Friday, March 28, 2014

A hint at the extent of warrantless access to customer data in Canada

Earlier this week, the Halifax Chronicle Herald published a story about information that has come to light about the extent to which law enforcement agencies are seeking -- and getting -- access to private information without a warrant. (See Ottawa has been spying on you | The Chronicle Herald)

MP Charmaine Borg tabled a question in Parliament looking for particulars about how often government agencies look for and get information about customers of telecommunications services. Perhaps not surprisingly, CSIS and CSE refused to answer. The RCMP refused to provide information, saying it does not track this information. The full document is available here [PDF].

What is most interesting about the document is the extent that the Canadian Border Services Agency, the organization that polices Canada's borders, asked for and received telco customer information without a warrant. It happened over 18,000 times and telcos refused only a handful of times, mainly if they didn't have the information requested.

If I had been asked which government agencies seek warrantless access to customer data, I would have put CBSA pretty low on the list and would think they would represent a drop in the bucket. If that's the case, and the "drop in the bucket" is 18,000 requests, we must be looking at a VERY LARGE bucket.

What's also troubling is that unless charges are laid, nobody ever finds out that their information has been obtained by law enforcement. And, in fact, there's a gag order that would prevent you from getting that information from your telco. I highly doubt that CBSA laid 18,000 charges last year, so there are thousands of Canadians whose information has been accessed and they will never know about it.

Not surprisingly, some of the best analysis of this comes from Chris Parsons, a post-doctoral fellow at the CitizenLab at the University of Toronto. Read his full discussion of this here: Mapping the Canadian Government’s Telecommunications Surveillance.

In the media, this story was first reported in the Chronicle Herald by Paul McLeod:

Ottawa has been spying on you


Published March 25, 2014 - 8:19pm

Last Updated March 25, 2014 - 8:54pm

Telecom firms handing over data without warrants

Telecommunications companies gave individual customer data to the Canada Border Services Agency over 18,000 times in one year.

This information includes the content of voice mails and text messages, websites visited and the rough location of where a cellphone call was made, according to government data.

For cases involving those types of requests, Canada Border Services sought a warrant for the information. But in the vast majority of releases, the agency asked for and received basic subscriber information without obtaining a warrant.

From April 2012 through March 2013, the agency asked telecoms for information 18,849 times. Of those, 99 per cent were for subscriber information that did not involve a warrant.

Telecoms handed over the data in all but 25 cases.

“I find that shocking,” said privacy expert David Fraser, a lawyer with McInnes Cooper in Halifax.

“If you cannot convince a judge or a justice of the peace or a magistrate that you are entitled to that information, then you should not be getting that information.”

Documents show Canada Border Services appears to have an agreement with telecoms wherein basic subscriber information is handed over without the need for a warrant.

According to the agency, this type of information includes “identity and address details provided to the (service provider) when the cellular account was created.”

This includes the name and address of a cellphone user, when the individual activated their phone, their account number and what kind of payment plan is used (such as if their device is prepaid or postpaid).

Canada Border Services requested this information 18,729 times during that fiscal year.

Other information requested included text message content (77 times), voice mails (10 times), geolocation requests (63 times), websites visited or IP addresses (78 times), transmission data (113 times) and cellphone logs (128 times).

The agency says information from telecoms is key to modern crime investigations.

Its parent department, Public Safety Canada, says that when agencies ask for information, “they do so in full respect of

Canadian laws, which are some of the strongest in the world at protecting privacy.”

Public Safety says that while most information requires a warrant to obtain it, information such as a customer’s name and address carries “a lower expectation of privacy and, as such, may be requested (without a warrant) according to Canadian law.”

Subscribers are not normally notified if their information has been handed over to authorities.

Fraser, who authors a blog on Canadian privacy laws, said this arrangement violates citizens’ basic rights to privacy.

He said Canadians already rejected this kind of intrusion in the debate around Bill C-30, the government’s Internet surveillance bill. The Conservatives introduced but then killed the bill due to public backlash.

“We had all of that outrage because that piece of legislation would have legitimized this practice,” said Fraser.

“Even without that legislative cover, we have CBSA looking for this information, but even more outrageously getting it from telecommunications companies.”

Of the 25 times telecoms rejected information requests, some denials were due to phones no longer being active or a customer changing service providers.

The information given to Canada Border Services is kept for up to two years unless it is involved in criminal charges. In those cases, information is kept for up to seven years.

The RCMP, the Canadian Security Intelligence Service and Communications Security Establishment Canada were all asked by Parliament, via a member’s question, to provide the same details about such requests.

They all refused for different reasons.

The RCMP said it does not track how often it asks telecoms for information.

Communications Security Establishment Canada, in charge of foreign intelligence and securing Canadian government electronic information, said providing the information would reveal Canada’s intelligence capabilities. The body is prohibited from spying on Canadians.

The Canadian Security Intelligence Service, a spy agency that investigates suspected threats to Canadian security, admitted it may ask telecoms to provide “subscriber information and access to the content of communications.”

But CSIS said it is not allowed to provide such information because it would be a breach of national security.

I was also interviewed about this for Radio Canada International: Canadian’s private telecom information, not so private.

No comments: