Giving police passwords would ‘criminalize privacy’: encryption vendor

The news that Canada’s police chiefs are advocating for federal laws that would compel individuals to provide electronic passwords with a judge’s consent isn’t sitting well with some members of Canada’s IT community.

Earlier this week at its annual conference in Ottawa, the Canadian Association of Chiefs of Police (CACP) passed a resolution that formally requests legal measures to lawfully unlock digital evidence, citing the rise of cybercriminals who are using encryption tools to hide illicit activities as the impetus.

During a news conference on Tuesday, RCMP Assistant Commissioner Joe Oliver noted that at present under Canadian law, police cannot compel individuals to comply with a request to provide a password during an investigation. Law enforcement needs to keep pace with modern criminals who are effectively  “going dark” by operating in cyberspace with tools that mask their identities, said Oliver.

“The victims in the digital space are real,” said Oliver, adding that Canada’s law and policing capabilities aren’t keeping pace with the evolution of technology.

But according to Jacob Ginsberg, senior director for Toronto-based email encryption software firm Echoworx, such as move would be an “unconscionable” one.

“While we don’t blame CACP for wanting tools to make their jobs easier, a law of this kind would criminalize privacy, and it would be unconscionable for a democratic society to draft a law whereby denying a request from police to go through your things, digital or otherwise, would be illegal,” he said in an email.

The association represents in excess of 90 per cent of the police community in Canada which include federal (RCMP), First Nations, provincial, regional and municipal, transportation and military police leaders. The CACP theme for its 111th conference was “public safety in a digital age” and police chiefs such as Ottawa Police Chief Charles Bordeleau noted in a statement the event was intended as an “opportunity to share, learn and work together on a way forward that helps us fuse traditional policing with modern day cyber activity.”

“Police services across the world are facing new challenges and threats related to technological developments and the criminal innovation that has ensued,” Bordeleau said.

In 2014, the rights of online users were upheld in a Supreme Court of Canada ruling that Internet service providers cannot deliver user names and addresses to law enforcement without a warrant. At the time, The Supreme Court didn’t agree with the concept of users having “no reasonable expectation of privacy” for the data obtained by police.

According to police, service-oriented enterprises such as financial firms and telecommunication companies currently require court approval for nearly all types of requests from authorities for basic identifying information.

The CACP also cited a recent Osterman Research report that revealed that 44 of 125 Canadian companies interviewed suffered a ransomware attack in the past 12 months — of which 33 of the victims paid a ransom that was between $1,000 and $50,000 in order to regain stolen data.

But the issue of handing over passwords —even with a court order — will be controversial, predicts Ray Boisvert, CEO of I-Sec Integrated Strategies and former deputy director of intelligence at the Canadian Security Intelligence Service (CSIS).

In an interview with IT World Canada, he said he understands the view of those worried about privacy. However, he also understands the position of police, who have legitimate obligations to investigate crime.

In the non-digital world, he noted, search warrants already allow police to seize and go through paper documents looking for specific information spelled out in the warrant. Sometimes, he added, the warrant can be quite broad.

“On the face of it, this seems like it’s clearly unconstitutional,” David Christopher of Internet advocacy group OpenMedia told CBC News, adding the CACP request represents a “wildly disproportionate” response considering the individual privacy risks involved.

Added Echoworx’s Ginberg: “Policy makers and courts across the globe are still adjusting to crime in the digital age, but having the power to access a person’s whole digital life, especially during the course of an investigation where it’s not established that wrongdoing has taken place, should not make you a criminal.”

— with files from Howard Solomon

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Ryan Patrick
Ryan Patrick
Editor of ITWorldCanada.com, CSO Digital, and CanadianCIO. Seasoned technology reporter, editor and senior content producer.

Featured Story

How the CTO can Maintain Cloud Momentum Across the Enterprise

Embracing cloud is easy for some individuals. But embedding widespread cloud adoption at the enterprise level is...

Related Tech News

Get ITBusiness Delivered

Our experienced team of journalists brings you engaging content targeted to IT professionals and line-of-business executives delivered directly to your inbox.

Featured Tech Jobs