If a proposal to expand the surveillance powers of Canadian police forces becomes law, it would render electronic encryption technologies ineffective and gouge the profits of those who supply them, according to a Toronto-based consultancy on privacy and security.
Privaterra, a non-profit group that specializes in the area of data privacy, secure communications, and information security, has been closely monitoring the federal Department of Justice’s “lawful access” proposal, which outlines ideas on how it would govern the interception of Internet traffic by law enforcement officials.
Last month, the Canadian Association of Chiefs of Police said it wants more power through the lawful access provision. Increased powers would take the form of warrants to monitor Web surfing, mobile telephones, e-mail, instant messaging, and phone services that use Internet connections.
Public Safety Minister Anne McLellan confirmed that her department is “actively working on” the issue.
What worries Robert Guerra, Privaterra’s managing director, is the repercussions of such a proposal becoming law.
He said it’s next to impossible for the government to amend lawful access provisions without revisiting its policy on encryption technologies. In order for police to intercept many electronic communications, it inevitably needs access to public keys used to encrypt confidential information, he said.
Such keys are typically used by corporations, banks, and any other organization that has confidential information to protect, he added.
Giving police access to public keys also means encryption companies would have to create a backdoor in their networks so that authorities can intercept the transmission of information, said Guerra.
“This complicates things a lot more.”
Among other things, this would take the teeth out of Canadian encryption equipment, he said. As well, exports for this equipment would subsequently decrease because the products would be seen as “weakened” and “compromised,” he added.
Currently, the government doesn’t require access to public keys, as was determined a number of years ago, noted Guerra. But the lawful access proposal does not clearly state whether this will change if the proposed amendments go through, he added.
“Given the tone of the police, they say we should intercept everything. We asked the government point blank if cryptographic policy would change, and they said ‘Oh no, we don’t want to do that.’ But the police aren’t necessarily saying otherwise.”
Michael MacNeil, associate professor of law at Carleton University, agrees that if the lawful access provisions went all the way, “it may well have an impact on the use of encryption.”
“It’s one thing for the telecom company to be required to give access to the police to whatever communications take place, but if they are encrypted communications, police won’t be able to do anything with it unless you’ve built in some means of breaking through the encryption.”
In order to ensure police officers are held in check when obtaining private keys or developing a “private-key registry,” they must go before a judge to prove that possession of the keys is absolutely necessary, said MacNeil.
“The demonstrating may require a warrant from a judge. And if it were set up in that way, it would be of the highest standard. But this legislation may not go as far as a registry of private keys.”
Constantine Karbaliotis, who heads up the security and privacy practice at CGI, said there must be “very stringent controls” over the interception of people’s private communications, adding such controls are primarily found in the judicial process.
Canadians tend to stray away from the likes of U.S.-style legislation, such as the Patriot Act, where the Federal Bureau of Investigation can go before a secret judicial hearing to request access to electronic information.
“(The FBI) doesn’t have much of a burden of proof to actually meet when obtaining personal information,” he said, adding Sept. 11 had a lot to do with this. “I would expect there is more emphasis (in Canada) on proving (there is a need to disclose that information). Assertions (by the police) need to be challenged.”
Karbaliotis points to the U.S. when looking at how higher police access to personal information could affect the Canadian encryption industry.
“If you were to require some sort of backdoor (to your networks), what’s going to happen? When the U.S. had constraints on the export of encryption technologies, the same technologies were developed outside the U.S.
Guerra said this possibility would mean Canadian suppliers would be limited in their abilities to export “non-compromised” tools to other countries.
McNeil noted that Canada has a vibrant industry in providing these services.
“But if Canadian government starts regulating what it can do, it may make them uncompetitive in other markets.”
Comment: [email protected]