For several months I and a handful of others in the Canadian privacy and security community have been mulling over what Bill C-30, better known as Canada’s ‘lawful access’ legislation, might mean for the future of encryption policy in Canada. Today, I’m happy to announce that one of the fruits of these conversation, a paper that I’ve been working on with Kevin McArthur, is now public. The paper, titled “Understanding the Lawful Access Decryption Requirement,” spends a considerable amount of time considering the potential implications of the legislation. Our analysis considers how C-30 might force companies to adopt key escrows, or decryption key repositories. After identifying some of the problems associated with these repositories, we suggest how to amend the legislation to ensure that corporations will not have to establish key escrows. We conclude by outlining the dangers of leaving the legislative language as it stands today. The full abstract, and download link, follows.
Canada’s lawful access legislation, Bill C-30, includes a section that imposes decryption requirements on telecommunications service providers. In this paper we analyze these requirements to conclude that they may force service providers to establish key escrow, or decryption key retention, programs. We demonstrate the significance of these requirements by analyzing the implications that such programs could have for online service providers, companies that provide client software to access cloud services, and the subscribers of such online services. The paper concludes by suggesting an amendment to the bill, to ensure that corporations will not have to establish escrows, and by speaking to the dangers of not implementing such an amendment.
Download paper at the Social Sciences Research Network
The Government of Canada has, at least temporarily, backed away from pushing through its tabled lawful access legislation. While many critiques of the legislation abound – some of which I’ve recently noted surrounding warrantless access to subscriber information – there have been limited critiques of the actual financial costs associated with the bill. While some public commentators have suggested that the legislation will threaten small Internet service providers’ financial viability, there has yet to be a formal, detailed, and public financial accounting of lawful access-related costs.
I’m incapable of offering this accounting. The same is true for every other Canadian, whether they are a government bureaucrat, private citizen, corporate agent, or government Minister, because the legislation itself remains murky. Thus, rather than suggest that the legislation will cost X dollars, in this post I outline why people cannot cost out the bill if they solely rely on existing public information.
I begin this post by quickly outlining what the Canadian government suggests that the legislation will cost. Having done so, I move to critique the origins of the government’s numbers. This entails first examining the issue of interception capabilities, second, of storage costs, and third, of the status of Telecommunication Service Providers’ existing lawful access capacities. I conclude by noting the lack of clarity surrounding C-30’s breadth and the need for clarity during the legislative, rather than regulation-setting, stage of the bill’s development.
The most recent version of the Canadian Government’s lawful access legislation is upon us. The legislation expands the powers available to the police, imposes equipment- and training-related costs on Telecommunications Service Providers (TSPs), enables TSPs to voluntarily provide consumer information to authorities without a warrant, forces TSPs to provide subscriber data without warrant, and imposes gag orders on TSPs who comply with lawful access powers. Economic and civil rights costs are, as of yet, murky. Despite being an extremely lengthy piece of legislation, Bill C-30 lacks the specificity that should accompany serious expansions to Canadian policing and intelligence gathering powers.
In this post, I first outline a ‘subscriber data regime’ to discuss what does – and may – be entailed in accessing Canadians’ subscriber data. Second, I explain how subscriber data can be used for open-sourced intelligence gathering. Third, I argue that an administrative process of expanding subscriber identifiers is inappropriate. Finally, I articulate why warrants are so important, and why court approval should precede access to subscriber data. In aggregate, this post explicates the concerns that many civil advocates, academics, and technical experts have with access to subscriber information, why Canadians should be mindful of these concerns, and why Canadians should rebuff current efforts to expand warrantless access to subscriber information.
Last year I was approached by the founder and editor in chief of The Winston Report to update and publish one of my postings on Canada’s forthcoming lawful access legislation. The Report is the quarterly journal of the Canadian Association of Professional Access and Privacy Administrators (CAPAPA). The updated piece that I contributed is more compact than what I originally wrote on this site, though I think that this makes it a stronger, more direct piece. I want to publicly thank Sharon Polsky for the opportunity that she provided to me, and for being so kind as to position my piece as the lead featured article in the Winter edition of the journal. I also want to thank my tireless editor, Joyce Parsons, for her incredible work strengthening my prose. A preprint version of my contribution, which retained a creative-commons license as part of my agreement with the editor in chief, is made available to you below under the normal Creative Commons Attribution, Noncommercial 2.5 Canada license.
Download pre-print .pdf version of (Un)Lawful Access: Its Potentials, and its Lack of Necessity.