Lawful Access Coming to Canada Via CLOUD Act Agreement With US?

Canadian Liberals are working on another bad Internet policy. This time, they’re negotiating the CLOUD Act.

At this point, it’s looking like the Canadian government is going for broke in trying to implement as many bad Internet policies as possible. First, it was the social media censorship legislation via Bill C-11. Second, there is the link tax legislation through Bill C-18. After that, they decided to implement copyright term extension by burying that in the 2022 Federal Budget. Finally, there is the forthcoming online harms proposal which could see large swaths of the Internet either shut down or censored.

Quietly roaming around in the background is another bad Internet related policy: lawful access. For those who are new to the scene, lawful access is Canada’s version of America’s warrantless wiretapping. This was one of the bad policies that go all the way back to the very beginnings of my career as a journalist. In 2005, I wrote an article and published an interview I did with CIPPIC’s David Fewer. At the time, I discussed the notorious legislation known as Bill C-74. At the time, the Conservatives passed a motion of non-confidence, toppling the Paul Martin Liberal government.

While the fight to stop lawful access was a hard fought one, Canadian’s ultimately won over the security establishment. When the Conservatives took power, the hope was that a change in political parties meant that a new policy direction would ensue, leading away from such terrible lawmaking. Canadian’s, however, were disappointed when the Stephen Harper Conservative government pushed for Lawful Access in 2007. An election ensues later and Harper won a majority government. This lead to the Conservatives doubling down on lawful access in 2009.

Despite numerous dirty tactics to push lawful access through, such as shutting out Carol Todd from the debates in 2014, lawful access could not get passed and eventually died on the order paper again. So, despite both Liberals and Conservatives doing everything in their power to keep resurrecting this bad policy from the dead, Canadian’s fought back and kept sending it back into the grave, driving a stake through its heart, shoving garlic in its mouth, and nailing the coffin shut in the process.

In 2017, there was even more efforts to, once again, raise lawful access from the dead, but a committee effectively shot the idea down, forcing the concept to lay dormant once again. Maybe this time would be different and Canadians will finally see the end of this terrible idea? Evidently not.

It seems that lawful access might now be, once again, resurrected from the dead through a backdoor process. In recent weeks, Canadian and American officials have been negotiating to implement a US CLOUD Act agreement. What is the CLOUD Act? The Electronic Frontier Foundation (EFF) published an explanation back in 2018 when it was being debated in the US:

The Clarifying Overseas Use of Data (CLOUD) Act expands American and foreign law enforcement’s ability to target and access people’s data across international borders in two ways. First, the bill creates an explicit provision for U.S. law enforcement (from a local police department to federal agents in Immigration and Customs Enforcement) to access “the contents of a wire or electronic communication and any record or other information” about a person regardless of where they live or where that information is located on the globe. In other words, U.S. police could compel a service provider—like Google, Facebook, or Snapchat—to hand over a user’s content and metadata, even if it is stored in a foreign country, without following that foreign country’s privacy laws.

Second, the bill would allow the President to enter into “executive agreements” with foreign governments that would allow each government to acquire users’ data stored in the other country, without following each other’s privacy laws.

For example, because U.S.-based companies host and carry much of the world’s Internet traffic, a foreign country that enters one of these executive agreements with the U.S. to could potentially wiretap people located anywhere on the globe (so long as the target of the wiretap is not a U.S. person or located in the United States) without the procedural safeguards of U.S. law typically given to data stored in the United States, such as a warrant, or even notice to the U.S. government. This is an enormous erosion of current data privacy laws.

This bill would also moot legal proceedings now before the U.S. Supreme Court. In the spring, the Court will decide whether or not current U.S. data privacy laws allow U.S. law enforcement to serve warrants for information stored outside the United States. The case, United States v. Microsoft (often called “Microsoft Ireland”), also calls into question principles of international law, such as respect for other countries territorial boundaries and their rule of law.

Notably, this bill would expand law enforcement access to private email and other online content, yet the Email Privacy Act, which would create a warrant-for-content requirement, has still not passed the Senate, even though it has enjoyed unanimous support in the House for the past two years.

So, there is one difference between the policy of lawful access all those years ago and the CLOUD Act. That difference is that, rather than compel an ISP to hand over all the customers information without a warrant or oversight of any kind, authorities are demanding that the websites the people access hand over all the information they have on said user. The difference, at the end of the day, is largely clerical and the effect is largely the same: authorities are getting access to your personal information without oversight. It’s just that they have to jump through a few more hoops to get a complete picture, but with such little oversight, the difference really doesn’t matter that much.

While the access authorities are giving themselves sound quite scary, you might be tempted to think that this is just an American law that only marginally affects Canadians. Well, that appears to be set to change as Canada is now negotiating a CLOUD Act agreement that allows US authorities to access Canadian data. From IT World Canada:

The United States will enter into negotiations with Canada on an agreement to allow police with court orders to get easier access on both sides of the border to the personal data of subscribers held by Google, Facebook, and other internet service providers involving alleged criminal offences.

The two countries made that announcement last week when they also promised to work closer to fight cybercrime – particularly ransomware – and shore up critical infrastructure.

Fraser also warned legislators to be wary of pressure from Canadian police forces to use the agreement to push again for what they call lawful access to internet subscriber information without court orders.

”I think there’s going to be some fuss and loud noises made from certain quarters related to amendments to Canadian privacy laws in order to facilitate this,” he predicted.

As a result police here have to use the Mutual Legal Assistance Treaty with the U.S. to get court orders here enforced. He called it a “cumbersome” process where Canadian Justice department officials make a request to the U.S. Justice Department, which then gets a U.S. court order for an American service provider to give it the information which comes to Canada. Usually it takes two months, but it can be longer.

An agreement under the CLOUD Act is “an express lane,” he said, for both countries.

“If it’s like the Australia agreement, it wouldn’t make Canadian court order enforceable in the U.S.,” Fraser said, “but it would allow U.S. providers to comply with those orders if they meet the criteria of the executive agreement.” For example, the alleged offence has to be a serious crime, and the court order has to comply with the legal obligations in each country. A CLOUD Act agreement allows an organization being served with a court order to challenge it under that country’s laws.

The assessment that this is just about speeding up the court process while still requiring warrants is somewhat at odds with what the analysis of the CLOUD Act in 2018 suggests.

Indeed, though, there are a number of steps this policy has to go through. There’s the negotiation process which will have to hammer out details, then there is the whole legislative process. Regardless, there is a very real risk that Canada could see the return of lawful access through the back door of the US CLOUD Act. The differences between lawful access and the CLOUD Act are wafer thin and are merely a couple of details away from being one and the same. It has some worried that this represents the early signs of an erosion of privacy rights in Canada – something Canadians have fought for years to protect.

One thing is for sure, it is very disheartening to find ourselves, once again, seeing the incoming of another privacy debate like this. How many times do we have to kill such ideas in the first place? The bad part is that Canadians have to win every single fight to keep what little privacy rights they have left intact. One loss and it is game over.

At this point, the only thing that is missing in all of this is a debate about banning effective encryption and an upload filter. Then, the Liberals can stand up and shout “Yahtzee!” because they are pretty much pushing every possible bad Internet policy known to be making the rounds these days. It’s like they hate the Internet with a burning vengeance and can’t destroy it fast enough. Every option, for them, is on the table to put a stop this whole Internet thing.

Meanwhile, where is the debate about expanding broadband to rural and indigenous communities? Where is the debate to implement Canada’s own version of the GDPR? Where is the debate about lowering cell phone and Internet bills? Whatever happened to the push to increase competition in the wireless and Internet space? How about the so-called Canadian digital charter? Anything even remotely positive has been pushed aside in favour of every bad Internet policy imaginable. It’s terrible seeing the direction this government has taken and all Canadians have left to defend their freedom is to go through the courts in the hopes that the bad policies get dismantled little by little because of how unconstitutional it all is.

Drew Wilson on Twitter: @icecube85 and Facebook.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top