That was fast! On Friday, the Liberals introduced their private member’s bill on lawful access. It’s Bill C-416, the Modernization of Investigative Techniques Act.

Michael Geist reports that the Liberals plan on reintroducing lawful access by means of a private member’s bill. The move is part of the Liberals’ effort to appear “tough on crime” in advance of an anticipated spring election. My hunch is that, unless an election interferes, the Tories will either support the bill or try to steal the Liberals’ thunder with proposals of their own.

Geist quotes this speech by Liberal leader Stephane Dion:

Marlene Jennings, the Liberal justice critic, is re-introducing the Modernization of Investigative Techniques Act. This bill will allow the police and Canadian intelligence community to adapt to new communications technology. Telephone and Internet service providers will be required, subject to vigorous privacy safeguards, to include an interception capability in new technology, and make subscriber contact information available on request to designated law enforcement officials. This act strikes the right balance between the needs of police and industry, while respecting Canadians’ right to privacy.

That last sentence in particular makes me snicker. Note how citizens’ interests are an afterthought: it’s police and telecom interests that are the priority here, as usual for lawful access policy. (In the last round of stakeholder consultations, for example, business interests got plenty of input into the lawful access policy proposals. By contrast, civil society groups got one meeting in which the proposals were outlined for them, and then a laughably short two-week window in which to submit their comments.)

I’ll have a more substantive post on lawful access — what it is, what’s wrong with it, and past attempts to legislate it — in the near future.

This is the second of two posts on Passenger Protect, Canada’s forthcoming no-fly list. Part 1 described how Passenger Protect is going to work.

Why we should be concerned about Passenger Protect

First of all, there’s the cost. Passenger Protect represents a huge increase in federal spending on border security. In fact, just a few months ago, CBC was reporting that the cost might keep the program from being implemented. Look at the numbers from the government’s own feasibility study: “Implementation costs for the RCMP, CSIS and the CBSA alone would range from $95 million to $270 million, the study estimates, with annual operational costs of between $19 million and $60 million. Costs for Transport Canada are not included in the estimate.” By way of comparison, the 2006 federal budget allocated $133 million for the entire Canadian Air Transport Security Authority, and about the same amount for hiring one thousand new RCMP officers. I’m no expert on government finance, but the Passenger Protect numbers don’t look good to me.

Second, and more importantly, there’s the question of effectiveness. Will the no-fly list actually make us safer? If the US example is anything to go by, probably not.

Now, to their credit, the designers of Passenger Protect have learned a thing or two from the disaster that is the US no-fly list. For example, unlike in the US, there will be an appeal process — so, in theory, you’ll be able to get your name off the list if it shouldn’t be there. Whether it will work that way in practice is another story, of course, but at least there will be a process in place. There are also specific criteria for adding names to the list, which as far as I can tell is something the US list lacks.

That said, there are still a number of big gaping flaws to reckon with. For one thing, Canada will almost certainly be sharing its no-fly list with the US. So if you end up on the Canadian list, you will also end up on the US list. And once you’re on the US list, you don’t get off it — just ask Maher Arar. (If a formal commission of inquiry can’t get you off the US no-fly list, what chance does a “Not-a-Terrorist” certificate from the Office of Reconsideration have?)

The Canadian no-fly list will also be using the US list as one of its information sources. Now, the US list is finally going to be cleaned up in the near future, but it’s certainly been the case in the past that that list was worthless. The Wikipedia article on the US list runs through some of the better-known false positives if you need examples. I frankly don’t understand how Canada’s security agencies will be able to extract reliable information from the US list. Our own records of individuals with ties to terrorism are far less comprehensive than American records, so I hope the Homeland Security people will be sharing everything they know about the 44,000 people on their no-fly list — because we’d have to be nuts to just use their list without evaluating the information it’s based on first.

Then there are the disturbingly vague criteria for including a person on the Canadian list. For example, the first class of people on the list includes any “individual who is or has been involved in a terrorist group, and who, it can reasonably be suspected, will endanger the security of any aircraft or aerodrome or the safety of the public, passengers or crew members.” Is the definition of a terrorist group restricted to designated terrorist organizations? Does involvement in such a group include just donating money? Does it include involvement antedating the group’s designation as a terrorist organization? Will such involvement itself qualify as reasonable grounds to suspect the person is a threat? These are not idle or unfounded questions. Remember, the agencies responsible for answering them have already helped send at least one innocent person off to be tortured in a foreign country; we can expect them to cast their nets wide and not worry too much if they catch a few innocent people along the way.

Also, the no-fly list will only work if the terrorists agree to use their real names when they book a flight. Which is kind of an important point, because it means we are spending hundreds of millions of dollars on a system that will only catch the really stupid terrorists. You know, the ones we probably would’ve caught anyway.

Incidentally, in the 18 months since Paul Martin’s Liberals first floated the idea, Passenger Protect has never once been debated in the House of Commons. The Special Senate Committee on the Anti-Terrorism Act did raise a few concerns about the program in the report they released this month (which recommends clarifying the criteria for adding names to the list and publishing guidelines on how to get your name removed), but the people you and I actually elected don’t seem too concerned about it. Maybe we should give them a nudge.

Canada is about to get its very own homegrown no-fly list. The initiative is called Passenger Protect, and it got its start under Paul Martin’s Liberal government back in 2005. The Liberals lost power before it could be implemented, but Stephen Harper’s Conservatives thought it was a good idea, so they’re going ahead with it. It’s set to take effect for domestic flights in March, and for international flights in June.

How it will work

The no-fly list will be compiled by a Transport Canada advisory group based on recommendations from CSIS and the RCMP. They’ll be adding the names of anyone who is or has been involved with terrorist groups and might pose a threat to aviation security; anyone who has previously been convicted of “serious and life-threatening crimes against aviation security”; and any convicted violent offenders who might harm the crew or other passengers.

In addition to using their own records, CSIS and the RCMP will be relying on information from foreign intelligence sources, including the US no-fly list. The Canadian list will include each person’s name, gender, and date of birth, and in some cases their address, phone number, and passport number as well. All airlines flying through Canada will have access to the list, but they’ll be required to keep it confidential. However, Canada will almost certainly share its list with the US and other Canadian allies — so if you’re on the Canadian no-fly list, you can expect to end up on the US list, too.

When you go to get your boarding pass, your airline will check to see if your name is on the list. If it is, you won’t be able to print your boarding pass online or at a kiosk — you’ll have to proceed to the check-in desk, where airline staff will ask for your ID and check your gender and date of birth. If you’re still a match at this point, they’ll get in touch with a Transport Canada officer to verify your identity and status, and permit or refuse boarding accordingly. If you want to appeal their decision, you can talk to the Office of Reconsideration, an independent review board.

For more information, check out:

• Transport Canada’s information package on Passenger Protect
• Transport Canada’s response to the Privacy Commissioner’s questions
• Identity Screening Regulations

Coming soon: Why we should be concerned about Passenger Protect.

I’ll be posting more about Passenger Protect, Canada’s nascent no-fly list, in the near future, but for now, here’s a CBC article suggesting that the cost of the system — estimated at $250 million — could keep it from being implemented. (The article is in French only, alas. Here’s a reasonably coherent English-language version, courtesy of Babelfish.)

[UPDATED. See end of post.]

Canada’s big ISPs have agreed to block access to websites listed on a child pornography blacklist. The goal is laudable, but the devil, as usual, is in the details.

First, the facts: The initiative is called Project Cleanfeed Canada. It’s based on a similar project in the UK and has the blessing of the federal government. The blacklist will be maintained by Cybertip.ca, a group that already has a system in place for receiving and analyzing reports of child pornography online. Bell, Bell Aliant, MTS Allstream, Rogers, Shaw, SaskTel, Telus, and Videotron have all signed on.

It’s clear that everyone has their hearts in the right place here. No one wants to help creeps get access to kiddie porn. Aside from the obvious moral issues, child pornography is illegal in Canada — creating it, distributing it, and accessing it are all against the law. But a mandatory blacklist implemented at the ISP level is not the solution, for a whole bunch of reasons.

First off, there’s the question of effectiveness. As any good librarian can tell you, Filters Don’t Work. The history of internet filtering is rife with false positives and false negatives — sites get blocked when they shouldn’t be, and sites that should be blocked get missed. This system is going to miss out on a ton of child porn sites; inevitably, people are going to find the ones that haven’t been blacklisted yet. To an extent, false positives aren’t a big deal, since most people don’t encounter kiddie porn online to begin with and this initiative will make it even less likely. It’s also true that those who really want to get the stuff will find ways to circumvent Cleanfeed — even the RCMP have admitted that. So this is really just a way of protecting those of us who don’t want to be exposed to child porn.

I’m okay with that. But what about the false positives? What happens when sites get blacklisted by mistake? Michael Geist notes that there will be an appeal process, and also mentions that the blacklist will be kept secret to prevent it from doubling as a child porn directory. However, Cory Doctorow argues that this approach is flawed. There are several problems: a secret blacklist makes it hard to figure out that you’re being blocked like this; many non-Canadian website owners won’t go to the trouble of appealing — even if they figure out they’ve been blacklisted, which is unlikely; and even for Canadians, if they manage to find out what’s wrong, the appeal process can be a huge obstacle. (Cory, who has been a victim of wrongful blacklisting in the past, gives a great example of this last problem.)

Then there’s the question of precedent. At the moment, as I understand it, Canadian ISPs essentially bear no responsibility for the lawfulness of the content they transmit. (The full story is a bit more complicated, but for the purposes of this discussion that’s how things stand.) They can’t be sued for what their clients choose to look at or make available, and they don’t have to monitor or regulate the content that passes through their systems — in fact, they’re apparently not allowed to block access to content that doesn’t break the law. This is good for privacy (because the ISPs have no reason to monitor what you look at online), good for free speech, and good for the ISPs’ bottom lines. But now the ISPs are assuming the role of content watchdog, and that opens the door to pressure for increased access restrictions. How long will it be before we start seeing proposals, from either the government or the less civil-libertarian elements of the public, for blacklisting other types of objectionable content?

Now, to be fair, Michael Geist says that child pornography is a special case because of its legal status (it’s more restricted than anything else, even hate speech), and that it’s unlikely ISPs will start blocking other content. Dr. Geist knows what he’s talking about, so I’m willing to take a benefit-of-the-doubt stance. But on the other hand, it’s not like ISPs are bastions of intellectual freedom. In fact, we’ve already seen one major ISP block access to a website set up by its union — and, inadvertently, 766 unrelated sites (PDF) — during a lockout, purely because it didn’t like the content of the site. So if the pressure mounts for other blacklists beyond child porn — well, I for one won’t be surprised if the ISPs give in.

Finally, there’s the underlying assumption that this is something that should be imposed by the ISPs. There is a basic philosophical problem here. It’s not exactly censorship in the traditional sense that’s the issue — it’s not like, in Canada, child porn is protected speech and people have a right to look at it if they want to (it’s not, and they don’t). I’m saying that it’s wrong for ISPs to be doing this, because of their particular role in the transmission of information. ISPs are not content providers but access providers. To put it another way, it’s not their job to choose what content they make available; it’s their job to provide access to the content that others have chosen to make available. It sounds like a minor distinction, but it’s not — it means that those who control our ability to communicate online will now be in a position to choose, based on what we have to say, whether others get to hear us. Giving ISPs a veto over the content they transmit is inherently a major structural change in the free flow of information in this country, and the potential for adverse consequences is too great to ignore.

(I’ve linked several times to the excellent discussion of Project Cleanfeed Canada on Michael Geist’s blog. The comments touch on more aspects of the initiative than I’ve been able to cover here. The whole discussion is highly recommended.)

UPDATE, 4 December 2006: Michael Geist has written a Toronto Star column on Cybertip.ca. He addresses some of the concerns that have been raised, noting, for example, that there will be an appeals process with an independent review mechanism. Dr. Geist also mentions the slippery-slope issue, but concludes that despite some potential risks, “the project deserves the benefit of the doubt.”

As I said earlier, I’m willing to give Cybertip.ca the benefit of the doubt. They’re showing every sign of good faith (although it would be nice to see more information on the initiative on their website), and they are clearly responding to some of the potential pitfalls of their approach. However, several grave concerns still haven’t been adequately addressed:

• The accessibility of the appeals process is still an open question. How exactly will the process work? Does Cybertip.ca notify the site administrator when a site is blacklisted? How will Cybertip.ca ensure that the appeals process is open to everyone, including anonymous site owners and non-Canadians?
• The ISPs are still setting a bad precedent. Dr. Geist feels that the benefits of the initiative outweigh the risks of seeing the blacklist expanded to other types of content. But we’ve already seen that ISPs can’t be relied on to stand up for intellectual freedom, and I for one don’t think that the unique legal status of child pornography makes for a reliable safeguard.
• After all is said and done, this is still a case of ISPs regulating content — tentatively and at arm’s length, I know, but that’s still what they’re doing, and it’s a historically new role for them (at least in Canada) and a structural change in the flow of information online. That’s cause enough to be concerned.

From the Canadian Press:

Ottawa is exploring the possibility of allowing the private sector to finance and operate a new border crossing at Canada’s busiest point of entry to the United States, Trade and Infrastructure Minister Lawrence Cannon said Monday.

The clear signal that the federal government is entertaining private involvement in a second bridge between Detroit and Windsor, Ont., comes amid new polling data that suggests nearly two-thirds of Canadians support the idea of public-private partnerships.

The poll in question was commissioned by the Canadian Council for Public-Private Partnerships, and you can read it for yourself, if you like. It’s quite the piece of work. Apparently these are the questions they asked:

1. Governments are having trouble keeping pace with demands for new or improved public infrastructure and services. Do you agree or disagree?
2. It is time to allow the private sector to deliver these types of services in partnership with governments. Do you agree or disagree?
3. If your access to services remained the same, if the quality of services was the same or better and if the cost to you was no more than if the government was providing the service, would you support or oppose private sector involvement in the following areas: [and a bunch of service sectors are listed].

Aren’t access, quality of services, and cost three of the key issues surrounding privatization? (They also left out accountability, which to my mind would be the fourth.) How can you trust a poll that dodges those issues? And yet the Canadian Press story pretty much ignores the evident bias here. Sure, it quotes a union boss saying that the survey is “very short on questions that relate to access, cost and quality concerns,” but the reporter doesn’t follow that up — instead, the poll results are discussed as if they were reliable.

Also worth noting:

Security at the border crossing would continue to be the domain of Canadian and American border agencies, said David McFadden, chairman of communications for The Canadian Council for Public-Private Partnerships.

“What the private sector does is maintain the infrastructure, make sure it’s properly paved, cleaned, things of that nature,” McFadden said.

Let’s hope they stick to that. I’m not holding my breath, though: the article goes on to point out that Cannon “did say that a private-sector partner could ‘operate’ the crossing.” It would be nice if they could at least get their stories straight.

Last night, in the middle of a story on real estate fraud, CTV News inexplicably threw its support behind a national identity card. The segment claimed that such a card would ameliorate the risks of fraud and identity theft.

It’s not true. When it comes to real estate fraud, a national ID card offers no advantages over other identification documents. In fact, from a security standpoint, national ID cards are a singularly bad idea. Here’s why (and I’m getting this stuff from Bruce Schneier, so you can take his word for it):

• ID cards can be forged, no matter how “unforgeable” they’re designed to be.
• In order to get a real, official, government-issued ID card, you have to present other pieces of identification, which can be forged.
• ID cards have to be checked — usually by human beings, who are error-prone and often poorly trained.
• Finally, and most importantly, a national ID card would have to be backed up by a national ID database containing identifying information on everyone in the country. This database would need to be “widely and instantaneously accessible from airline check-in stations, police cars, schools, and so on.” It would contain data pulled together from all over the place, which means the data will be weird, inconsistent, and probably unreliable. Such a database would be a massive procedural and technological challenge (and that’s putting it mildly; Charlie Stross has convincingly argued that the UK’s plans for such a database could never work). It would also be a massive security risk: imagine what could happen if malicious hackers broke into the system and started messing with people’s records!

Schneier concludes, “That’s why, when someone asks me to rate the security of a national ID card on a scale of one to 10, I can’t give an answer. It doesn’t even belong on a scale.”

And yet the idea has been floating around in Canadian politics for a while now. It’s been on the table in national security discussions pretty much since September 11. Last February, Public Safety Minister Stockwell Day said that such a card is inevitable. I’d like to think the Canadian government will pay attention to security gurus like Bruce Schneier, learn from the debacle that Britain’s ID card scheme has become, and drop whatever plans it has to implement an ID card system of its own. But governments like to be seen to be doing something — especially when it comes to national security, which is the usual context for ID card proposals — and with major media outlets are talking favorably and uncritically about the idea, I suspect Ottawa will be pushing ahead with an ID card scheme. So maybe it’s time to start thinking about how to oppose such a plan.

A group called Online Rights Canada is making it very easy to write a letter to your Member of Parliament advocating balanced copyright. Pick your province, select your MP, and edit the suggested text of the letter. If you’re a Canadian, please take a few minutes to help out. It will be a lot harder to have an impact once there’s actual legislation on the table.

If you’re not sure why copyright reform is important or don’t know much about the recent history of the copyright reform process, Online Rights Canada provides some good background material. CIPPIC also has a good FAQ on the subject.

From a message posted to the Data Liberation Initiative mailing list:

As of April 24, 2006, all electronic publications available on the Statistics Canada website will become free of charge. … The adoption of the New Publishing Model supports the longstanding principles underlying the Agency’s dissemination program: to make information of broad public interest widely available to the Canadian public but to charge individual clients for special products and services where the benefits do not accrue to the public at large and where additional costs are incurred by the Agency in providing them. … The move to free electronic publications will increase consistency in our priced publication program and improve access to our published information for users, respondents and stakeholders.

This is a significant step towards opening up access to Canadian government information. We’re still stuck with Crown copyright (unlike in the US, where government documents are in the public domain), but it looks like the federal government is starting to move in the right direction.