ISPs

The (In)effectiveness of Voluntarily Produced Transparency Reports

/ Christopher Parsons

Payphones by Christopher Parsons (All Rights Reserved)

I have a paper on telecommunications transparency reports which has been accepted for publication in Business and Society for later this year.

Centrally, the paper finds that companies will not necessarily produce easily comparable reports in relatively calm political waters and that, even should reports become comparable, they may conceal as much as they reveal. Using a model for evaluating transparency reporting used by Fung, Graham, and Weil in their 2007 book, Full Disclosure: The Perils and Promises of Transparency, I find that the reports issued by telecommunications companies are somewhat effective because they have led to changes in corporate behaviour and stakeholder interest, but have have been largely ineffective in prodding governments to behave more accountably. Moreover, reports issued by Canadian companies routinely omit how companies themselves are involved in facilitating government surveillance efforts when not legally required to do so. In effect, transparency reporting — even if comparable across industry partners — risks treating the symptom — the secrecy of surveillance — without getting to the cause — how surveillance is facilitated by firms themselves.

A pre-copyedited version of the paper, titled, “The (In)effectiveness of Voluntarily Produced Transparency Reports,” is available at the Social Sciences Research Network.

Industry Canada Transparency Report Guidelines Intensely Problematic

/ Christopher Parsons

5548494699_47f9267020_o-300x200Industry Canada has published guidelines for telecommunications companies to provide transparency reports. The guidelines are ostensibly meant to help companies that want to disclose the regularity, rationale, and extent of Canadian governmental requests for private telecommunications data. The guidelines may actually, however, establish government-sanctioned flaws in transparency reporting and prevent companies from meaningfully informing their customers about government telecommunications surveillance.

We begin this post by briefly summarizing the importance and value of transparency reporting and why Canadian companies should adopt and publish transparency reports. Second, we outline how Industry Canada’s guidelines may enhance transparency reporting. Third, we summarize the significant deficits linked to the guidelines and conclude by discussing how the guidelines could be improved to bring about meaningful and holistic corporate telecommunications transparency reporting.

Background to Transparency Reporting

We discussed the importance of transparency reporting in our recent report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians.” Transparency reporting involves companies publicly disclosing data that holds a public interest; telecommunications transparency reports are generally meant to provide complex information in an accessible and factual manner so that subscribers can subsequently make reasonable judgements based on the disclosures. Canadian telecommunications transparency reports have largely focused on policing and security issues to date, and have been released by Rogers, TELUS, Sasktel, TekSavvy, MTS Allstream, and Wind Mobile.

The Citizen Lab and the Telecom Transparency Project have actively encouraged telecommunications companies to release transparency reports. Together, these organizations have written public letters to telecommunications service providers, developed and launched a tool so that Canadians can learn about providers’ data retention and disclosure policies, conducted interviews concerning transparency and surveillance issues in Canada, and filed access to information and privacy requests to understand government surveillance practices. The result of our efforts to date are captured in a report that we released in June 2015, as are a series of recommendations for how members of the telecommunications industry could improve their transparency reports. In the following sections we examine the extent to which Industry Canada’s recently issued guidance aligns with our policy recommendations.

Continue reading

‘Defending the Core’ of the Network: Canadian vs. American Approaches

/ Christopher Parsons

U.S. Cyber Command recently conducted on Fort Meade its first exercise in collaboration with cyber subject-matter experts from across the National Security Agency, National Guard, Department of Homeland Security and FBI.In our recent report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” we discussed how the Communications Security Establishment (CSE) developed and deployed a sensor network within domestic and foreign telecommunications networks. While our report highlighted some of the concerns linked to this EONBLUE sensor network, including the dangers of secretly extending government surveillance capacity without any public debate about the extensions, as well as how EONBLUE or other CSE programs programs collect information about Canadians’ communications, we did not engage in a comparison of how Canada and its closest allies monitor domestic network traffic. This post briefly describes the EONBLUE sensor program, what may be equivalent domestic programs in the United States, and the questions that emerge from contrasting what we know about the Canadian and American sensor networks.

What is EONBLUE?

EONBLUE was developed and deployed by the CSE. The CSE is Canada’s premier signals intelligence agency. The EONBLUE sensor network “is a passive SIGINT system that was used to collect ‘full-take’ data, as well as conduct signature and anomaly based detections on network traffic.” Prior Snowden documents showcased plans to integrate EONBLUE into government networks; the network has already been integrated into private companies’  networks. Figure one outlines the different ‘shades of blue’, or variations of the EONBLUE sensors:

EONBLUE Sensors

Continue reading

Draft: Do Transparency Reports Matter for Public Policy?

/ Christopher Parsons

TransparancyTelecommunications transparency reports detail the frequency at which government agencies request information from telecommunications companies. Though American companies have been releasing these reports since 2009, it wasn’t until 2014 that Canadian companies began to follow suit. As part of my work at the Citizen Lab I’ve analyzed the Canadian reports against what makes an effective transparency report, with ‘effectiveness’ relating to achieving public policy goals as opposed to ‘having an effect’ in terms of generating media headlines.

Today I’m publishing a draft paper that summarizes my current analyses. The paper is titled, “Do Transparency Reports Matter for Public Policy? Evaluating the effectiveness of telecommunications transparency reports” and is available for download. I welcome feedback on what I’ve written and look forward to the conversations that it spurs in Canada and further abroad.

Abstract:

Telecommunications companies across Canada have begun to release transparency reports to explain what data the companies collect, what data they retain and for how long, and to whom that data is, or has been, disclosed to. This article evaluates the extent to which Canadian telecommunications companies’ transparency reports respond to a set of public policy goals set by civil society advocates, academics, and corporations, namely: of contextualizing information about government surveillance actions, of legitimizing the corporate disclosure of data about government-mandated surveillance actions, and of deflecting or responding to telecommunications subscribers’ concerns about how their data is shared between companies and the government. In effect, have the reports been effective in achieving the aforementioned goals or have they just had the effect of generating press attention?

After discussing the importance of transparency reports generally, and the specificities of the Canadian reports released in 2014, I argue that companies must standardize their reports across the industry and must also publish their lawful intercept handbooks for the reports to be more effective. Ultimately, citizens will only understand the full significance of the data published in telecommunications companies’ transparency when the current data contained in transparency reports is contextualized by the amount of data that each type of request can provide to government agencies and the corporate policies dictating the terms under which such requests are made and complied with.

Download Telecommunications Transparency in Canada 1.5 (Public Draft)  (Alternate SSRN link)

Responding the the Crisis in Canadian Telecommunications

/ Christopher Parsons

In the middle of an identity crisisOn April 29, 2014 the Interim Privacy Commissioner of Canada, Chantal Bernier, revealed that Canadian telecommunications companies have disclosed enormous volumes of information to state agencies. These agencies can include the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, as well as provincial and municipal authorities. Commissioner Bernier’s disclosure followed on news that federal agencies such as the Canadian Border Services Agency requested access to Canadians’ subscriber data over 19 thousand times in a year, as well as the refusal of Canadian telecommunications companies to publicly disclose how, why, and how often they disclose information to state agencies.

This post argues that Canadians are not powerless. They can use existing laws to try and learn whether their communications companies are disclosing their personal information to state agencies. I begin by explaining why Canadians have a legal right to compel companies to disclose the information that they generate and collect about Canadians. I then provide a template letter that Canadians can fill in and issue to the telecommunications companies providing them with service, as well as some of the contact information for major Canadian telecommunications companies. Finally, I’ll provide a few tips on what to do if companies refuse to respond to your requests and conclude by explaining why it’s so important that Canadians send these demands to companies providing them with phone, wireless, and internet service.

Continue reading

Accountability and Government Surveillance

/ Christopher Parsons / 3 Comments

Charmaine Borg, MPThe issue of lawful access has repeatedly arisen on the Canadian federal agenda. Every time that the legislation has been introduced Canadians have opposed the notion of authorities gaining warrantless access to subscriber data, to the point where the most recent version of the lawful access legislation dropped this provision. It would seem, however, that the real motivation for dropping the provision may follow from the facts on the ground: Canadian authorities already routinely and massively collect subscriber data without significant pushback by Canada’s service providers. And whereas the prior iteration of the lawful access legislation (i.e. C–30) would have required authorities to report on their access to this data the current iteration of the legislation (i.e. C–13) lacks this accountability safeguard.

In March 2014, MP Charmaine Borg received responses from federal agencies (.pdf) concerning the agencies’ requests for subscriber-related information from telecommunications service providers (TSPs). Those responses demonstrate extensive and unaccountable federal government surveillance of Canadians. I begin this post by discussing the political significance of MP Borg’s questions and then proceed to granularly identify major findings from the federal agencies’ respective responses. After providing these empirical details and discussing their significance, I conclude by arguing that the ‘subscriber information loophole’ urgently needs to be closed and that federal agencies must be made accountable to their masters, the Canadian public.

Continue reading