Michael Power, partner and chief privacy officer at Ottawa-based Gowling Lafleur Henderson LLP, provides strategic and legal advice to public and private sector clients in the areas of privacy, information technology, security and electronic government. Prior to joining Gowling, Michael held various positions with the Department of Justice and the Department of Foreign Affairs and International Trade, which included responsibilities for legal advice, policy development, and issue management pertaining to information technology, electronic commerce and international trade and investment issues. Michael talks about balancing the obligations to customers with demands by law enforcement agencies.
What I want to talk to you about today is “Between a Rock and a Hard Place”, and why I chose the title – if you ask me the question, ‘Where did that come from?’ I probably spent more time trying to figure out where that came from – I never got a satisfactory answer – than I did on the presentation.
Because, in part, I knew that the distinguished panelists that preceded me were probably going to talk about a lot of the things that I was. But what I am going to do is, I am going to ask you to sort of think of this question of lawful access and the business perspective vis-a-vis lawful access from a different perspective.
Another interactive moment here. If anybody in the room is against motherhood, please raise your hand. Anybody against apple pie? Motherhood and apple pie are sort of those things that you really can’t argue with. And in a large part, you can’t pretty much argue with lawful access, right?
But in terms of lawful access, it’s designed to catch the bad guys and nobody in the business community would ever argue that they would never want to be in a position where they would say, ‘We really don’t want to help the police, or national security, or law enforcement authority catch the bad guys.’
Who would be against that?
The trouble is getting the balance right. And so if you start to think about lawful access proposals – What are we trying to do? What is our objective? How far do we want to go in order to achieve that objective?
And that’s the real question. What’s the balance? And trying to answer that larger question would simply lay out some of the smaller questions for you.
My first one is, quite frankly, ‘What’s the problem?’ By that I mean, ‘what’s wrong with the current system?’ And they say, ‘we have new technologies and we need to be able to respond to these new technologies.’ Well, we haven’t really seen the evidence. I’m a lawyer. I kind of like to see the evidence. I kind of like to see the proof. So, prove to me that you really have a problem that requires me to make such an investment and the resources necessary to deliver the solution that you want.
I think the business community really wants to see that before they totally embrace the concept of fully supporting the lawful access proposals. I’m not saying we won’t support them. But in order to achieve the objectives that you want, you’re going to have to be able to prove it.
Second question: How will it work? And the speaker who precedes me sort of dealt with ‘the devil is in the detail.’ And he’s quite right. I agree with him, in terms of the guidelines, the operational requirements, the procedures to be followed. New technology changes the way people do things. I want to make sure I get a handle on those kinds of issues first. What do you need?
What business doesn’t want is uncertainty. And in order to avoid uncertainty you need key concepts, key definitions, accurately and properly defined. And that hasn’t been seen yet, to date. So, if you’re going to ask me to do something, please tell me exactly what it is you want me to do, the scope of what these proposals are going to cover. So that I can figure out what it’s going to cost.
Why do we have to pay? We’ve heard about cost-sharing, which is laudable, but I haven’t seen where the line is yet. And this relates back again to the uncertainty principle that I have mentioned earlier. Why do we have to pay? How much are we going to pay? And, if the cost would be incremental increase in the benefit. If you’re looking for me to give you the answers, I am afraid you’re looking at the wrong place. What I am attempting to do is to simply say from the business perspective – the industry perspective – there are certain fundamental questions that do have to be addressed – simple questions.
And they would like the answers.
Why do we need to keep the information accurate? Why are you suggesting that I need to keep it more accurate than I might otherwise be required to have it accurate for my normal operational purposes? Very straightforward question. Are you passing on a certain part of your responsibility? I worked with the bureaucracy. What I notice when people say, we’re updating the legislation – we’re updating the law.
And I always get a little nervous about the introduction of new concepts under the guise of updating. Shifting of some of the burden from the law enforcement, national security to the private sector. And I am not saying it’s a bad thing. Don’t get me wrong. It’s necessary. I’m just saying that there needs to be a full and frank discussion of that, before you turn around and do it.
How long do we need to keep the information? It relates to data protection orders. Again, in terms of what the parameters of that should be. And what business really wants. We want to avoid ambiguity with respect to what it is I have to retain. So, narrow target. Short duration if possible because storage means cost and these things add up.
How long do service providers actually have to be able to respond? How quickly?
In conclusion, I’m just gonna close with one comment made to me by a partner of mine. When I became a partner he came up to me, and he said congratulations. And then he said, ‘You wanted to become a partner.’ And then he said, ‘Be careful what you wish for.’
With respect to implementing lawful access proposals, be careful what you wish for.