Privacy in Canada, you may as well forget it. This month the government has tabled three new bills C-50, C-51 and C-52 which have huge implications on your privacy rights in Canada. This is being brought to you by the guys who don't like the gun registry; instead they will tell you that you can have your gun so long as we can snoop on every part of your digital life. What the hell am I talking about? Here is what's going on.
These bills are so called "Law and Order Bills or Spy on Canadians Bills" more or less. Here is the jist of the bills. The bills contain a 3 way approach when it comes to information disclosure, surveillance technology/methods and police powers.Part 1 mandates the disclosure of Internet provider customer information without court over site. So no warrant required, if you look intimidating and have a fake badge you could potentially get a hold of personal information such as customer name, address, phone number, email address, Internet protocol address, and a series of device identification numbers (MAC Addresses). While some of that information may seem harmless, it gives authorities the ability to link it with other data. This is bad. It could give authorities the power to create a detailed profile about an identifiable person. The decision to require disclosure without any oversight (like a court order where you have to have a reasonable amount of cause or suspicion to get one) should raise a huge florescent RED Flag.Part 2 requires that ISP (Internet Service Providers like shaw, telus, rogers, bell) provide real time surveillance (spying). I hope you don't like doing online banking, because they will get the keys to anything you do. This is called a Man In The Middle Attack. The worst part of this is RCMP Background checks are required if they take part in any kind of Data capture. Which is good but IF THEY HAVE ACCESS TO THE EQUIPMENT THEY CAN DO IT ANYWAY!!! Until after the fact. Love the idea of someone being able to get a hold of my personal information and passwords at my ISP building because the staff have access to the hardware that is required to be their by law. How about then ALL ISPs have to do background checks on all staff that are hired!!! This part here will also kill a lot of smaller ISP because the law requires a lot more commercialized hardware then what is typically required for being a ISP.Part 3 gives the police new powers such as the ability to get something called "transmission data warrants" that would grant real-time access to all the information generated during the creation, transmission or reception of a communication including the type, direction, time, duration, origin, destination or termination of the communication.Police could then obtain a "preservation order" to require ISPs to preserve subscriber information, including specific communication information, for 90 days. Then having obtained and preserved the data, production orders can be used to require the disclosure of specified communications or transmission data. This puts ISP's in a weird situation. While they should actively work with law enforcement in collecting and disclosing the subscriber information, (only after due process with reasonable suspicion or cause) they could also be prohibited from disclosing the disclosures. Courts could restrict them from informing subscribers that they have been subject to surveillance and/or information disclosures.A few would argue that it is important to ensure that law enforcement has the necessary tools to address online crime issues. Yet these changes would come at a huge financial and privacy cost. The excuse for this is that police can only gather limited evidence and that the current legal framework has impeded important police work.I would argue not all this is necessary. I feel people should be required to get a warrant for the Data Transmissions first. As for ISP's keeping track of "My Information" I don't think I'll be doing any kind of online banking in the future if this is what's going to happen. It is going to be to easy for a person to get my information from the ISP's. Not to mention all the security requirements I would want to prevent "unauthorized" use of the computer hardware that can do the Man In the Middle attacks. I know if I were a tech savvy crook, after this law were passed I would try get a job at an ISP. You could access hundreds of thousands of people's personal information with no trouble. Work a night shift, get a persons facebook username and password, online baking information. If I were a crook, this is everything I would be hoping for and more. The best part about this from the crooks point of view is I could write a program or virus compromise the ISP's systems and have all the traffic route though 50 billion servers. It's the perfect crime.<sarcasm>I'm so glad our politicians are here to protect us. They have indeed thought this through</sarcasm>So here are changes that should be made to the following 3 laws. Part 1 needs to change where you need to get a court order to track data. Data gathering should be limited to that account and should only be stored for the person who the court order is for. NOT TRACKED FOR EVERYBODY AND KEPT FOR MONTHS!!! Part 2 needs to be changed so Police have to provide a special server for doing the Man in the middle attack. Police have their own IT personnel who are required to have background checks done, etc. They should be providing a server to the ISP's but only when a warrant has been issued to track an account. I feel better about police only having access to the server then the ISP staff who have what kind of background???? Part 3 is a no brainier. Yes we need these warrants we have been saying that for years but the way this is setup is all screwed up and backwards. WARRANT FIRST!!!! then you can do the rest of the stuff not the other way around. Remember innocent before guilty?TrevorSources:
http://www.michaelgeist.ca/content/view/5451/135/
