Industry Canada has published guidelines for telecommunications companies to provide transparency reports. The guidelines are ostensibly meant to help companies that want to disclose the regularity, rationale, and extent of Canadian governmental requests for private telecommunications data. The guidelines may actually, however, establish government-sanctioned flaws in transparency reporting and prevent companies from meaningfully informing their customers about government telecommunications surveillance.
We begin this post by briefly summarizing the importance and value of transparency reporting and why Canadian companies should adopt and publish transparency reports. Second, we outline how Industry Canada’s guidelines may enhance transparency reporting. Third, we summarize the significant deficits linked to the guidelines and conclude by discussing how the guidelines could be improved to bring about meaningful and holistic corporate telecommunications transparency reporting.
Background to Transparency Reporting
We discussed the importance of transparency reporting in our recent report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians.” Transparency reporting involves companies publicly disclosing data that holds a public interest; telecommunications transparency reports are generally meant to provide complex information in an accessible and factual manner so that subscribers can subsequently make reasonable judgements based on the disclosures. Canadian telecommunications transparency reports have largely focused on policing and security issues to date, and have been released by Rogers, TELUS, Sasktel, TekSavvy, MTS Allstream, and Wind Mobile.
The Citizen Lab and the Telecom Transparency Project have actively encouraged telecommunications companies to release transparency reports. Together, these organizations have written public letters to telecommunications service providers, developed and launched a tool so that Canadians can learn about providers’ data retention and disclosure policies, conducted interviews concerning transparency and surveillance issues in Canada, and filed access to information and privacy requests to understand government surveillance practices. The result of our efforts to date are captured in a report that we released in June 2015, as are a series of recommendations for how members of the telecommunications industry could improve their transparency reports. In the following sections we examine the extent to which Industry Canada’s recently issued guidance aligns with our policy recommendations.
In our report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” we discussed the regularity at which government agencies gain access to telecommunications data. Save for the Canadian Border Services Agency, federal government agencies that are principally responsible for conducting domestic telecommunications surveillance, such as the Royal Canadian Mounted Police, could not account for how often they use their surveillance powers.
In the course of investigating government access to telecommunications data we also contacted regional policing departments. This post expands on findings we provided in our report to discuss, in depth, the data provided by responsive police departments. We conclude by asserting that new legislation must be introduced and passed so that Canadians become aware of the magnitude of contemporary telecommunications surveillance that policing organizations are involved in on a yearly basis.
Requests to Police Departments
We filed requests to Canadian police departments to determine how often individual departments were exercising telecommunications surveillance powers. Though our report principally focused on federal government agencies’ surveillance, we had hoped to effectively juxtapose provincial/municipal telecommunications surveillance against their federal brethren. We ultimately decided to not conduct a detailed juxtaposition in the report because an insufficient number of police departments responded to our legally-binding requests for access to government data in time for publication.
We filed requests for information to police departments operating in Nova Scotia, Ontario, Alberta, and British Columbia. These requests identified the provincial statutes we were relying on to request information. We paid fees to the various police departments to initiate the processing of the requests. The only two police departments that were responsive to our requests were the Halifax and Vancouver police departments. The most notable non-responsive departments police the cities of Calgary and Toronto.
Red en Defensa de los Derechos Digitales (R3D) has released a report that compares Mexican ISPs’ transparency and privacy practices. The work parallels the Karisma Foundation’s report about Columbian ISPs’ transparency and privacy practices; both the Mexican and Columbian organizations’ reports are based on the Electronic Frontier Foundation’s “Who Has Your Back” reporting format. The format is designed to visually summarize the practices taken by Internet companies so that end-users can easily evaluate how companies protect their users.
This post briefly summarizes R3D’s findings and then proceeds to discuss whether Mexican companies’ transparency report genuinely enable corporate accountability. Based on academic literatures, a strong argument can be made that the aggregated Mexican transparency report that have been issued by the Mexican telecommunications companies does not make the companies particularly accountable to their customers. The post concludes by raising questions about the status of third-party comparisons of corporate privacy and transparency practices: why are intermediaries like R3D, Karisma Foundation, Electronic Frontier Foundation, or IX Maps so important? And what are the deficits of contemporary comparisons of corporate transparency and privacy practices?
Summary of R3D Findings
RD3’s report examines privacy policies and codes of practices from the eight Mexican telecommunications companies that, in aggregate, compose 98% of Mexico’s mobile, fixed line, and broadband markets. Out of a possible six ‘stars’ only one company (Movistar) received two stars (the most of any company); half for requiring a warrant for data requests, half for publishing a transparency report, and a full star for advocating for privacy. The worst company, Megacable, received just a half-star for requiring a warrant for data requests.
Companies could receive either a full star, half-star, quarter-star or no star in each of the categories that are noted in Figure One. The evaluation criteria for receiving these grades follows the figure.