Earlier this week, I wrote a column (Toronto Star version, homepage version) arguing that Canada’s telecom companies should come clean about their disclosures of customer information. That column was in response to a public letter from leading civil liberties groups and academics sent to Canada’s leading telecom companies asking them to shed new light into their data retention and sharing policies. The letter writing initiative, which was led by Christopher Parsons of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs, is the latest attempt to address the lack of transparency regarding how and when Canadians’ personal information may be disclosed without their knowledge to law enforcement or intelligence agencies.
That initiative has now effectively been joined by the Office of the Privacy Commissioner of Canada and NDP MP Charmaine Borg. Chantal Bernier, the interim Privacy Commissioner of Canada, released recommendations yesterday designed to reinforce privacy protections in the age of cyber-surveillance. The report includes the following recommended reform to PIPEDA:
require public reporting on the use of various disclosure provisions under PIPEDA where private-sector entities such as telecommunications companies release personal information to national security entities without court oversight.
In addition, Borg has filed an order paper question (Q-233) seeking detailed data on requests to telecom companies from various government agencies.
As my column notes, concerns with telecom secrecy has become particularly pronounced in recent months as a steady stream of revelations that have painted a picture of ubiquitous surveillance that captures “all the signals all the time”, sweeping up billions of phone calls, texts, emails, and Internet activity with dragnet-style efficiency.
Canada’s role in the surveillance activities remains a bit of mystery, yet there is little doubt that Canadian telecom and Internet companies play an important part as intermediaries that access, retain, and possibly disclose information about their subscribers’ activities.
In the United States, companies such as Verizon and AT&T have announced plans to issue regular transparency reports on the number of law enforcement requests they receive for customer information. The telecom transparency reports come following a similar trend from top Internet companies such as Google, Twitter, Microsoft, and Facebook.
The first Verizon report was released last week and it revealed that there are hundreds of thousands of requests for subscriber information every year. Last year this included more than 30,000 demands for location data, the majority of which lacked a warrant.
By contrast, Canada’s telecom companies remain secretive about their participation in the surveillance activities, with no transparency reports and no public indications of their willingness to disclose customer information without a court order.
The scope of such participation is potentially very broad. Not only is there the prospect of co-operation with Canadian intelligence agencies, but Canadian networks and services are frequently configured to allow for U.S. surveillance of Canadian activities.
For example, Bell and Rogers link their email systems for residential customers to U.S. giants with Bell linked to Microsoft and Rogers linked to Yahoo. In both cases, the inclusion of a U.S. email service provider may allow for U.S. surveillance of Canadian email activity. Moreover, Bell requires other Canadian Internet providers to exchange Internet traffic outside the country at U.S. exchange points, ensuring that the data is potentially subject to U.S. surveillance.
Secret disclosures of subscriber information extend beyond surveillance programs run by Canadian and U.S. intelligence agencies. Under Canadian law, telecom companies and Internet providers are permitted to disclose customer information without a court order as part of a lawful investigation. According to data obtained under Access to Information, the RCMP has successfully obtained such information tens of thousands of times.
In fact, Bill C-13, the so-called “cyberbullying” bill, includes a provision that is likely to increase the number of voluntary disclosures without court oversight since it grants telecom companies and Internet providers complete immunity from any civil or criminal liability for those disclosures.
The privacy implications of this secret disclosure system are enormous, potentially touching on the private data of hundreds of thousands of Canadians. Yet the policies seemingly operate between the cracks in the law, permitting some disclosures without court oversight, blocking notifications to those who are affected, and even providing financial compensation from taxpayers to the telecom companies for their co-operation.â€¨
Canadian privacy law requires telecom companies and Internet providers to adhere to an openness principle that includes making “readily available to individuals specific information about (its) policies and practices relating to the management of personal information.” Those companies have failed to comply with the spirit of this principle, suggesting that Privacy Commissioner of Canada should consider supplementing last week’s civil society letter with an investigation of her own. a href=