A battle looms over who should pay for a project that would give police easier access to service provider networks.
The federal government is considering changing the Criminal Code to give law enforcement groups the tools to intercept e-mail and Web correspondence.
According to Justice Canada, the federal department undertaking this review of “lawful access” rules, the police say they need greater interception capabilities to help capture those who use the Internet to plan nefarious deeds.
Noting potential privacy and cost implications, the feds held a public consultation last year to glean thoughts on the matter. Justice Canada published a summary of the comments in August.
The cost debate provides a glimpse into just how difficult a path the government faces with lawful access legislation: who should pay for new intercept-ready switches, routers and storage media that might be required for lawful access?
ISPs say it’s Ottawa’s bill.
“Because these obligations are being imposed upon us for a government purpose…government should pay for it,” said Jay Thomson, president of the Canadian Association of Internet Providers (CAIP) in Ottawa.
The police say service providers should pay, contending that the government should keep ISPs “from…recovering infrastructure costs from law enforcement agencies,” according to Justice Canada’s “Summary of Submissions to the Lawful Access Consultation” on the department’s Web site.
Thomson said most Canadian ISPs are small operations that cannot afford new intercept-ready equipment. As well, “ultimately any business…passes its costs onto its customers.” If service providers have to buy new gear, users will pay the price.
But John Boufford, director of advocacy for the Canadian Information Processing Society (CIPS), said “users are going to bear the cost one way or another. If law enforcement pays for it, it’s tax dollars at work.”
Boufford said CIPS sees lawful access as “a civic responsibility” for ISPs.
“Banks are faced with reporting certain activities around money laundering statutes….I’m not aware of any financial help that went their way to offset the cost of implementing this monitoring and reporting.”
But certain questions about lawful access remain unanswered.
“The whole issue of who is a service provider and who is not, I don’t think has been resolved,” Boufford said, indicating concerns that enterprises operating their own networks might also have to install interception equipment.
In an earlier interview Thomson said he’s sure the government doesn’t mean to apply new lawful access rules to enterprises. But he still has reservations.
“We don’t know what kind of costs we’re talking about here, because we don’t know what the technical and administrative obligations would actually be.”
In the Frequently Asked Questions section of its lawful access Web page, Justice Canada tries to address one big privacy and cost concern for ISPs: will they have to catalogue every user’s online activities and pay for the technology to store the ensuing petabytes of info?
The FAQ says Justice Canada doesn’t want such deep “data retention.” But Lawrence Surtees is skeptical. An analyst with IDC Canada Ltd., he noted that Canada has signed a European Union (EU) cyber-crime convention, and plans to ratify it in the future.
Surtees said the EU agreement might require data retention. And if the EU wants retention, Canada would have to oblige.
“Now you’re prescribing way more complex upgrades,” he said.