The issue of lawful access has repeatedly arisen on the Canadian federal agenda. Every time that the legislation has been introduced, Canadians have opposed the notion of authorities gaining warrantless access to subscriber data, to the point where the most recent version of the lawful access legislation dropped this provision. It would seem, however, that the real motivation for dropping the provision may follow from the facts on the ground: Canadian authorities already routinely and massively collect subscriber data without significant pushback by Canada’s service providers. And whereas the prior iteration of the lawful access legislation (i.e. C–30) would have required authorities to report on their access to this data, the current iteration of the legislation (i.e. C–13) lacks this accountability safeguard.
In March 2014, MP Charmaine Borg received responses from federal agencies (.pdf) concerning the agencies’ requests for subscriber-related information from telecommunications service providers (TSPs). Those responses demonstrate extensive and unaccountable federal government surveillance of Canadians. I begin this post by discussing the political significance of MP Borg’s questions and then proceed to granularly identify major findings from the federal agencies’ respective responses. After providing these empirical details and discussing their significance, I conclude by arguing that the ‘subscriber information loophole’ urgently needs to be closed and that federal agencies must be made accountable to their masters, the Canadian public.
MP Borg’s Questions
In January 2014 I, along with a series of other academics and civil liberties groups, issued a set of letters to Canada’s largest telecommunications service providers. We asked how, why, and how often government authorities requested access to information about the providers’ subscribers. Shortly after we published our letters MP Charmaine Borg placed a series of questions on the Order Paper. MP Borg’s questions complemented those that were sent to service providers; she asked the federal government to disclose how, why, and how often federal agencies accessed telecommunications data pertaining to Canadians. Moreover, these institutions were legally compelled to provide her with responses.
The questions that she asked are of critical importance. They represent the first time that a Member of Parliament has so comprehensively and publicly requested detailed procedural and technical information concerning the scope of federal government surveillance. Importantly, many of the kinds of surveillance activities she requested information about are outside of statutory reporting requirements: as a result, government agencies are not typically required to report many of these surveillance activities to the public. By directing her questions to the government it should now be easier for Parliamentary and independent policy analysts/researchers to triangulate subsequent investigations: we now know which agencies to target with access to information requests, the kinds of specific (additional) data that would be helpful, and so forth.
Perhaps most importantly, MP Borg’s questions demonstrate a genuine interest in the details of the federal government’s surveillance practices, and she has elicited responses from agencies that are traditionally silent about their warrant-based and warrantless access to telecommunications data. We also learn, in detail, that some federal agencies are unwilling to provide her with basic information either on the basis that they cannot (because they lack a sufficient internal accountability culture) or because they will not (perhaps because revealing even partial data would indicate the massive and warrantless collection of Canadians’ personal information, or because they believe Parliamentarians need not be replied to). Each of these rationales is deeply concerning because each suggests a lack of agency accountability to Parliament and Canadians alike.
Of note, while MP Borg directed her questions at only four federal agencies – CBSA, CSIS, CSEC, and the RCMP – the government provided responses from a significantly wider range of agencies. The result is that there are a number of agencies that indicate they never request access to telecommunications service provider data, some that simply stated they did not make requests during the period of time MP Borg inquired about, and others that do regularly request information from telecommunications service providers.
The government’s responses to MP Borg’s questions were returned on March 24, 2014. In what follows I identify the major findings from these responses. I first discuss the Communications Security Establishment Canada (CSEC), Canadian Security Intelligence Service (CSIS), Royal Canadian Mounted Police (RCMP), and Canadian Border Service Agency (CBSA). These agencies provided particularly valuable information in response to MP Borg’s questions. I then move to discuss some of the ‘minor findings’ related to the Canadian Revenue Agency (CRA), Competition Bureau, Statistics Canada, and the Transportation Safety Board (TSB).
Communications Security Establishment Canada (CSEC)
CSEC stated that it is prohibited from targeting Canadians but that, as part of its mandate to provide assistance to domestic authorities (under its ‘mandate (c)’), it is authorized to, upon request, “lawfully assist and act as an agent of a federal law enforcement or security agency as part of its mandate and, when doing so, is subject to the legal restrictions, instructions, and direction placed on the requesting agency, such as a court warrant.” In the course of providing such assistance it is possible that CSEC may request access to subscriber data or other telecommunications data pertaining to Canadians.
Based on documents previously received through Access to Information, we can infer that historically CSEC would conduct actions under its foreign intelligence mandate (mandate (a)) to collect information about Canadians; today, the nature of this collection process has been inhibited in some manner (the full restrictions are redacted). It seems as though the shift was principally in which mandate was used to justify the collection of Canadians’ information; Craig Forcese writes that:
we don’t know is what exactly CSEC did under Mandate A that should have been done (in the commissioner’s eyes) under Mandate C. One suspects that if the Commissioner concluded that Mandate A was inapplicable, this was not about collection of foreign intelligence. And so did this cooperation involve direct intercepts of Canadian targets – something that CSEC can do as a proxy for RCMP or CSIS? If it did, did an RCMP or CSIS warrant undergird that collection? If not, is it because even when it comes to domestic metadata collection, the government’s lawyers take the view that no warrant is required? Extrapolating from prior government positions on lawful access reform, warrantless intercept of domestic metadata would not be an uncharacteristic position for the government to take. These are questions of enormous public interest – and hardly the stuff that deserves the heady protection of secrecy law.
What Forcese and other commentators have picked up on is the relative ambiguity concerning CSEC’s collection of information about Canadians. CSEC’s response to MP Borg’s questions largely consists of the Establishment’s well-known talking points. As a result, the full range of what CSEC ‘assistance’ entails remains unclear, which means we cannot know the extent to which CSEC deliberately accesses Canadians’ telecommunications information, how long it retains such information, whether it enjoys close co-operation with Canada’s telecommunications service providers, how it handles information it collects about Canadians, or whether it pays telecommunications companies for access to such information.
Canadian Security Intelligence Service (CSIS)
CSIS largely declined to respond to MP Borg’s very specific questions on the grounds that the Service is legally prohibited from disclosing information about its actions. Specifically, CSIS based its refusals on Section 19 of the CSIS Act. Section 19(1) and 19(2) state that:
- (1) Information obtained in the performance of the duties and functions of the Service under this Act shall not be disclosed by the Service except in accordance with this section.
- (2) The Service may disclose information referred to in subsection (1) for the purposes of the performance of its duties and functions under this Act or the administration or enforcement of this Act or as required by any other law and may also disclose such information. (emphasis added)
In making its argument against disclosure of information, the Service is asserting that questions set on the Order Paper by Parliamentarians fall outside the scope of Section 19(2), despite federal agencies being legally compelled to respond to such questions. This leaves open the question of how, specifically, CSIS differentiates between different legal requirements to respond: if a Parliamentarian’s questions do not need to be answered, then what specific laws might compel the Service to explain and rationalize the information it collects in the performance of its duties and functions?
Despite CSIS’s unwillingness to broadly respond to the MP’s questions, we did learn that the Service contributes to the development of “technical solutions” that facilitate the Service’s wiretap capabilities. Left unstated are the extents to which CSIS partners with telecommunications service providers, international standards bodies, router or telephone vendors, or other parties to develop these solutions. Moreover, while CSIS ‘contributes’ to the development of these tools we do not know if it absorbs the full costs of these technical innovations or whether Canadian TSPs must also shoulder a portion of the costs.
Royal Canadian Mounted Police (RCMP)
Despite law enforcement groups such as the Canadian Association of Chiefs of Police and RCMP historically stating that lawful access legislation is needed, and despite pressure to aggregate statistics indicating a low rate of compliance by telecommunications service providers in responding to authorities’ requests for information, the RCMP persistently failed to respond to MP Borg’s questions. The Mounties rationalized their non-responses on grounds that they do “not maintain a centralized data repository that would allow it to determine the total number of requests to telecommunications service providers for customers’ usage of communications devices and services.” Moreover, while some of this information is collected “when requested to do so, through Access to Information Requests, the Office of the Privacy Commissioner, the federal Minister of Public Safety, and provincial authorities such as attorneys-general” the RCMP failed to provide such information to the Member of Parliament. This is particularly disappointing given that, as of 2010, the RCMP claimed to have a reporting tool meant to capture subscriber data requests. Based on an ATIP in 2011, we know that the RCMP made at least 28,143 requests for basic subscriber information in 2010 but, apparently, could not provide equivalent information to the MP.
We also learn that the RCMP cannot explain the kinds of data fields that are disclosed by telecommunications or Internet service providers on the basis that the fields vary “from request to request based on several factors, such as the specific information requested via judicial authorization, or the information held by the provider.” It should be noted that the MP asked the RCMP to specifically identify the kinds of fields disclosed for unique kinds of access requests: the RCMP, instead of providing her with a clear and direct response, refused to differentiate and respond to her questions in the manner she outlined.
Unsurprisingly, the RCMP did collect ‘basic subscriber information’ during the period that MP Borg inquired about. The RCMP “does not notify persons impacted” unless “through the Crown’s obligation to disclose when the investigation results in prosecution.” Despite collecting subscriber records, however, the RCMP only reports on the number of wiretaps it conducts each year. The Mounties decline to provide such information concerning surveillance activities beyond those it is statutorily required to report on. Given that partial numbers from 2010 revealed 28,143 requests for such subscriber information it’s a reasonable inference that tens and tens of thousands of Canadians are having their information disclosed to the RCMP each year without Canadians ever realizing they have somehow fallen under the RCMP’s suspicion.
Curiously, the RCMP maintains that “[t]here is no set maximum number of subscribers that service providers are required to monitor.” Documents that were received under Access to Information reveal that the government previously planned to establish global maximums on the number of communications that a service provider would have to be able to intercept at any given time. In contrast with the RCMP’s statements, it is unclear whether such regulations that followed from the passage of lawful access legislation would restrict the number of intercepts or if it is already widely understood that regardless of what is described in regulations, there will practically be an unfettered ability to activate a limitless number of wiretaps in Canada.
The final major finding is that there is a common cost schedule for accessing basic subscriber information: such information costs $1.00–3.00 per request. However, for all other kinds of requests for information there is “no standard payment schedule” because “compensation may vary from provider to provider based on a number of factors such as the complexity of the request and the service providers’ network architecture.” This does suggest that the RCMP is paying for TSPs to conduct other forms of surveillance and indicates that more information might be disclosed by ATIPs that ask each RCMP division how much they are respectively paying TSPs for surveillance services. Ultimately, however, the RCMP does not keep a central repository – or, it would seem, have the ability to contact its various provincial divisions using telecommunications services – that would capture how much it is paying service providers to conduct surveillance on Canadians.
Canadian Border Services Agency (CBSA)
Of all of the responsive agencies, CBSA provided the most detail concerning their access to Canadians’ information that is held by telecommunications service providers. The Agency made a total of 18,849 requests for information; none were for real-time access to data and thus would not be reported in a government wiretap report. Only 25 requests were denied on the basis of the phone numbers no longer being active or having been ported to another TSP, on the basis that the number was forwarded, or on the basis of ‘other reasons’. Moreover, of the total number of requests, 18,729 were for ‘basic subscriber information’. The full numbers and definitions of these kinds of data are outlined below:
Like all other respondents, the CBSA does not proactively notify individuals who have had their information accessed unless legally required to do so. As a result, “an individual may become aware” that a TSP has disclosed their information to CBSA “if enforcement action is taken against that person and data provided by the TSP is used as evidence in support of charges.” Of the 18,729 individuals who had their information accessed by CBSA only 17 were notified.
When requesting subscriber information, TSPs generally provide responses to CBSA within 2–3 days and at a cost of $1.00-$3.00 a record. Exigent requests for this information can cost between $1.00-$10.00 a record. Refusals to provide this information manifest if the subscriber does not publicly list their telephone number(s); in such cases, CBSA may seek a warrant to compel the disclosure of the information. The CBSA did not indicate whether it pays for access to non-subscriber information data.
There were four other federal agencies of note that access telecommunications subscriber data: the Canadian Revenue Agency (CRA), Statistics Canada, Competition Bureau, and the Transportation Safety Board (TSB). The CRA stated that:
If there have been any instances where such requests [for telecommunications subscriber data] have been made, the CRA does not track this activity in its systems, such that a response could be provided in the manner outlined in the question. To provide a detailed response in the manner requested would require a manual search of a significant amount of data that could not be completed in the time allotted for the provision of responses under Standing Order 39(5)(a).
In effect, this response suggests that CRA might access Canadians’ telecommunications data through warrantless or court-ordered processes, but that the Agency cannot reveal its actions to the Parliamentarian. It remains unclear whether the “significant amount of data” refers to a general breadth of information that is held by the federal agency or whether, instead, it indicates that CRA so prolifically accesses Canadians’ telecommunications data that parsing it would be an overly onerous task.
In the case of Statistics Canada, the agency collects information about how Canadians use telecommunications services; there were 208 requests for aggregated information between April 1, 2012 and March 31, 2013. Beyond aggregated subscriber information (e.g. number of residential subscribers, long distance minutes, mobile minutes used) the agency also collects information about telecommunications service providers’ networks and businesses. This latter kind of information included operating revenues by type of service, details of the makeup of revenues, operating expenses and salaries and wages, fixed assets and capital expenditures, as well as information about plans and phone use. Canada’s service providers fulfilled requests for aggregated information 190 times and failed to do so 18 times.
When it came to the Competition Bureau, we learn that it does not access telecommunications service provider data in any of the ways outlined in MP Borg’s questions. Instead, the Bureau seems to have solely accessed “the Bell Canada Law Enforcement Database twenty times in the fiscal year 2012–13.” It is unclear what constitutes an ‘access’, how many subscribers might have been affected, what data fields are accessible, whether data is retained by the Competition Bureau, or the conditions Bell Canada places upon access to this database. Of note, no other federal agency that responded to MP Borg’s questions referenced the Bell Law Enforcement Database, or the database of any other major telecommunications service provider. It’s not clear whether the Competition Bureau simply named the Bell database whereas other agencies provided information derived from accessing the Bell or corresponding other industry law enforcement databases, or whether the Competition Bureau has access to a unique kind of portal.
In contrast to the CRA and Competition Bureau, more expansive responses were issued by the Transportation Safety Board (TSB). The TSB estimates that it makes 8–12 requests for telecommunications data each year and that such requests may include information about device geolocation history, call detail records, text message content, voicemail, subscriber information, transmission data (e.g. duration of interactions, port numbers, communications routing data), and data requests (e.g. web sites visited, IP address logs). Such data is accessed in the course of investigating safety incidents, and usually entails data “specific to the date of the occurrence, or the 72 hours leading up to the occurrence.” Like other organizations, the TSB does not have a formal process in place to notify individuals that their subscriber data has been accessed. Unlike other agencies, TSB does not provide any kind of compensation to telecommunications service providers to access the providers’ data.
Urgent Need for Government Accountability
A considerable amount of previously-undisclosed information is on the record as a result of MP Borg’s questions. She has done a considerable service to Parliament and Canadians more generally in extracting details concerning often-unaccountable governmental surveillance operations. In the process it has become evident that Canada’s premier federal law enforcement agency, the RCMP, cannot account for how often it collects Canadians’ personal information without a warrant, the amount of money it spends on such warrantless access, or even the data fields that it routinely collects in the course of its investigations. This suggests that the Mounties are either unable to account for their own funds or are unable to get their divisions to comply with reporting requirements. Alternately, it may indicate that the RCMP is unwilling to either account for their spending of public money or the numbers of times that they access Canadians’ personal information. Each of these conclusions speaks poorly about the state of affairs within this federal agency.
In turning to CSIS, we see that the Service has a highly specific understanding of what laws compel it to disclose information about its practices and collection of Canadians’ personal information. The Service failed to provide a rationale to MP Borg as to why, specifically, questions placed on the Parliamentary Order Paper are insufficient to compel a meaningful response: to whom, specifically, would CSIS provide this information? And under what laws? If the Service is unaccountable to Parliamentarians then who, specifically, does it hold itself genuinely accountable to?
While CBSA is attracting headlines from major presses and by academics, the federal agency is to be congratulated in its accountability. While Canadians can agree or disagree about the appropriateness of the Agency’s warrantless access to Canadians’ personal information it is clear that the Agency maintains an internal culture of accountability. It can provide information on how many times it requests subscriber data and other forms of telecommunications information, explain the kinds of data that are included as part of each of these requests, and provide granular analyses of how long data is retained and how long it takes for TSPs to provide it. Of all the agencies contacted that are involved in the collection of TSP information the CBSA stands out as both the most accountable to Parliament and capable of responding as asked. CBSA should not stand as the pariah amongst the federal agencies but as the model of what other agencies ought to be capable of reporting. Ideally CBSA would go further and publicly provide these statistics without first being prompted, and notify individuals when their subscriber information is accessed. Regardless, it is clear that CBSA took MP Borg’s questions seriously.
What is apparent from reading all of these federal agencies’ responses is that many of them are massively accessing Canadians’ subscriber information. We still don’t understand what motivates these requests or where ‘seed identifiers’ come from: does CBSA, for example request subscriber information after seizing a person’s laptop or cellphone at the border and forensically analyzing call and contact logs? Or does it use other technical or human or open source intelligence methods to gauge who to target? In the case of the RCMP we know that historically they have been massively involved in accessing subscriber information and that, proportionally, they will inform very few individuals unless the subscriber data is used in court. Only Access to Information requests seem to pry detailed numbers from the RCMP; not even questions issued by a Parliamentarian are sufficient to elicit meaningful responses.
When combined with data gained through previously completed Access to Information requests, MP Borg’s questions have significantly broadened our understanding of the unaccountability of federal agencies conducting surveillance on Canadians. We understand that CSEC will (continue to) refuse to clarify how it accesses telecommunications data when providing assistance to federal law enforcement. We also understand that CSIS does not regard a Parliamentarian’s questions as requiring the Service to respond to specific questions around its access to telecommunications information. And we understand that the RCMP will stonewall Parliamentarians just as they stonewall the public.
These agencies’ unaccountability is absolutely unacceptable. And it’s made worse by the fact that the currently proposed lawful access legislation, C–13, would indemnify ISPs for sharing even more information with state authorities while not requiring these authorities to report on how often, and to what extent, they ‘request’ such information. It appears as though the federal government has engaged in little more than a legislative facade by dropping provisions for warrantless access to subscriber data in the current lawful access legislation: such requests are already largely accommodated by Canada’s telecommunication service providers. By dropping the reporting features of C–30 from C–13, the government is ensuring that widespread access to subscriber data can continue apace without the risk of raising the ire of the Canadian public. The indemnification aspects of C–13 must be dropped and the reporting features of C–30 must be expanded and amended into C–13. Doing anything else would merely feed the Canadian government’s appetite for surveillance without remedying its already deficient accountability mechanisms.
- From page 000019 of this ATIP document (.pdf), we see that in the past CSEC would, “under part (a) of its mandate, conduct [REDACTED] in response to ‘requests for information’ from Government Canada client agencies” whereas, today, “OPS–1–10 prohibits [REDACTED] in response to a client request for information about Canadians. CSEC conducts metadata analysis to obtain security or criminal intelligence in support of CSIS/LEA investigations under part (c) of CSEC’s mandate.”
- See page 000267 of ATIP A-2011-00220 (.pdf).
- See the Investigating and Preventing Criminal Electronic Communications Act: Regulations Policy for more information (.pdf).
Note: This post first appeared on the Citizen Lab website