Transparency

The Murky State of Canadian Telecommunications Surveillance

/ Christopher Parsons

Telephone PoleOn January 20, 2014 the Citizen Lab along with leading Canadian academics and civil liberties groups sent letters to Canada’s most prominent Internet service providers. We asked the companies to reveal the extent to which they voluntarily, and under compulsion, disclose information about their subscribers to state agencies, as well as for information about business practices and data retention periods. The requested information would let researchers, policy analysts, and civil liberties groups better understand the current telecommunications landscape and engage in evidence-based policy analysis of current and proposed government surveillance activities. The companies were asked to provide responses by March 3, 2014.

A considerable amount of attention has been given to state access to telecommunications data since January 20. Organizations such as the Globe and Mail wrote that Canadians deserve to know who is listening to their communications, and reporting by The Wire Report found that while telecommunications companies believed they might not be able to respond to all the questions in the letters, at least some responses might be provided without running afoul of government gag laws. However, The Wire Report also found that some sources believed they were forbidden from disclosing any information about the assistance they provide to government agencies, with one stating they were “completely resigned.”

At the same time as the letters were being examined by the companies, a series of high-profile telecommunications-related stories broke in the media. In the United States, leading telecommunications carriers released ‘transparency reports’ that put some information in the public arena concerning how often the companies disclose information to American state agencies. In Canada, there were revelations that the Communications Security Establishment Canada (CSEC) had surreptitiously monitored the movements of Canadians vis-a-vis mobile devices that connected to wireless routers. These revelations sparked renewed interest in the origins of CSEC’s data, whether Canadian telecommunications companies either voluntarily or under compulsion provide data to CSEC, the nature of CSEC’s ‘metadata’ collection process, and the rationales driving data exchanges between telecommunications companies and state agencies more generally. The Office of the Privacy Commissioner of Canada also tabled a report that outlined a series of ways to improve accountability and transparency surrounding state access to telecommunications data. Finally, MP Charmaine Borg, the New Democratic Party Member of Parliament for the riding of Terrebonne—Blainville in Quebec, issued a series of questions to the federal government that are meant to render transparent how federal agencies request information from telecommunications companies.

Continue reading

More Voices Call for Transparency in Canadian Telecommunications

/ Christopher Parsons

Ottawa - HDRLast week I, along with a collection of Canadian experts and civil liberties groups, sent letters to many of Canada’s leading telecommunications companies. Those letters ask the companies to explain why, how often, and under what conditions they provide information to government authorities. Such information is pressing given the routine reappearance of telecommunications surveillance legislation on the government’s Order Paper. Specifically, lawful access legislation has been introduced by successive federal governments, with the requested power extensions justified on grounds that authorities cannot effectively police online criminal behaviour, on grounds that telecommunications companies do not always provide subscriber information when government authorities request it, and on grounds that such legislation will prevent terrorism/serious crimes/kidnapping/pedophilia/cyber bullying.

Only with empirical data about how, and why, state authorities presently access telecommunications data will Canadians be able to knowledgeably ascertain whether these expanded state powers are needed. Moreover, with data in hand about companies’ disclosures of subscriber information consumers can make informed choices when choosing their telecommunications providers. Specifically, such information would let consumers compare companies’ privacy practices and choose companies’ services based on privacy (along with other consumer) grounds. While many have been supportive of this public letter initiative, almost all the people that I have spoken to about the letters have voiced their skepticism that the companies would be motivated to respond. I remain optimistic that the companies will respond to demonstrate their privacy bona fides and tell their side of the story. Moreover, the requests for information about how and why state agencies access telecommunications data have been amplified today from two different sources. Continue reading

Towards Transparency in Canadian Telecommunications

/ Christopher Parsons / 2 Comments

Ethernet CablesTelecommunications services providers that offer Internet and phone service play central roles in the daily lives of Canadians. The services that these companies provide are essential for contemporary living; we rely on these services to access our email, make or receive our phone calls and text messages, check and update our social media feeds, and figure out how to get where we are going by way of GPS. Our lives are predominantly channeled through these companies’ digital networks, to the extent that Canadian telecommunications service providers are functionally the gatekeepers Canadians must pass by before accessing the Internet, or phone networks, at large. Today, Canadian scholars and civil liberties organizations have come together to ask that many of Canada’s most preeminent telecommunications companies disclose the kinds, amounts, and regularity at which state agencies request telecommunications data pertaining to Canadians.

Canadian state agencies often request access to the subscriber and telecommunications data held by these Canadian companies, as befits the companies’ privileged roles in our lives. [1] Sometimes access is gained using a court order, sometimes it is not. Sometimes requests are for circumspect amounts of information, and other times for greater volumes of data. To date, however, interested Canadians have had only vague understandings of how, why, and how often Canadian telecommunications providers have disclosed information to government agencies. Given the importance of such systems to Canadians’ lives, and the government’s repeated allegations that more access is needed to ensure the safety of Canadians, more data is needed for scholars, civil rights organizations, and the public to understand, appreciate, and reach informed conclusions about the legitimacy of such allegations.

Our call for telecommunications transparency is in line with actions taken in the United States, where politicians such as Representative Markey have successfully asked telecommunications service providers to explain the types of requests made by American state agencies for telecommunications data, the regularity of such requests, and the amounts of data disclosed. [2] Moreover, American companies are developing more and more robust ‘transparency reports’ to clarify to their subscribers how often, and on what grounds, the companies disclose subscriber information to American state authorities. There is no reason why similar good practices cannot be instantiated in Canada as well.

Over the past decade, Canadians have repeatedly heard that law enforcement professionals and state security agents need enhanced access to telecommunications data in order to go about their jobs.[3] And Canadians have read about how our own signals intelligence service, the Communications Security Establishment Canada, has been and continues to be involved in surveillance operations that ‘incidentally’ capture Canadians’ personal information. [4] Despite these developments in Canada, there is not a substantially greater degree of actual transparency into how and why Canadian telecommunications service providers disclose information to agents of the Canadian government.

It is in light of this ongoing lack of transparency surrounding telecommunications providers’ disclosure of information to state authorities that we, a series of academics and civil rights groups, have issued public letters to many of Canada’s largest or most significant Internet and mobile communications providers. We hope that Canada’s telecommunications community will welcome these letters in the spirit they are intended: to make clearer to Canadians the specific conditions under which the Canadian government can and does access telecommunications information pertaining to Canadians, the regularity at which such access is granted, and the conditions under which telecommunications companies disclose information to state agencies.

The responses to these letters will enable superior scholarly analyses of Canadian state agency practices, evaluations of proposed federal legislation, and analysis of government agencies to currently access data that is held or transmitted by Canadian telecommunications companies. These responses will also better comparisons between the Canadian and American situations; too often, scholars, advocates, and policy analysts have been forced to transpose American realities onto what might be occurring in Canada. With real Canadian data in hand, it will be possible to more affirmatively differentiate between the state surveillance practices in Canada and the US, as well as to assess existing and proposed mechanisms that state agencies use to access telecommunications data pertaining to Canadians.

These letters were issued by letter mail and, where possible, by e-mail on January 20, 2014. We have requested that the companies respond, or provide a commitment to respond, by March 3, 2014. Below are .pdf copies of the letters that we sent; we look forward to hearing back from the recipients.

Letters sent to Canadian telecommunications service providers

  1. Nicholas Koutros and Julien Demers, “Big Brother’s Shadow: Historical Decline in Reported Use of Electronic Surveillance by Canadian Federal Law Enforcement,” SSRN, February 3, 2013, accessed December 13, 2013, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2220740; Andrea Slane and Lisa Austin, “What’s in a Name? Privacy and Citizenship in the Voluntary Disclosure of Subscriber Information in Online Child Exploitation Investigations,” Criminal Law Quarterly (57) (2011); Ian Kerr and Daphne Gilbert, “The Role of ISPs in the Investigation of Cybercrime,” in Information Ethics in the Electronic Age: Current Issues in Africa and the World, ed. Johannes J. Britz and Tom Mendina (Jefferson, North Carolina: McFarland & Company Inc, 2004).  ↩
  2. Eric Litchblau, “More Demands on Cell Carriers in Surveillance,” New York Times, July 8, 2012, accessed January 19, 2014, http://www.nytimes.com/2012/07/09/us/cell-carriers-see-uptick-in-requests-to-aid-surveillance.html; Brian X. Chen, “A Senator Plans Legislation to Narrow Authorities’ Cellphone Data Requests,” New York Times, December 9, 2013, accessed January 19, 2014, http://www.nytimes.com/2013/12/09/technology/a-senator-plans-legislation-to-narrow-authorities-cellphone-data-requests.html.  ↩
  3. Jesse Kline, “Vic Toews draws line on lawful access: You’re with us, or the child pornographers,” National Post, February 14, 2012, accessed January 19, 2014, http://fullcomment.nationalpost.com/2012/02/14/vic-toews-draws-line-on-lawful-access-youre-with-us-or-the-child-pornographers/; Jane Taber, “New cyberbullying laws should pass this spring, Justice Minister says,” The Globe and Mail, January 9, 2014, accessed January 19, 2014, http://www.theglobeandmail.com/news/politics/new-cyberbullying-laws-should-pass-this-spring-justice-minister-says/article16253334/.  ↩
  4. Ian MacLeod, “Spy agency admits it spies on Canadians ‘incidentally’,” Ottawa Citizen, January 6, 2014, accessed January 19, 2014, http://www.ottawacitizen.com/news/agency+admits+spies+Canadians+incidentally/9356255/story.html.  ↩

[box style=”blue”]Note: This post first appeared on the Citizen Lab website[/box]

Transparent Practices Don’t Stop Prejudicial Surveillance

/ Christopher Parsons

In February I’m attending iConference 2012, and helping to organize a workshop titled “Networked Surveillance: Access Control, Transparency, Power, and Circumvention in the 21st Century.” The workshop’s participants will consider whether networked surveillance challenges notions of privacy and neutrality, exploits openness of data protocols, or requires critical investigations into how these surveillance technologies are developed and regulated. Participants will be arriving from around the world, and speaking to one (or more) of the workshop’s four thematics: Access Control, Transparency, Power, and Circumvention. As part of the workshop, all participants must prepare a short position statement that identifies their interest in network surveillance while establishing grounds to launch a conversation. My contribution, titled “Transparent Practices Don’t Stop Prejudicial Surveillance,” follows.

Transparent Practices Don’t Stop Prejudicial Surveillance

Controversies around computer processing and data analysis technologies led to the development of Fair Information Practice Principles (FIPs), principles that compose the bedrocks of today’s privacy codes and laws. Drawing from lessons around privacy codes and those around Canadian ISPs’ surveillance practices, I argue that transparency constitutes a necessary but insufficient measure to mitigate prejudicial surveillance practices and technologies. We must go further and inject public values into development cycles while also intentionally hobbling surveillance technologies to rein in their most harmful potentialities.

Continue reading

Deep Packet Inspection and Consumer Transparency

/ Christopher Parsons

Image by David Clow

Rogers Communications modified their packet inspection systems last year, and ever since customers have experienced degraded download speeds. It’s not that random users happen to be complaining about an (effectively) non-problem: Rogers’ own outreach staff has confirmed that the modifications took place and that these changes have negatively impacted peer to peer (P2P) and non-P2P applications alike. Since then, a Rogers Communications senior-vice president, Ken Englehart, has suggested that any problems customers have run into are resultant of P2P applications themselves; no mention is made of whether or how Rogers’ throttling systems have affected non-P2P traffic.

In this brief post, I want to quickly refresh readers on the changes that Rogers Communications made to their systems last year, and also note some of the problems that have subsequently arisen. Following this, I take up what Mr. Englehart recently stated in the media about Rogers’ throttling mechanisms. I conclude by noting that Rogers is likely in compliance with the CRTC’s transparency requirements (or at least soon will be), but that such requirements are ill suited to inform the typical consumer.

Continue reading

Beyond Fear and Deep Packet Inspection

/ Christopher Parsons

securitybooksOver the past few days I’ve been able to attend to non-essential reading, which has given me the opportunity to start chewing through Bruce Schneier’s Beyond Fear. The book, in general, is an effort on Bruce’s part to get people thinking critically about security measures. It’s incredibly accessible and easy to read – I’d highly recommend it.

Early on in the text, Schneier provides a set of questions that ought to be asked before deploying a security system. I want to very briefly think through those questions as they relate to Deep Packet Inspection (DPI) in Canada to begin narrowing a security-derived understanding of the technology in Canada. My hope is that through critically engaging with this technology that a model to capture concerns and worries can start to emerge.

Question 1: What assets are you trying to protect?

  • Network infrastructure from being overwhelmed by data traffic.

Question 2: What are the risks to these assets?

  • Synchronous bandwidth-heavy applications running 24/7 that generate congestion and thus broadly degrade consumer experiences.

Question 3: How well does security mitigate those risks?

Continue reading