Columns

Internet Surveillance Bill is Dead but Canada’s Telecom Transparency Gap is Alive and Well

The government’s recent decision to kill its online surveillance legislation marked a remarkable policy shift. The outcry over the plan to require Internet providers to install surveillance capabilities within their networks and to disclose subscriber information on demand without court oversight sparked an enormous backlash, leading to the tacit acknowledgment that the proposal was at odds with public opinion.

While many Canadians welcomed the end of Bill C-30, my weekly technology law column (Toronto Star version, homepage version) notes the year-long battle over the bill placed the spotlight on an ongoing problem with the current system of voluntary disclosure of subscriber information: Internet providers and telecom companies disclose customer information to law enforcement tens of thousands of times every year without court oversight.

The law permits these disclosures with no reporting requirements or accountability mechanisms built into the process. According to data obtained under the Access to Information Act, the RCMP alone made over 28,000 requests for customer name and address information in 2010. These requests go unreported – subscribers don’t know their information has been disclosed and the Internet providers and telecom companies aren’t talking either.

Bill C-30 would have introduced new reporting requirements for these disclosures, which might have allowed for insights into what Internet providers and police are doing with subscriber information. The proposed reporting requirements needed some tweaking – there was nothing to stop police from by-passing the reporting requirements by voluntarily collecting the information – but the commitment to increased transparency on personal information disclosures was a long overdue reform.

Those provisions may have died with Bill C-30, but the government should move quickly to establish a statutorily mandated reporting system for disclosures of personal information by telecom and Internet providers.

Some Internet companies have voluntarily established transparency programs. Google was the first to do so, having posted transparency reports every six months since 2009. The company’s latest transparency report provides information on requests to remove data from its search index, copyright complaints, and demands from governmental authorities for user data. 

The most recent Canadian data indicates that the company receives nearly 100 requests for user data each year from governmental authorities. Over the past 18 months, Google complied with only one-quarter of such requests.

Twitter recently followed Google’s example by issuing its own transparency report. While the U.S. had by far the most requests for user data, Canada ranked third worldwide (tied with the United Kingdom) with 11 requests in the first six months of 2012.  Much like Google, Twitter complied with only a minority of requests.

While companies such as Google and Twitter voluntarily report requests for user data, Canada’s telecom giants remain silent, offering no details on the number of requests, the rate of compliance, or how many Canadians are affected by the disclosures.

In fact, in the months leading up to the introduction of Bill C-30, Canadian telecom companies formed a secret working group designed to create an open channel for talks between telecom providers and government. Rather than focusing on customer privacy, those meetings included discussions on developing a compensation formula for the costs associated with disclosing subscriber information.

Both government and the providers should move to address Canada’s telecom transparency gap. The government could revive the disclosure reporting requirements by including those provisions in either Bill C-55 (a warrantless surveillance bill tabled on the same day the government announced that it was killing Bill C-30) or Bill C-12 (the languishing privacy reform bill).

The telecom providers, led by Bell, Rogers, Telus, and Videotron, should follow the example established by Google and Twitter by closing the telecom transparency gap. Their customers deserve regular reports on their disclosure practices as well as aggregate data on actual disclosures of customer information without court oversight. 

10 Comments

  1. Charles the Great says:

    The ISP already spy on it users.
    Most of Canada’s ISPs do know what your doing online anyway through their DNS servers which online surveillance done. If this bill did become law there are ways around this and one was just moving to a public DNS server like Google DNS or Open DNS. Other method is to use a VPN.

  2. WTF?!?
    From the second to the last paragraph above, the government introduced a new warrantless surveillance bill on the same day that it was killing the old bill because it said, roughly, “we are listening to Canadians, they have no taste for warrantless surveillance”!

    This reminds me of Chretien’s joke about the Conservatives talking out of both sides of their mouth!

    Mr. Geist, how is it that you are only introducing this to us now, and telling us about the good things that “could be included” in it, rather than what IS in it?
    Have you changed your spots?

  3. @Anonymous
    C-55, introduced with the announcement of the death of C-30 (knock on wood) can be found here:

    http://www.parl.gc.ca/LegisInfo/BillDetails.aspx?Language=E&Mode=1&billId=5970787

    It is only a few pages but, significantly, contains the following:

    > “Section 184.4 of the Act is replaced by the following:
    >
    > 184.4 A police officer may intercept, by means of any electro-magnetic,
    > acoustic, mechanical or other device, a private communication if the
    > police officer has reasonable grounds to believe that
    >
    > (a) the urgency of the situation is such that an authorization could
    > not, with reasonable diligence, be obtained under any other provision
    > of this Part;
    >
    > (b) the interception is immediately necessary to prevent an offence that
    > would cause serious harm to any person or to property; and
    >
    > (c) either the originator of the private communication or the person
    > intended by the originator to receive it is the person who would commit
    > the offence that is likely to cause the harm or is the victim, or intended
    > victim, of the harm.”

    In short, warrantless surveillance is still very much a go in the new bill. C-55 includes reporting requirements as well, which may or may not be satisfactory (for example, one might still want increased Telco transparency, as Mr. Geist suggests), with or without warrantless spying, but these aspects should be debated only if we accept the premise of warrantless surveillance online.

    So, the question to me is: is this premise, as currently articulated, satisfactory?

    IMHO, I am very wary of “warrantless” anything and would much rather attempt to make the warrant process more efficient first, if it is indeed onerous, so I would like to see the discussion start there.

  4. There is a solution
    It’s a nuisance, but it doesn’t require anything drastic like a VPN.

    - Turn on the HTTPS (secure HTTP) option on sites where it is an option. On Google this option is always on.
    - Use Firefox or Chrome because they use SPDY/HTTP2. The sites that have implemented this (amazon,twitter,fb,google,wordpress) have only implemented the secure version. This is the best security currently available.
    - Don’t use your provider’s DNS service. Based on the above article, Google DNS is probably best.

  5. Devil's Advocate says:

    We need to be holding their feet to the fire.
    “I am very wary of “warrantless” anything and would much rather attempt to make the warrant process more efficient first, if it is indeed onerous…”

    We need to be asking the important questions now, lest we want to see our Charter trashed in the way the American Constitution is currently being converted to toilet paper. It’s about time we all started demanding the justification for seeking such privilege in the first place. :

    1. What is currently lacking in the present warrant process?
    2. Would the entitlements they seek infringe on our basic and/or legal rights?

    #1 really needs to be discussed. So far, all we’re hearing is they “need” more power, but without an explanation as to WHY extra powers would be needed, or how the current system actually fails, or who it actually fails.

    If the answer to #2 is “yes”, there is no justification for also making the process potentially “warrantless”. That’s tyranny in the making.

  6. @Devil’s Advocate
    I get the impression everyone’s too busy congratulating themselves on a job well done to be disgusted by C-55′s concentrated version of warrantless snooping. C-55 might as well be called C-FU, since it still grants outright side-stepping of warrants. C-55 will do the same thing as C-30 would have: turn due-process into a swinging gate. Because, “shoot first, ask questions later” is always a good idea, right?

  7. Devil's Advocate says:

    Shoot first does sound good right now
    But we should be asking lots of questions first and if they don’t answer, well… :)

    Seriously, it’s like half the population is always asleep. So many things they’re not paying any attention to, while there are so many in power all over the world waiting to take full advantage of their ignorance.

  8. C-55?
    Are you saying it’s already been shell-gamed to another bill?

  9. @Bytowner
    Yes, on the same day as the government announced the y would not revice C-30, they itroduced C-55 which does not contain the whole gamaut of Internet-specific provisions and punitive fines for ISPs etc, but it does push a single premise which, arguably, was 90% of the legislative meat of C-30 – namely, that “A police officer may intercept, by means of any electro-magnetic, acoustic, mechanical or other device, a private communication” under the general guidelines above.

    You can find the full bill here (which is very short, and readable, but presents that basic idea and proceeds to outline a reporting framework, assuming you accept the premise):

    http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Mode=1&DocId=5975313&File=4

    I do not accept the premise of warrantless access to communications any more than I accept warrantless access to to personal belongings and property.

    The premise presented is that there may be emergency situations that could justify the RCMP snooping without oversight, but disagree and I consider such emergencies as a reason for streamlining the process of obtaining a legitimate warrant, not bypassing them entirely and allowing a token acknowledgement (by way of a deferable report), after the fact. I respect the RCMP’s job but still expect oversight. The whole “warrantless interception” is socially irresponsible and can only be abused, even if the new bill doesn’t get into the rats-nest of ISP-oriented scenarios of the old bill. C-55 will still move us in the wrong direction, and effectively sets the stage for C-30′s effect.

    See the following article for some thoughts on other ways that C-55 could be be used to bring C-30 back in spirit:
    http://www.openmedia.ca/blog/online-spying-dead-new-threats-and-case-vigilance

    The media is being very silent on this one, and painting it as a win for advocacy groups. It’s not so cut and dry, but the fact remains that the government is still going forward with the warrantless aspect.

  10. amazing idea
    Hope you can use Smartpcfixer. I have used it for a long time. It did work.

    smart pc fixer