One day after NDP MP Charmaine Borg received a government response to her request for more data on subscriber requests and disclosures, Liberal MP Irwin Cotler received a response to his request for information. While there is some overlap between the documents, Cotler asked some important specific questions about the number of requests, which providers face requests, and the results of the information disclosed. Departments such as CSIS and CSEC unsurprisingly declined to provide much information, but several other departments were more forthcoming.
The results paint a disturbing picture: massive numbers of requests often with little or no record keeping, evidence to suggest that the disclosures frequently do not lead to charges, requests that extend far beyond telecom providers to include online dating and children’s gaming sites, and inconsistent application of the Supreme Court of Canada’s recent Spencer decision.
The Department of Justice provided data on requests arising from the International Assistance Group, which submits requests on behalf of foreign states. In 2013, there were more than 100 requests for subscriber information. Perhaps most interesting is the wide variety of providers and websites that have faced requests. In addition to the large telecom companies, there have been requests to Plenty of Fish (an online dating site), Club Penguin (a children’s game site), Kik (an online messaging service), Yahoo.ca, and Contact Privacy (a site that protects the privacy of domain name registrants).
The Department of Defence was unable to provide specific information, acknowledging there may be thousands of requests. Most notably, the department indicated that it has changed it policy on subscriber requests in light of the Spencer decision. The report signed by Defence Minister Rob Nicholson notes:
Until now, Military Police typically requested such information through a voluntary request for disclosure from the provider in accordance with the Personal Information Protection and Electronic Documents Act. In some cases, judicial authorizations by way of production order or search warrant were obtained. In light of the recent decision of the Supreme Court of Canada in R. v. Spencer, judicial authorization will be obtained in the future for all such requests.
In contrast, Public Safety Canada indicates that “the Government of Canada is still examining this decision.” Further, Public Safety tries to downplay the privacy importance of subscriber information, arguing that it “is akin to speaking to witnesses at the scene of the crime.” It also claims that “subscriber information is useful in 100% of the cases in which it is requested.” The submission also notes that law enforcement and CSIS met with many Canadian telecom providers in early June (days before the release of the Spencer decision) to discuss issues such as subscriber information disclosures.
While Public Safety claims 100% usefulness, the data from other departments suggests that hundreds of requests for subscriber information rarely, if ever, lead to actual charges of a crime. For example, Environment Canada made over 400 requests for subscriber information in 2012, leading to disclosures involving hundreds of people. The disclosures did not lead to a a single person being charged with an offence under Canadian law. In fact, over the past five years only one person has been charged despite hundreds of requests for subscriber information.
Similarly, the Competition Bureau has made nearly 100 requests for subscriber information over the past five years. The Bureau acknowledges that it does not seek a warrant for basic subscriber information. It also states that “in no case did the disclosure of data lead to action or proceedings being commenced by the Bureau.”
Record keeping of subscriber requests is also non-existent in some departments. For example, the Department of Fisheries indicates that it requests subscriber information, frequently to identify the registered owner of a seized cellphone. The department does not track the number requests, to whom the requests are made, or if the information leads to any charges.
Finally, the CRTC’s response is interesting since it provided detailed information, but noted that its requests are linked to accessing subscriber information in connection with complaints with the do-not-call list. A wide variety of providers have been asked to provide information including U.S. giants such as AT&T, Comcast, Verizon, and Google, though those tend to be isolated requests. Among Canadian providers, Bell faces by far more the most requests for subscriber information (more than Rogers, Telus, Sasktel, and Shaw combined). The numbers also point to the relatively small number of investigations relative to complaints. For example, last year there were a total of 411 requests, though the CRTC receives more than 10,000 complaints every month.
The overall picture painted by the data shows remarkable inconsistency by government departments and agencies about when they ask for subscriber information, whether they seek a warrant, the records that they keep, and the effectiveness of requests. Given the privacy importance of subscriber data, the Privacy Commissioner of Canada should consider launching a detailed audit on department practices with the goal of establishing consistent policies that respect the privacy rights of all Canadians.