Transparency

Does Mexico’s Transparency Report Promote Accountability?

/ Christopher Parsons

7666659340_d3096c746a_k-199x300Red en Defensa de los Derechos Digitales (R3D) has released a report that compares Mexican ISPs’ transparency and privacy practices. The work parallels the Karisma Foundation’s report about Columbian ISPs’ transparency and privacy practices; both the Mexican and Columbian organizations’ reports are based on the Electronic Frontier Foundation’s “Who Has Your Back” reporting format. The format is designed to visually summarize the practices taken by Internet companies so that end-users can easily evaluate how companies protect their users.

This post briefly summarizes R3D’s findings and then proceeds to discuss whether Mexican companies’ transparency report genuinely enable corporate accountability. Based on academic literatures, a strong argument can be made that the aggregated Mexican transparency report that have been issued by the Mexican telecommunications companies does not make the companies particularly accountable to their customers. The post concludes by raising questions about the status of third-party comparisons of corporate privacy and transparency practices: why are intermediaries like R3D, Karisma Foundation, Electronic Frontier Foundation, or IX Maps so important? And what are the deficits of contemporary comparisons of corporate transparency and privacy practices?

Summary of R3D Findings

RD3’s report examines privacy policies and codes of practices from the eight Mexican telecommunications companies that, in aggregate, compose 98% of Mexico’s mobile, fixed line, and broadband markets. Out of a possible six ‘stars’ only one company (Movistar) received two stars (the most of any company); half for requiring a warrant for data requests, half for publishing a transparency report, and a full star for advocating for privacy. The worst company, Megacable, received just a half-star for requiring a warrant for data requests.

Companies could receive either a full star, half-star, quarter-star or no star in each of the categories that are noted in Figure One. The evaluation criteria for receiving these grades follows the figure.

BAC1841D-E5B7-472F-9FB7-1544E3C3D550-1024x554

Continue reading

Draft: Do Transparency Reports Matter for Public Policy?

/ Christopher Parsons

TransparancyTelecommunications transparency reports detail the frequency at which government agencies request information from telecommunications companies. Though American companies have been releasing these reports since 2009, it wasn’t until 2014 that Canadian companies began to follow suit. As part of my work at the Citizen Lab I’ve analyzed the Canadian reports against what makes an effective transparency report, with ‘effectiveness’ relating to achieving public policy goals as opposed to ‘having an effect’ in terms of generating media headlines.

Today I’m publishing a draft paper that summarizes my current analyses. The paper is titled, “Do Transparency Reports Matter for Public Policy? Evaluating the effectiveness of telecommunications transparency reports” and is available for download. I welcome feedback on what I’ve written and look forward to the conversations that it spurs in Canada and further abroad.

Abstract:

Telecommunications companies across Canada have begun to release transparency reports to explain what data the companies collect, what data they retain and for how long, and to whom that data is, or has been, disclosed to. This article evaluates the extent to which Canadian telecommunications companies’ transparency reports respond to a set of public policy goals set by civil society advocates, academics, and corporations, namely: of contextualizing information about government surveillance actions, of legitimizing the corporate disclosure of data about government-mandated surveillance actions, and of deflecting or responding to telecommunications subscribers’ concerns about how their data is shared between companies and the government. In effect, have the reports been effective in achieving the aforementioned goals or have they just had the effect of generating press attention?

After discussing the importance of transparency reports generally, and the specificities of the Canadian reports released in 2014, I argue that companies must standardize their reports across the industry and must also publish their lawful intercept handbooks for the reports to be more effective. Ultimately, citizens will only understand the full significance of the data published in telecommunications companies’ transparency when the current data contained in transparency reports is contextualized by the amount of data that each type of request can provide to government agencies and the corporate policies dictating the terms under which such requests are made and complied with.

Download Telecommunications Transparency in Canada 1.5 (Public Draft)  (Alternate SSRN link)

CSIS’s New Powers Demand New Accountability Mechanisms

/ Christopher Parsons

6165458242_97e0572d03_oThe Government of Canada recently tabled Bill C-44, the Protection of Canada from Terrorists Act, in response to a series of court defeats concerning how the Canadian Intelligence and Security Service (CSIS) collects intelligence about Canadian residents. The federal courts took CSIS to task after Justice Richard Mosley realized that warrants issued to CSIS, which enabled CSIS to collaborate with Canada’s foreign signal intelligence agency to monitor Canadians abroad, were also being used to enlist the assistance of other nations’ signals intelligence agencies. In addition to the warrants not being issued with such foreign collaboration in mind there was — and remains — a judicial belief that CSIS’ lawyers deliberately misled the court when requesting the warrants.

The tabled legislation would not alleviate the ruling that CSIS lawyers misled the court. It would, however, authorize CSIS to apply for warrants which authorize the service to monitor Canadians abroad even if doing so would violate the laws of foreign nations. Moreover, CSIS would be empowered to request the assistance of foreign organizations in monitoring the aforementioned Canadians. The Act would also provide the government the power to prevent courts from publicly examining informants as well as to revoke citizenship under certain situations. Finally, the legislation further clarifies (and arguably extends) prohibitions on revealing the identity of CSIS officers. Continue reading

It’s Time for BlackBerry to Come Clean

/ Christopher Parsons

BlackBerry N10On April 10, 2014, Blackberry’s enterprise chief publicly stated that his company had no intention of releasing transparency reports concerning how often, and under what terms, the company has disclosed Blackberry users’ personal information to government agencies. BlackBerry’s lack of transparency stands in direct contrast to its competitors: Google began releasing transparency reports in 2009, and Apple and Microsoft in 2013. And BlackBerry’s competitors are rigorously competing on personal privacy as well, with Apple recently redesigning their operating system to render the company unable to decrypt iDevices for government agencies and having previously limited its ability to decrypt iMessage communications. Google will soon be following Apple’s lead.

So, while Blackberry’s competitors are making government access to telecommunications data transparent to consumers and working to enhance their users’ privacy, BlackBerry remains tight-lipped about how it collaborates with government agencies. And as BlackBerry attempts to re-assert itself in the enterprise market — and largely cede the consumer market to its competitors — it is unclear how it can alleviate business customers’ worries about governments accessing BlackBerry-transited business information. Barring the exceptional situation where data from BlackBerry’s network is introduced as evidence in a court process businesses have no real insight of the extent to which Blackberry is compelled to act against its users’ interests by disclosing information to government agencies. And given that the company both owns an underlying patent for, and integrated into its devices’ VPN client, a cryptographic algorithm believed vulnerable to surreptitious government spying it’s not enough to simply refuse to comment on why, and the extent to which, BlackBerry is compelled to help governments spy on its customer base.

We know that BlackBerry has been legally and politically bludgeoned into developing, implementing, and providing training courses on intercepting and censoring communications sent over its network. At the same time, we know that many employees at BlackBerry genuinely care about developing secure products and delivering them to the world; reliable, secure, and productive communications products are ostensibly the lifeblood that keeps the company afloat. So why, knowing what we know about the company’s ethos and the surveillance compulsions it has faced in the past, is it so unwilling to be honest with its current and prospective enterprise customers and develop transparency reports: for fear that customers would flee the company upon realizing the extent to which BlackBerry communications are accessed or monitored by governments, because of gag-orders they’ve agreed to in order to sell products in less-democratic nations, or just because they hold their customers is contempt?

Accountability and Government Surveillance

/ Christopher Parsons / 3 Comments

Charmaine Borg, MPThe issue of lawful access has repeatedly arisen on the Canadian federal agenda. Every time that the legislation has been introduced Canadians have opposed the notion of authorities gaining warrantless access to subscriber data, to the point where the most recent version of the lawful access legislation dropped this provision. It would seem, however, that the real motivation for dropping the provision may follow from the facts on the ground: Canadian authorities already routinely and massively collect subscriber data without significant pushback by Canada’s service providers. And whereas the prior iteration of the lawful access legislation (i.e. C–30) would have required authorities to report on their access to this data the current iteration of the legislation (i.e. C–13) lacks this accountability safeguard.

In March 2014, MP Charmaine Borg received responses from federal agencies (.pdf) concerning the agencies’ requests for subscriber-related information from telecommunications service providers (TSPs). Those responses demonstrate extensive and unaccountable federal government surveillance of Canadians. I begin this post by discussing the political significance of MP Borg’s questions and then proceed to granularly identify major findings from the federal agencies’ respective responses. After providing these empirical details and discussing their significance, I conclude by arguing that the ‘subscriber information loophole’ urgently needs to be closed and that federal agencies must be made accountable to their masters, the Canadian public.

Continue reading

Practical Steps Towards Telecommunications Transparency

/ Christopher Parsons

CorporationLast month I, along with a series of academic researchers and civil liberties organizations, asked Canada’s leading Telecommunications Services Providers (TSPs) to disclose how, why, and how often they provide telecommunications information pertaining to their subscribers to state agencies. We received responses from ten of sixteen companies a little over a month later. Many of the companies steadfastly refused to provide any information beyond assertions that they protected Canadians’ privacy, that they were largely prohibited from providing any specific information because of national security or confidentiality of investigative techniques reasons, and that the signatories to the letter would be better suited contacting the government directly.

Less directly, I’ve heard from a series of high-profile figures in Canada’s telecommunications industry and national security community. Some figures in the telecommunications industry expressed concern about Canadians’ privacy but indicated that they lacked the time, inclination, resources, or sufficient buy-in to ascertain what they could do to render their companies’ practices more transparent. TELUS is on record as stating they would “request the Government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency.” Members of the national security community worried about enhancing Canadians’ trust in what they do, but remained uncertain about what they could specifically recommend to their peers. Almost all the people I’ve spoken with have indicated that they would appreciate some kind of practical ‘here’s what could be done’ document that they could use to develop an internal business case for an expanded transparency regime.

This post offers some guidance for how companies can improve their transparency practices, along with why particular proposals should be adopted. Specifically, I identify three things that companies do in the order of least to most challenging tasks. They could disclose data retention periods, make their lawful access handbooks available to the public, and produce full-bodied transparency reports. Critically, the first two of these proposals would just require publicizing documentation that Canada’s TSPs already retain. After outlining all three proposals, I conclude by explaining why corporate transparency needs to be complemented by government accountability.

Continue reading