Last week I, along with a collection of Canadian experts and civil liberties groups, sent letters to many of Canada’s leading telecommunications companies. Those letters ask the companies to explain why, how often, and under what conditions they provide information to government authorities. Such information is pressing given the routine reappearance of telecommunications surveillance legislation on the government’s Order Paper. Specifically, lawful access legislation has been introduced by successive federal governments, with the requested power extensions justified on grounds that authorities cannot effectively police online criminal behaviour, on grounds that telecommunications companies do not always provide subscriber information when government authorities request it, and on grounds that such legislation will prevent terrorism/serious crimes/kidnapping/pedophilia/cyber bullying.
Only with empirical data about how, and why, state authorities presently access telecommunications data will Canadians be able to knowledgeably ascertain whether these expanded state powers are needed. Moreover, with data in hand about companies’ disclosures of subscriber information consumers can make informed choices when choosing their telecommunications providers. Specifically, such information would let consumers compare companies’ privacy practices and choose companies’ services based on privacy (along with other consumer) grounds. While many have been supportive of this public letter initiative, almost all the people that I have spoken to about the letters have voiced their skepticism that the companies would be motivated to respond. I remain optimistic that the companies will respond to demonstrate their privacy bona fides and tell their side of the story. Moreover, the requests for information about how and why state agencies access telecommunications data have been amplified today from two different sources.
First, Charmaine Borg, the New Democratic Party Member of Parliament for the riding of Terrebonne—Blainville in Quebec, has introduced a series of questions to the federal government. The questions are meant to render transparent how federal agencies request information from telecommunications companies, with the questions being posed to specific agencies. The questions follow:
With regard to requests by government agencies to telecommunications service providers (TSP) to provide information about customers’ usage of communications devices and services: (a) in 2012 and 2013, how many such requests were made; (b) of the total referred to in (a), how many requests were made by (i) RCMP, (ii) Canadian Security Intelligence Service, (iii) Competition Bureau, (iv) Canada Revenue Agency, (v) Canada Border Services Agency, (vi) Communications Security Establishment Canada; (c) for the requests referred to in (a), how many of each of the following types of information were requested, (i) geolocation of device (broken down by real-time and historical data), (ii) call detail records (as obtained by number recorders or by disclosure of stored data), (iii) text message content, (iv) voicemail, (v) cell tower logs, (vi) real-time interception of communications (i.e. wire-tapping), (vii) subscriber information, (viii) transmission data (e.g. duration of interaction, port numbers, communications routing data, etc.), (ix) data requests (e.g. web sites visited, IP address logs), (x) any other kinds of data requests pertaining to the operation of TSPs’ networks and businesses, broken down by type; (d) for each of the request types referred to in (c), what are all of the data fields that are disclosed as part of responding to a request; (e) of the total referred to in (a), how many of the requests were made (i) for real-time disclosures, (ii) retroactively, for stored data, (iii) in exigent circumstances, (iv) in non-exigent circumstances, (v) subject to a court order; (f) of the total referred to in (a), (i) how many of the requests did TSPs fulfill, (ii) how many requests did they deny and for what reasons; (g) do the government agencies that request information from TSPs notify affected TSP subscribers that information pertaining to their telecommunications service has been accessed by the government, (i) if so, how many subscribers are notified per year, (ii) by which government agencies; (h) for each type of request referred to in (c), broken down by agency, (i) how long is the information obtained by such requests retained by government agencies, (ii) what is the average time period for which government agencies request such information (e.g. 35 days of records), (iii) what is the average amount of time that TSPs are provided to fulfil such requests, (iv) what is the average number of subscribers who have their information disclosed to government agencies; (i) what are the legal standards that agencies use to issue the requests for information referred to in (c); (j) how many times were the requests referred to in (c) based specifically on grounds of (i) terrorism, (ii) national security, (iii) foreign intelligence, (iv) child exploitation; (k) what is the maximum number of subscribers that TSPs are required by government agencies to monitor for each of the information types identified in (c); (l) has the government ever ordered (e.g. through ministerial authorization or a court order) the increase of one of the maximum numbers referred to in (k); (m) do TSPs ever refuse to comply with requests for information identified in (c) and, if so, (i) why were such requests refused, (ii) how do government agencies respond when a TSP refuses to comply; and (n) in 2012 and 2013, did government agencies provide money or other forms of compensation to TSPs in exchange for the information referred to in (a) and, if so, (i) how much money have government agencies paid, (ii) are there different levels of compensation for exigent or non-exigent requests?
Separate to the NDP, today the Federal Privacy Commissioner of Canada has proposed ways to reinforce privacy protections and oversight to account for existing deficiencies in how state security, policing, and intelligence agencies currently operate. As noted in her report, the Commissioner suggests that there should be:
public reporting on the use of various disclosure provisions under PIPEDA where private-sector entities such as telecommunications companies release personal information to national security entities without court oversight.
In effect, the Office is calling for a (minimal) kind of transparency report: when a court does not oversee the voluntary or administrative disclosure of information from telecommunications service providers to government agencies, then those requests should be recorded and provided as a matter of public record. Currently there are regular ‘lawful disclosures’ of information from telecommunications service providers to state agencies but without clear guidance on just how much information is disclosed or the reason(s) for each of the disclosures. It is possible that other mechanisms, perhaps for the purposes of national security, also exist to encourage telecommunications service providers to disclose subscriber information to government agencies. While the Privacy Commissioner’s suggestion is more limited in scope than the questions that I and others included in our letters to telecommunications service providers, and more constrained even than the questions issued by MP Borg, they are nevertheless another indication that information about how, when, and under what conditions service providers disclose information to state authorities is highly sought after.
In aggregate, then, I think that we can say that there are more and more calls for service providers and government to help Canadians understand the conditions under which, and regularity at which, they disclose information to state authorities. And there is so little aggregate information that researchers, civil liberties advocates, motivated Parliamentarians, and independent Federal Commissioners are all asking for similar or related information. The recurrence of such requests indicates a real appetite for empirical data about how, when, why, and how much subscriber information is transferred from private telecommunications companies to federal agencies. Hopefully between calls on government and questions posed to telecommunications companies, Canadians from all walks of life will soon be better situated to understand the current dimensions of state access to, and use of, the information that is collected, processed, and stored by Canadian telecommunications companies. And, with such information in hand, Canadians will be able to make better decisions as citizens, when choosing to support or reject calls for expanded state surveillance, and as consumers, when choosing a telecommunications service provider that best aligns with their own understandings and expectations of privacy.
- Note that I have expanded the questions, into a more vertical list, to improve readability. No other changes were made to the text. ↩
- Office of the Privacy Commissioner of Canada. (2014). “Special Report to Parliament – Checks and Controls: Reinforcing PRivacy Protection and Oversight for the Canadian intelligence Community in an Era of Cyber-surveillance,” Office of the Privacy Commissioner of Canada, January 28, 2014, accessed January 28, 2014, http://www.priv.gc.ca/information/sr-rs/201314/sr_cic_e.pdf. ↩