There are a lot of problems with Bill C-30 – the Investigating and Preventing Criminal Electronic Communications Act. Unknown costs, mandatory voluntary disclosure of subscriber data -including those from foreign “authorized agents” - without judicial oversight, its ties with ACTA and Criminal Copyright Infringement, no limits on Ministerial power to expand regulations and authority of the legislation, no penalties for unauthorized disclosure or data breaches, and a sponsoring Minister who didn’t even read the bill before tabling the legislation leave much to be desired. Even the last “lawful” access bill addressed some of these concerns.
I haven’t seen much talk about another problem with C-30 – it requires Canadians to spy on each other. This might be an inflammatory statement but I believe it’s true for one simple reason: Bill C-30 requires all telecommunication services providers (with some exceptions, that can be changed by the Governor in council at any time) including any person to provide Interception capabilities, providing the personally identifying information to “authorized agents” (which includes foreign agents) of anyone using their “services” and to co-operate fully with law enforcement and intelligence agencies.
One might think this doesn’t apply to just anyone running a wide open access point – but it does. C-30 quite liberally specifies that any person providing telecommunications (which by definition from the Telecommunication Act basically means any technology that conveys information) is subject to its provisions. No, not just your ISP or a business who’s in business to provide those services – any person regardless of affiliation, association or motive who provides telecommunications is subject.
6(1) is the enabling clause of the legislation. In a nutshell, it says every telecommunications service provider must provide interception capabilities to those authorized on behalf of the Minister.
6. (1) For the purpose of enabling authorized persons to exercise their authority to intercept communications, every telecommunications service provider must have the capa-bility to do the following:
(a) provide intercepted communications to authorized persons; and
(b) provide authorized persons with the prescribed information that is in the possession or control of the service provider respecting the location of equipment used in the transmission of communications.
While this might seem pretty straightforward, the problem stems from what the definition of a telecommunications service provider (“TSP”) is. The English version of the bill defines a TSP as follows:
“telecommunications service provider” means a person that, independently or as part of a group or association, provides telecommunications services.
and a person is defined as:
“person” includes a partnership, an unincorporated organization, a government, a government agency and any other person or entity that acts in the name of or for the benefit of another.
There’s no reading between the lines here – the Bill quite clearly says “everyone” and “all entities” that provide telecommunication services is subject to 6(1). There are some exceptions to this as outlined in Schedule 1 and 2 of the Bill – more on that in a bit.
Just what is a telecommunications service?
The bill defines telecommunications service as:
“telecommunications service” means a service, or a feature of a service, that is provided by means of telecommunications facilities, whether the provider owns, leases or has any other interest in or right respecting the telecommunications facilities and any related equipment used to provide the service.
And “telecommunications facility” is defined as:
“telecommunications facility” means any facility, apparatus or other thing that is used for telecommunications or for any operation directly connected with telecommunications.
C-30 does not define what telecommunications means, but we can safely infer the definition stems from the Telecommunications Act:
“telecommunications” means the emission, transmission or reception of intelligence by any wire, cable, radio, optical or other electromagnetic system, or by any similar technical system;
It’s a fairly simple technical term – it means any communication of intelligible information by wire, cable, radio, optical, electromagnetic (radio/wireless) or similar technical system is a telecommunication. It wouldn’t be unreasonable to argue that any technology used to convey information is a telecommunication.
Exclusions from Application of the Act
There are some exclusions outlined in in Schedules 1 and 2 of C-30. I want to expand on this but time limits prevail – maybe in another post.
Those meeting the criteria outlined in Schedule 1 would not be subject to the provisions of the legislation (but are still defined as a telecommunications service provider, perhaps another dubious legal distinction this Bill creates):
1. A telecommunications service intended principally for the use of its provider and the provider’s household or employees and not by the public.
2. A telecommunications service intended principally for the sale or purchase of goods or services other than telecommunications services to the public.
3. A telecommunications service provided by a financial institution, as defined in section 2 of the Bank Act, that enables the business of banking, the trust, loan or insurance business, the business of a cooperative credit society or the business of dealing in securities or other business primarily related to the business of providing financial services.
Part 2 of Schedule 1 also lists:
1. Telecommunications service providers whose principal function is operating a registered charity within the meaning of the Income Tax Act, other than any service provider in a class listed in Schedule 2, or operating an educational institution other than a post-secondary institution, or operating a hospital, a place of worship, a retirement home or a telecommunications research network, only in respect of telecommunications services that they provide ancillary to their principal function.
2. Telecommunications service providers that are also broadcasting undertakings, as defined in subsection 2(1) of the Broadcasting Act, only in respect of broadcasting.
So it seems internal networks used by a business, or a family’s home network are not subject to the Act, nor would businesses offering Wifi as a “value added service” (ie: a coffee shop whose prime purpose is selling coffee but happens to have Wifi) – which sort of makes sense – the Internet providers of those businesses would be required to comply with the statutory requirements anyway. But a home network that is wide open, or a member of the public who wishes to setup a Mesh network, or provide free Internet would be subject. Perhaps there’s a work around by saying such a network is not principally for the public, but knowing many access points ship with public network support (we’ve observed ~1200 of them already – just look for open networks ending in –guest) this argument could be hard to make.
Schedule 2 also contains two parts of exempted categories of telecommunications service provider. Providers listed under Part 1 of Schedule 2 would be exempt from the Act – with the exception of sections 8, 9, 14, 15, 24 to 26, 28, and 32 to 64.
1. Telecommunications service providers that transmit communications on behalf of other telecommunications service providers, that do not modify particular communications transmitted and that do not authenticate the end users of the telecommunications services of those other service providers, only in respect of the telecommunications services provided to the other service providers.
Maybe this could be a workaround as well – but I’m not sure someone running an open linksys network counts as “communicating on behalf of other telecommunications service” if a contract for such an arrangement does not exist, and one has to ask whether authentication could include even a simple captive portal such as the Terms of Service page seen at Starbucks hotspots.
While providers listed under Part 2 of Schedule 2 would be exempt from all of the Act with the exception of Section 24.
1. Telecommunications service providers whose principal business or function is operating a post-secondary educational institution, a library, a community centre, a restaurant or an establishment that provides lodgings or residential accommodations, such as a hotel, an apartment building or a condominium, only in respect of telecommunications services that they provide ancillary to their principal business or function.
But these exceptions are bogus – because Section 5(4) says:
(4) The Governor in Council may, by regulation, amend Schedule 1 or 2 by adding, deleting or changing a telecommunications service, an activity or a class of telecommunications service providers.
In other words, the Government can change who is exempt from the Act at any time, without any debate or oversight.
I am both startled and amazed this Government would craft such a piece of Legislation without fully considering its ramifications. In fact, I don’t believe it – what kind of Minister would table such an important piece of legislation without fully understanding the ramifications of it.