Unpacking the Potential Costs of Bill C-30

Expense Sheet The Government of Canada has, at least temporarily, backed away from pushing through its tabled lawful access legislation. While many critiques of the legislation abound – some of which I’ve recently noted surrounding warrantless access to subscriber information – there have been limited critiques of the actual financial costs associated with the bill. While some public commentators have suggested that the legislation will threaten small Internet service providers’ financial viability, there has yet to be a formal, detailed, and public financial accounting of lawful access-related costs.

I’m incapable of offering this accounting. The same is true for every other Canadian, whether they are a government bureaucrat, private citizen, corporate agent, or government Minister, because the legislation itself remains murky. Thus, rather than suggest that the legislation will cost X dollars, in this post I outline why people cannot cost out the bill if they solely rely on existing public information.

I begin this post by quickly outlining what the Canadian government suggests that the legislation will cost. Having done so, I move to critique the origins of the government’s numbers. This entails first examining the issue of interception capabilities, second, of storage costs, and third, of the status of Telecommunication Service Providers’ existing lawful access capacities. I conclude by noting the lack of clarity surrounding C-30’s breadth and the need for clarity during the legislative, rather than regulation-setting, stage of the bill’s development.

The Government of Canada’s Estimated Costs

In February 2012, the Canadian government announced that the lawful access legislation would cost roughly $80 million dollars over 4 years, with costs running around $6.7 million/year afterwards. When confronted about the origins – and veracity – of these numbers the Parliamentary Secretary to the Minister of Transport, Infrastructure and Communities asserted that they are based on Bill C-30 as it is written today (video interview). The government’s expected costs stand in contrast to corporations’ estimates, insofar as some members of the Canadian Wireless Telecommunications Association have told their president that costs could run as high as millions of dollars, per member. The government hasn’t disavowed these numbers, with the Minister of Public Safety instead asserting that cost estimates “would be best coming from the internet service providers. I wouldn’t want to presume what it would cost a smaller internet service provider or a larger one. Simply, I don’t know.”

As I will discuss in what follows, Canadians have very good reasons to doubt the estimate that has been provided by the government. This said, Canadians also have good reason to question the figures that companies and industry associations are presently providing. When a piece of surveillance legislation, CALEA, was passed in the United States in the mid-90s, corporations estimated costs at between $3 and $5 billion dollars. The federal government asserted that costs would only be $500 million to $1 billion. A decade later the U.S. Department of Justice, Office of the Inspector General Audit Division, stated that it was skeptical as to whether CALEA’s implementation cost can be determined with any degree of specificity,” whereas industry lowered costs to around $1.3-1.7 billion. Importantly, a full decade later, the Inspector General could not determine actual compliance with CALEA. While the FBI asserted high levels of compliance it lacked an audit structure that could confirm (or refute) the data it presented.

CALEA only applied to some telecommunications companies. Over a decade later full compliance didn’t exist. The Canadian Government is proposing a rapid integration of surveillance equipment into Telecommunication Service Providers’ networks; in 18 months, TSPs operating in Canada are expected to be compliant with the legislation unless granted an extension by the Minister of Public Safety.

Required Interception Capabilities

The present legislation is unclear concerning what, specific, interception capabilities TSPs will be required to implement. In the United States, CALEA was meant to make Internet service providers (ISPs) capable of monitoring 10% of the nation’s telephone lines. The legislation tabled in Canada lacks this specificity. Let’s now turn to consider some elements of the legislation and their associated, potential, costs.

Per section 7, interception equipment must be able to isolate an individual’s data stream. It must also be capable of isolating particular elements of an individuals’ data from the aggregate data that they are transmitting via the TSP. This effectively means that John Doe would have to be picked out of Shaw’s hundreds of thousands of customers and, if required by the authorities, only his Facebook data might be captured amidst all the data transmissions John Doe is involved in. In effect, section 7 requires that interception equipment be capable of targeting specific individuals and specific flows of data. Of concern, however, is the degree of granularity to which subscriber data streams may need to be separated. Will this be at the level of “all Facebook traffic” or “all Facebook traffic communications with X other user,” or some other level of data segregation?

Per section 8, interception capabilities cannot degrade over time. This can lead to costs on the basis that equipment may have to be replaced or upgraded as new means of data obfuscation become more common.

Per section 9, interception capabilities must continue to meet government requirements as a TSP upgrades their service. This includes a TSP expanding their service: if there is a ten-fold increase in subscribers, the TSP will be likely be required to target a similar percentage of their subscriber-base. While the legislation makes note that Section 9 may legally require purchasing more licenses, it fails to note that maintaining interception capabilities may demand entirely new equipment if equipment that was previously purchased can’t scale to the new user base. The implications of this section are manyfold. First, if a startup or company suddenly goes viral, then it has to not just deal with the basic business costs of rapid corporate expansion (i.e. providing the business service to new customers) but also with extensive surveillance-related costs that act as a drag on the business’ bottom line. Second, this section imposes a barrier to innovation in Canada, insofar as next-generation startups and technology entrepreneurs may be motivated to launch their product/service in a nation lacking the proposed surveillance laws and corresponding obligations.

Per section 11, new software that is deployed must remain compliant with interception demands. This means that innovative expansions of service must first meet Canadian surveillance law prior to being made available to customers. While new products and services might be available to non-Canadian customers, there may be delays while licenses, capacities, and so forth are purchased/developed to surveil Canadians. This could threaten digital innovation in Canada and would, one expects, stand in opposition to the government’s oft-promised-but-never-delivered Digital Economy Strategy.

Per section 14, the Minister can order a greater than existing global number of intercepts; the government will either pay the TSP’s costs in upgrading their maximum total possible intercepts or will provide the equipment to the TSP. To clarify: if a TSP was monitoring 5% of its subscriber-base as required by C-30 related regulations, but the government demands that 10% be monitored, then government will pay for, or will provide, the equipment to meet this new global maximum. Thus, even if the initial regulations establish a hard number of minimum and/or maximum intercepts that businesses must be capable of meeting, those costs may not be the ‘final’ costs if the government decides it wants to pay from its own purse for surveillance in excess of ‘normal’ government regulations.

In aggregate, what does this mean? It means that we cannot know costs of this legislation because it’s unclear just how granularly TSPs must segregate their customers’ data for law enforcement/intelligence purposes. Different levels of granularity are accompanied by different levels of expense. If interception cannot degrade over time then TSPs will need to pay to keep pace with next-generation communication standards: they cannot purchase equipment now and rely on it indefinitely. It’s unclear how quickly companies would have to ‘catch up’ to new communications processes and standards.

Requiring new software to be compliant with C-30 increases development costs and could lead to geoblocking Canadians from internationally popular services that do not comply with Canadian surveillance laws. Imagine if Skype and other ‘free’ VoIP clients refused to comply and were consequently barred from the Canadian marketplace: the basic costs of communications throughout Canada would increase, reducing capital that businesses could commit towards innovation, research, and marketing of next-generation products. Finally, the Minister has the right to demand greater-than-required-by-regulation interception capabilities. This prevents any final, definitive, costing because we can never know when the Minister may decide that TSPs must exceed ‘normal’ interception requirements.

Costs of Data Storage

While TSPs are required to develop and maintain interception capabilities under Bill C-30, they are also required to retain or preserve intercepted data if served with a preservation demand. A preservation demand can be issued if an officer has reason to suspect that a crime has been, or will be, committed in Canada. They can also be issued if an officer is working with a foreign government/agency to assist them in identifying/tracking a person who has committed an offence in that foreign jurisdiction. If data is preserved on grounds that it may be related to a Canadian Criminal Code infraction then the TSP must retain data for 21 days; after that time data can expire, or be deleted. In the case of foreign offences, data can be deleted 90 days after the demand is submitted. Officers can establish conditions around the preservation – such as preventing the TSP from disclosing that it has received a preservation demand – and can revoke such conditions at any time.

There are considerable costs associated with preservation demands. Data storage for large firms is expensive, even when they purchase redundant disk space in volume. Unlike a ‘regular’ customer, TSPs are unlikely to purchase hard drives from Futureshop or other popular computer retailer: to meet basic disaster management, recovery, and preservation requirements they will presumably adopt enterprise storage solutions. Such solutions are can be incredibly expensive, in terms of hardware, staff to manage the equipment, service and insurance fees, electrical and housing expenses, and so forth.

Almost unquestionably, C-30 will require TSPs to provision disks to be capable of interception, up the number of interceptions that are set down in the regulations that will follow the bill. Thus, even if TSPs are not actively intercepting/storing data right now, the potential capacity to store that data must exist. At the moment, the government is not specific about what amounts, or types, of data would be subject to intercept. Consequently, any company’s ability to cost potential expenses is nigh impossible: if a TSP is expected store up to 10% of their customers’ communications at any one time, and presently lack a short/medium-term enterprise storage solution that meets this criteria, then new storage solutions must be procured and deployed. Moreover, as more data transits through TSPs’ networks the potential capacity demands will proportionately increase, placing TSPs in a situation where increasing the subscriber base, and speeds of data transit, are accompanied by storage costs that have no inherent value for the company, save for complying with Canadian law.

The need to potentially store large quantities of consumer data, in an era where data usage is exploding, could place incredibly high costs on TSPs if they must maintain data storage capabilities. This said, the government might only be expecting an incredibly tiny number of interceptions at any one time; they might be imagining monitoring less than a hundredth of a percentage point of a TSP’s subscriber base at any particular time. Without knowing the specific interception requirements, or kinds/amounts of data that the government wants TSPs to store when served with a preservation demand, costing data storage expenses is practically impossible.

Existing Corporate Capacities

To evaluate how much interception equipment will cost TSPs depends on clarifying Bill C-30 to understand what the government wants, and doesn’t want, companies to do when intercepting material. Evaluating equipment costs also demands that we, or the government, account for TSPs’ existing interception equipment. Further, we must evaluate whether present equipment must be replaced or scaled to meet lawful access obligations. For large Canadian Internet service providers, it’s possible that they may not need to purchase additional interception equipment. This said, if new government regulations surrounding C-30 are more demanding than present capacities, then large ISPs may be forced to scale existing infrastructures or, if that isn’t possible, adopt new interception processes, practices, and technologies.

While equipment costs are one element of interception- and storage-related costs, we cannot forget that maintaining ‘ever-green’ interception capabilities will require technical training, policy evaluation, and new technologies as dominant data flows (e.g. social network traffic, encrypted and anonymized P2P, TOR traffic, etc) change. Depending on how onerous data flow isolation demands are, deep packet inspection equipment may be (effectively) mandated as a go-to surveillance technology, even for ISPs that have deliberately resisted installing the technologies to date. Even companies that have deployed deep packet inspection systems may need to expand their existing surveillance infrastructures if present capacities cannot intercept and mine the aggregate number of connections that are established, by regulation, after the legislation is passed.

All of this having been written, more than just ISPs may have obligations under by Bill C-30. Non-ISP TSPs may be faced with interception and storage related costs that exceed present demands from law enforcement, and these costs may be out of touch with TSPs’ business practices and models. As a result, services that are offered by TSPs may need to be retrofitted to enable interception and, depending on the nature of any such retrofits, costs may rapidly explode.

In aggregate, what this means is that costing Bill C-30 would require a total understanding of existing interception capacities, as they relate to the regulations that the government will establish following the passage of the Bill. Unless the government has silently canvassed all TSPs that operate in Canada, and has their regulations for the Bill already waiting in the wings, the government cannot legitimately cost out the actual interception costs because they do not comprehensively understand TSPs’ existing interception capacities.

Breadth of C-30

The proposed lawful access legislation threatens to impose surveillance obligations on a vast range of companies and services. TSPs are “a person that, independently or as part of a group or association, provides telecommunication services.” These services are “provided by means of telecommunications facilities” that the provider either “owns, leases or has any other interest in or right respecting the telecommunications facilities and any related equipment used to provide the service.” Such facilities route telecommunications data, which is itself defined as “data related to the telecommunications functions of dialling, routing, addressing or signalling that identifies or purports to identify the origin, type, direction, data, time, duration, size, destination or termination of a telecommunication generated or received by means of a telecommunications facility or the type of telecommunications service used.” Taken together, this will mean that Voice over Internet Protocol (VoIP), social networking services, and all other parties that offer telecommunications services to the public may constitute TSPs for the purposes of this legislation.

It remains unclear how fiercely the Canadian government will require foreign-run services to comply with Canadian law: will Skype need to comply with Canadian regulation? Facebook? The next-generation communications system/service that isn’t yet invented? Will failing to comply mean that the service/company is barred from doing business in Canada? We may discover that, in the regulations phase, certain services are more explicitly exempted or drawn into the framework of this legislation, but the challenge is predicting what might occur at that stage. As it stands, many companies will seemingly be affected by the legislation: how will the government address the almost-certain high levels of non-compliance?

Without fully accounting for who is(n’t) affected by obligations under C-30, it is functionally impossible to predict lawful access’ aggregated costs to businesses, the government, or Canadians. Unless the government has an internal memo stating who is, and isn’t, meant to be targeted by the legislation then it is dubious that any numbers presented by the government, today, are very accurate.

The Need for Clarity in the Legislation

Throughout this post the common thread has been a lack of clarity in the legislation. Canadians, and I strongly suspect the government, cannot evaluate the economic costs of this legislation until there is clear understanding of what are, and are not, the specific obligations imposed on specific industries/companies. Similarly, without knowing just how much data might have to be preserved at any time, the government and corporations cannot estimate the basic costs for data storage. It’s possible that estimated costs might be deferred somewhat because of existing, or latent, interception and storage capacities but if the government’s regulations exceed TSPs’ present interception capabilities then there will be minimal deferrals of cost. Finally, the very breadth of the legislation limits estimates of its fiscal costs.

Given the high levels of ambiguity surrounding the Canadian Government’s lawful access legislation, Canadians are right to be suspicious of the low figure of $80 million dollars. Costs will likely escalate, rapidly, though whether the government or corporations will pay for the heightened expenses is questionable. What isn’t questionable is that Canadians will have to, in aggregate, pay millions or billions of dollars to enhance existing government surveillance capabilities. Such costs are disproportionate with the need of the legislation and, quite likely, will hinder or limit innovation and corporate expansion in Canada.

I suspect that the legislation’s cost cannot be ‘simply’ narrowed to the dimensions of financial or civil rights implications within Canada: costs may also be born out in Canadian businesses’ basic capabilities to compete in a global marketplace, insofar as the government is imposing higher costs on businesses rather than trying to encourage business to move money into innovative ICT strategies that would showcase Canadian talent and expertise. If this is the Canadian digital economy strategy – to handicap Canadian businesses and encourage the adoption of revenue negative ICT surveillance technologies – then the Government of Canada’s legislation will likely hit the mark. If they aim for a different strategy then clarity must be brought to the legislation; such clarity should not be left to the regulation-setting phase of Bill C-30. The Canadian Government has yet to demonstrably provide data to Canadians that breaks down expected lawful access-related costs and we, as Canadian, have a right to know just how much our self-funded surveillance may actually cost us.

Christopher Parsons

I’m a Postdoctoral Fellow at the Citizen Lab in the Munk School of Global Affairs at the University of Toronto and a Principal at Block G Privacy and Security Consulting. My research interests focus on how privacy (particularly informational privacy, expressive privacy and accessibility privacy) is affected by digitally mediated surveillance and the normative implications that such surveillance has in (and on) contemporary Western political systems. I’m currently attending to a particular set of technologies that facilitate digitally mediated surveillance, including Deep Packet Inspection (DPI), behavioral advertising, and mobile device security. I try to think through how these technologies influence citizens in their decisions to openly express themselves or to engage in self-censoring behavior on a regular basis.