Transcript Slide 1

NETWORK WARS
Presentation to the
11th CACR Information Security Workshop &
3rd Annual Privacy and Security Workshop
Privacy and Security: Totally Committed
November 7, 2002
Richard C. Owens
Executive Director
Centre for Innovation Law and Policy
78 Queen’s Park
Toronto, ON M5S 2C5
Canada
Ph: (416) 978-7151
Fax: (416) 978-2648
E-mail: [email protected]
2
Anti-terrorism Plan: Canada’s
Response to Terror
• Plan? Pre/post Sept. 11 amalgam of
programmes
• Bill C-36, Anti-terrorism Act (“ATA”).
• Public Safety Act (PSA).
• Convention on Cybercrime.
• International Convention for Suppression of
Terrorism Financing
• Other Activities/Budget Allocations/Programmes.
3
Anti-terrorism Plan
• Focus on:
– effects on protection of personal information
– effects on information technology
• government
• ISPs/Private sector
Centre for Innovation Law and Policy is a multidisciplinary
institute for the study of laws related
to innovation, including computer laws.
4
Anti-terrorism Act
• ATA introduced October 15, 2001.
• Highly controversial; debate limited and Bill
passed.
• Security of Freedom conference and book – University of Toronto Faculty of Law.
5
Anti-terrorism Act
• Extremely complex bill; amends many other
pieces of legislation, intermixes section
numbers.
• 146 sections.
6
ATA: Security of Information Act
• The Security of Information Act is entirely
new legislation to replace the outdated
and unused Official Secrets Act.
• Not just restrictions on “official secrets” – includes sections dealing with “economic
espionage”.
7
ATA: Security of Information Act
(continued)
• Offence of “Communicating a Trade Secret”
Every person commits an offence who, at the direction of, for the
benefit of, or in association with, a foreign economic entity,
fraudulently or without colour of right and to the detriment of
Canada’s economic interests, international relations or national
defence or national security,
(a) communicates a trade secret to another person,
group or organisation; or
(b) obtains, retains, alters or destroys a trade secret.
8
ATA: Security of Information Act
(continued)
• Definition of “Trade Secret”
Any information, including a formula, pattern, compilation,
program, method, technique, process, negotiation position or
strategy or any information contained or embodied in a
product, device or mechanism that:
(a) is or may be used in trade or business;
(b) is not generally known in that trade or business;
(c) has economic value from not being generally
known; and
(d) is the subject of efforts that are reasonable
under the circumstances to maintain its secrecy.
9
ATA: Security of Information Act
(continued)
– First Canadian statutory definition of trade secret.
– First Canadian criminalization of release of trade
secrets.
– Very broad provision--could easily include permitting
the download of restricted software.
– “Foreign economic entity” includes “an entity that is
controlled, in law or in fact, or is substantially owned,
by a foreign state or a group of foreign states”--i.e.,
most universities and university spin-offs
• Retention alone constitutes the offence.
10
ATA
(continued)
• (Act also criminalises release of information
relating to a patent assigned to the Minister of
Defence under the provisions of section 20 of
the Patent Act, as well as information relating to
the terms of the assignment of the patent).
11
ATA: Security of Information Act
(continued)
• Increasing the Capacity of a Foreign Entity 16(1)
Every person commits an offence who, without lawful authority,
communicates to a foreign entity or to a terrorist group information
that the Government of Canada or of a province is taking measures
to safeguard if
(a) the person believes or is reckless as to whether the
information is information that the government of Canada
or of a province is taking measures to safeguard; and
(b) the person intends, by communicating the information, to
increase the capacity of a foreign entity or terrorist group
to harm Canadian interests or is reckless as to whether
the communication of the information is likely to increase
the capacity of a foreign entity or terrorist group to harm
Canadian interests.
12
ATA: Security of Information Act
(continued)
–“Lawful authority” is a high
standard.
–“Taking measures to safeguard” is
a very low standard.
–“Foreign entity” is very broadly
defined to include any state
controlled enterprise.
13
ATA: Security of Information Act
(continued)
– Another offence is that of “Harming Canadian
interests” 16(2) – essentially similar
components as 16(1); this offence needs to
result in actual harm to Canadian interests,
but has lesser intention requirement.
14
ATA: Security of Information Act
(continued)
• Harming Canadian Interests:
Every person commits an offence who, intentionally and without lawful
authority, communicates to a foreign entity or a terrorist group information
that the Federal or a provincial government is taking measures to
safeguard if
(a) the person believes or is reckless as to
whether the information is information that the
government is taking measures to safeguard; and
(b) harm to Canadian interests results.
No “telecommunications exemption” exceptions for
professionals; no exceptions for public interest
advocacy; no exceptions for business people
acting in their own enlightened self interest.
15
ATA: Criminal Code
• Orders to Block and/or Delete Content
(320.1):
If a judge is satisfied by information on oath that there are reasonable grounds for
believing that there is material that is hate propaganda within the meaning of
subsection 320(8) or data within the meaning of 342.1(2) that makes hate
propaganda available, that is stored on, and made available to the public through a
computer system within the meaning of subsection 342.1(2) that is within the
jurisdiction of the court, the judge may order the custodian of the computer system
to:
(a) give an electronic copy of the material to the court;
(b) ensure that the material is no longer stored on and made available through
the computer system; and
(c) provide information necessary to identify and locate the person that posted the
material.
16
ATA: Criminal Code
(continued)
• Orders to Block and/or Delete Content
(continued)
- CCTA (Canadian Cable Television Association)
submissions suggested removing the words
“stored on and”, because of the difficulty of
assuring that all content was removed from mirror
sites, caches, backup servers and the like.
- Breach of the order can result in contempt of court
penalties.
- One Al Qaeda-linked site taken down
17
ATA: Criminal Code
(continued)
• Orders to Block and/or Delete Content
(continued)
– Related to Canada’s laws against hate
propaganda, sections 318-320.1, of the
Criminal Code.
18
ATA: Communications Security
Establishment
• The ATA includes entirely new legislation governing the CSE, the
equivalent of the NSA in the United States.
• Purpose of the CSE is:
(a) to acquire and use information from the global information
infrastructure for the purpose of providing foreign
intelligence, in accordance with Government of Canada
intelligence priorities;
(b) to provide advice, guidance and services to help ensure the
protection of electronic information and of information
infrastructures of importance to the Government of Canada;
and
(c) to provide technical and operational assistance to federal law
enforcement and security agencies in the performance of their
lawful duties.
19
ATA: Communications Security
Establishment (continued)
• CSE is intended to collect foreign
intelligence from the “global information
infrastructure”, which is defined to include:
– …electromagnetic emissions, communications systems, information
technology systems and networks, and any data or technical information
carried on, contained in or relating to those emissions, systems or
networks.
• However, there are new privacy
restrictions on the CSE, as a result of its
new ability to intercept signals of Canadian
origination (hitherto restricted by the
Criminal Code).
20
ATA: Communications Security
Establishment (continued)
• Such interceptions can be authorised by
the minister (and they will be), if:
– the interception is necessary
– the information could not be readily obtained by other means
– consent could not be readily obtained
– satisfactory measures are in place to ensure that only essential
information will be used or retained; [n.b.--not intercepted]
– satisfactory measures are in place to protect the privacy of
Canadians [in the minister’s discretion, subject to
commissioner [supernumerary judge] oversight].
21
ATA: Communications Security
Establishment (continued)
• These arise from the fact that, in protecting
Canada’s networks, CSE will be intercepting
communications directed to damaging Canada’s
networks, which cannot in advance be known to
originate in Canada.
• The e-mail address or packet address may
indicate Canadian origination and the
information therein may therefore be protected
by Canada’s privacy laws.
22
ATA: Communications Security
Establishment (continued)
• As yet, no experience with how this
section will be applied--meetings are going
on now within the federal government.
23
ATA: Federal Privacy Legislation
• Federal privacy legislation requires disclosure of
information held about an individual to that individual
upon request.
• The Anti-terrorism Act, by introducing a new section 38 of
the Canada Evidence Act, grants the Attorney General
the discretionary power to issue a certificate overriding a
court order for disclosure of information.
• The Federal Privacy Act is also amended to provide for
the confidentiality of information which is a subject of a
certificate under section 38.
• Prevents “back door” release of information from another
jurisdiction; limits oversight by Privacy Commissioner.
24
ATA: Canadian Human Rights
Act
• ATA (amends the Canadian Human Rights Act
section 88) to provide:
(2) For greater certainty, subsection (1) applies in respect of a
matter that is communicated by means of a computer or a
group of interconnected or related computers, including the
Internet, or any similar means of communication, but does not
apply in respect of a matter that is communicated in whole or in
part by means of the facilities of a broadcasting undertaking.
• Removed ambiguity from Canadian Human Rights Act
with which Canadian Human Rights Commission
wrestled in the Zundel case.
25
ATA: Criminal Code
• Additions to section 83 of the Criminal Code provide for offences
relating to financing terrorism.
• Extremely broad:
Every one who, directly or indirectly, wilfully and without lawful justification or
excuse, provides or collects property intending that it be used or knowing that it
will be used, in whole or in part, in order to carry out
(a) an act or omission that constitutes an offence referred to in
subparagraphs (a)(i) to (ix) of the definition of “terrorist activity” in
subsection 83.01(1); or
(b) any other act or omission intended to cause death or serious bodily
harm to a civilian or to any other person not taking an active part in the
hostilities in a situation of armed conflict, if the purpose of that act or
omission, by its nature or context, is to intimidate the public, or to compel
a government or an international organization to do or refrain from doing
any act,
is guilty of an indictable offence and is liable to imprisonment for a term of not
more than 10 years.
26
ATA: Criminal Code
• 83.03 is similar, but applies to a person who “makes
available property or financial or other related services”
Every one who, directly or indirectly, collects property, provides or
invites a person to provide, or makes available property or financial
or other related services
(a) intending that they be used, or knowing that they will be
used, in whole or in part, for the purpose of facilitating or
carrying out any terrorist activity, or for the purpose of
benefiting any person who is facilitating or carrying out
such an activity; or
(b) knowing that, in whole or part, they will be used by or will
benefit a terrorist group,
is guilty of an indictable offence and is liable to imprisonment for a
term of not more than 10 years.
27
ATA: Criminal Code
• 83.04 refers to everyone who “uses” or
“possesses” property knowing it will be used.
• These sections are extremely broad; could apply
to an Internet services provider providing a
website for an organization subsequently
deemed to be a terrorist organization.
• As one commentator said, “Could apply to
serving food in a restaurant”.
28
Public Safety Act (#1)
• Omnibus legislation amending several acts.
• Amends Aeronautics Act to permit communication of the
names of U.S. bound passengers.
• Amendments to the National Defence Act provide
authority to the Canadian Forces to protect their
computer systems and networks from attack or
manipulation.
• Revisions to Immigration Act require transportation
companies to provide information to the government
about passengers en route to Canada. (Now part of
Immigration and Refugee Protection Act.)
• Reintroduced October 31, 2002
29
Other Parts of the Plan
• Convention on cybercrime.
– Consultation on Lawful Access
• International convention for suppression of
terrorism financing.
30
Other Parts of the Plan
• OCIPEP--Office of Critical Infrastructure
Protection and Emergency Preparedness
– Y2K threat (remember?).
– Coordinates cyber security exercises with the United States.
– Provides technical advice, R&D, etc.
– Monitors cyber attacks and other threats to government systems
and issues alerts
– Coordinates federal response to threats/incidents
– Publicises system vulnerabilities.
– Efforts criticised by Auditor General
31
Other Parts of the Plan (continued)
• Systems integrity testing services, CSE.
• Cooperation on security amongst
government, private sector.
• Cooperation on protocols for release of
information in accordance with privacy
legislation, telecommunications regulation
and criminal procedure. (Consultation on
Lawful Access.)
32
For Much More Information...
www.innovationlaw.org