signed, but
not a single major Western nation has ratified it.5 There are signs that this is about to change.
Domestically, the lawful access initiative first reared its public head in an eponymously-titled
consultation paper, released by the Department of Justice on August 25, 2002.6 The intent of the
document was to chart Canada’s obligations in ratifying the Convention. The high-level discussion
lacked much substance or detail, nevertheless, the underlying importance of these often highly-
technical issues provoked over 300 submissions to the Department of Justice from a wide spectrum of
industry, law enforcement, regulatory and civil society organizations. On August 6, 2003, the
government released a summary of these collected submissions, which made it clear that many
stakeholders foresaw substantial problems with the initiative and were worried about the potential
impact that ratification might have on Canadians’ rights to privacy and freedom of expression, and
general conditions for market competitiveness.7
Earlier this year, the Department of Justice met for a second time with stakeholders to seek
comment on some of the specific challenges under consideration and provisions of a proposed
omnibus lawful access bill. The following is a summary of the main points of these proposals,
culled from documents provided to stakeholders.8 Unlike the first phase of consultations,
participation in this second round was by invitation only. To date these documents have not yet
been made public.
Access to Subscriber Data
Currently, law enforcement may ask to obtain subscriber data and other information from TSPs without
judicial authorization, under an exemption in the Personal Information Protection and Electronic
Documents Act.9 TSPs are not, however, legally obligated to provide any personal information about
subscribers without judicial authorization, and can refuse to hand over subscriber information to law
enforcement officials in the absence of a warrant, subpoena or court order.
The proposed lawful access bill would require TSPs to provide “subscriber data” to police upon
mere oral or written request, without judicial authorization. Subscriber data would be limited to
name, address, telephone number or other telephony service subscriber identifiers, and Internet
subscriber service identifiers, i.e., SMTP (Simple Mail Transfer Protocol) e-mail address or IP
(Internet Protocol) address. Law enforcement could obtain some or all of this data upon request
by providing the TSP with at least one of the listed identifiers. Police would have to give date and
time in order to get a dynamic IP address.
Further, a TSP would be subject to a gag order with respect to any request made. Nor would they
be allowed to disclose any statistical data on the number of requests made by law enforcement
generally, or the procedures used to produce subscriber data or any other information about such
disclosures. The Department of Justice would maintain records regarding subscriber data
requests, but does not contemplate reporting this information to Parliament.
Finally, while the mandate would not impose so-called “know your customer” obligations on
TSPs nor require them to collect any more information than they already collect. TSPs would be
required to make their “best effort” to provide the most up-to-date information in their
From a privacy standpoint, there are a number of potential criticisms of this aspect of the
proposal. First, “subscriber data” gained by the police can open the door to a wealth of personal
information available via Internet and public records searches. Disclosure of this information can
link an individual to a potentially vast number of online activities or communications. It can be
used to collect a wide range of both accurate and inaccurate information, readily available online,
about that individual. Information of this sort has been held subject to the highest constitutional
protections in Canada.10
Moreover, any request by law enforcement for a particular subscriber’s data is bound to be
stigmatic, because the mere request implies suspicion of wrongdoing. A mere request could
encourage TSPs to subject the subscriber to increased scrutiny without prompting by law
enforcement, potentially allowing the state to circumvent established safeguards in law. Without a
threshold to meet, anyone could come under potentially stigmatic suspicion for any or no reason
at any time, merely for participating in the information economy. This is inconsistent with the
principles of the Charter of Rights and Freedoms, particularly s. 8.11 A requirement that law
enforcement must first demonstrate cause for suspicion before an independent judiciary, as they
must do before engaging in other types of electronic investigations, would discourage fishing
expeditions and help minimize the likelihood of an innocent individual being wrongly targeted.
This concern was recently expressed by the Federal Court of Appeal when it set out the test for
disclosure of the identity of Internet subscribers alleged to have committed civil offences.
    ...[I]n cases where plaintiffs show that they have a bona fide claim that unknown persons are infringing their
    copyright, they have a right to have the identity revealed for the purpose of bringing an action. However,
    caution must be exercised by the courts in ordering such disclosure to make sure that privacy rights are
    invaded in a minimal way.12

Indeed, the music industry’s recent efforts to force Internet service providers to disclose the
identity of subscribers alleged to have shared music files online illustrates the inherent and
increasing value that subscriber and traffic data will have in the civil litigation context and brings
into stark relief the potential implications lawful access requirements might have beyond criminal
investigations. To the extent that the lawful access mandate increases the requirement for TSPs to
collect subscriber information or renders access to that information easier under a lower standard,
it will make TSPs attractive evidentiary targets for both criminal and civil actions, negatively
impact individual privacy rights and chill online freedom of expression.

TSP Interception Capability Requirements
With few exceptions, TSPs are not now required to meet specific standards for isolating or
producing data upon request by police. Evidence adduced by Internet service providers during the
recent high-profile hearing in BMG v. John Doe clearly demonstrates that TSPs maintain different
quantities and types of traffic and transmission data according to their unique business needs.13
The proposed bill anticipates technical as well as legal requirements for mandated interception
capability. The technical requirements will apply broadly in order to minimize competitive
distortions, but would — at least initially — exempt a number of classes of TSPs including those
with under 100,000 subscribers; backbone and international gateway providers, as long as they
did not modify telecommunications traffic or authenticate end users; and TSPs who provide
service ancillary to a school, library, community centre, restaurant, hotel, apartment building or
condominium, hospital, place of worship or telecommunications research network.
The government has indicated that the costs of the mandate would be borne directly by TSPs,
who would not be required to retrofit existing equipment, but would be required to implement
intercept capability as they upgrade their equipment.
At the operational level, a TSP would be required to isolate and provide access to the most up-to-
date information identified by the authorization to intercept as soon as possible and no longer
than 72 hours after a request. In circumstances in which the intercepting agency required the
information immediately, a TSP would be required to produce the information no more than 30
minutes after a request.
A TSP would also be required to remove encoding, compression, encryption or any other
treatment and to assist law enforcement to do so in the event that the TSP could not do so by
itself. In stark contrast to the U.S. debates on digital network interception, the Department of
Justice does not contemplate that this requirement would apply to treatments applied by the end
user him or herself.
Inspectors would ensure compliance with these requirements. Failure to comply could result in
fines or criminal liability for the directors, officers and agents of a TSP who passively contributed
to non-compliance.

Criminal Code Amendments
The proposed bill would adopt a number of new or updated criminal investigatory powers,
including production, preservation and assistance orders, tracking warrants, and transmission data
recorders. The bill would also amend the Criminal Code to include new offences for importing,
obtaining for use or making available hacking devices, and for communicating false messages.
Additionally, the Department of Justice has indicated it is considering repealing or amending s.
191 of the Code on interception devices, and repealing the formality of endorsing warrants.

Specific production orders
In March 2004, the government passed Bill C-13 which amended the Criminal Code by adding
general and specific production order provisions to “better detect, prosecute, and deter serious
capital market fraud”.14 These production orders allow investigators to compel third parties to
produce, at a specified time and place and in a specified form, data or documents (or to prepare
and produce a document based on data or documents) relevant to the commission of an alleged
offence by a person suspected of committing an offence under any federal law. Prior to Bill C-13,
production order authority in the Criminal Code applied only in very limited fashion to telephone
records, and for specific records subject to the Income Tax Act and the Competition Act.15
During the second round of consultations, the Department of Justice suggested additional production
orders that would be used solely to obtain tracking information, i.e., the last location a debit card was
used; and transmission data, i.e., routing and addressing information. The procedure for seeking a
production order would require prior judicial authorization on the basis of “reasonable grounds to
suspect”, a lower standard than the “reasonable grounds to believe” threshold now used for traditional
investigatory powers. This lower standard is identical to the s. 492.1, s. 492.2 production orders of the
Code and s. 487.013 production orders adopted under Bill C-13. The government’s rationale for
adopting this lower standard is their belief that the information subject to these production orders
would attract a lower expectation of privacy.
The government has identified three concerns regarding these production orders, namely the need
to adopt “technologically neutral” definitions, limit production of “content” as opposed to
“traffic” data under the lower threshold, and deal with content which cannot be excluded. In a
welcome development from the initial consultation, the government now seems to recognize the
difficulty in drawing bright lines between “content” and “traffic” in the digital realm and have
instead suggested that the separation problem should be re-conceptualized as between
information attracting a reasonable expectation of privacy and that which does not. This will not
be a panacea, but it is progress.

Preservation orders
The concept of a preservation order was proposed as a mechanism to expediently safeguard
volatile data under the control of a third party custodian. Preservation orders would function as
“do not delete” orders and would not form the foundation of a general data retention regime, such
as that now found in some European states.
Under the proposal, an officer who had “reasonable grounds to suspect” that a person had
possession or control of documents or data that would assist in the investigation of any federal
offence could order immediate preservation of that data for up to 15 days without judicial
authorization. The order would include notice to the custodian that the designated officer is
required to seek post facto judicial authorization for a preservation order beyond the initial time
period, at which time the custodian could oppose the order by making written representations to a
judge. A preservation order granted by a judge under this threshold would last no more than 90
days from the date of the initial request.
A preservation order could also be used to access partial disclosure of transmission information
needed to determine from which TSP a communication originated at a specific time. Partial
disclosures would not require judicial authorization.

E-mail privacy
Under current Canadian law, e-mail communications are subject to different degrees of privacy
depending upon whether the e-mail is “in transit” or “stored”. This is not efficient for law
enforcement nor is it in keeping with the way in which Canadians use new communications
technologies. Consequently, the government has proposed amendments to the Criminal Code
which would better reflect social values and mainstream use of new means of communications by
treating all private communications equally, regardless of the method used.

The current “hacking” provision in the Criminal Code criminalizes the making, possession, sale
or offer for sale or distribution of any instrument or device or any component thereof, the design
of which renders it primarily useful for fraudulently accessing or controlling a computer system.
The government proposes to expand this provision by adding a new substantive offence for
importation, obtaining for use and making available of a device under circumstances that give rise
to a reasonable inference it would be used to access a computer without authorization. The intent
aspect of the provision would ensure that it would not affect legitimate research into computer

In Discipline and Punish, French philosopher Michel Foucault explored the historical evolution of
punishment from the physical to the psychological.16 Foucault argued that the modern state
internalizes social control in the individual through the architecture of uncertain surveillance. He
called this architecture ‘panopticism’. To the extent that the federal government’s lawful access
initiative expands state surveillance powers in cyberspace, it will have a panoptic effect that blurs the
line between the investigation of criminality and the operation of discipline and control historically
only associated with punishment of the guilty.
Technology magnifies the potential of the panoptic effect. Poorly-considered laws can
unconsciously import undesirable technological values which reinforce the panoptic effect and
threaten our most cherished rights and freedoms, including privacy and freedom of expression.
The centrality of technology in the lawful access debate requires that the government proceed
with all due caution in adopting new investigatory powers.
The Department of Justice and law enforcement stakeholders have been adamant that what they
are seeking is not an expansion of investigatory powers, but merely maintenance of the status quo
in the new digital environment. But applying traditional rules of electronic surveillance to
cyberspace is not simply maintenance of the status quo, but rather introduces new and unique
implications for privacy and freedom of expression.17 While it is apparent that between the
introduction of the first consultation document in August 2002 and the current proposals, the
government has come some distance in recognizing the unique challenges that this technological
environment poses, it is also clear that significant concerns remain.
Such concerns focus on new exceptions to the principle of judicial authorization for searches and
seizures, lower thresholds for judicial authorization in some circumstances, inadequate safeguards
to prevent abuse of personal information collected by law enforcement, and provisions that will
operate to conscript private sector actors as agents of the state.
To ensure that lawful access does not come to represent an unconscious expansion of police
powers in cyberspace, the government must take positive steps to ensure that the values that new
technologies bring to the interpretation of legal tests are consciously factored in establishing those
tests. The Ontario Information and Privacy Commissioner recently suggested three steps by
which to do this.18
First, the Commissioner recommended that a task force be immediately struck to coordinate efforts
between government, the private sector, universities and other groups on privacy and security
research. The Commissioner noted that this task force should precede any legislative amendments to
state surveillance authority.
Second, the Commissioner called for increased appreciation of the potential sensitivity of the
information which could be produced under the new lawful access powers, recommending that
access to information associated with private electronic communications be subject to rigorous
independent oversight. The Commissioner noted that traditional surveillance powers, such as
search and seizure warrants and wiretap authorizations, are already subject to stringent judicial
oversight under the Criminal Code, in no small measure because their effectiveness would erase
any notion of privacy were they not to be subject to such conditions.
Third, the Commissioner called for the creation of an independent, arm’s-length surveillance and
access review agency, much like models already established by other countries, notably
Switzerland. This agency would supervise access to highly sensitive personal information by law
enforcement and report annually to Parliament on the effectiveness of the regime. These three
recommendations are both welcome and necessary safeguards, which must be seriously
The oversight structure for traditional powers of electronic surveillance under the Criminal Code
stipulates that they are procedures of last resort. This is precisely because we, as a society, have
decided that their efficacy has the potential, if left unregulated, to annihilate any notion of privacy
and freedom of expression in a free and democratic society. We cannot afford to vindicate
privacy only after it has been violated.19 Invasions of privacy must be prevented, and where
privacy is outweighed by other societal claims, there must be clear rules setting forth the
conditions under which it can be violated. This truth is more poignant in the lawful access
context, because our legal rights are bounded, in part, by technological and administrative design
which are fluid and can — and do operate — to unintentionally alter the meaning of our legal
Editor’s note: Jason Young is a student-at-law at technology law firm Deeth Williams Wall LLP in Toronto.
The views expressed here are his own and not those of his employer. He would like to thank Phillipa
Lawson and Catherine Thompson for their assistance with earlier drafts of this summary.
     See R. v. Deck, [2004] A.J. No. 1503 (Prov. Ct.) (QL).
     R.S.C. 1985, c. C-46 [Code].
     Canada, Department of Justice, et al., Lawful Access: Consultation Document (Ottawa: Justice, 2002), online: Justice
     <> [Lawful Access].
     See Press Release, Council of Europe, First International Treaty to Combat Crime in Cyberspace Approved By Ministers’
     Deputies (September 19, 2001); Council of Europe, Explanatory Report to the Convention on Cybercrime, paras. 7-15 (2001).
     The countries that have ratified the treaty as of June 1, 2005 are as follows: Albania, Bulgaria, Croatia, Cyprus, Estonia,
     Hungary, Lithuania, Romania, Slovenia, and the former Yugoslav Republic of Macedonia.
     Lawful Access, supra, note 3.
     Canada, Department of Justice, Summary of Submissions to the Lawful Access Consultation (August 2003), (Ottawa: Justice,
     2003), online: Justice <
     The documents provided to civil society stakeholders in March, 2005, included the following: Combating cyber-crime: the
     context; E-mails: Considerations for Criminal Law Policy; Lawful Access Proposals: Proposals with Respect to Compelling
     Interception Capability and Access to Subscriber Information; Lawful Access: Legal Review; Lawful Access — Amendments to
     the Competition Act; and Transmission Data: Considerations for Criminal Law Policy.
     S.C. 2000, c. 5, s. 7(3)(c.1).
     Millar v. Taylor (1769), 4 Burr. 2303, 2379, 98 E.R. 201 at 237 and 242.
     Part I of the Constitution Act, 1982, being Sch. B to the Canada Act 1982 (U.K.), 1982, c. 11.
     BMG v. John Doe, [2005] F.C.J. No. 858 (QL), 2005 FCA 193 at para. 42.
     BMG v. John Doe, [2004] F.C.J. No. 525 (QL), 2004 FC 488 (written representations of the third party Telus at para. 2) compare
     (written representations of the third party Bell Canada at para. 21).
     Canada, Bill C-13, An Act to amend the Criminal Code (capital markets fraud and evidence-gathering), 3rd Sess., 37th Parl.,
     2004 (assented to March 29, 2004).
     Code, supra, note 2, s. 492.2(2).
     Michel Foucault, Discipline and punish: the birth of the prison (New York: Pantheon, 1977).
     For an expansion of this argument, see generally Jason Young, “Surfing While Muslim: Privacy, Freedom of Expression & the
     Unintended Consequences of Cybercrime Legislation” (2004) No. 9 Int. J. of Comm. Law & Pol’y at 17, online: Social Science
     Research Network <>.
     Letter from Ontario Assistant Commissioner (Privacy), Ken Anderson, to federal Minister of Justice, Irwin Cotler, (April 21,
     2005), “IPC Submission to Minister of Justice and Attorney General of Canada on 2005 ‘Lawful Access’ Consultations”.
     R. v. Duarte, [1990] S.C.J. No. 2 (QL), [1990] 1 S.C.R. 30 at 44.

Contact Jason Young for additional information on Lawful Access

Reproduced with the permission of the publisher LexisNexis Canada Inc. from Canadian Privacy
   Law Review Vol. 2 Number 9 June 2005