Come back with a warrant by Rosalyn Davis (CC BY-NC-SA 2.0) https://flic.kr/p/aoPzWb

Come back with a warrant by Rosalyn Davis (CC BY-NC-SA 2.0) https://flic.kr/p/aoPzWb

Columns

Warrantless Access to Subscriber Information: Has the Tide Turned on Canada’s Privacy Embarrassment?

In a year in which privacy issues have captured near weekly headlines, one concern stands out: warrantless access to Internet and telecom subscriber information. From revelations that telecom companies receive over a million requests each year to the Supreme Court of Canada’s landmark decision affirming that there is a reasonable expectation of privacy in subscriber information, longstanding law enforcement and telecom company practices have been placed under the microscope for the first time.

Last week, the Privacy Commissioner of Canada released a report that shed further light on the law enforcement side of warrantless disclosure requests, raising disturbing questions about the lack of record keeping and politically motivated efforts to drum up data on the issue.

My weekly technology law column (Toronto Star version, homepage version) notes that the Office of the Privacy Commissioner of Canada notified the Royal Canadian Mounted Police last October that it was planning to conduct preliminary investigative work on the collection of warrantless subscriber information from telecom companies. The plan was to assess RCMP policies and to determine the frequency and justification for warrantless requests.

Despite interviewing dozens of personnel, investigators were unable to obtain specific numbers as the RCMP simply did not compile the requested information. When asked why the information was not collected, law enforcement officials noted that its information management system was never designed to capture access requests.

While that may help explain the absence of data, investigators also found that the RCMP issued an internal memorandum in 2010 instructing officers to begin collecting such information. Why the change in approach?

It would appear that the new policy was directly linked to lawful access legislation that was facing public criticism over provisions that would have required telecom and Internet companies to disclose subscriber information without a warrant (the law at the time permitted voluntary disclosure but left discretion over whether to disclose to the telecom or Internet provider). Critics of the lawful access bill noted that there was little evidence that mandated disclosure was needed. In response, the RCMP attempted to pull together the missing data, but later abandoned the effort when the lawful access bill died on the order paper.

When combined with non-transparent telecom provider policies and government legislative initiatives seeking to expand disclosure, the RCMP revelations should give all Canadians concerned with their informational privacy pause. We now know that entering this year, law enforcement and government departments were requesting access to subscriber information without a warrant over a hundred thousand times every month. We also know that telecom companies were keeping their responses to the requests secret, that law enforcement was not tracking its access requests, and that the government was determined to expand the system by encouraging voluntary disclosure of personal information through a pair of bills that are still before Parliament.

Despite the sorry state of subscriber privacy at the start of 2014, the situation has improved in recent months. Pressure on the telecom companies to offer greater transparency on their practices has led both Rogers and Telus to regularly disclose aggregated data on subscriber requests. Moreover, the Supreme Court of Canada’s Spencer decision confirmed that there is a reasonable expectation of privacy in telecom and Internet subscriber information.

Those are positive steps, yet at least three major issues remain unresolved. First, there are still some telecom companies that have not issued transparency reports, most notably Bell Canada, the country’s largest telecom provider.

Second, the RCMP remains somewhat coy about how it plans to address warrantless disclosure requests in the future. As part of the Privacy Commissioner of Canada investigation, it undertook only to study mechanisms for reporting requests. Potential recommendations are not due until April 2015.

Third, the government remains committed to encouraging voluntary warrantless disclosure of subscriber information. Justice Minister Peter MacKay’s Bill C-13, which is now at the Senate, grants full civil and criminal immunity for organizations that voluntarily disclose personal information to law enforcement, while Industry Minister James Moore’s Bill S-4, which will be studied later this month by the House of Commons Industry Committee, expands voluntary warrantless disclosure between private sector organizations.

5 Comments

  1. Devil's Advocate says:

    Way back, when commercial data mining began, I was called everything from a conspiracy nutjob to, simply, crazy for pointing out how allowing such activity could numb the general public to privacy issues and set the stage for complete abuse all around.

    And, numb and indifferent is exactly what everyone was for a good while.

    Now, we see the whole world (at least, the half of the world that even understands the implications of this stuff) scrambling to find ways to recover its privacy, which has effectively been stolen on so many fronts.

  2. Devil's Advocate says:

    “…some telecom companies that have not issued transparency reports, most notably Bell Canada…”

    And, here’s a behemoth that serves as the most blatant example of where things are today because of the above-mentioned indifference by a clueless public…

    1) We have providers like Bell that have become too large and too much in control of the infrastructure;

    2) Said providers get to run massive telemarketing campaigns with no oversight, while also being the operator of the DNCL!

    3) Said providers are also being permitted to provide content (as if that’s somehow not a conflict of interest);

    4) Said providers not only have the ability to affect your service, rip off its customers with impunity, scrutinize the internet activites and data of its users, and legally profile its users (“for billing purposes, of course!”), but also provide special interest groups (like “law enforcement” or “trusted partners”) a look at all this without a warrant, or even a word to anyone directly related to the information they’re releasing.

    I could go on a lot more, but the bottom line is, nobody seemed to question things that were taking place earlier on, and this is what we get for that kind of mass complacency.

  3. J. Peterson says:

    Thank you to Prof. Michael Geist for pursuing this issue.

    I believe that that looser and judicially unsupervised access to subscriber internet information will result in unintended leaks to scammers, extortionists, and criminals and other unscrupulous interests who will harass and exploit Canadian Family Internet Users.

  4. Pingback: Copywrong » Why the Digital Privacy Act Will Expand Personal Information Disclosure Without Court Oversight

  5. thanks to Prof Michael for issuing this article, very informative