Canadian telecoms push back on proposed police powers

Rogers, TekSavvy, and a consortium of Canadian information technology companies are pushing back against proposed changes to Canada's national security legislation.

In comments to the federal government, submitted last Thursday as part of a public consultation on national security reforms, the companies argue that Canada's existing laws governing police powers are adequate, and that the government has not provided enough evidence to justify expanding those powers.

The companies also say the government has not provided specific details on how telecommunications companies would be required to implement some of its most contentious proposals — specifically, systems designed to intercept communications and retain user data long term.

• RCMP wants warrantless access to ISP user data

"The Government's Green Paper has not provided significant evidence of a particular problem that cannot be addressed in the existing legislative framework," Rogers's submission reads, adding "there are no concrete proposals for new legislative requirements."

Rogers and TekSavvy submitted their comments independently, as did the Information Technology Association of Canada (ITAC), and share similar albeit nuanced positions.

Neither Bell nor Videotron submitted their own comments, but pointed CBC News to a submission made by the Canadian Wireless Telecommunications Association (CWTA), which focuses less on specific policy proposals than on general comments about privacy and cost.

Telus and Shaw did not participate in the consultation.

Basic subscriber information and data retention

In September, the government announced a public review of the country's controversial national security legislation, Bill C-51, introduced under the previous Conservative government.

One of Prime Minister Justin Trudeau's campaign promises was to repeal the "problematic elements" of the bill. 

However, as part of the consultation process, the Liberal government released a discussion paper that actually considers an expansion of existing police powers.

One possible scenario, which has been endorsed by police, is warrantless access to Basic Subscriber Information (BSI), which can include a customer's name, address, telephone number, IP address — information that police say is presently difficult to obtain in a timely manner.

To be clear, we do not recommend any expansion of mandated interception capabilities.- TekSavvy's submission to the federal government

Rogers argues that there is "no evidence to date" to support the police's claim, while TekSavvy says it is not clear to them that such a power is "justified."

Another possibility is a "general requirement" that phone and internet companies be required to retain data for an unspecified amount of time to assist police in criminal investigations.

In the submissions reviewed by CBC News, Rogers, TekSavvy and ITAC argued that companies should not have to retain information any longer than is required for business practices, in keeping with the spirit of Canada's existing privacy legislation.

"We are concerned that a mandated data retention requirement would place all of a service provider's customers under a generalized air of suspicion of prospective wrongdoing," TekSavvy wrote in its submission. "It would communicate that the government wants records kept on all citizens 'just in case' they engage in inappropriate activities."

The companies have also expressed concern that retaining user information for long term periods of time would pose additional privacy and security risks, requiring additional protection from hackers and unauthorized users than if data was deleted more quickly, or not retained at all.

Lawful access and encryption

For more than a decade, police and government officials have sought to pass legislation that would require telecommunications providers — and in some cases, application service providers such as Facebook and Google — to build systems capable of intercepting digital communication.

At present, only wiretaps of phone, fax, and text messages are required — and not by law, but as a condition of their licences. The government argued in its discussion paper this fall that given a current lack of technical interception equipment at many communication providers, the police suffer an "inability to intercept communications [that] can cause key intelligence and evidence to be missed" in the course of investigations.

However, TekSavvy and ITAC say the potential privacy and security risks of lawfully mandated interception systems would be significant, pointing to the potential for such systems to be accessed by hackers, criminals, and other unauthorized parties, which has happened in other jurisdictions in the past.

"To be clear, we do not recommend any expansion of mandated interception capabilities," TekSavvy wrote.

More so, Rogers, TekSavvy, ITAC, and CWTA say the cost of implementing such systems would be significant and have the potential to stifle innovation and ongoing quality of service. They say the government has provided no technical guidance on how such a system should be implemented, or what its capabilities would have to be.

"It would be critical that the government identify how the related costs, including risks to Canadians in respect of privacy and network security, are justified," according to ITAC.

Rogers and ITAC also specifically voiced their disapproval of so-called "backdoors" in encryption — secret software modifications designed to give law enforcement access to communications when necessary, but can be exploited by anyone if discovered, thus weakening the security of the software overall.

Fake cell phone towers

Notably, Rogers in its submission to the government consultation directly addressed the use of police surveillance devices known as Stingrays, or IMSI catchers, in its submission — the first time the company has spoken publicly about the technique at length.

"It remains unclear as to whether such new tools and devices are permissible under the current legislative framework- Rogers on the use of IMSI catchers in Canada

An IMSI catcher collects information about nearby cellphones and their owners by pretending to be legitimate cellphone towers, tricking those phones into connecting to the fake tower. 

For telecommunications companies, the devices can interfere with the normal operating of a network, and in some cases prevent the connection of 911 calls, which Rogers lists amongst its concerns.

According to Rogers, "it remains unclear as to whether such new tools and devices are permissible under the current legislative framework," and whether "the use of this technology is in [the] best interest of protecting Canadians."

The company notes that such devices are not detectable on wireless networks "at this time." Rogers's submission calls for "specific consultation" on issues relating to transparency and judicial oversight as it relates to Stingray technology.

Similarly, ITAC highlighted the negative impact such devices can have on telecom networks.

"Prior to introducing these technologies, law enforcement should work with industry and privacy experts to fully understand impacts and address potential risks," ITAC's submission reads.

• How Canada extended its secret Cold War wiretapping program