Five Measures to Help Counter the Tidal Wave of Secret Telecom Disclosures

The House of Commons engaged in an extensive debate on privacy yesterday in response to an NDP motion that would require the government to disclose the number of warrantless disclosures made by telecom companies. I’ll have more on the debate shortly (it’s worth reading), but the government has made it clear that it will not be supporting the motion.

My weekly technology law column (Toronto Star version, homepage version) notes that the revelations of massive telecom and Internet provider disclosures of subscriber information generated a political firestorm with pointed questions to Prime Minister Stephen Harper in the House of Commons about how the government and law enforcement agencies could file more than a million requests for Canadian subscriber information in a single year.

The shocking numbers come directly from the telecom industry after years of keeping their disclosure practices shielded from public view. They reveal that Canadian telecom and Internet providers are asked to disclose basic subscriber information every 27 seconds. In 2011, that added up to 1,193,630 requests, the majority of which were not accompanied by a warrant or court order. The data indicates that telecom and Internet providers gave the government what it wanted – three providers alone disclosed information from 785,000 customer accounts.

The issue is likely to continue to attract attention, particularly since the government is seeking to expand the warrantless disclosure framework in Bill C-13 (the lawful access bill) and Bill S-4 (the Digital Privacy Act).

Bill C-13 will expand warrantless disclosure of subscriber information to law enforcement by including an immunity provision from any criminal or civil liability (including class action lawsuits) for companies that preserve personal information or disclose it without a warrant.

Bill S-4, the newly-introduced Digital Privacy Act, proposes extending the ability to disclose subscriber information without a warrant from law enforcement to private sector organizations. The bill includes a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law.

With the government moving toward more warrantless disclosure and telecom companies hiding their practices behind aggregated data, the Canadian situation seems likely to get worse from a privacy perspective. Yet there are many measures that could be adopted to restore some balance and address mounting concerns about the lack of transparency associated with the widespread disclosure activities.

First, new government transparency requirements could be implemented so that the secrecy associated with hundreds of thousands of disclosure requests is eliminated. The government should require law enforcement agencies to record and report all requests for subscriber information with quarterly public releases of aggregate data (basically the gist of the NDP motion).

Telecom and Internet providers should also issue regular transparency reports. Leading Internet companies such as Google and Twitter publicly release disclosure information, as do large U.S. telecom companies such as AT&T and Verizon. If they can do it, Canadian providers such as Bell, Rogers, and Telus should do the same.

Second, telecom and Internet providers should stop automating the disclosure of subscriber information. The automated systems, which include mirroring network traffic and sending it directly to law enforcement or creating law enforcement monitoring databases that can be accessed with minimal or no review, encourage bulk disclosure of subscriber information with no effective oversight.

Third, telecom and Internet providers should be required to advise affected individuals about warrantless disclosures of their personal information unless a court prohibits them from doing so. Such a requirement would inform Canadians when their information is being disclosed and provide them with the opportunity to contest it if they see fit.

Fourth, Canadians could also use existing law more aggressively to demand that telecom providers reveal any instances of prior disclosures of their information. The law allows an individual to file a request with an organization for access to their personal information, including any details on past disclosures. Failure to comply would violate Canada’s private sector privacy law.

Fifth, the Privacy Commissioner of Canada should use her audit powers to investigate the secretive disclosure practices among telecom and Internet providers. The recent revelations provide ample evidence to justify exercising the audit powers to lift the veil of secrecy over how Canadian telecom and Internet providers manage subscriber information.

While transparency reports and external audits will not eliminate mass warrantless disclosures, they will place the issue in the spotlight and force both government and the telecom providers to explain why they do so little to safeguard Canadians’ privacy.

8 Comments

  1. pat donovan says:

    class of all classes
    class just died. You want a secure com system? Install it and hope you don’t get blackberried.

    faster internet? pay for it.
    health care? try mexico, or quebec privates.

    this is more than a class society; it is a divided class society.

    the food is already dirty; how long before the water goes too?

    pat

  2. Curious One says:

    Questions
    I have a question in regards to your point #4.

    Chris Parson made an excellent template to give your current provider, but what about *past* providers?

    For example, let’s say you left Bell Canada 7 years ago. Can you also give that letter to them asking the same info?

    Why I ask this is because when Bell had the data breach a few months ago it was found out that Bell has been keeping data that is 5 years out of date (email addy’s, passwords, CC numbers etc).

    So if Bell has already been retaining and preserving data that is over 5 years old would they not also retain and preserve all data?

    Should someone who has not been with them in 7 years also file that letter with them?

    As far as accounting records go, the law states to keep it a minimum of 7 years. I don’t see how Email addy’s and passwords apply to Revenue Canada requirements. So is Bell also not in compliance with a couple of things here under PIPEDA already anyhow?

  3. Outraged. says:

    The US?
    I’d love to know what percent of the requests are to satisfy US requests. I’d also love to know what agreements Canada has with the US regarding exchange of such data.

  4. Curious One says:

    Questions
    I guess there are no takers for point #4; it will go unanswered.

    Since Bell stated it already collects what you do online (where you go and what you search for) as stated to the CRTC, what is the retention period for all this?

    It seems to me, per the Bell data breach a few months ago, that the retention period is indefinite.

    I don’t see Dr. Geist mentioning retention of data in any of the 5 points he brought up.

    Is data retention not important? Why does Bell keep it years after a service is terminated?

  5. Pericles says:

    Records retention
    @Curious One said:

    Should someone who has not been with them in 7 years also file that letter with them?

    Why not? If you ask for your PI, and they still have it, you are entitled to it, subject to any legitimate exemptions.

    This is an excerpt from Privacy sense web site: http://www.privacysense.net/deleting-personal-information-pipeda/

    Minimum and Maximum Retention Periods

    The fifth privacy principle of PIPEDA — Limiting Use, Disclosure, and Retention — states that an organization should implement minimum and maximum retention periods for personal information and should only retain personal information for as long as it is required to fulfill its intended purposes.
    An organization may choose to hold all personal information it collects for a minimum of one year after its intended use and disclosure. It should be long enough to allow an individual to request his or her personal information, especially if it has been used to make a decision about that individual (e.g. a pre-employment check).
    An organization may also be subject to legislative requirements with respect to retention periods.
    If an organization is subject to an access request it should retain that information for as long as is necessary to allow the individual to exhaust any recourse under PIPEDA.
    Once an organization has retained personal information for a maximum period, it must destroy, erase (delete), or make the information anonymous.

    Destroying, Deleting, and Anonymizing Personal Information

    Clause 4.5.3 of PIPEDA’s Limiting Use, Disclosure, and Retention principle states:
    Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. Organizations shall develop guidelines and implement procedures to govern the destruction of personal information.
    Rather than deleting or erasing full records containing personal information, many organizations find benefit in “anonymizing” personal information instead. This allows organizations to retain statistics about records while at the same time removing all traces of personal information from a record.

  6. Curious One says:

    @Pericles, what you quoted is what I also read. Which in turn led to my questions above.

    It’s what I am having trouble wrapping my head around.

    Quote:
    Clause 4.5.3 of PIPEDA’s Limiting Use, Disclosure, and Retention principle states:
    Personal information that is no longer required to fulfil the identified purposes should be destroyed, erased, or made anonymous. /Quote

    Per the Bell data breach, Bell has been found to be hoarding data that is no longer required for service, or intended use.

    So that was one nugget found.

    Another nugget is their relevant ads program. Since Bell is Dbasing all you do online and what you search for I tried to find what the retention of this would be. I found nothing.

    PIPEDA doesn’t really address, in my opinion, indefinite collection. Nor is Bell telling anyone what the retention is.

    Seems like it’s one of two things:
    1. Bell is ignoring PIPEDA (as seen during the data breach and holding 5 year old out-dated data)

    2. What would be the Retention period of data they hoard on people for the “relevant ads program”? After how many years is the data no longer required to fulfil the identified purpose?

    3. Wade Oosterman of Bell Canada stated that the data hoarded by the relevant ads program would only be divulged with a court order. Yet we are now finding out Bell gave away millions of records w/o court oversight.

    Retention, and a clear documented retention period, is nowhere to be found. If the data breach is any indication, it seems Bell is hoarding data indefinitely.

    No?

  7. Much more pressure needs to be put on the indie providers to cough up what they know. TPIA can turn the tide with respect to this by standing up for consumer rights, in fact one would expect this from that crowd, rather than this silence.

  8. Pericles says:

    Retention
    @Curious one said:

    Per the Bell data breach, Bell has been found to be hoarding data that is no longer required for service, or intended use.

    I share your concerns about retention. And retention rules are an important aspect of this discussion. In the absence of clear retention rules, data will be kept and new uses for it will be conceived. But it seems to me that the key universal privacy principle that is being violated here is the secondary use of the data.

    Based on the PIPEDA principle, it seems to me that a company cannot even ask me to consent to a use and disclosure of my information that is not directly connected to the purposes for which it was originally collected, i.e., the provision of the service. It’s supposed to be against the rules to use it for other things or sell it, even if you fool me into agreeing with a lengthy privacy notice/consent statement that I probably won’t read or understand.

    Quote
    4.3.3
    An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use, or disclosure of information beyond that required to fulfil the explicitly specified, and legitimate purposes.
    End quote