As Canadian readers of this blog will know, our country has recently been enmeshed in a hot debate over Bill C-30, currently in Parliamentary committee. The Bill is often referred to as the "Lawful Access" bill (stemming from an earlier title) but is now officially entitled the "Protecting Children From Internet Predators Act." It provides a number of new investigative tools for Canadian police for both the monitoring and gathering of electronic data, and imposes data preservation and monitoring requirements on ISPs and other service providers.
I don't intend to review the overall debate here (though if you're interested, a good place to start is Michael Geist's blog or David Fraser's privacy law blog), but rather to focus on something about the Bill that has been entirely missing from the debate: it is designed, at least in part, to allow Canada to ratify the Council of Europe Cybercrime Convention, to which we have been a signatory for many years but have yet to ratify. The reason we have not ratified it is because the Convention requires Canada to have in place an array of investigative tools that we currently do not have, such as an ability of law enforcement authorities to do real-time internet monitoring.
The idea behind this aspect of the Convention is twofold. First, it seeks to create an international network of states which can effectively (or at least more effectively than at present) investigate and combat transnational cybercrime. Second, for there to be an *effective* international network, states must be able to assist each other in gathering and transmitting evidence -- up to and including granting expedited requests for real-time internet traffic monitoring. The need for cooperation is pressing with regard to all kinds of transnational crime but particularly so with cybercrime, where the speed and fluidity of data transmission requires some very ramped-up tools.
So, to cooperate properly with its treaty partners, towards the very salutary public policy goal of combating cybercrime, Canada does actually need quite a lot of the tools contained in Bill C-30. I am mystified as to why this isn't part of the debate. The federal government has been quite ham-handed in how it has tried to sell the legislation to the public, using an American-style emotive title that misleads people about what is actually in the Bill and what it is for. It could probably get a lot more traction by saying to Canadians, "hey, the police need tools to combat identity theft, and cyber-attacks, and yes, child predators of various kinds on the internet. And we have agreed with a group of very civilized countries that we're all going to do this, and share the evidence with each other so that we can catch these dangerous criminals." As it is, the public has not been fooled by the child porn aspect and is swayed by emotive counter-arguments, such as "the government wants to invade your privacy" and "Big Brother wants to watch you on the internet."
Why does the government never mention the Cybercrime Convention? Did it forget? Are they undertaking some kind of Scalia-inspired rejection of international law as a reason for doing anything? It is passing odd.
The debate among most legal commentators has, to its credit, not been focused on the investigative tools themselves, but rather the lack of judicial oversight or other civilian control which the government wishes to provide to law enforcement under the Bill. There's a good piece about it in the 16 March issue of the Lawyers' Weekly, where Jameel Jaffer (a Canadian who has been lead counsel with the American Civil Liberties Union (ACLU)) commented:
"I think police officers will always feel that the transparency will interfere with their investigations... Law enforcement officers, just like everybody else, don't like to be second-guessed. That's sort of a natural instinct. But it's not one that we can indulge in a healthy democracy."
I think a useful thing to add to the debate is this: even though part of what's driving the government has been the need to ratify the Convention (in the background, anyway), the Convention itself does not require the overbroad and needlessly invasive use of these otherwise necessary tools that Bill-30 would allow. The Convention, in fact, explicitly anticipates that the domestic laws of each state will vary as to whether and how much judicial or other oversight is required, and imposes absolutely no obligations -- each country can sort that out for itself.
And even among those states which have ratified the Convention, the sorting-out is going on: witness the German High Court, just recently, striking down as unconstitutional provisions of that state's Telecommunications Act which: a) were clearly designed to implement Cybercrime Convention obligations; and b) gave law enforcement overly broad seizure and demand powers without requiring them to obtain permission. Sound familiar?
Last year I blogged that Canada hadn't ratified the Convention -- again -- because the legislation died on the order table. Now we're not able to ratify it because the implementing legislation is framed in such an unnecessarily invasive way that Canadians are rejecting it. It's time for the federal government to get on with this, because the cybercriminals are laughing all the way to the bank.