NETWORK WARS Presentation to the 11th CACR Information Security Workshop & 3rd Annual Privacy and Security Workshop Privacy and Security: Totally Committed.

Presentation transcript:

NETWORK WARS Presentation to the 11th CACR Information Security Workshop & 3rd Annual Privacy and Security Workshop Privacy and Security: Totally Committed November 7, 2002

2 Network Wars Richard C. Owens Executive Director Centre for Innovation Law and Policy 78 Queen’s Park Toronto, ON M5S 2C5 Canada Ph: (416) Fax: (416)

3 Anti-terrorism Plan: Canada’s Response to Terror Plan? Pre/post Sept. 11 amalgam of programmes Bill C-36, Anti-terrorism Act (“ATA”). Public Safety Act (PSA). Convention on Cybercrime. International Convention for Suppression of Terrorism Financing Other Activities\Budget Allocations\ Programmes.

4 Anti-terrorism Plan Focus on: –effects on protection of personal information –effects on information technology government ISPs/Private sector Centre for Innovation Law and Policy is a multidisciplinary institute for the study of laws related to innovation--including computer laws.

5 Anti-terrorism Act ATA introduced October 15, Highly controversial; debate limited and Bill passed. Security of Freedom conference and book-- University of Toronto Faculty of Law.

6 Anti-terrorism Act Extremely complex bill; amends many other pieces of legislation, intermixes section numbers. 146 sections.

7 ATA: Security of Information Act The Security of Information Act is entirely new legislation to replace the outdated and unused Official Secrets Act. Not just restrictions on “official secrets”-- includes sections dealing with “economic espionage”.

8 ATA: Security of Information Act (continued) Offence of “Communicating a Trade Secret” Every person commits an offence who, at the direction of, for the benefit of, or in association with, a foreign economic entity, fraudulently or without colour of right and to the detriment of Canada’s economic interests, international relations or national defence or national security, (a) communicates a trade secret to another person, group or organisation; or (b)obtains, retains, alters or destroys a trade secret.

9 ATA: Security of Information Act (continued) Definition of “Trade Secret” Any information, including a formula, pattern, compilation, program, method, technique, process, negotiation position or strategy or any information contained or embodied in a product, device or mechanism that: (a) is or may be used in trade or business; (b) is not generally known in that trade or business; (c) has economic value from not being generally known; and (d) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

10 ATA: Security of Information Act (continued) –First Canadian statutory definition of trade secret. –First Canadian criminalization of release of trade secrets. –Very broad provision--could easily include permitting the download of restricted software. –“Foreign economic entity” includes “an entity that is controlled, in law or in fact, or is substantially owned, by a foreign state or a group of foreign states”--i.e., most universities and university spin-offs. Retention alone constitutes the offence.

11 ATA (continued) (Act also criminalises release of information relating to a patent assigned to the Minister of Defence under the provisions of section 20 of the Patent Act, as well as information relating to the terms of the assignment of the patent).

12 ATA: Security of Information Act (continued) Increasing the Capacity of a Foreign Entity 16(1) Every person commits an offence who, without lawful authority, communicates to a foreign entity or to a terrorist group information that the Government of Canada or of a province is taking measures to safeguard if (a) the person believes or is reckless as to whether the information is information that the government of Canada or of a province is taking measures to safeguard; and (b) the person intends, by communicating the information, to increase the capacity of a foreign entity or terrorist group to harm Canadian interests or is reckless as to whether the communication of the information is likely to increase the capacity of a foreign entity or terrorist group to harm Canadian interests.

13 ATA: Security of Information Act (continued) –“Lawful authority” is a high standard. –“Taking measures to safeguard” is a very low standard. –“Foreign entity” is very broadly defined to include any state controlled enterprise.

14 ATA: Security of Information Act (continued) – Another offence is that of “Harming Canadian interests” 16(2) – essentially similar components as 16(1); this offence needs to result in actual harm to Canadian interests, but has lesser intention requirement.

15 ATA: Security of Information Act (continued) Harming Canadian Interests: Every person commits an offence who, intentionally and without lawful authority, communicates to a foreign entity or a terrorist group information that the Federal or a provincial government is taking measures to safeguard if (a) the person believes or is reckless as to whether the information is information that the government is taking measures to safeguard; and (b) harm to Canadian interests results. No “telecommunications exemption” exceptions for professionals; no exceptions for public interest advocacy; no exceptions for business people acting in their own enlightened self interest.

16 ATA: Criminal Code Orders to Block and or Delete Content (320.1): If a judge is satisfied by information on oath that there are reasonable grounds for believing that there is material that is hate propaganda within the meaning of subsection 320(8) or data within the meaning of 342.1(2) that makes hate propaganda available, that is stored on, and made available to the public through a computer system within the meaning of subsection 342.1(2) that is within the jurisdiction of the court, the judge may order the custodian of the computer system to: (a) give an electronic copy of the material to the court; (b) ensure that the material is no longer stored on and made available through the computer system; and (c) provide information necessary to identify and locate the person that posted the material.

17 ATA: Criminal Code (continued) Orders to Block and or Delete Content (continued) -CCTA (Canadian Cable Television Association) submissions suggested removing the words “stored on and”, because of the difficulty of assuring that all content was removed from mirror sites, caches, backup servers and the like. -Breach of the order can result in contempt of court penalties. -One Al Qaeda-linked site taken down.

18 ATA: Criminal Code (continued) Orders to Block and or Delete Content (continued) –Related to Canada’s laws against hate propaganda, sections , of the Criminal Code.

19 ATA: Communications Security Establishment The ATA includes entirely new legislation governing the CSE, the equivalent of the NSA in the United States. Purpose of the CSE is: (a) to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities; (b) to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and (c) to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

20 ATA: Communications Security Establishment (continued) CSE is intended to collect foreign intelligence from the “global information infrastructure”, which is defined to include: –…electromagnetic emissions, communications systems, information technology systems and networks, and any data or technical information carried on, contained in or relating to those emissions, systems or networks. However, there are new privacy restrictions on the CSE, as a result of its new ability to intercept signals of Canadian origination (hitherto restricted by the Criminal Code).

21 ATA: Communications Security Establishment (continued) Such interceptions can be authorised by the minister (and they will be), if: –the interception is necessary –the information could not be readily obtained by other means –consent could not be readily obtained –satisfactory measures are in place to ensure that only essential information will be used or retained; [n.b.--not intercepted] –satisfactory measures are in place to protect the privacy of Canadians [in the minister’s discretion, subject to commissioner [supernumerary judge] oversight].

22 ATA: Communications Security Establishment (continued) These arise from the fact that, in protecting Canada’s networks, CSE will be intercepting communications directed to damaging Canada’s networks, which cannot in advance be known to originate in Canada. The address or packet address may indicate Canadian origination and the information therein may therefore be protected by Canada’s privacy laws.

23 ATA: Communications Security Establishment (continued) As yet, no experience with how this section will be applied--meetings are going on now within the federal government.

24 ATA: Federal Privacy Legislation Federal privacy legislation requires disclosure of information held about an individual to that individual upon request. The Anti-terrorist Act, by introducing a new section 38 of the Canada Evidence Act, grants the Attorney General the discretionary power to issue a certificate overriding a court order for disclosure of information. The Federal Privacy Act is also amended to provide for the confidentiality of information which is a subject of a certificate under section 38. Prevents “back door” release of information from another jurisdiction; limits oversight by Privacy Commissioner.

25 ATA: Canadian Human Rights Act ATA (amends the Canadian Human Rights Act section 88) to provide: (2) For greater certainty, subsection (1) applies in respect of a matter that is communicated by means of a computer or a group of interconnected or related computers, including the Internet, or any similar means of communication, but does not apply in respect of a matter that is communicated in whole or in part by means of the facilities of a broadcasting undertaking. Removed ambiguity from Canadian Human Rights Act with which Canadian Human Rights Commission wrestled in the Zundel case.

26 ATA: Criminal Code Additions to section 83 to the Criminal Code provide for offenses relating to financing terrorism. Extremely broad: Every one who, directly or indirectly, wilfully and without lawful justification or excuse, provides or collects property intending that it be used or knowing that it will be used, in whole or in part, in order to carry out (a) an act or omission that constitutes an offence referred to in subparagraphs (a)(i) to (ix) of the definition of “terrorist activity” in subsection 83.01(1); or (b) any other act or omission intended to cause death or serious bodily harm to a civilian or to any other person not taking an active part in the hostilities in a situation of armed conflict, if the purpose of that act or omission, by its nature or context, is to intimidate the public, or to compel a government or an international organization to do or refrain from doing any act, is guilty of an indictable offence and is liable to imprisonment for a term of not more than 10 years.

27 ATA: Criminal Code is similar, but makes to a person who “makes available property or financial or other related services” Every one who, directly or indirectly, collects property, provides or invites a person to provide, or makes available property or financial or other related services (a) intending that they be used, or knowing that they will be used, in whole or in part, for the purpose of facilitating or carrying out any terrorist activity, or for the purpose of benefiting any person who is facilitating or carrying out such an activity; or (b) knowing that, in whole or part, they will be used by or will benefit a terrorist group, is guilty of an indictable offence and is liable to imprisonment for a term of not more than 10 years.

28 ATA: Criminal Code refers to everyone who “uses” or “possesses” property knowing it will be used. These sections are extremely broad; could apply to an Internet services provider providing a website for an organization subsequently deemed to be a terrorist organization. As one commentator said, “Could apply to serving food in a restaurant”.

29 Public Safety Act (#1) Omnibus legislation amending several acts. Amends Aeronautics Act to permit communication of the names of U.S. bound passengers. Amendments to the National Defence Act provide authority to the Canadian Forces to protect their computer systems and networks from attack or manipulation. Revisions to Immigration Act require transportation companies to provide information to the government about passengers en route to Canada (now part of Immigration and Refugee Protection Act). Reintroduced October 31, 2002.

30 Other Parts of the Plan Convention on cybercrime. –Consultation on Lawful Access International convention for suppression of terrorism financing.

31 Other Parts of the Plan OCIPEP--Office of Critical Infrastructure Protection and Emergency Preparedness –Y2K threat (remember?). –Coordinates cyber security exercises with the United States. –Provides technical advice, R&D, etc. –Monitors cyber attacks and other threats to government systems and issues alerts –Coordinates federal response to threats/incidents –Publicises system vulnerabilities. –Efforts criticised by Auditor General

32 Other Parts of the Plan (continued) Systems integrity testing services, CSE. Cooperation on security amongst government, private sector. Cooperation on protocols for release of information in accordance with privacy legislation, telecommunications regulation and criminal procedure. (Consultation on Lawful Access.)

33 For Much More Information...