To understand the possible effects of Canadian lawful access laws on social networking companies’ existing retention and disclosure policies we compared the most recently available lawful access handbooks against the most recently proposed federal legislation. In what follows we explain, generally, how compliant social networking companies would be based on their existing handbook policies under a Canadian lawful access regime.
Based on the law enforcement handbooks we had access to, none of the studied companies had provisos to provide subscriber information on the grounds identified under Bill C-30; none would release subscriber information without a court order or outside a case of exigent circumstance. As such, companies would have had to alter their policies such that the government’s ‘prescribed identifying information’ would have been sufficient to release the specific categories of data imagined under C-30. These categories that were specified under the Canadian legislation tend to be different from the ‘basic subscriber information’ that social networking companies identify in their law enforcement guideline handbooks; under the Canadian law, they would have had to disclose a subscriber’s name, address, telephone number, email address, IP address, or mobile phone routing information to the best of their ability. On the basis of these variances between the handbooks and proposed legislation, it appears that companies would have had to adjust their corporate practices for disclosing Canadians’ subscriber information.
We found that some companies already seem able to comply with data preservation requirements. Under the proposed legislation, telecommunication service providers would have had to preserve subscribers’ communications for up to 21 days in the case of domestic criminal investigations or 90 days when authorities were requesting data based on the person of interest potentially violating a law outside of Canada (e.g. if assisting British authorities investigate a person who had broken British law). However, most of the handbook are unclear as to how long data is, or can be, retained: this means that it is unknown whether Facebook, Google, Instagram, LinkedIn, or Autommatic (Wordpress) could comply with demands without modifying either their existing policy or technical processes.
While some companies, notably Facebook, LinkedIn, and Twitter, state that they would inform their users should authorities make requests for subscriber data, under C-30’s ‘gag clause’ the companies might be unable to follow through with this disclosure. As such, while the companies might not have had to modify their stated practices they might have been unable to act on them when served with a data request under the lawful access legislation.
None of the services identify the numbers of simultaneous interceptions of data that can be performed for law enforcement authorities at any one time; the regulations of C-30 were expected to spell out how many each telecommunications service provider would have had to be capable of performing at any one time. In a related vein, the legislation precluded companies from upgrading their services without also ensuring that interception capabilities ‘kept pace’ with service provision: there is no notice in the law enforcement guides that commit to a similar ongoing technological or policy capability.
Perhaps most significantly for many of these companies, should they be found to fall within the auspice of Canadian jurisprudence, is that they would have been required to be capable of fulfilling both transmissions and tracking warrants. In both cases, the companies would have been obliged to have a technological infrastructure to which authorities can install, activate, use, maintain, monitor or remove transmissions data recorders, including covertly. There is not an obligation for TSPs to assist in the attachment or use of a device, though assistance may be provided. As a result, some kind of infrastructure would have to be in place for authorities to ‘plug into’ social networking companies’ systems: there was no indication, in any of the handbooks, the indicates that any company possesses or maintains this kind of access to their systems by law enforcement.
None of the handbooks that we examined made mention of the ability to decrypt communications for law enforcement. Typically decryption would not be required, on the basis that authorities could ‘directly’ access unencrypted information from social networking companies themselves. However, in a theoretical situation where authorities only had encrypted communications from a social network that did not identify the accounts responsible for sending or receiving the communication it is unclear if the owner of the network would subsequently be able to decrypt the communication.