Chapter 5: Assessment — Absence of Intercept Capability Legislation
Special Report on the Lawful Access to Communications by Security and Intelligence Organizations
Absence of Intercept Capability Legislation
183. The Committee learned that unlike a number of likeminded democracies, Canada does not have legislation to compel CSPs to develop, deploy or maintain their systems in such a way as to remain intercept capable. Instead, in the period under review, CSIS and the RCMP primarily relied on a voluntary approach, ***. The Committee heard that the absence of intercept capability legislation creates unnecessary risks for all stakeholders, including CSIS, federal, provincial, territorial and municipal law enforcement, and CSPs. These risks include delays, legal ambiguity, financial inefficiencies, and ***. The situation also challenges Canada’s ability to work with likeminded partners, who have intercept capability frameworks in place.
184. The Committee also heard that the absence of a centralized authority to coordinate lawful intercept initiatives, triage requests, and standardize approaches across national security and law enforcement agencies has caused confusion and frustration for all parties. The Committee notes CSIS and the RCMP’s progress towards the creation of a National Lawful Access Centre, but questions why it took so long and why so much of the effort to derive a solution to this particular lawful access challenge appears to be driven from the bottom up.
185. All CSP representatives expressed their concerns to the Committee about the absence of legislation, notably with respect to the lack of a clear compensation framework for judicially authorized services provided by CSPs. The Committee also notes that, in the absence of any formal policy development led by Public Safety or discussion by ministers at Cabinet, the RCMP and CSIS have developed informal principles, which have informed their policies, procedures and practices. To date, these have all been geared towards ensuring continued buy-in from CSPs, including the question of whether or how CSPs are compensated by the government for their services. The question of whether compliance costs should be borne by CSPs or by government is a question that should be discussed at Cabinet, and ultimately debated in Parliament.
F9
The absence of legislation requiring communications service providers (CSPs) to maintain lawful intercept capability creates unnecessary risks for all stakeholders, including CSIS, federal, provincial, territorial and municipal law enforcement, CSPs and ultimately the Canadian public. It also impedes Canada’s ability to work with international partners. The failure to address this issue at a strategic policy level has resulted in operational agencies themselves developing foundational policies and procedures, notably compensation models, geared toward ensuring continued cooperation from CSPs, rather than a principled approach based on input from Ministers and Parliament.
F10
The risks associated with the absence of legislation requiring communications service providers to be intercept capable is compounded by the absence of a centralized national authority to coordinate, develop, and maintain lawful intercept capabilities in Canada.
R6
The government table legislation to compel intercept capability for communications service providers (CSPs). The legislation should be encryption neutral and not include a decryption requirement. The government must also decide on a compensation model for compliance costs, i.e., whether CSPs should be compensated for the development, maintenance, and operating costs associated with lawful access.
The legislation should:
- establish and identify the national authority (i.e., the National Lawful Access Centre) for the coordination of lawful interception initiatives;
- define communications service provider so as to include any service provider operating in Canada offering electronic communications services or capabilities;
- define intercept capability to include support for computer network exploitation; and
- set mandatory technical standards, including those related to cybersecurity.