US, UK lawful access implementation full of flaws

Proponents of Canada's Bill C-30, otherwise known as the Protecting Children from Internet Predators Act, say that it will merely bring the country in line with other nations that have some form of lawful access and data preservation and retention legislation.

Online surveillance regime in the European Union

There is no shortage of information indicating that the implementation of online surveillance regimes in the European Union and the United States has been fraught with flaws, abuse and costs ultimately shouldered by the Internet Service Providers tasked by government to, in substance, snoop on their clients.

More than 10 years ago the United Kingdom passed the Regulation of Investigatory Powers Act to extend law enforcement agencies' access to communication systems to help police battle crime and terrorist-related activities. Under a voluntary code of practice, ISPs retain data such as the content of email servers, email server logs, IP addresses, SMS messages and others for six to 12 months.

The Interception Commissioner

Reports from the Interception Commissioner, which provides a yearly assessment of the interception of communication traffic, indicate a growing number of "interception errors," according to a paper written by Christopher Parsons of the Political Science Department at the University of Victoria.

Back in 1994, the U.S. enacted the Communications Assistance for Law Enforcement Act (CALEA), which imposed interception capabilities on telecom service providers. Today, the Defence Department continues to call for ISPs to retain data for two years. The department is also developing a system for monitoring Internet traffic, and federal law enforcement is requesting the extension of CALEA to include other providers such as Facebook and Skype.

If we would like to have an idea of how much it might cost Canadian ISPs to retrofit existing networks to facilitate the "snoop and scoop" activities outlined in Bill C-30, we can look to the U.S. for an example.

In addition to data storage, CALEA also required providers to make their systems "intercept ready". Prior to CALEA's enactment the industry estimated this would cost between $3 and $5 billion; the FBI's estimate was around $500 million to $1 billion. Since then, industry has lowered its estimate to $1.3 billion; however, Parsons notes that this figure did not include VoIP (Voice over Internet Protocol)-based communications.

But it is not only the financial cost that businesses should be worried about. Requiring providers to render their systems "surveillance ready" will introduce security vulnerabilities to their systems.

Requiring companies to build a "backdoor" for law enforcement agencies to access their networks and accomplish a data dump creates a single "point of failure" which hackers can exploit, according to John Villasenor, professor of electronics engineering at the University of California.

Surveillance system that cannot be penetrated

It might be argued that a surveillance system that cannot be penetrated by hackers can be securely built. If Bill C-30 is about trusting those in charge, I'm a bit worried. The current track record of government agencies both here and in the U.S. in protecting their own networks against breaches is not very encouraging.

Nestor Arellano is a senior writer for ITBusiness.ca.

More information: Idg