About a year ago, Ontario’s information and privacy commissioner, Ann Cavoukian, was at a conference where she ran into Vint Cerf, a man often described as “the father of the Internet.” Dr. Cavoukian told him about Bill C-30, a proposed law in Canada that would give police the ability to request Internet service providers hand over subscriber data during police investigations.
“I had heard the argument from the law enforcement officials that they weren’t after the actual content of e-mails or websites people surfed, just the traffic, basically,” she said. When she asked Cerf what he thought, however, he told her that traffic data could tell a lot more about someone’s online behavior in the long term than actual content ever could. “When someone with the caliber of a Vint Cerf says something like that, it sticks with you.”
The potential dangers of Bill C-30 must have resonated with a number of other people too, because on Monday the federal government said it was finally killing it off once and for all. This comes after nearly 10 years of discussion around such legislation, which has sometimes been described as “lawful access.” When Prime Minister Stephen Harper finally secured a majority, Bill C-30 was one of the things he was expected to push through. The sudden change took privacy watchers and the IT industry by surprise, but in a good way.
“To me it’s such a victory,” said Cavoukian, who was among the more vocal critics of lawful access since it first emerged around 2003. “It’s a rare occurrence that a bill is completely taken off the books. The fact that it has been basically shut down speaks volumes, and it speaks to the success of the process of our democracy.”
Bill C-30 also marked a rare occasion where businesses and consumers were united in their protests, though for markedly different reasons. ISPs left the privacy issues to the experts and were more concerns about the costs of upgrading their equipment to comply with lawful access legislation. According to Tom Copeland, chair of the Canadian Internet Access Providers (CAIP) association, most firms were reassured that they would have an 18 month to three-year window before they had to have everything in place, but given that smaller ISPs tend to buy used equipment, Bill C-30 would have meant shelling out for the latest and greatest network gear. Even that wouldn’t have addressed the issue completely.
“The question was more about how we were to interface with law enforcement, how to collect and deliver the data,” he said. “We didn’t want a ‘Made in Canada’ solution because given the international nature of tech and telecommunications, that just wouldn’t make sense.”
Indeed, Cavoukian points out that the U.S. and the UK already have rules that resemble some of what was in Bill C-30. Although she applauds the government for its decision, she admits the pressure from foreign countries will require her and others to remain ever vigilant that the privacy of Canadian’s isn’t compromised.
“I have no problem with law enforcement agencies making a case, going before a judge and getting a warrant. The absence of that court authorization was just troubling,” she said. “I have the greatest respect for law enforcement and our police chiefs. This in no way reflects in my having a lack of trust. It’s just the potential for what could happen.”
That’s it in a nutshell. No police officer has ever managed to bring undue harm to a Canadian citizen by accessing information about their online traffic. At the same time, police officials might argue that there’s no telling what kind of harm criminals could cause – or are causing – using their computers that police could stop or prevent if only they had the means to do so more quickly. When technology and law enforcement intersect, a lot of “what ifs” come up. Despite the government’s about-face, I’m not convinced we’ll be able to leave them unanswered indefinitely.