The recent revelations regarding massive telecom and Internet provider disclosures of subscriber information have generated a political firestorm with pointed questions yesterday to Prime Minister Stephen Harper in the House of Commons. While Harper tried to provide reassurances that warrants were obtained where necessary, the reality is that the law includes a massive exception that permits voluntary, warrantless disclosure of subscriber information. That suggests that the majority of the nearly 1.2 million requests in 2011 were not accompanied by a warrant. Moreover, the telecom and Internet providers have shrouded their activities in secrecy, refusing to disclose the disclosures to affected subscribers and hiding behind aggregated data to avoid scrutiny of their individual practices.
The issue is likely to continue to attract attention, particularly since the government is seeking to expand the warrantless disclosure framework in Bill C-13 (the lawful access bill) and Bill S-4 (the Digital Privacy Act). One further issue that should not be lost within the disclosure is the stunning admission that at least one Canadian provider may be allowing the government to mirror or copy its subscriber communications. In response to a question on the use of deep packet inspection, one provider states:
“Interception of communications over data networks is accomplished by sending what is essentially a mirror image of the packet data as it transmits the network of data nodes. This packet data is then sent directly to the agency who has obtained lawful access to the information. Deep packet inspection is then performed by the law enforcement agency for their purposes.”
This is an incredible admission – allowing the government to mirror subscriber communications and sending them directly to law enforcement agencies who can then do what they want with them? Are there legal grounds for these disclosures? Who is doing this? Was this a required alternative to major ISPs who do not use deep packet inspection? Is this RIM, who also participated in the aggregated data request? Many, many questions without any clear answers. Given the uncertainty and the enormous privacy implications, the Privacy Commissioner of Canada is surely entitled to investigate this admission using her current powers under PIPEDA.