Wednesday, 15 February 2012

Playing Devil's Advocate on Bill C-30

I assume that if you are reading this, you are already aware of the furor over the "lawful access" provisions in the unintentionally humorously titled "Protecting Children from Internet Predators Act"* which is more formally (and more accurately) titled "An Act to enact the Investigating and Preventing Criminal Electronic Communications Act and to amend the Criminal Code and other Acts" AKA Bill C-30.

The section that is generating the largest amount of controversy is Part I section 16:

"16. (1) On written request by a person designated under subsection (3) that includes prescribed identifying information, every telecommunications service provider must provide the person with identifying information in the service provider’s possession or control respecting the name, address, telephone number and electronic mail address of any subscriber to any of the service provider’s telecommunications services and the Internet protocol address and local service provider identifier that are associated with the subscriber’s service and equipment"

This section allows a designated officer (not any police officer)** to request, without a warrant, information from a telecommunications service provider (TSP for short) that will link your name and address to a particular service, e.g. link you to the IP address that is provided to you by your ISP, or link you to the IMEI number on your cell phone.

Many see this as an unwarranted invasion of an individual's privacy. However, there is precedent for this already. Yes, in some ways the phone book, but also something else: the license plate on a vehicle. At any time an officer of the law may query a database to get the current name, address and criminal history of the owner of a license plate. They also have access to an entire record of all incidents recorded against the address. And I think (though I am not sure) that these requests are not as strictly controlled or documented as the proposed request provisions for information from a TSP. Add in video cameras, computers, and license plate recognition technology, and this process can be entirely automated, allowing police departments to build a rough database history of all your movements based on where your license plate has been recorded. Throw in some automated alerts and police can be proactively notified that someone with a shoplifting history just went into Yorkdale Mall.

In contrast to a license plate, you give your IP address out every time you connect to a website. If you are in the habit of using social media using your real name and not a pseudonym, it is ludicrously easy to link your name to your IP address, and then from there to your real physical address. This is information you voluntarily provide to complete strangers all over the world. If you register for programs or information on government or police service websites, you give this information to them freely, without a second thought.

So is it not strange to be upset over the notion that police must make a documented request for information that we all provide freely to complete strangers without concerns over privacy?

Quick related segue on IP addresses. IP version 4, which is what 99.99% of us use to access the internet, results in an IP address being associated with a location, not an individual. But the world is running out of IPv4 addresses, and so there is a big push to migrate us all to IP version 6. An IPv6 address will associate a device with a location, which means in the future when you visit a website using your iPhone, the web host will be able to track your movements because each time you connect to a site, you will provide an IPv6 address identifying your device, and where you currently are. Frightening implications abound.

Another privacy concern is that police departments will create databases based on the content collected from TSPs. In that database will be the history of all the data obtained from TSPs. To my mind, this contradicts the meaning of Part I section 17:

"19. Information that is provided in response to a request made under subsection 16(1) or 17(1) must not, without the consent of the individual to whom it relates, be used by the agency in which the designated person or police officer is employed except for the purpose for which the information was obtained or for a use consistent with that purpose."

I find it quite the stretch for a police department to claim that a database archive of all this data is a use consistent with the purpose of the original request. But the concerns are that this database would be a goldmine for hackers. This logic I actually find laughable. Police departments have all kinds of databases and other electronic information that is way more sensitive than IP addresses and names. If hackers got in (Sorry. When hackers get in.) the information available to them is so valuable that an IP address and name database would be candy sprinkles on the icing on the 7 layer cake served as dessert with the filet mignon steak dinner they found.

So to conclude on the "lawful access" issue, this bill provides officials (I would love to know why the Competition Bureau is included though) with the right to request information citizens regularly (and unconsciously) give away to complete strangers, and it restricts the purposes for which this information can be used. I'm not seeing why I should be that concerned.

* Humorous in that the act has nothing to do with "Protecting Children" or dealing with "Internet Predators".
** There is an exceptional circumstance provision that allows any officer to request this information, but they must provide justification within 24 hours. They cannot just flash the badge and ask for the data.


Marc Bernard said...

Just wait until you start getting RoboCalled by the Conservatives every few days - then you'll know why this is a bad idea. :)

Catelli said...

More than you know.... Gary Goodyear Robocalled me as I was writing this post.

Marc Bernard said...

Watch out for the black vans! And the drones!

Ken Breadner said...

Catelli, have you ever thought of serving as the Bullshit Analyst (BA) for some media entity? That's twice now you've completely tweaked my thinking with clear, concise explanations/interpretations.

Anonymous said...

"I find it quite the stretch for a police department to claim that a database archive of all this data is a use consistent with the purpose of the original request."

The RCMP have a pilot project to automatically read and track license plates in BC. The initial proposal was for finding stolen vehicles (which doesn't need records stored). Now they're expanding it to store the records, including the time and location for all license plates read, for a year or even more in some cases. They will have a dataminable database of vehicle travel in British Columbia.

So I don't find it a stretch at all that someone will try to archive as much as they can get away with. Besides, a purpose of "preventing crime" is enough to start an archive to fish through, until a judge tells them to stop.

Catelli said...

I haven't reviewed the provincial BC legislation covering license plate look-ups, but I believe there are no such restrictions, or rather minimal restrictions, on how that data can be used.

From that, it is an assumption on my part that Bill C-30 puts in more oversight on digital data collection than exists on license plate data collection.

Christopher Parsons said...

I would note that, regarding ALPR, the system is presently excessive and meant to become more excessive. This is a space that I've been doing research in for the past 8 months and the lack of transparency - and lack of knowledge of how the system functions, on the part of government officials - is absolutely staggering. ALPR systems are designed to do more than link plates with people: they're typically intended to be integrated with other GIS databases to synthesize novel insights.

Also, save for in Alberta, a license plate is recognized as quasi-PII. Same for IP addresses. It's as soon as a plate is to be linked with another data set - your license - that it becomes PII, and the same is true of the IP addy. Thus, when you use enough information that links an IP with 'true' information about yourself it ceases to become simple public information and becomes personally identifiable information and thus protected under PIPEDA.

These powers will be abused. There isn't clear evidence that the authorities need them. The legislation is flawed and the changes significant enough that an omnibus is the absolutely wrong format: a series of smaller bills, that can actually be debated piecemeal, should be introduced if Canadians want to seriously engage with the proposed legislation.