The government’s recent decision to kill its online surveillance legislation marked a remarkable policy shift. The outcry over the plan to require Internet providers to install surveillance capabilities within their networks and to disclose subscriber information on demand without court oversight sparked an enormous backlash, leading to the tacit acknowledgment that the proposal was at odds with public opinion.
While many Canadians welcomed the end of Bill C-30, my weekly technology law column (Toronto Star version, homepage version) notes the year-long battle over the bill placed the spotlight on an ongoing problem with the current system of voluntary disclosure of subscriber information: Internet providers and telecom companies disclose customer information to law enforcement tens of thousands of times every year without court oversight.
The law permits these disclosures with no reporting requirements or accountability mechanisms built into the process. According to data obtained under the Access to Information Act, the RCMP alone made over 28,000 requests for customer name and address information in 2010. These requests go unreported – subscribers don’t know their information has been disclosed and the Internet providers and telecom companies aren’t talking either.
Bill C-30 would have introduced new reporting requirements for these disclosures, which might have allowed for insights into what Internet providers and police are doing with subscriber information. The proposed reporting requirements needed some tweaking – there was nothing to stop police from by-passing the reporting requirements by voluntarily collecting the information – but the commitment to increased transparency on personal information disclosures was a long overdue reform.
Those provisions may have died with Bill C-30, but the government should move quickly to establish a statutorily mandated reporting system for disclosures of personal information by telecom and Internet providers.
Some Internet companies have voluntarily established transparency programs. Google was the first to do so, having posted transparency reports every six months since 2009. The company’s latest transparency report provides information on requests to remove data from its search index, copyright complaints, and demands from governmental authorities for user data.
The most recent Canadian data indicates that the company receives nearly 100 requests for user data each year from governmental authorities. Over the past 18 months, Google complied with only one-quarter of such requests.
Twitter recently followed Google’s example by issuing its own transparency report. While the U.S. had by far the most requests for user data, Canada ranked third worldwide (tied with the United Kingdom) with 11 requests in the first six months of 2012. Much like Google, Twitter complied with only a minority of requests.
While companies such as Google and Twitter voluntarily report requests for user data, Canada’s telecom giants remain silent, offering no details on the number of requests, the rate of compliance, or how many Canadians are affected by the disclosures.
In fact, in the months leading up to the introduction of Bill C-30, Canadian telecom companies formed a secret working group designed to create an open channel for talks between telecom providers and government. Rather than focusing on customer privacy, those meetings included discussions on developing a compensation formula for the costs associated with disclosing subscriber information.
Both government and the providers should move to address Canada’s telecom transparency gap. The government could revive the disclosure reporting requirements by including those provisions in either Bill C-55 (a warrantless surveillance bill tabled on the same day the government announced that it was killing Bill C-30) or Bill C-12 (the languishing privacy reform bill).
The telecom providers, led by Bell, Rogers, Telus, and Videotron, should follow the example established by Google and Twitter by closing the telecom transparency gap. Their customers deserve regular reports on their disclosure practices as well as aggregate data on actual disclosures of customer information without court oversight.