The uncertain purpose of warrantless access

It was not a great week for Western civilization as politicians worked to increase police powers without judicial oversight.

Under the banner of stopping pornographers or terrorism, Canadian, American and British politicians are working hard to increase police access to information without judicial oversight.

• The Canadian Conservatives, under Minister Victor Toews, are pushing bill C-30 (an omnibus legislation echoing previously failed bills C-50, C-51 & C-52) the “Protecting Children from Internet Predators Act“
• The Americans, thanks to Republican Representative Lamar Smith, are getting H.R. 1981 – “Protecting Children From Internet Pornographers“; Lamar is also the author of the internet damaging SOPA.
• The British want phone calls, emails and texts stored for a year.

Also, let’s not forget the Australians either, who said (I’m paraphrasing) screw the law, let’s just spy on people without warrants.

The story in Canada is particularly interesting; while nobody disagrees with the need to stop the bad people doing bad things, there’s no clear reason why law enforcement needs this level of access without judicial oversight. To date there’s been no cogent argument presented, no supporting evidence, that makes the case for this increased access. Supporters of the previous bills and now C-30 have been totally unable to provide one single case where the courts unreasonably denied their request for access, nor have they been able to provide evidence of a systemic problem that can only be remedied by granting access without judicial oversight.

Minister Toews went on the record saying that this proposed Canadian legislation wasn’t giving the police any new access. Yet it absolutely does grant the police more power and then some. When originally proposed in 2005 it was called the “Modernization of Investigative Techniques Act” with variants of that name in three successive attempts before rebranding in 2012 to protect the children. With a name like that how could it do anything other than give the police more powers?

More concerning than the granting of warrantless access to law enforcement is that it grants thirds parties, in the form of government appointed inspectors (specifically not law enforcement), with even more warrantless access capabilities. While the police would “just” be granted warrantless access to subscriber information, these inspectors can look at anything on an ISP’s computer systems.

The legislation is opposed by leading legal minds; all the privacy commissioners of Canada (at the federal and provincial level) oppose this legislation as do over 100,000 Canadian citizens. Never mind the delightfully, ever so Canadian, passive aggressive protest on twitter of #tellVicEverything.

Yet it gets worse, the legislation allows for a gag order to be placed on any telecommunications provider who is forced to hand over subscriber information; meaning they cannot tell their subscribers that information was handed over. If the legislation reminds you a little bit of the PATRIOT ACT it should because there’s a similar (although much broader) gag clause in there too.

To recap:

• You have a government representative reintroducing repeatedly failed legislation that is unwanted, unneeded and actually harmful
• The legislation grants law enforcement the ability to get access to subscriber information without going to a judge for a warrant
• Third parties can be given the power to perform warrantless investigations and take copies of any information they find
• ISPs and telecommunication’s companies can be blocked from telling subscribers there information was accessed

A 2009 report on the PATRIOT act’s sneak and peak warrantless access capabilities revealed that a law designed to fight terrorism was only being used 1% of the time for it’s intended purpose, the rest was just for ordinary crime. What if the actual purpose of Bill C-30 and it’s foreign brethren is not really for their stated purpose of protecting children from bad people online or stopping terrorists? What if this were for some other purpose, one that often get’s frustrated in courts because of it’s wonky legal standing? Police rarely have problems getting a warrant to catch a real criminal, so which group stands to benefit from warrantless subscriber information access and unfettered non-police investigations? I suspect a look at campaign finances and meeting schedules of the legislation’s authors would tell us; having a look at prior legislations passed by these same folks might be informative too.

So why should we as security professionals care about this? Should we not be on the side of the law given that this legislation might help catch the bad guys that harm our networks and systems? The answer to that lies in the acronym C.I.A. – Confidentiality, Integrity and Availability – the three pillars on information security. While privacy & confidentiality are not identical they are certainly close enough that we should be helping protect users from anything that breaches their expectation thereof. In this case the proposed legislations would undermine the desired confidentiality of user’s and their data, which is something we shouldn’t allow.

Even if citizens thought it a good idea to grant access to their data to stop criminals they are ultimately trading away their privacy permanently and that’s something we should help protect against. As Benjamin Franklin once said “They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety”. If you haven’t done so already, join the fight in some way such as signing the Stop Spying petition or write to your minister of Canadian parliament / representative / minister of British parliament to demand that all information access be controlled by proper judicial oversight.