Last fall, Daniel Therrien, the government’s newly appointed Privacy Commissioner of Canada, released the annual report on the Privacy Act, the legislation that governs how government collects, uses, and discloses personal information. The lead story from the report was the result of an audit of the Royal Canadian Mounted Police practices regarding warrantless requests for telecom subscriber information.
The audit had been expected to shed new light on RCMP information requests. Auditors were forced to terminate the investigation, however, when they realized that Canada’s national police force simply did not compile the requested information. When asked why the information was not collected, RCMP officials responded that its information management system was never designed to capture access requests.
While that raised serious concerns – the RCMP has since promised to study mechanisms for reporting requests with recommendations expected in April – my weekly technology law column (Toronto Star version, homepage version) reports that documents recently obtained under the Access to Information Act reveal that the publicly released audit results significantly understated the severity of the problem. Indeed, after the draft final report was provided to the RCMP in advance for comment, several of the findings were toned down for the public release.
Behind the scenes, however, documents suggest that Privacy Commissioner of Canada auditors were deeply concerned with what they found. In fact, just two days before the public release of the audit, one of the lead auditors wrote a memorandum to file to ensure that there was a paper trail chronicling what actually took place.
The memorandum specifically references a 2010 RCMP document that purported to list tens of thousands of warrantless subscriber information requests. The document indicated that in 94 per cent of requests involving customer name and address information, the information was provided voluntarily without a warrant.
The Privacy Commissioner of Canada auditors apparently expected that document, which was previously released under the Access to Information Act, to serve as the starting point for their review of RCMP practices. The internal memorandum notes that “we expected that these statistics would be accurate, complete, and up-to-date and that they would allow us to review RCMP files related to such warrantless requests.”
Once the auditors began examining the data, however, they found something entirely different. The internal memorandum states that “based on the evidence below we found, on the contrary, that the statistics provided for 2010 (and later for 2011-2013) were inaccurate, incomplete, not current, and they were not useful identifying PROS files for review.”
The internal memorandum continues by citing specific problems with the RCMP evidence, acknowledging that “problems with the reliability of data were also provided by way of interviews with senior officials.” The details of those interviews are redacted; however, the memorandum states that “from these discussions we also found that statistics for warrantless access are inaccurate because of lack of reporting, multiple reporting or overlapping reporting.”
The conclusion leaves little doubt about the problems the auditors encountered. It goes far further than the publicly released report, noting that “based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.”
In short, the Privacy Commissioner of Canada set out to audit the RCMP in the hope of uncovering the details behind requests for subscriber information. What it encountered instead was inaccurate data and an effort to downplay the problems within the public report.
The incident highlights the limits of Canadian oversight over law enforcement and surveillance activities. The use of the privacy commissioner’s audit power is frequently lauded as a mechanism to ensure that government does not run afoul of the law. Yet despite identifying inaccurate and incomplete data on a high-profile privacy issue, the public audit report does not use the terms “inaccurate” or “incomplete.”
The shortcomings in both practice and oversight point to the need for a strong legislative and policy response. As a starting point, the RCMP should provide detailed guidance on its policy on customer name and address requests and regularly report on those requests. Moreover, mandatory reporting requirements for telecommunications companies on subscriber disclosures could be added to Bill S-4, the government’s privacy reform package that is currently before the House of Commons.