Draft: Do Transparency Reports Matter for Public Policy?

TransparancyTelecommunications transparency reports detail the frequency at which government agencies request information from telecommunications companies. Though American companies have been releasing these reports since 2009, it wasn’t until 2014 that Canadian companies began to follow suit. As part of my work at the Citizen Lab I’ve analyzed the Canadian reports against what makes an effective transparency report, with ‘effectiveness’ relating to achieving public policy goals as opposed to ‘having an effect’ in terms of generating media headlines.

Today I’m publishing a draft paper that summarizes my current analyses. The paper is titled, “Do Transparency Reports Matter for Public Policy? Evaluating the effectiveness of telecommunications transparency reports” and is available for download. I welcome feedback on what I’ve written and look forward to the conversations that it spurs in Canada and further abroad.

Abstract:

Telecommunications companies across Canada have begun to release transparency reports to explain what data the companies collect, what data they retain and for how long, and to whom that data is, or has been, disclosed to. This article evaluates the extent to which Canadian telecommunications companies’ transparency reports respond to a set of public policy goals set by civil society advocates, academics, and corporations, namely: of contextualizing information about government surveillance actions, of legitimizing the corporate disclosure of data about government-mandated surveillance actions, and of deflecting or responding to telecommunications subscribers’ concerns about how their data is shared between companies and the government. In effect, have the reports been effective in achieving the aforementioned goals or have they just had the effect of generating press attention?

After discussing the importance of transparency reports generally, and the specificities of the Canadian reports released in 2014, I argue that companies must standardize their reports across the industry and must also publish their lawful intercept handbooks for the reports to be more effective. Ultimately, citizens will only understand the full significance of the data published in telecommunications companies’ transparency when the current data contained in transparency reports is contextualized by the amount of data that each type of request can provide to government agencies and the corporate policies dictating the terms under which such requests are made and complied with.

Download Telecommunications Transparency in Canada 1.5 (Public Draft)  (Alternate SSRN link)

Responding the the Crisis in Canadian Telecommunications

In the middle of an identity crisisOn April 29, 2014 the Interim Privacy Commissioner of Canada, Chantal Bernier, revealed that Canadian telecommunications companies have disclosed enormous volumes of information to state agencies. These agencies can include the Royal Canadian Mounted Police, Canadian Security Intelligence Service, Canadian Border Services Agency, as well as provincial and municipal authorities. Commissioner Bernier’s disclosure followed on news that federal agencies such as the Canadian Border Services Agency requested access to Canadians’ subscriber data over 19 thousand times in a year, as well as the refusal of Canadian telecommunications companies to publicly disclose how, why, and how often they disclose information to state agencies.

This post argues that Canadians are not powerless. They can use existing laws to try and learn whether their communications companies are disclosing their personal information to state agencies. I begin by explaining why Canadians have a legal right to compel companies to disclose the information that they generate and collect about Canadians. I then provide a template letter that Canadians can fill in and issue to the telecommunications companies providing them with service, as well as some of the contact information for major Canadian telecommunications companies. Finally, I’ll provide a few tips on what to do if companies refuse to respond to your requests and conclude by explaining why it’s so important that Canadians send these demands to companies providing them with phone, wireless, and internet service.

Continue reading

Towards Transparency in Canadian Telecommunications

Ethernet CablesTelecommunications services providers that offer Internet and phone service play central roles in the daily lives of Canadians. The services that these companies provide are essential for contemporary living; we rely on these services to access our email, make or receive our phone calls and text messages, check and update our social media feeds, and figure out how to get where we are going by way of GPS. Our lives are predominantly channeled through these companies’ digital networks, to the extent that Canadian telecommunications service providers are functionally the gatekeepers Canadians must pass by before accessing the Internet, or phone networks, at large. Today, Canadian scholars and civil liberties organizations have come together to ask that many of Canada’s most preeminent telecommunications companies disclose the kinds, amounts, and regularity at which state agencies request telecommunications data pertaining to Canadians.

Canadian state agencies often request access to the subscriber and telecommunications data held by these Canadian companies, as befits the companies’ privileged roles in our lives. [1] Sometimes access is gained using a court order, sometimes it is not. Sometimes requests are for circumspect amounts of information, and other times for greater volumes of data. To date, however, interested Canadians have had only vague understandings of how, why, and how often Canadian telecommunications providers have disclosed information to government agencies. Given the importance of such systems to Canadians’ lives, and the government’s repeated allegations that more access is needed to ensure the safety of Canadians, more data is needed for scholars, civil rights organizations, and the public to understand, appreciate, and reach informed conclusions about the legitimacy of such allegations.

Our call for telecommunications transparency is in line with actions taken in the United States, where politicians such as Representative Markey have successfully asked telecommunications service providers to explain the types of requests made by American state agencies for telecommunications data, the regularity of such requests, and the amounts of data disclosed. [2] Moreover, American companies are developing more and more robust ‘transparency reports’ to clarify to their subscribers how often, and on what grounds, the companies disclose subscriber information to American state authorities. There is no reason why similar good practices cannot be instantiated in Canada as well.

Over the past decade, Canadians have repeatedly heard that law enforcement professionals and state security agents need enhanced access to telecommunications data in order to go about their jobs.[3] And Canadians have read about how our own signals intelligence service, the Communications Security Establishment Canada, has been and continues to be involved in surveillance operations that ‘incidentally’ capture Canadians’ personal information. [4] Despite these developments in Canada, there is not a substantially greater degree of actual transparency into how and why Canadian telecommunications service providers disclose information to agents of the Canadian government.

It is in light of this ongoing lack of transparency surrounding telecommunications providers’ disclosure of information to state authorities that we, a series of academics and civil rights groups, have issued public letters to many of Canada’s largest or most significant Internet and mobile communications providers. We hope that Canada’s telecommunications community will welcome these letters in the spirit they are intended: to make clearer to Canadians the specific conditions under which the Canadian government can and does access telecommunications information pertaining to Canadians, the regularity at which such access is granted, and the conditions under which telecommunications companies disclose information to state agencies.

The responses to these letters will enable superior scholarly analyses of Canadian state agency practices, evaluations of proposed federal legislation, and analysis of government agencies to currently access data that is held or transmitted by Canadian telecommunications companies. These responses will also better comparisons between the Canadian and American situations; too often, scholars, advocates, and policy analysts have been forced to transpose American realities onto what might be occurring in Canada. With real Canadian data in hand, it will be possible to more affirmatively differentiate between the state surveillance practices in Canada and the US, as well as to assess existing and proposed mechanisms that state agencies use to access telecommunications data pertaining to Canadians.

These letters were issued by letter mail and, where possible, by e-mail on January 20, 2014. We have requested that the companies respond, or provide a commitment to respond, by March 3, 2014. Below are .pdf copies of the letters that we sent; we look forward to hearing back from the recipients.

Letters sent to Canadian telecommunications service providers


  1. Nicholas Koutros and Julien Demers, “Big Brother’s Shadow: Historical Decline in Reported Use of Electronic Surveillance by Canadian Federal Law Enforcement,” SSRN, February 3, 2013, accessed December 13, 2013, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2220740; Andrea Slane and Lisa Austin, “What’s in a Name? Privacy and Citizenship in the Voluntary Disclosure of Subscriber Information in Online Child Exploitation Investigations,” Criminal Law Quarterly (57) (2011); Ian Kerr and Daphne Gilbert, “The Role of ISPs in the Investigation of Cybercrime,” in Information Ethics in the Electronic Age: Current Issues in Africa and the World, ed. Johannes J. Britz and Tom Mendina (Jefferson, North Carolina: McFarland & Company Inc, 2004).  ↩
  2. Eric Litchblau, “More Demands on Cell Carriers in Surveillance,” New York Times, July 8, 2012, accessed January 19, 2014, http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in-requests-to-aid-surveillance.html; Brian X. Chen, “A Senator Plans Legislation to Narrow Authorities’ Cellphone Data Requests,” New York Times, December 9, 2013, accessed January 19, 2014, http://www.nytimes.com/2013/12/09/technology/a-senator-plans-legislation-to-narrow-authorities-cellphone-data-requests.html.  ↩
  3. Jesse Kline, “Vic Toews draws line on lawful access: You’re with us, or the child pornographers,” National Post, February 14, 2012, accessed January 19, 2014, http://fullcomment.nationalpost.com/2012/02/14/vic-toews-draws-line-on-lawful-access-youre-with-us-or-the-child-pornographers/; Jane Taber, “New cyberbullying laws should pass this spring, Justice Minister says,” The Globe and Mail, January 9, 2014, accessed January 19, 2014, http://www.theglobeandmail.com/news/politics/new-cyberbullying-laws-should-pass-this-spring-justice-minister-says/article16253334/.  ↩
  4. Ian MacLeod, “Spy agency admits it spies on Canadians ‘incidentally’,” Ottawa Citizen, January 6, 2014, accessed January 19, 2014, http://www.ottawacitizen.com/news/agency+admits+spies+Canadians+incidentally/9356255/story.html.  ↩

[box style=”blue”]Note: This post first appeared on the Citizen Lab website[/box]

Is Iran Now Actually Using Deep Packet Inspection?


Photo by Hamed Saber

I’ve previously written about whether the Iranian government uses deep packet inspection systems to monitor and mediate data content. As a refresher, the spectre of DPI was initially raised by the Wall Street Journal in a seriously flawed article several years ago. In addition to critiquing that article, last year I spent a while pulling together various data sources to outline the nature of the Iranian network infrastructure and likely modes of detecting dissident traffic.

Since January 2010, the Iranian government  may have significantly modified their network monitoring infrastructure. In short, the government seems to have moved from somewhat ham-fisted filtering systems (e.g. all encrypted traffic is throttled/blocked) to a granular system (where only certain applications’ encrypted traffic is blocked). In this post I’ll outline my past analyses of the Iranian Internet infrastructure and look at the new data on granular targeting of encrypted application traffic. I’ll conclude by raising some questions that need to be answered about the new surveillance system, and note potential dangers facing Iranian dissidents if DPI has actually been deployed.

Continue reading

The Consumable Mobile Experience

We are rapidly shifting towards a ubiquitous networked world, one that promises to accelerate our access to information and each other, but this network requires a few key elements. Bandwidth must be plentiful, mobile devices that can engage with this world must be widely deployed, and some kind of normative-regulatory framework that encourages creation and consumption must be in place. As it stands, backhaul bandwidth is plentiful, though front-line cellular towers in American and (possibly) Canada are largely unable to accommodate the growing ubiquity of smart devices. In addition to this challenge, we operate in a world where the normative-regulatory framework for the mobile world is threatened by regulatory capture that encourages limited consumption that maximizes revenues while simultaneously discouraging rich, mobile, creative actions. Without a shift to fact-based policy decisions and pricing systems North America is threatened to become the new tech ghetto of the mobile world: rich in talent and ability to innovate, but poor in the actual infrastructure to locally enjoy those innovations.

At the Canadian Telecom Summit this year, mobile operators such as TELUS, Wind Mobile, and Rogers Communications were all quick to pounce on the problems facing AT&T in the US. AT&T regularly suffers voice and data outages for its highest-revenue customers: those who own and use smart phones that are built on the Android, WebOS (i.e. Palm Pre and Pixi), and iOS. Each of these Canadian mobile companies used AT&T’s weaknesses to hammer home that unlimited bandwidth cannot be offered along mobile networks, and suggested that AT&T’s shift from unlimited to limited data plans are indicative of the backhaul and/or spectrum problems caused by smart devices. While I do not want to entirely contest the claim that there are challenges managing exponential increases in mobile data growth, I do want to suggest that technical analysis rather than rhetorical ‘obviousness’ should be applied to understand the similarities and differences between Canadian telcos/cablecos and AT&T.

Continue reading

Choosing Winners with Deep Packet Inspection

I see a lot of the network neutrality discussion as one surrounding the conditions under which applications can, and cannot, be prevented from running. On one hand there are advocates who maintain that telecommunications providers – ISPs such as Bell, Comcast, and Virgin – shouldn’t be responsible for ‘picking winners and losers’ on the basis that consumers should make these choices. On the other hand, advocates for managed (read: functioning) networks insist that network operators have a duty and responsibility to fairly provision their networks in a way that doesn’t see one small group negatively impact the experiences of the larger consumer population. Deep Packet Inspection (DPI) has become a hot-button technology in light of the neutrality debates, given its potential to let ISPs determine what applications function ‘properly’ and which see their data rates delayed for purposes of network management. What is often missing in the network neutrality discussions is a comparison between the uses of DPI across jurisdictions and how these uses might impact ISPs’ abilities to prioritize or deprioritize particular forms of data traffic.

As part of an early bit of thinking on this, I want to direct our attention to Canada, the United States, and the United Kingdom to start framing how these jurisdictions are approaching the use of DPI. In the process, I will make the claim that Canada’s recent CRTC ruling on the use of the technology appears to be more and more progressive in light of recent decisions in the US and the likelihood of the UK’s Digital Economy Bill (DEB) becoming law. Up front I should note that while I think that Canada can be read as ‘progressive’ on the network neutrality front, this shouldn’t suggest that either the CRTC or parliament have done enough: further clarity into the practices of ISPs, additional insight into the technologies they use, and an ongoing discussion of traffic management systems are needed in Canada. Canadian communications increasingly pass through IP networks and as a result our communications infrastructure should be seen as important as defence, education, and health care, each of which are tied to their own critical infrastructures but connected to one another and enabled through digital communications systems. Digital infrastructures draw together the fibres connecting the Canadian people, Canadian business, and Canadian security, and we need to elevate the discussions about this infrastructure to make it a prominent part of the national agenda.

Continue reading