Monday, September 16, 2013

Accessing wireless communications in Canada

Some valuable articles in the Globe and Mail today about how Canadian law enforcement agencies access wireless communications (Colin Freeze & Rita Trichur, "Wireless firms agree to give Ottawa ability to monitor calls, phone data," Globe and Mail, 16 September 2013):
When wireless companies apply this week to bid on newly available public airwaves, they will also be committing – again – to an unpublicized accord that governs how they will help police and intelligence agencies monitor suspects.

For nearly two decades, Ottawa officials have told telecommunications companies that one of the conditions of obtaining a licence to use wireless spectrum is to provide government with the capability to monitor the devices that use the spectrum. The Sept. 17 kickoff of the auction-countdown process will underscore that commitment, made out of sight of most Canadians because it is deemed too sensitive by the government.

Documents show that court-approved surveillance in Canada is governed by 23 specific technical surveillance standards known as the Solicitor General’s Enforcement Standards (SGES).

Any firm taking part in a wireless auction can obtain a copy, but the contents are not available to the general public.

But The Globe and Mail has obtained past and current versions of the accord, which governs the way that mobile-phone companies help police pursue suspects by monitoring telecommunications – including eavesdropping, reading SMS texts, pinpointing users’ whereabouts, and even unscrambling some encrypted communications.

Wireless carriers are told they must be ready to hand over such data should police or intelligence agencies compel the release of the information through judicially authorized warrants. Such information goes well beyond traditional wiretaps, and also includes phone logs and keystrokes. ...

“Real-time, full-time” eavesdropping on conversations is just one of the capabilities sought by police, according to the standards. Authorities also want records of call logs, texts, keystrokes and other data, including “the most accurate geographical location known.”
The G&M helpfully posted the unredacted text of the 2008 version of a document that explains the standards, Solicitor General's Enforcement Standards for Lawful Interception of Telecommunications - Compliance Table.

The article refers to the provision of data to both law enforcement agencies and intelligence agencies, but the SGES document describes only the rules pertaining to law enforcement agencies. (Intelligence agencies such as CSIS do not have law enforcement powers and are not considered law enforcement agencies.) CSIS is mentioned on page 9 of the document, however, where it is noted that "The level of security for [sending intercepted data to] the RCMP and other law enforcement agencies will be met if the service providers can achieve the required level of security for CSIS."

Presumably a similar but separate document exists that lays out the rules for providing intercepts to CSIS. If so, it would be interesting to know if it differs in any way from this document.

Another article in today's paper reports that the government recently moved to update and expand its access to smartphone data under the SGES rules but it has run into opposition from the wireless industry (Colin Freeze & Rita Trichur, "Ottawa sought broader access to smartphone user data, records show," Globe and Mail, 16 September 2013):
The federal government tried to use an impending public-airwaves auction to alter the language of a surveillance accord with mobile-phone companies, acting on concerns that police lack the tools to lawfully intercept Internet data that passes through smartphones.

Records show that, following consultation with industry officials, the government pulled back on some of the proposed changes, which were not discussed publicly.

Police and mobile telecommunications companies now are calling for Parliament to update laws that would make explicit how authorities can lawfully access corporate repositories of telecommunications data. ...

While never actually publishing the existing SGES standards, the Industry Canada consultation document went on to say the directives had been largely unchanged since 1995. It added that one “proposed change is to remove the text ‘circuit-switched voice telephony’ from the lawful intercept condition, as networks are no longer limited to circuit-switched technology.”

Cutting through the jargon, observers say the proposed change would have opened up a vast new realm of surveillance on Internet data passing through Canadian mobile phones – not to mention a Pandora’s box of potential privacy problems.

“The changes that are proposed by Industry Canada represent a significant expansion of what communications could be placed under surveillance,” wrote Christopher Parsons, a PhD candidate at the University of Victoria and an expert in digital-privacy issues, in a blog posting early this year.

He wrote that the contemplated change would amount to an “entirely new means of communication that may be captured (e.g. e-mail, streaming music and video usage, TV-watching, gaming over wireless networks, etc.). … Thus, whereas carriers previously had a limited set of clear interception requirements, this simple change in language would substantially expand what they would be required to be able to intercept and preserve.”

While the 1995 SGES accord specifies interception standards for voice, SMS texts, geolocation information and other “telephony metadata,” it is silent on how authorities are to capture data moving through today’s smartphone Internet browsers.

Police argue they need this capacity better spelled out to advance their lawful investigations, but mobile-carriers have resisted, pointing out that they don’t control such data and that capturing it is, for them, a more difficult and expensive proposition than more standard surveillance.

Parliament has failed to pass successive “lawful-access” bills that were introduced over the past 10 years, meaning there are few explicit ground rules for how surveillance practises are to keep pace with evolving technology.

Industry-government accords such as the SGES have emerged instead, evolving behind closed doors as a conversation between government and industry officials.


Post a Comment

<< Home