Columns Archive

Five Measures to Help Counter the Tidal Wave of Secret Telecom Disclosures

Appeared in the Toronto Star on May 3, 2014 as Five Measures to Safeguard Consumers’ Telecom and Internet Privacy

Last week’s revelations of massive telecom and Internet provider disclosures of subscriber information generated a political firestorm with pointed questions to Prime Minister Stephen Harper in the House of Commons about how the government and law enforcement agencies could file more than a million requests for Canadian subscriber information in a single year.

The shocking numbers come directly from the telecom industry after years of keeping their disclosure practices shielded from public view. They reveal that Canadian telecom and Internet providers are asked to disclose basic subscriber information every 27 seconds. In 2011, that added up to 1,193,630 requests, the majority of which were not accompanied by a warrant or court order. The data indicates that telecom and Internet providers gave the government what it wanted – three providers alone disclosed information from 785,000 customer accounts.

The issue is likely to continue to attract attention, particularly since the government is seeking to expand the warrantless disclosure framework in Bill C-13 (the lawful access bill) and Bill S-4 (the Digital Privacy Act).

Bill C-13 will expand warrantless disclosure of subscriber information to law enforcement by including an immunity provision from any criminal or civil liability (including class action lawsuits) for companies that preserve personal information or disclose it without a warrant.

Bill S-4, the newly-introduced Digital Privacy Act, proposes extending the ability to disclose subscriber information without a warrant from law enforcement to private sector organizations. The bill includes a provision that allows organizations to disclose personal information without consent (and without a court order) to any organization that is investigating a contractual breach or possible violation of any law.

With the government moving toward more warrantless disclosure and telecom companies hiding their practices behind aggregated data, the Canadian situation seems likely to get worse from privacy perspective.  Yet there are many measures that could be adopted to restore some balance and address mounting concerns about the lack of transparency associated with the widespread disclosure activities.

First, new government transparency requirements could be implemented so that the secrecy associated with hundreds of thousands of disclosure requests is eliminated. The government should require law enforcement agencies to record and report all requests for subscriber information with quarterly public releases of aggregate data.

Telecom and Internet providers should also issue regular transparency reports. Leading Internet companies such as Google and Twitter publicly release disclosure information as do large U.S. telecom companies such as AT&T and Verizon.  If they can do it, Canadian providers such as Bell, Rogers, and Telus should do the same.

Second, telecom and Internet providers should stop automating the disclosure of subscriber information. The automated systems, which include mirroring network traffic and sending it directly to law enforcement or creating law enforcement monitoring databases that can be accessed with minimal or no review, encourage bulk disclosure of subscriber information with no effective oversight.

Third, telecom and Internet providers should be required to advise affected individuals about warrantless disclosures of their personal information unless a court prohibits them from doing so. Such a requirement would inform Canadians when their information is being disclosed and provide them with the opportunity to contest it if they see fit.

Fourth, Canadians could also use existing law more aggressively to demand that telecom providers reveal any instances of prior disclosures of their information. The law allows an individual to file a request with an organization for access to their personal information, including any details on past disclosures. Failure to comply would violate Canada’s private sector privacy law.

Fifth, the Privacy Commissioner of Canada should use her audit powers to investigate the secretive disclosure practices among telecom and Internet providers. The recent revelations provide ample evidence to justify exercising the audit powers to lift the veil of secrecy over how Canadian telecom and Internet providers manage subscriber information. 

While transparency reports and external audits will not eliminate mass warrantless disclosures, they will place the issue in the spotlight and force both government and the telecom providers to explain why they do so little to safeguard Canadians’ privacy.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

Comments are closed.