Last week I released a new report, The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians, through the Telecommunications Transparency Project. The Project is associated with the Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs, University of Toronto, and the report was funded through the Canadian Internet Registration Authorities’s .CA Community Investment Program.
The report examines how contemporary telecommunications surveillance is governed in Canada. In it, we ask how much telecommunications surveillance is occurring in Canada, what actors are enabling the surveillance, to what degree those actors disclose their involvement in (and the magnitude of) surveillance, and what degree of oversight is given to the federal governments’ surveillance practices. We conclude that serious failures in transparency and accountability indicate that corporations are failing to manage Canadians’ personal information responsibly and that government irresponsibility surrounding accountability strains its credibility and aggravates citizens’ cynicism about the political process. In aggregate, these failings endanger both the development of Canada’s digital economy and aggravate the democratic deficit between citizens and their governments.
Key findings include:
- Canadian authorities have received expansive new powers, with more planned, that have increased authorities’ powers to conduct telecommunications surveillance. Moreover, the ‘official’ modes of surveillance (used by police and other domestic agencies to conduct surveillance) may soon be amplified should C-51 be passed into law and CSE consequently expands its domestic and foreign collaborations with CSIS
- Canadian telecommunications and government representatives work within international standards-setting forums to develop new modes of intercepting communications. Rogers Communications, in particular, has been involved in a European standards body (ETSI) and has proposed ways of defeating some forms of end-to-end encryption, discussed challenges of deploying a lawful-intercept compliant Dropbox competitor, and raised concerns about how Canadian lawful access legislation may force updates to how lawful interception is conceived
- Telecom companies’ transparency reports are a good, first, step but are lacking details needed to contextualize how often, and what kinds of, surveillance is being conducted on Canadians. Details on the kinds of legal requests (e.g. for interceptions, for stored data, etc), their annual totals, as well as subscribers affected must be added in future reports. Moreover, these companies must release information about how long they retain data as well as how they work with government to lawfully disclose Canadians’ telecommunications data to government agencies
- Federal government watchdogs – such as CSE’s oversight commission, CSIS’s review board (SIRC), and the Privacy Commissioner of Canada – are largely unable to assure Canadians that telecommunications surveillance is occurring lawfully. These agencies cannot effectively coordinate with one another, have stunted mandates, and are under resourced. These limitations are made worse by the fact that the annual interception reports tabled by federal and provincial governments are relics of the 1970s: they do not include the contemporary modes of surveillance that are most commonly used by government agencies and, in the case of provinces, are rarely placed online. Consequently it is almost impossible to know how many interceptions of government communications, let alone other kinds of telecommunications surveillance, take place annually in Canada
- The result of the large amount of surveillance, often authorized by secret regulation or enabled through largely closed-door standards negotiations, is that neither Canadians nor their elected representatives can effectively debate or raise questions about contemporary surveillance practices. Consequently, companies’ products may be treated with skepticism and, more significantly, the democratic deficit between citizens and their governments may broaden
The policy recommendations that conclude the report are focused around transparency, accountability, and effective oversight. Core recommendations include:
- Companies must enhance how they explain their data management practices. This includes more detailed transparency reporting that fixes the aforementioned deficits in current reports, as well as all companies actually releasing such reports
- Governments currently are not accountable for the surveillance their agencies conduct; statutory reporting of all modes of telecommunications surveillance should be passed into law, so that the interception reports meaningfully reflect today’s surveillance reality
- Institutions that are responsible for overseeing and reviewing contemporary government surveillance need expanded powers and mandates; they must be able to communicate and work with one another, be resourced (financially and legislatively) to investigate and enforce their recommendations, and a parliamentary committee should be struck that can compel review agencies to provide special reports on topics the committee believes are important. This latter recommendation would ensure that parliament – and the representatives of Canadians – actually know and can steer some of the surveillance activities undertaken by often-secretive agencies such as CSIS and CSE
Research for the report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” was funded through the Canadian Internet Registration Authority’s .CA Community Investment Program. Through the Community Investment Program, .CA funds projects that demonstrate the capacity to improve the Internet for all Canadians. The .CA team manages Canada’s country code top-level domain on behalf of all Canadians. A Member-driven organization, .CA represents the interests of Canada’s Internet community internationally.