    How Telcos and ISPs Hand Over Subscriber Data Thousands of Times Each Year Without a Warrant

    Tuesday April 01, 2014
    Appeared in the Toronto Star on March 29, 2014 as Internet Data Routinely Handed Over Without a Warrant

    The lawful access fight of 2012, which featured then-Public Safety Minister Vic Toews infamously claiming that the public could side with the government or with child pornographers, largely boiled down to public discomfort with warrantless access to Internet subscriber information. The government claimed that subscriber data such as name, address, and IP address was harmless information akin to data found in the phone book, but few were convinced and the bill was ultimately shelved in the face of widespread opposition.

    The government resurrected the lawful access legislation last year as a cyber-bullying bill, but it has been careful to reassure concerned Canadians that the new powers are subject to court oversight.  While it is true that Bill C-13 contains several new warrants that require court approval (albeit with a lower evidentiary standard), what the government fails to acknowledge is that telecom companies and Internet providers already hand over subscriber data hundreds of times every day without court oversight.  In fact, newly released data suggests that the companies have established special databases that grant law enforcement quick access to subscriber information without a warrant for a small fee.

    The latest data comes from a government response to NDP MP Charmaine Borg's effort to obtain information on government agencies' requests for subscriber data. While many agencies refused to disclose the relevant information, Canada Border Services Agency revealed that it had made 18,849 requests in one year for subscriber information including geo-location data and call records.

    The CBSA obtained a warrant in 52 instances with all other cases involving a simple request without court oversight. The telecom and Internet providers fulfilled the requests virtually every time - 18,824 of 18,849 - and the CBSA paid a fee of between $1.00 and $3.00 for each request.

    The CBSA revelations follow earlier information obtained under the Access to Information Act that the RCMP alone made over 28,000 requests for subscriber information in 2010 without a warrant. These requests go unreported - subscribers don't know their information has been disclosed and the Internet providers and telecom companies aren't talking either.

    The recent disclosures also reveal that the telecom companies have established law enforcement databases that provide ready access to subscriber information in a more efficient manner. For example, the Competition Bureau reports that it "accessed the Bell Canada Law Enforcement Database" 20 times in 2012-13. 

    The absence of court oversight may surprise many Canadians, but the government actively supports the warrantless disclosure model. In 2007, it told the Privacy Commissioner of Canada that an exception found in the private sector privacy law to allow for warrantless disclosure was "designed to allow organizations to collaborate with law enforcement and national security agencies without a subpoena, warrant or court order." The cyber-bullying bill further supports the warrantless disclosure model since it contains a provision that grants Internet providers and telecom companies full immunity from any civil or criminal liability for voluntarily disclosing subscriber information.

    While much of the warrantless disclosure data remains shrouded in secrecy - many government departments refuse to divulge details about their practices and the telecom companies and Internet providers have declined requests to come clean - the latest revelations confirm fears that subscriber information is disclosed tens of thousands of times every year without court oversight.

    The law may grant the companies the right to disclose subscriber information without a warrant, but the pervasive warrantless disclosure is still deeply troubling and represents an abdication of their responsibility to safeguard the privacy interests of their subscribers.

    Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.



    Government Launches Consultation on Rules for ISP Notice-and-Notice System Amid Shift in Priorities

    Thursday October 10, 2013
    Industry Canada and Canadian Heritage launched a consultation yesterday on the rules associated with the Internet service provider notice-and-notice system that was established in Bill C-11, the copyright reform bill enacted in June 2012. Responses to the consultation are due by November 8, 2013. Most of the bill took effect in November 2012, but the government delayed implementation of the ISP rules, with expectation of a consultation and regulations to follow. It has taken nearly a full year, but the consultation was sent to undisclosed stakeholders with the promise to bring the notice-and-notice system into effect "in the near future."

    The notice-and-notice system allows copyright owners to send infringement notices to ISPs, who will be legally required to forward the notification to their subscribers. If an ISP fails to forward the notifications, it must explain why or face the prospect of damages that run as high as $10,000. ISPs must also retain information on the subscriber for six months (or 12 months if court proceedings are launched). Copyright owners may also send notifications to search engines, who must remove content that has been removed from the original source within 30 days. The notices must meet a prescribed form that includes details on the sender, the copyright works and the alleged infringement.

    Despite some expectation that the consultation would place several issues on the table - form issues for notices, data retention, and costs for notices among them - the language used in the consultation letter suggests that the government is likely to simply bring the rules as articulated in the law into effect with no further regulations at all. It states:


    Canadian Government Quietly Pursuing New ISP Code of Conduct

    Wednesday October 09, 2013
    With the cost of cybercrime in Canada on the rise - a new report released last week by Symantec, a security software vendor, pegged the cost at $3.1 billion annually - my weekly technology law column (Toronto Star version, homepage version) reports that the Canadian government is quietly working behind-the-scenes to create a new Internet service provider code of conduct. If approved, the code would technically be voluntary for Canadian ISPs, but the active involvement of government officials suggests that most large providers would feel pressured to participate.

    The move toward an ISP code of conduct would likely form part of a two-pronged strategy to combat malicious software that can lead to cybercrime, identity theft, and other harms. First, the long-delayed anti-spam legislation features new disclosure requirements for the installation of software along with tough penalties for non-compliance. Recent comments from Industry Minister James Moore suggest that the government is ready to bring that law into effect. Second, the code of conduct would require participants to provide consumers with assistance should their computers become infected.



    Canadian Government Quietly Pursuing New ISP Code of Conduct

    Tuesday October 08, 2013
    Appeared in the Toronto Star on October 5, 2013 as Ottawa Pushing ISP Code of Conduct

    With the cost of cybercrime in Canada on the rise - a new report released last week by Symantec, a security software vendor, pegged the cost at $3.1 billion annually - the Canadian government is quietly working behind-the-scenes to create a new Internet service provider code of conduct. If approved, the code would technically be voluntary for Canadian ISPs, but the active involvement of government officials suggests that most large providers would feel pressured to participate.

    The move toward an ISP code of conduct would likely form part of a two-pronged strategy to combat malicious software that can lead to cybercrime, identity theft, and other harms. First, the long-delayed anti-spam legislation features new disclosure requirements for the installation of software along with tough penalties for non-compliance. Recent comments from Industry Minister James Moore suggest that the government is ready to bring that law into effect. Second, the code of conduct would require participants to provide consumers with assistance should their computers become infected.

    The proposed code, which is modeled on a similar Australian initiative dubbed the iCode, has been placed on a policy fast-track, with officials hoping to create a final version by the end of the year. The Australian version features a standardized notification system that requires ISPs to alert customers that their computer or electronic device may be compromised by malicious software (often referred to as botnets). The notification may include sending the customer to an information webpage advising them of the threat and the steps needed to address the problem. Repeated notifications may result in the customer having their Internet access suspended.

    The Australian iCode also involves the creation of a comprehensive resource for ISPs on new cybersecurity threats and a reporting mechanism from ISPs to a centralized agency that gathers threat information. The approach has garnered support from other countries. South Africa adopted the iCode last year, while both Japan and Germany have implemented similar programs.

    Yet not everyone is convinced that the iCode system actually works. When the U.S. began considering the Australian system in 2011, experts questioned its effectiveness.  For example, the SANS Institute looked at the Australian results and concluded that the reduction in botnets was "insignificant." Moreover, Symantec highlighted the danger of fraudulent notifications, arguing that they could "aggravate the problem rather than alleviate it."

    Notwithstanding the concerns, the Canadian government appears convinced that an ISP code of conduct is long overdue. According to government documents, Industry Canada quietly gathered the major Canadian ISPs in late July to present the concept of an industry code and the experience in other countries. The presentation noted that unlike current Canadian initiatives that do not include direct consumer support, the proposed code would require consumer assistance in addition to the creation of education programs, information sharing, and reporting requirements.

    Last month, stakeholders were brought back for a follow-up meeting where government officials presented an ambitious timeline that envisions final approval on the code within the next three months.

    One way to speed up the process appears to be the exclusion of any public participation. The government timeline offers several opportunities for ISPs and other stakeholders it has identified to comment on the draft code, but does not feature any public consultations or opportunities for feedback.

    Despite the active government involvement, officials have worked hard to emphasize that the code would be voluntary, claiming that the approach will demonstrate industry consensus and that "the regime is not being imposed on the sector by the government." However, with the public excluded from the process and industry fears that the code could gradually expand into other issues, the rushed effort for a Canadian ISP code of conduct may need to slow down and give way to a more open, inclusive and transparent initiative.

    Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

