The Canadian Association of Chiefs of police is proposing a sweeping new encryption law. Photo: CC Yuri Samoilov.
Reading Time: 2 minutes

New law must also consider interconnectedness of modern-day Internet, passwords

The debate surrounding encryption is a complicated one, with a delicate balance having to be struck between giving police the tools to bring justice to criminals and protecting individual rights.

If we want our society to function well, we should want our police forces to have the tools that they need to solve crimes. In that arena, existing laws, especially those surrounding encryption, are being quickly out-paced by the spread of free and easy-to-use encryption programs like TOR.

While there is definitely a need for reform, a new law proposed by the Canadian Association of Chiefs of Police goes too far. The law would allow police, with the consent of a judge, to demand that people hand over their electronic passwords.

A report by the International Association of Chiefs of Police (IACP) notes that increased data collection abilities from access to encrypted communications would lower the rate of wrongful convictions.

However, because of the wide array of material a personal password can provide access to, this could also increase the amount of convictions on crimes outside the scope of the warrant.

If a judge allows police to search the phone of someone indirectly involved in a crime they may end up finding evidence of a completely different offence, even if that person was never arrested or even a suspect in that first crime.

This is especially problematic since Canada has laws to protect against self-incrimination.

Section 13 of the Charter of Rights and Freedom states that “A witness who testifies in any proceedings has the right not to have any incriminating evidence so given used to incriminate that witness in any other proceedings.” If we accept this when people are in court, then we should accept it in facets of everyday life as well.

Not only that, but if such a law were to exist, it would be nearly impossible to guarantee confidentiality in legitimate situations, such as journalists conferring with sources.

The IACP report also acknowledges that there is a “delicate balance that must be struck between protecting the communities they serve and safeguarding individual privacy rights.”

Despite this, even if permissions are granted selectively by a judge it will be nearly impossible to tell how far they will really go.

The nature of the Internet is that everything is connected. Gaining access to someone’s email also gets access to their social media, and who knows what other data, since email is often used as a backstop for lost passwords. You can also use Facebook to sign in to other websites, making your Facebook password your password for those sites as well.

Then there’s the simple fact that people are unoriginal, and often reuse passwords or make passwords similar to each other. Granting access to one password could naturally lead to access to other accounts in this way as well.

What this means is that even if a judge only grants police the right to demand a single password, that password could provide much more access than was originally intended.

While adapting police powers to modern technology is important, any law that does so would have to be much more judicious in the scope of personal information it would allow access to, especially in the case of citizens who are not even suspected of a crime.