News

Canadian Telcos Asked to Disclose Subscriber Data Every 27 Seconds

Every 27 seconds. Minute after minute, hour after hour, day after day, week after week, month after month. Canadian telecommunications providers, who collect massive amounts of data about their subscribers, are asked to disclose basic subscriber information to Canadian law enforcement agencies every 27 seconds. In 2011, that added up to 1,193,630 requests. Given the volume, most likely do not involve a warrant or court oversight (2010 RCMP data showed 94% of requests involving customer name and address information was provided voluntarily without a warrant).

In most warrantless cases, the telecommunications companies were entitled to say no. The law says that telecom companies and Internet providers may disclose personal information without a warrant as part of a lawful investigation or they can withhold the information until law enforcement has obtained a warrant. According to newly released information, three telecom providers alone disclosed information from 785,000 customer accounts in 2011, suggesting that the actual totals were much higher. Moreover, virtually all providers sought compensation for complying with the requests.

These stunning disclosures, which were released by the Office of the Privacy Commissioner of Canada, comes directly from the telecom industry after years of keeping their disclosure practices shielded from public view. In fact, the industry was reluctant to provide the information to even the Privacy Commissioner.

According to correspondence I obtained under the Access to Information Act, after the Commissioner sent letters to the 12 biggest telecom and Internet providers seeking information on their disclosure practices, Rogers, Bell and RIM proposed aggregating the information to keep the data from individual companies secret. The response dragged on for months, with Bell admitting at one point that only four providers had provided data and expressing concern about whether it could submit even the aggregated response since it would be unable to maintain anonymity [I’ve released the full ATIP I received here].

The correspondence also confirms that the telecom providers were concerned about how the government and law enforcement would react to public disclosures. In one email, Bell says that “we are walking a delicate line between supporting privacy and not antagonizing Public Safety/LEAs [law enforcement agencies], so the materials will be pretty factual, not much commentary.”

While the current situation, which amounts to disclosure of subscriber information thousands of times each day often without a warrant, is enormously problematic, the situation is about to get even worse.

First, Bill C-13, the government’s lawful access bill that heads to committee this week, will expand warrantless disclosure of subscriber information to law enforcement by including an immunity provision from any criminal or civil liability (including class action lawsuits) for companies that preserve personal information or disclose it without a warrant. The immunity provision makes it more likely that disclosures will occur without a warrant since the legal risks associated with such disclosures are removed.

Second, Bill S-4, the newly-introduced Digital Privacy Act, proposes extending the ability to disclose subscriber information without a warrant from law enforcement to private sector organizations. The bill includes a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law. This applies both past breaches or violations as well as potential future violations. The disclosure occurs in secret without the knowledge of the affected person.

Third, the industry has steadfastly refused to address the lack of transparency concerns regarding its practices. Providers admit that they do not notify customers that their information has been requested, thereby denying them the ability to challenge the demand in court. Moreover, documents released earlier this year suggested that companies such as Bell have even established a law enforcement database that may provide authorities with direct access to subscriber information.  The systems may create great efficiencies for law enforcement – click, access subscriber data, and receive a bill from the telecom company – but they suggest a system that is entirely devoid of oversight with even the Privacy Commissioner excluded from ensuring compliance with the law.

29 Comments

  1. Reality Bytes says:

    Wholesalers no different
    While you use Bell as an example of non-transparency, the wholesalers such at Distributel and Teksavvy are no different.

    Matter of fact, at least Bell took the time to write Citizen Labs in regards to disclosures while the likes of Teksavvy and Distributel blew them off, ran away, and hid.

    Seems to me that the likes of Teksavvy are more keen to “protect their image and brand” than they are at being open and transparent to their customers who keep them in business.

    And for all you know, wholesalers like Teksavvy and Distributel may also have accessible Dbases just like Bell does.

    Not one of them are open or transparent. Not one.

  2. 1,193,630 requests
    That works out roughly to one request per 35 Canadians. Put that into perspective for yourself: does it seem likely that one out of every 35 canadians would exhibit behaviour that makes them suspicious? Perhaps I’m naive or unobservant, but intuitively I’m going to say NO.

    Whatever criteria the enforcement agencies have for triggering these requests, it is not stringent enough. This is an abuse of power, and shame on telcos for submitting to it.

    I’d love to see a pie chart which categorizes these 1 million requests by type/reason.

  3. P.I.T.A.
    im going to create an auto script that downloads a giant penis every 26 seconds so they get the proper fill of what they should

    when brough tto court and told im gay ill sue for slander and liable and defamation of cahracter and show said script

    THIS MESSAGE BROUGHT TO YOU BY P.I.T.A.

    Penis in there ass

    ( sorry mike and everyone else but someone has to say this )

  4. Profit point
    With the providers seeking compensation for such a large number of compliances it strikes me that providing the information has become an organized source of profit, and not merely a means of recovering the costs of compliance.

  5. NET LORD: No, no, noone had to say that.

  6. I agree with Reality Bytes on this.

    MG Wrote: “Providers admit that they do not notify customers that their information has been requested, thereby denying them the ability to challenge the demand in court.”

    As per Teksavvy vs Voltage current laws state there are two ways this can be handled, the first is what TSI did, by giving effected customers a week or two to obtain council to show up at the court house to challenge the motion in Toronto? That doesn’t seem fair to me.

    Second is to have the company oppose the motion and fight on the customers behalf which is what TSI hasn’t done to date. Wondering why MG we don’t have a much strong statement on current laws regarding a company’s responsibility within current law to oppose a motion that is deemed unlawful? Isn’t the above statement realistic of the ideology that telecom providers or private companies should take a hands off approach to fighting for their customers private information which could very well be exactly the cause of this lobbied piece of legislation? Is simply notification that your information has been disclosed enough for Canadian consumers when it comes to our private information? Many I’ve spoken with, including in the privacy community think companies need to do way more then just “notification”.

    “Moreover, documents released earlier this year suggested that companies such as Bell have even established a law enforcement database that may provide authorities with direct access to subscriber information.”

    As with what @Reality Bytes has said, it’s very reasonable to believe that the indie providers are doing the exact same as the big guys here. It doesn’t make any sense why Government and law enforcement would only target the Bell, Rogers and Telus for the purposes of “law enforcement”. The others have to be in play with this as well.

    This is a very carefully crafted blog post MG. Wonder why it’s been written this way, rather than actually condemning this practice of warrant-less disclosure outright. I find that rather interesting.

  7. Hey, shouldn’t democracies have rules prohibiting this kind of thing?
    It almost makes you wish that we Canadians had some kind of Charter of Rights and Freedoms guaranteeing that everyone has the right to be secure against unreasonable search or seizure…

    Hey, wait a…. Doh!

  8. wannabe
    It used to be that Harper wanted to be like George W. Bush (Mini Bush). Now it seems he’s looking up to Putin.

  9. Jack Dodds says:

    When we hear that “subscriber information” has been disclosed, the impression that is given is that the telephone customer’s name and address has been provided to law enforcement. However, the CWTA response to the OPC request includes this:

    “One provider noted that it does not use Deep Packet Inspection equipment or software for the purposes of responding to requests from federal authorities. Interception of communications over data networks is accomplished by sending what is essentially a mirror image of the packet data as it transits the network of data nodes. This packet data is then sent directly to the agency who has obtained lawful access to the information. Deep packet inspection is then performed by the law enforcement agency for their purposes.”

    How can that not require a court order?

  10. @Jack Dodds
    That’s interesting. DPI technology has a problem with encryption, it can’t effectively read encrypted headers or decrypt headers in real time. That’s one of the reasons why DPI isn’t used in throttling anymore. All the more reason to sign up for a secure VPN service and use when mobile.

  11. Oh the irony….
    Quoting MG:

    “According to correspondence I obtained under the Access to Information Act, after the Commissioner sent letters to the 12 biggest telecom and Internet providers seeking information on their disclosure practices, Rogers, Bell and RIM proposed aggregating the information to keep the data from individual companies secret. The response dragged on for months, with Bell admitting at one point that only four providers had provided data and expressing concern about whether it could submit even the aggregated response since it would be unable to maintain anonymity”.

    So, let’s see. In other words….

    We big four telecom and internet providers are dishing out personal details about our subscribers to law enforcement agencies without challenging them or requiring warrants – in fact, we are even looking for ways to automate the disclosures and profit from these requests – but when the Privacy Commissioner of Canada asked us for general details we lawyered up and provided aggregate data on an inflated number of respondent organizations because, well, er, ahem, …it’s private.

    Priceless!

  12. Reality Bytes says:

    Oh the irony…
    @Pericles,
    “We big four telecom and internet providers are dishing out personal details about our subscribers to law enforcement agencies without challenging them or requiring warrants…”

    It’s not just the “big four”. It’s a dozen of them. I don’t know how you magically turned a dozen into four. So let us not pretend that the biggest wholesalers and resellers like Teksavvy or Distributel are not doing the same.

    What I want to know is how much is given away without a court order.

    In addition to this, I would like to know how an individual can go about finding out if their info was given away without a court order.

  13. If CSIS orders a wire tap, production of text messages, or IP addresses from a telco or ISP it may very well be considered “top secret” in the interests of national security. I’m sure we would all like to know which terrorist, spy, or organized crime member is being tracked and what kind of juicy things they are up to but that could jeopardize the investigation and put people’s safety at risk.

    If a pedophile is using the internet to trap a child I don’t want the police to have to wait till Court opens up the next morning to go and get a warrant to force an ISP to disclose the IP address. An innocent child could be molested or dead by then.

    There has to be a middle ground that allows law enforcement agencies to do their job quickly and thoroughly while protecting the privacy of law-abiding Canadians who don’t want anybody to know they ordered extra anchovies on their pizza.

  14. Oh the irony
    @ Reality Bytes
    “I don’t know how you magically turned a dozen into four.”

    It wasn’t magic. MG said: “The response dragged on for months, with Bell admitting at one point that only four providers had provided data”.

    I am sure that you are correct, Reality Bytes, that there are other providers involved. My point is merely that they delayed and obfuscated for months and screened their respective roles behind an aggregation of the data. They are not quite so fast on the disclosure trigger with their own info…

    And I agree too, that the warrantless disclosure of who-knows-what is the most disturbing part of this.

  15. @ Cynic – I think many including myself agree with you that there needs to be a balance, however the sheer number of requests on this strongly suggests that the system is being abused by law enforcement, Government and telecom. The provision they are using in law allows access to information under what you are talking about. The sheer numbers here would suggest either:

    A) 1 in 30 Canadians is a child pornographer, a terrorist, or a murderer

    Or

    B) and most likely the case is the system and law is being abuse by law enforcement, government and telecom providers.

    @ Pericles. I think there is a bit of a conflict of interest especially with some who appear to be fighting on consumer rights issues on this situation, that are supported by the indie providers. I think consumers need to be aware and not to forget the fact that some of those indie providers haven’t even responded when questioned, let alone delayed responding. All telecom providers should be on the hook for stuff like this, and consumers need to keep a watchful eye on those that deflect attention more towards the government and the big four, and away from the indie providers when those very providers are supposed to be championing consumer rights and setting an example of what consumers expect from a telecom company (since that is their main selling point to Canadian consumers).

    They all have their hands in the cookie jar, and it’s important going forward that we come up with balanced law as a result, and not law that appears to be balanced by those deflecting attention from any company involved with any of this.

    If Openmedia were to stop supporting those they already do that have their hand in this, then maybe we’d have true consumer representation on this issue politically when the time comes, however I don’t see that happening in a case that clearly conflicts with Openmedia’s principles, and that of what their corporate sponsors have been up too. Should be interesting to see how they respond.

  16. Reality Bytes says:

    Oh the irony
    Odds of getting struck by lightning in your lifetime: 1 in 3,000

    Odds of winning the 6/49: 1 in 13,983,816

    Odds of bowling a 300 game: 1 in 11,500

    Odds of getting a hole in one: 1 in 5,000

    Odds of drowning in a bathtub: 1 in 685,000

    Odds of having your identity stolen: 1 in 200

    Odds of getting the flu this year: 1 in 10

    Odds of getting hemorrhoids: 1 in 25

    Odds that a Canadian Telco will give away your info because the Harper gov thinks you’re a terrorist (or copyright extremist): 1 in 29

  17. Toothless Oversight
    A watchdog with no teeth is just what the government and LEA’s wanted and that’s what they got. Canadian LEA’s don’t have the resources to sort through that much info, so it begs the question: who is the information being funneled to?
    My guess is Snowden has the answer….

  18. @cynic
    There are judges on call for emergency search warrants. I doupt they would say no to a wire tape for pedophile. They may however say no to a wiretap of a polic offers divorces spouse or spouse going through a divorce.

    and sehingr

  19. What’s the right number
    We’re all ready to set our hair on fire because law enforcement agencies (LEA) ordered more than a million pieces of data from telcos and ISPs last year. Sure, it seems like a big number but is it really? I am actually surprised it is as low as it is.

    LEAs reported more than 2 million crimes last year of which 415,000 were “violent crimes”. If we want LEAs to do their job investigating those crimes to protect the public and bring the bad guys to justice should we surprised that they might find phone records and IP addresses helpful in their investigations?

    Surprisingly, 39.4% of Canadians have used illegal drugs (I’m sure many will say they didn’t inhale). The cops aren’t interested in the users but they are certainly interested in the dealers who are destroying hundreds of lives everyday, for profit. Would phone records or IP addresses be helpful in tracking down the dealers and breaking the supply chain?

    To help put things in perspective, Canadians sent over 100 billion text messages last year and talked for more than 25 billion minutes on their phones. Our Canadian LEAs ordered accessed less than 0.08% of those communications. Considering the amount of illegal/criminal activity in Canada that number looks low to me.

  20. DIS STUPID THO
    DIS STUPID THO

  21. Devil's Advocate says:

    Amazing how many are still asleep
    Anyone who actually believes ANY of this is really about “fighting crime” needs a serious wake up call…

    …And you will eventually get that call, thanks to your compliance. Of course, it will be too late by then, and you will have taken the rest of us down with you, also thanks to YOUR compliance.

  22. Pericles says:

    Amazing how many…
    @devil’s advocate

    I think you probably mean “complacency”

  23. Devil's Advocate says:

    Complacency vs. Compliance
    @Pericles:

    ‘I think you probably mean “complacency”‘

    Compliance could be viewed as an act resulting from complacency, I’m sure. While I don’t advocate complacency, I was referring to how people just simply comply with something, just enough to make it an established norm.

    com·pli·ance noun kəm-ˈplī-ən(t)s
    – the act or process of doing what you have been asked or ordered to do
    – the act or process of complying

    Full Definition of COMPLIANCE…
    1. a: the act or process of complying to a desire, demand, proposal, or regimen or to coercion
    b: conformity in fulfilling official requirements

    2. : a disposition to yield to others
    3. : the ability of an object to yield elastically when a force is applied : flexibility

    Examples of COMPLIANCE

    She was rewarded for her compliance.
    There has been a low rate of compliance with the new law.

    🙂

  24. @Devil’s Advocate

    So it’s ok for cops to sit outside your house and peak into your windows or rifle through your garbage if they have reason to believe you are up to no good. But they better not look at your emails because that would be “crossing the line”.

    And the cops better not look at the text messages of that 50 year old creep that has been stalking your 12 year old daughter because that would be an invasion of his privacy. His privacy is more important to you than the safety of our daughter.

  25. davegravy says:

    @Cynic Misleading statistics
    How many unique individuals are involved in those crimes? How many times do we hear about someone who’s charged with “x” counts of “y” crime?

    The most honest law abiding citizens in our country break laws every day, most of which don’t justify these info requests.

    How many of these violent crimes are low-degree assault for which obtaining and reviewing electronic records are inappropriate and a waste of LEA resources: Slapping, pushing, shoving, punching, uttering threats, spitting?

    I don’t know the answer, but intuitively I’d say 1/30 is inappropriate and a more thorough investigation of these practices should be conducted.

  26. davegravy says:

    @Cynic
    For garbage placed on public property and anything which is visible from a public property vantage point, there is no expectation of privacy and yes – it is OK for cops to do those things. It’s hard to tell cops they can’t look at something that everyone else can see.

    I have a small child and I’m much more concerned about the police state he may have to grow up in than the unlikely chance he will be targeted by a paedophile or be blown up by a terrorist bombing. Power corrupts. I’ve witnessed, first hand, how that corruption can manifest if it’s not kept in check – and it is scary indeed.

  27. Cyclical arguments
    @davegravy

    How many crimes involves multiple requests for information by the police? One criminal investigation could involve the retrieval of hundreds of records/transactions from just one person. Maybe that number of one million “requests” that Mr. Geist is talking only involves 10,000 different people. Nobody seems to know the answer to the question but we all appear to want to assume the worst, that the feds are reading my 80 year old grandmother’s email because they have nothing better to do.

    Your suggestion that once your property leaves your hands (as garbage) that it is free for anyone to look at could be extended to other mediums. What about that text message that leaves your phone and travels over public airwaves? Or how about your email that travels through 8 different ISP’s in 3 countries before it reaches it’s destination – does that mean it is no longer private? Any one who owns/operates one of those servers can look at your email if they chose to. The government could build the infrastructure to monitor all those transactions themselves but instead they order phone companies and ISPs to collect it for them.

    As much as we want to believe we live in a free society we really don’t. The Courts have been ordering wiretaps since phones were invented over a hundred years ago and we’ve had various levels of security screening at airports since the 1960’s. Sometimes all those security agencies are successful in stopping terrorists and occasionally they miss some. We just need to figure out what level of security surveillance we are comfortable with and whether we can stomach the costs of the alternative. In addition to the tens of thousands of lives lost in the attacks and subsequent military action in Afghanistan, the NY times estimated that economic damage to the US economy from the 9/11 attacks was $3.3 trillion. While this is an interesting academic exercise the questions are far more difficult in the real world.

  28. Watching the seeded responders work
    Its amazing how so few of you remember that seeding the crowd with supporters is a time honored and ALWAYS used tradition by all organizations. Yet you don’t seem to think about it while bothering to respond to obviously seeded comments

  29. anti cynic says:

    Cynic, are you some sort of cop? Or do you just hate your rights and freedoms?