Publication

New Report Shines Light On Limitations of Canadians’ Data Access Rights

/ Christopher Parsons

The Citizen Lab has released a new report, “Approaching Access: A look at consumer personal data requests in Canada,” which was written by myself and my colleagues, Andrew Hilts and Masashi Crete-Nishihata. The report examines how different industries respond to Canadians’ requests to access their personal information. Such requests empower individuals to better understand what data is collected about them, the ways in which is it used, and to whom it is subsequently disclosed. While privacy policies or terms of service can be vague, the intent behind such laws is that they will let individuals understand specifically how their personal information is used.

Without knowing who is collecting personal data, for what purpose, or for how long, or the grounds under which they share it, a consumer cannot exercise their rights nor evaluate whether an organization is appropriately handling their data. Canada’s commercial privacy legislation, the Protection of Personal Information and Electronic Documents Act (PIPEDA), empowers Canadians to issue legally-binding Data Access Requests (DARs) to private companies to answer exactly these kinds of questions. This report is the result of a three year study of DARs in Canada that shows what happens when telecommunications companies, fitness trackers, and online dating services are asked by consumers to provide transparency into their data privacy practices and policies.

Between 2014-2016 we recruited participants to systematically issue DARs to telecommunications companies, fitness trackers, and online dating services used by Canadians to evaluate a series of research questions:

  • What proportion of companies contacted would respond to DARs at all?
  • What proportion of companies that did respond to DARs would respond in a relatively complete manner to all questions asked?
  • What proportion of companies that did respond to DARs would provide individuals with copies of their personal information at no or minimal cost?
  • What commonalities or differences would be found in responses to individuals in each industry group studied, and across industries?
  • To what extent would individuals who received responses be satisfied with the information they received and what, if anything, might be done to improve organizations’ disclosures to enhance individuals’ satisfaction?

Inconsistent Responses across Companies and Industries

Participants received responses from companies but the information provided varied widely across companies and industries. Variations included:

  • the specificity with which requester questions are answered;
  • what types of data are returned;
  • whether or not data retention periods are published; and
  • clarity about data disclosures to third parties, including government authorities.

Barriers to Access

Participants also encountered barriers to accessing the private information that companies retained about them. These barriers included:

  • identity verification procedures;
  • secure data transfer requirements;
  • costs offloaded to requesters; and
  • push-back by some non-Canadian companies as to whether their services to Canadian consumers in Canada are, in fact, bound by Canadian privacy law.

Towards Improved Data Access in Canada

Our report concludes with recommendations for how businesses can improve their DAR processes and related data transparency efforts, and allow citizens to more effectively exercise stewardship over their personal data.

We make seven key recommendations:.

  1. Companies should prepare and produce data retention schedules that identify specific types of information they collect and the period of time for which they retain it.
  2. Companies should prepare and publish government access handbooks that identify the different kinds of personal information they hold, and establish the specific legal powers and processes to be undertaken before the company will disclose a subscriber’s personal information.
  3. Companies should prepare transparency reports that disclosure the regularity, and rationale for which, government agencies request access to subscriber-related information.
  4. Companies should collaborate within their respective industries to establish common definitions for personal data mini-collections to which common policies are applied, such as subscriber data, metadata, content of communications, etc.
  5. Companies should not assume they know which communications method their customers would prefer to use when discussing a DAR letter. They should first ask the customer what their preferred method is, and only then pose questions to clarify the requester’s inquiries.
  6. Companies should publish data inventories describing all the kinds of personal information that they collect, and freely provide copies of a small set of representative examples of records for each kind of personal information to subscribers upon request.
  7. Either individual organizations or industry groups should communicate with non-corporate stakeholders to help streamline the request process, or to help establish requesters’ expectations. This effort might involve developing Application Programming Interfaces (APIs) to expedite the issuance and response to DAR letters, or working to modify language used by web applications to more accurately reflect the data that might be handled by organizations in the course of commercial activity.

DARs provide a valuable method for understanding the kinds of information which are collected, retained, processed, and handled by private companies. This report provides a look at how companies respond to these access rights and which also draws lessons from both within specific industry groupings and across industries. Given the amounts of digital information that individuals confide to third parties on a daily basis it is imperative that they can gain access to such information upon request, especially when companies do not publish clear guidance as to their broader data collection, retention, handling, or disclosure practices.

Our report showcases how DARs can provide insight into corporate practices. But, at present processes surrounding DAR-handling and -processing are immature. Advancing DAR practices and policies requires either private-sector coordination to advance individuals’ access to their personal information, or regulatory coordination to clarify how private organizations ought to provide access to the information of which they are stewards.

DOWNLOAD THE FULL REPORT

Project Support

This research is led by the Citizen Lab at the Munk School of Global Affairs, University of Toronto. The project was funded via Open Effect by CIRA’s 2015-16 Community Investment Program. Additional funding was provided by the Office of the Privacy Commissioner of Canada through its Contributions Program.

Thank you to Adam Senft and Bram Abramson for review and copyediting. We are grateful to Ron Deibert for research guidance and supervision. This research would not have been possible without the Access My Info users who participated in this study.

Authors

Dr. Christopher Parsons received his Bachelor’s and Master’s degrees from the University of Guelph, and his Ph.D from the University of Victoria. He is currently a Research Associate at the Citizen Lab at the Munk School of Global Affairs as well as the Managing Director of the Telecom Transparency Project at the Citizen Lab.

Andrew Hilts is a Senior Researcher and Developer at the Citizen Lab at the Munk School of Global Affairs, University of Toronto. His research and software development focuses on empowering citizens to exercise their digital rights online.

Masashi Crete-Nishihata is Research Director at the Citizen Lab, Munk School of Global Affairs, University of Toronto. He researchers the socio-political impact of information controls

The (In)effectiveness of Voluntarily Produced Transparency Reports

/ Christopher Parsons

Payphones by Christopher Parsons (All Rights Reserved)

I have a paper on telecommunications transparency reports which has been accepted for publication in Business and Society for later this year.

Centrally, the paper finds that companies will not necessarily produce easily comparable reports in relatively calm political waters and that, even should reports become comparable, they may conceal as much as they reveal. Using a model for evaluating transparency reporting used by Fung, Graham, and Weil in their 2007 book, Full Disclosure: The Perils and Promises of Transparency, I find that the reports issued by telecommunications companies are somewhat effective because they have led to changes in corporate behaviour and stakeholder interest, but have have been largely ineffective in prodding governments to behave more accountably. Moreover, reports issued by Canadian companies routinely omit how companies themselves are involved in facilitating government surveillance efforts when not legally required to do so. In effect, transparency reporting — even if comparable across industry partners — risks treating the symptom — the secrecy of surveillance — without getting to the cause — how surveillance is facilitated by firms themselves.

A pre-copyedited version of the paper, titled, “The (In)effectiveness of Voluntarily Produced Transparency Reports,” is available at the Social Sciences Research Network.

Computer network operations and ‘rule-with-law’ in Australia

/ Christopher Parsons

‘Cyberman’ by Christian Cable (CC BY-NC 2.0) at https://flic.kr/p/3JuvWv

Last month a paper that I wrote with Adam Molnar and Erik Zouave was published by Internet Policy Review. The article, “Computer network operations and ‘rule-with-law’ in Australia,” explores how the Australian government is authorized to engage in Computer Network Operations (CNOs). CNOs refer to government intrusion and/or interference with network information communications infrastructures for the purposes of law enforcement and national security operations.

The crux of our argument is that Australian government agencies are relatively unconstrained in how they can use CNOs. This has come about because of overly permissive, and often outdated, legislative language concerning technology that has been leveraged in newer legislation that expands on the lawful activities which government agencies can conduct. Australian citizens are often assured that existing oversight or review bodies — vis a vis legislative assemblies or dedicated surveillance or intelligence committees — are sufficient to safeguard citizens’ rights. We argue that the laws, as currently written, compel review and oversight bodies to purely evaluate the lawfulness of CNO-related activities. This means that, so long as government agencies do not radically act beyond their already permissive legislative mandates, their oversight and review bodies will assert that their expansive activities are lawful regardless of the intrusive nature of the activities in question.

While the growing capabilities of government agencies’ lawful activities, and limitations of their review and oversight bodies, have commonalities across liberal democratic nations, Australia is in a particularly novel position. Unlike its closest allies, such as Canada, the United States, New Zealand, or the United Kingdom, Australia does not have a formal bill of rights or a regional judicial body to adjudicate on human rights. As we write, “[g]iven that government agencies possess lawful authority to conduct unbounded CNO operations and can seek relatively unbounded warrants instead of those with closely circumscribed limits, the rule of law has become distorted and replaced with rule of law [sic]”.

Ultimately, CNOs represent a significant transformation and growth of the state’s authority to intrude and affect digital information. That these activities can operate under a veil of exceptional secrecy and threaten the security of information systems raises questions about whether the state has been appropriately restrained in exercising its sovereign powers domestically and abroad: these powers have the capability to extend domestic investigations into the computers of persons around the globe, to facilitate intelligence operations that target individuals and millions of persons alike, and to damage critical infrastructure and computer records. As such, CNOs necessarily raise critical questions about the necessity and appropriateness of state activities, while also showcasing the state’s lack of accountability to the population is is charged with serving.

Read the “Computer network operations and ‘rule-with-law’ in Australia” at Internet Policy Review.

Beyond ATIP: New Methods for Researching State Surveillance Practices

/ Christopher Parsons

9781894037679I’ve had a book chapter, titled “Beyond ATIP: New Methods for Researching State Surveillance,” published in Access To Information And Social Justice: Critical Research Strategies for Journalists, Scholars, and Activists. The book was edited by Jamie Brownlee and Kevin Walby and is available for purchase at a variety of brick and mortar, as well as online, book vendors. The book combines political and practical aspects of Access to Information and Privacy (ATIP) research in a single volume. In addition to exposing how ATIP-related documents have led to major, nation-affecting, news stories the book helps Canadian citizens use and navigate the federal access to information processes.

My contribution argued the ATIP process must be supplemented when  investigating particularly secretive government practices. I drew from work that I conducted at the Citizen Lab as part of the Telecommunications Transparency Project, specifically focusing on activities undertaken between January-August 2014.

Full Abstract

This chapter focuses on the challenges of studying the difficult and often obscure issues of Canadian state and corporate surveillance. Researchers routinely turn to Access to Information and Privacy (ATIP) requests to cut through this obscurity, but the laws are often too weak, too poorly enforced, or too full of deliberate loopholes and blind spots to provide comprehensive awareness about surveillance. Thus, additional methodological techniques are needed to pierce the veil of government secrecy. But what kinds of techniques can be successful, what are their limitations, and how effective are they? How can researchers better understand the kinds of surveillance programs that the federal government is conducting now, and has conducted in the past? I begin by discussing the merits and drawbacks of federal ATIP legislation, a legal tool that is routinely used to learn about the scope and dimensions of state surveillance. In light of the ATIP regime’s relative limits in revealing the contours of federal surveillance, I discuss how researchers can use a variety of political, regulatory, and legal techniques to increase government accountability and corporate transparency. Importantly, the methodological proposals I assess have the effect of adding as opposed to replacing data received under ATIP. By adopting an expanded set of methodological techniques, researchers can better fill out and make sense of the often limited revelations that emerge from the ATIP process.

Purchase the book from Amazon.ca // Pre-order from Amazon.com

Image credit: Book cover from Jamie Brownlee and Kevin Walby (Eds.). http://arpbooks.org/books/detail/access-to-information-and-social-justice

Stuck on the Agenda: Drawing Lessons from the Stagnation of “Lawful Access” Legislation in Canada

/ Christopher Parsons

9780776622071_web_1Earlier this year I had a book chapter, titled “Stuck on the Agenda: Drawing Lessons from the Stagnation of “Lawful Access” Legislation in Canada” published in Law, Privacy and Surveillance in Canada in the Post-Snowden Era. The book was edited by Michael Geist and is freely available in .pdf format from the University of Ottawa Press. The edited collection brings together many of Canada’s leading thinkers on privacy and national security issues, with authors outlining how Canadian-driven intelligence operations function, the legal challenges facing Canadian signals intelligence operations, and ways to reform Canada’s ongoing signals intelligence operations and the laws authorizing those operations.

The book arguably represents the best, and most comprehensive, examination of the Communications Security Establishment (CSE) in recent history. While not providing insiders’ accounts, many of the chapters draw from access to information documents, documents provided to journalists by Edward Snowden, and publicly available information concerning how intelligence operations are conducted by Canadian authorities. In aggregate they critically investigate the actual and alleged intelligence practices undertaken by Canadian authorities.

My contribution focuses on the politics associated with Canada’s lawful access legislation, and identifies some of the political conditions that may precede successful opposition to legislation that expands or reifies both domestic and foreign intelligence surveillance practices. Specifically, the chapter begins by outlining how agenda-setting operates and the roles of different agendas, tactics, and framings. Next, it turns to the Canadian case and identifies key actors, actions, and stages of the lawful access debates. The agenda-setting literature lets us identify and explain why opponents of the Canadian legislation were so effective in hindering its passage and what the future holds for opposing similar legislative efforts in Canada. The final section steps away from the Canadian case to suggest that there are basic as well as additive general conditions that may precede successful political opposition to newly formulated or revealed government surveillance powers that focus on either domestic or signals intelligence operations. You can read the chapter on pages 256-283.

Download the book from University of Ottawa Press

Image credit: Book Cover from Michael Geist (Ed.) (CC BY-NC-SA 3.0) http://www.press.uottawa.ca/law-privacy-and-surveillance

Beyond Privacy: Articulating the Broader Harms of Pervasive Mass Surveillance

/ Christopher Parsons

2852616711_57c5d04259_b

I’ve published a new paper titled “Beyond Privacy: Articulating the Broader Harms of Pervasive Mass Surveillance” in Media and Communication. Media and Communication is an open access journal; you can download the article from any location, to any computer, free of cost. The paper explores how dominant theories of privacy grapple with the pervasive mass surveillance activities undertaken by western signals intelligence activities, including those of the NSA, CSE, GCHQ, GCSB, and ASD. I ultimately argue that while these theories provide some recourse to individuals and communities, they are not sufficiently holistic to account for how mass surveillance affects the most basic elements a democracy. As such, I suggest that academic critics of signals intelligence activities can avail themselves to theory from the Frankfurt School to more expansively examine and critique contemporary signals intelligence surveillance practices.

Full Abstract

This article begins by recounting a series of mass surveillance practices conducted by members of the “Five Eyes” spying alliance. While boundary- and intersubjectivity-based theories of privacy register some of the harms linked to such practices I demonstrate how neither are holistically capable of registering these harms. Given these theories’ deficiencies I argue that critiques of signals intelligence surveillance practices can be better grounded on why the practices intrude on basic communicative rights, including those related to privacy. The crux of the argument is that pervasive mass surveillance erodes essential boundaries between public and private spheres by compromising populations’ abilities to freely communicate with one another and, in the process, erodes the integrity of democratic processes and institutions. Such erosions are captured as privacy violations but, ultimately, are more destructive to the fabric of society than are registered by theories of privacy alone. After demonstrating the value of adopting a communicative rights approach to critique signals intelligence surveillance I conclude by arguing that this approach also lets us clarify the international normative implications of such surveillance, that it provides a novel way of conceptualizing legal harm linked to the surveillance, and that it showcases the overall value of focusing on the implications of interfering with communications first, and as such interferences constituting privacy violations second. Ultimately, by adopting this Habermasian inspired mode of analysis we can develop more holistic ways of conceptualizing harms associated with signals intelligence practices than are provided by either boundary- or intersubjective-based theories of privacy.

Download the Paper

Photo credit: Retro Printers by Steven Mileham (CC BY-NC 2.0) https://flic.kr/p/5m5pyK