I assume that if you are reading this, you are already aware of the furor over the "lawful access" provisions in the unintentionally humorously titled "Protecting Children from Internet Predators Act"* which is more formally (and more accurately) titled "An Act to enact the Investigating and Preventing Criminal Electronic Communications Act and to amend the Criminal Code and other Acts" AKA Bill C-30.
The section that is generating the largest amount of controversy is Part I section 16:
"16. (1) On written request by a person designated under subsection (3) that includes prescribed identifying information, every telecommunications service provider must provide the person with identifying information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment"
This section allows a designated officer (not any police officer)** to request, without a warrant, information from a telecommunications service provider (TSP for short) that will link your name and address to particular service. E.g. link you to the IP address that is provided to you by your ISP or link you to the IMEI number on your cell phone.
Many see this as an unwarranted invasion of an individual's privacy. However, there is precedent for this already. Yes, in some ways the phone-book, but also something else; the license plate on a vehicle. At any time an officer of the law may query a database to get the current name, address and criminal history of the owner of a license plate. They also have access to an entire record of all incidents recorded against the address. And I think (though am not sure) that these requests are not as strictly controlled or documented as the proposed request provisions for information from a TSP. Add in video cameras, computers, and license plate recognition technology, this process can be entirely automated, allowing police departments to build a rough database history of all your movements based on where your license plate has been recorded. Throw in some automated alerts and police can be proactively notified that someone with a shoplifting history just went into Yorkdale Mall.
In contrast to a license plate, you give your IP address out every time you connect to a website. If you are in the habit of using social media using your real name and not a pseudonym, it is ludicrously easy to link your name to your IP address, and then from there to your real physical address. This is information you voluntarily provide to complete strangers all over the world. If you register for programs or information on government or police service websites, you give this information to them freely, without a second thought.
So is it not strange to be upset over the notion that police must make a documented request for information that we all provide freely to complete strangers without concerns over privacy?
Quick related segue on IP addresses. IP version 4, which is what 99.99% of us use to access the internet, results in an IP address being associated with a location, not an individual. But the world is running out of IPv4 addresses, and so there is a big push to migrate us all to IP version 6. An IPv6 address will associate a device with a location, which means in the future when you visit a website using your iPhone, the web host will be able to track your movements because each time you connect to a site, you will provide an IPv6 address identifying your device, and where you currently are. Frightening implications abound.
Another privacy concern is that police departments will create databases based on the content collected from TSPs. In that database will be the history of all the data obtained from TSPs. To my mind, this contradicts the meaning of Part I section 17:
"19. Information that is provided in response to a request made under subsection 16(1) or 17(1) must not, without the consent of the individual to whom it relates, be used by the agency in which the designated person or police officer is employed except for the purpose for which the information was obtained or for a use consistent with that purpose."
I find it quite the stretch for a police department to claim that a database archive of all this data is a use consistent with the purpose of the original request. But, the concerns are that this database would be a goldmine for hackers. This logic I actually find laughable. Police departments have all kinds of databases and other electronic information that is way more sensitive than IP addresses and names. If hackers got in (Sorry. When hackers get in.) the information available to them is so valuable that an IP addresses and name database would be candy sprinkles on the icing on the 7 layer cake served as dessert with the filet mignon steak dinner they found.
So to conclude on the "lawful access" issue, this bill provides officials (I would love to know why the Competition Bureau is included though) with the right to request information citizens regularly (and unconsciously) give away to complete strangers, and it restricts the purposes for which this information can be used. I'm not seeing why I should be that concerned.
* Humorous in that the act has nothing to do with "Protecting Children" or dealing with "Internet Predators".
** There is an exceptional circumstance provision that allows any officer to request this information, but they must provide justification within 24 hours. They cannot just flash the badge and ask for the data.