Last month I, along with a series of academic researchers and civil liberties organizations, asked Canada’s leading Telecommunications Services Providers (TSPs) to disclose how, why, and how often they provide telecommunications information pertaining to their subscribers to state agencies. We received responses from ten of sixteen companies a little over a month later. Many of the companies steadfastly refused to provide any information beyond assertions that they protected Canadians’ privacy, that they were largely prohibited from providing any specific information because of national security or confidentiality of investigative techniques reasons, and that the signatories to the letter would be better suited contacting the government directly.
Less directly, I’ve heard from a series of high-profile figures in Canada’s telecommunications industry and national security community. Some figures in the telecommunications industry expressed concern about Canadians’ privacy but indicated that they lacked the time, inclination, resources, or sufficient buy-in to ascertain what they could do to render their companies’ practices more transparent. TELUS is on record as stating they would “request the Government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency.” Members of the national security community worried about enhancing Canadians’ trust in what they do, but remained uncertain about what they could specifically recommend to their peers. Almost all the people I’ve spoken with have indicated that they would appreciate some kind of practical ‘here’s what could be done’ document that they could use to develop an internal business case for an expanded transparency regime.
This post offers some guidance for how companies can improve their transparency practices, along with why particular proposals should be adopted. Specifically, I identify three things that companies do in the order of least to most challenging tasks. They could disclose data retention periods, make their lawful access handbooks available to the public, and produce full-bodied transparency reports. Critically, the first two of these proposals would just require publicizing documentation that Canada’s TSPs already retain. After outlining all three proposals, I conclude by explaining why corporate transparency needs to be complemented by government accountability.
Disclosure of Data Retention Periods
Canadians rely on their telecommunications providers for many facets of their daily lives. They place phone call, listen to voicemails, send text messages, find their location using GPS and proximity to wifi access points and cellular towers, browse the Web and access Internet services more generally, and are engaged in ongoing business relationships with their wired and wireless TSPs. As a result of these transactions, TSPs are in a situation to know an awful lot about Canadians, though few Canadians outside of select TSP employees are fully aware of just how much is known or retained about Canadians’ telecommunications activities. I propose that TSPs should expand who is aware of retention periods to include all Canadians.
Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), corporations are expected to limit use, disclosure, and retention of personal information (Principle 5) and be open about their practices and policies “relating to the management of personal information” (Principle 8). Moreover, upon request “an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.” Combined, these principles lay down a powerful rationale for why companies should proactively outline the length of time that they retain subscribers’ telecommunications information: because their subscribers can already ask about retention periods related to their own personal information, and once asked the companies are legally expected to provide a definitive response. All companies that responded to our letters indicated strong support of Canada’s privacy laws: it shouldn’t be too much for them to demonstrate this by actually adhering to PIPEDA’s core principles.
Beyond demonstrating their compliance to the full spirit and intention of PIPEDA, TSPs might be motivated to publish their retention periods to avoid the more hostile press responses that might follow from subscribers en masse asking about TSPs’ retention periods. By outlining how long data is retained companies can explain and justify, on their own terms, why they retain data for as long as they do. Thus, they might explain that the retention of SMS messages or extensive call logs is to identify fraud, or that retained mobile location information captured by cell towers is used for capital investment analysis. If, however, retention periods are only unearthed following subscribers exercising their rights then any subsequent coverage of corporate data retention periods might be less positive and more challenging for TSPs to shape.
Publish Government Access Handbooks
Law enforcement agencies will sometimes turn to TSPs in the course of an investigation. Companies in the United States and Canada alike have, in turn, developed policies that inform how corporate officers will respond to these agencies’ requests. In the United States more and more companies are proactively publishing their law enforcement access handbooks for a pair of reasons: first, because disclosing the information prevents journalists from turning an errantly disclosed guide into an embarrassing story or article; second, because publishing these handbooks proves to the public that there is a routine and diligent process for handling government requests.
Canadian companies already have processes and policies to respond to state agencies’ requests. Bell Canada, in particular, has led the way to standardize voluntary requests for subscriber data while also establishing an internal group that exclusively deals with lawful access requests. Other companies, privately, admit to also having policies to respond to governmental requests. A good government access handbook would include the following kinds of information:
- How is a data request served to the company? Can a request be emailed, faxed, or must it be mailed or couriered?
- What kinds of data requests can be made (e.g. voluntary, formal requests, emergency requests)? What are the requirements to fill each kind of request; is specific information required of the requesting party before the company can process a voluntary, versus formal, versus emergency request for data? Does the company distinguish between public and non-public information about its subscribers or subscribers’ activities and, if so, how?
- What information must be included when making a data request for a particular subscriber’s information? Are different kinds of information required for different kinds of requests (e.g. phone numbers for some requests, email addresses for others, and IP addresses for yet other kinds of requests)?
- What contact information must a government authority provide in order to submit a request? Are badge numbers, agency phone numbers or email addresses, or mailing information required?
- What information might be disclosed in relation to the request-types the company identified in (2)? Such disclosures might be categorized according to voluntary, formal, or emergency requests, or based on specific kinds of requests the company has received in the past.
- Does the company notify its customers after their data is requested by, or disclosed to, a state agency? And if normal practice is to notify members, under what conditions does the company waive this policy?
- How does the company respond to international requests for information? Are there particular policies or practices that must be met before the company will disclose information to foreign government agencies?
- What should a government agency do if it has an emergency/exigent request for data? Is there a specific company form that must be filled out before the company can fulfil such a request?
- How long does it take the company to respond to each type of request? Are there limitations to the company’s capacity to respond to requests? Are there ways of accelerating disclosure periods?
- Is there a cost incurred by a government agency when the company responds to a data disclosure request? Are such costs incurred regardless of whether pertinent information is found in the company’s databases? What are the costs that government agencies can expect to incur?
Any guide that responded to the above questions would clarify to state agencies, corporate customers, and service subscribers alike what procedures and policies are in place to respond to government requests for subscriber-related telecommunications data. Many of Canada’s telecommunications companies have pre-existing policies and handbooks that are meant to standardize government access to the company’s data. By publicizing the corporate handbook customers will better understand how the company complies with both social norms (e.g. voluntary disclosure of subscriber data in specific cases) and legal requirements (e.g. a warrant or other court order is required to access certain kinds of telecommunications information). Revealing how these companies operate would also exhibit their commitment to the PIPEDA principle of openness because subscribers would better understand how the company manages customer and customer-related information.
Develop a Transparency Report
Transparency reports are being adopted by American and international telecommunications companies. Companies such as AT&T, Verizon, Sonic.net, and Telstra already publish such reports, and Vodafone is slated to soon begin issuing transparency reports. In addition to traditional wireline and wireless companies, ‘Internet-first’ companies like Google, Dropbox, Facebook, LinkedIn, and others also publish reports that identify why and how often state agencies request access to telecommunications data pertaining to companies’ subscribers. In most of the companies’ cases, their reports have either evolved, or are expected to evolve, as they refine their internal reporting mechanisms and as courts or governments expand the range and specificity of data that can be publicly disclosed. Ideally, any transparency report includes information that helps people who read the report to understand the conditions attached to third-parties accessing the data in question.
In terms of specific data disclosed, a Canadian transparency report might be divided between federal and non-federal agency requests for subscriber-related information. A company might also have a separate table that identified attempts by to access telecommunications data as part of civil cases. Table One gives an example of what kind of information a Canadian TSP transparency report might include.
[table caption=”Table One: Federal Requests” tablesorter=”0″]
Request Type, # Government Requests, # Accounts Requested, # Emergency Requests, # Voluntary Requests, # Court Order Requests, # Warrants
Device geolocation, “”,””,””,””,””,””
Call detail records, “”,””,””,””,””,””
Cell tower logs, “”,””,””,””,””,””
Subscriber information, “”,””,””,””,””,””
[table caption=”Table One: Federal Requests (Con’t)” tablesorter=”0″]
Request Type, # Requests Refused, # Requests Partially Filled, # Requests Fully Filled, # Requests of Metadata Records, # Requests for Content, # Requests for Real time Data, # Requests for Retroactive Data
Device geolocation, “”,””,””,””,””,””,””
Call detail records, “”,””,””,””,””,””,””
Cell tower logs, “”,””,””,””,””,””,””
Subscriber information, “”,””,””,””,””,””,””
Below the table, a company could then discuss or explain:
- kinds of reasons for not responding to state agencies’ requests for information
- why there might be variation between the number of requests versus the number of accounts that are affected
- whether the company notified customers following a government request for information
- descriptions of the kinds of data requests, and the conditions that must generally be met before the company discloses such data
Tables similar to Table One, with similar discussions or explanations following the table, could be developed for provincial agencies requests for information, as well as for requests for data emerging from civil cases.
The transparency report could also include information about how long the company chooses to retain a variety of data-types (which would be derived from the first proposal I offered, the publication of data retention periods). Moreover, a rationale might be provided to describe whether and, if so why, data retention periods had changed since the last transparency report was issued. Table Two gives an example of how data retention periods might be publicized.
[table caption=”Table Two: Data Retention Periods” tablesorter=”0″]
Type of Data, Retention Period, Rationale for Retention Period
Call detail records,””,””
Cell tower logs,””,””
There is room for further growth of these kinds of transparency reports. Details about whether non-Canadian organizations sought (and received) access to telecommunications data, how many requests were issued on national security grounds, the numbers of inappropriate requests made, costs of fulfilling requests, average times to respond to requests, and full range of data fields associated with different record-types could also be included in a maximally robust transparency report. Nevertheless, even absent this expanded range of information, the more limited data noted in tables one and two would help to clarify the extent to which telecommunications companies provide information to Canadian state agencies.
Corporate Transparency is Not Enough
To be clear, companies are not presently under a legal obligation to publicly publish their data retention periods, publish lawful access handbooks, or produce transparency reports. However, challenges or questions put to various federal institutions might ultimately compel companies to more holistically explain how they manage their customers’ personal information and, in the process, incite or compel companies to provide the information denoted at least the first two proposals I’ve outlined. The point of each of these proposals, ultimately, is to help consumers better understand how their personal information is safeguarded and handled; at this point, consumers simply do not understand even the most basic contours of how such data is managed.
Increased corporate transparency is not, however, a panacea to understanding the full range of state agencies’ surveillance practices. Whereas corporate transparency offers a degree of insight into existing government practices the core value is empowering individuals to understand how and why their personal data is managed. To this end, government accountability is also needed: government agencies should be expected to produce yearly reports to their respective legislative bodies (Parliament or provincial Legislative Assemblies) that identify the extent to which they are requesting, and receiving access to, Canadians’ telecommunications records. In subsequent work, I will propose some ways that governments can also improve their accountability to the Canadian public concerning government access to telecommunications data.
Ultimately, Canadians are reliant on TSPs to conduct a significant amounts of their daily lives. And companies are already obligated to either disclose some data to subscribers upon request (e.g. retention periods) and maintain internal records concerning business practice-related policies (e.g. government access handbooks). Following through on public commitments to Canadians’ privacy, and working to adhere to industry best practices, should also compel Canadian TSPs to develop transparency reports voluntarily, rather than waiting for damaging information to harm their brands and thus incite the development of such reports. Canadian TSPs have the opportunity to demonstrate they are genuinely concerned about Canadians’ privacy. It’s long past time for them to act.