Public Safety Canada has been in close consultation with telecommunication companies over the logistics of Ottawa's so-called Internet "snoop and spy" legislation – talks that dealt with who will shoulder the costs of pricey "intercept capabilities," and whether it will even be feasible to monitor user behaviour in an increasingly complex "cloud-computing" environment.
The reams of e-mails, meeting and teleconference agendas, obtained by The Globe and Mail through an access to information request, indicate the talks extended more than a year prior to the government tabling its online surveillance bill in February.
Internet providers noted that any costs incurred by extra surveillance infrastructure and the resources to staff it 24/7 – a figure that for some private firms may run into the millions – would likely be passed down to their Canadian customers.
Public Safety offered assurances that companies won’t need to install new equipment for at least a year and a half after the legislation’s passed. Smaller companies will have three years. Even then, the requirement for "intercept capabilities" will only apply to new equipment that would have replaced older infrastructure anyway.
Ottawa’s most recent go at such legislation, Bill C-30, has been nudged out of the public psyche – stalled in the face of uproar over its proposals to let police to demand internet users’ personal information, and oblige service providers to install intercept capabilities so they can record network activity at a moment’s notice.
Well before the online surveillance bill created consternation among Canadians protective of their online privacy, telecommunication companies made it clear they wanted a say in whatever details come out of the law once it’s finally passed. Ottawa has sought to assure them the regulations, once they’re finally written and made public, won’t present a logistical or financial burden.
Documents obtained by The Globe indicate months of back-and-forth communication between the Public Safety ministry and representatives from companies and sector associations. The records detail multiple meetings and teleconferences and lengthy e-mail threads through the latest bill’s introduction in early 2012.
Public safety Canada “appeared willing to engage with industry to address some of our concerns,” reads an e-mail sent Sept. 21, 2011 to members of an industry committee shortly after a meeting with the federal government. “The fact that the legislation is a top priority for a majority government and that industry’s concerns have not gone away may have focused their attention more than usual.”
Late last year, industry players and Public Safety Canada set up a working group to discuss more than three dozen queries and concerns. The group’s members got security clearance and signed non-disclosure agreements.
Big question marks for telcos include the nature of monitoring equipment needed, practical challenges to obtaining subscriber information and how they’ll provide “intercept capabilities” that are expensive to staff and may rarely be required, but are expected to be constantly available.
In an e-mail laying out the agenda for a January, 2012 teleconference, a Bell Canada representative suggested putting together diagrams clarifying “who does what and where” for different types of networks. “Dividing up responsibilities at the operational level will be a big challenge,” the e-mail notes, “(for example, in a cloud environment, who has the obligations under the Act?)”
(The Bell employee’s name was redacted from records provided to The Globe. Bell declined to comment.)
While much remains up in the air, when pressed, Public Safety has made sure to outline the flexibility companies will have when it comes to implementing the bill.
New “intercept capabilities” will only be required for new infrastructure the companies would have been buying to replace old models. Other “exemptions and suspensions” of requirements could be possible in exceptional circumstances, Public Safety spokeswoman Jessica Slack told The Globe in an e-mail. And in cases where existing equipment needs to be updated, a company would get “reasonable compensation.”
That hasn’t assuaged companies’ concerns.
“You’re going to be looking at significant costs in terms of technological and human resources. And how those costs are going to be recovered has remained our prime concern,” said Marc Choma, spokesman for the Canadian Wireless Telecommunications Association. “As law enforcement, [police] need a lot of tools to do their job. But I don’t think taxpayers would expect the garment industry to pay for law-enforcement uniforms, or the automotive industry to pay for law-enforcement cars.”
“And,” he added later, “we don’t want to see those costs being added to consumers.”
A more pointed question for any lawful access regulation: Is it even possible for this to work as Public Safety hopes it will, given the proliferation of cloud computing? If a suspect is registered with a Canadian Internet provider but his or her connection is routed through data centres a world away, the information Canadian police want could remain out of reach.
“It would have been effective five years ago,” says Samer Bishay, CEO of Iristel, a Toronto-based Voice-Over IP service provider. “The thing is, it’s a little behind.”
Mr. Bishay thinks the lawful access bill is a great idea. “This’ll only protect people,” he says. He just isn’t sure if it will work as planned.
The proliferation of cloud computing, in which data is stored and backed up on a remote server, makes things “exponentially” more complicated, Mr. Bishay says.
“Traceability becomes really hard because everything’s sitting on a cloud. Well where is this cloud? Is it in Europe? Asia? Who knows? And it could migrate almost instantaneously.”
In response to a Globe query about the bill’s effectiveness with cloud-stored data, the Public Safety ministry’s Ms. Slack said the ministry, “always pays close attention to technological advancement’s impact on national security agencies.”
Mr. Choma said he hasn’t heard from Public Safety since the bill was sent back to committee for potential revisions. But he’d like to have a say in its final regulations.
“Well, we always hope so,” he said. “And if we do have any concerns with the regulations, we certainly hope the government … would be open to further discussion.”