Thursday, May 01, 2014

We seriously need transparency about law enforcement demands

Earlier this week, Interim Privacy Commissioner Chantal Bernier dropped a bombshell: Law enforcement agencies asked nine Canadian telcos for personal information 1.2 MILLION times and received data in more than three quarters of those cases. On its face, that number is staggering. It appears even more staggering when you figure that this is only a sub-set of Canadian telcos. But these numbers say virtually nothing about what kind of information we're talking about, what kinds of requests are made, under what circumstances, how many of them are with a warrant and how many are without, how many are based on intrusive and judicially unaccountable orders such as those under the Income Tax Act and the Customs Act? How many relate to the administration of laws, how many relate to law enforcement and how many are for national security purposes?

We know that hundreds of times a year, Canadian telcos provide private customer information to the police without a warrant under a protocol that I believe to be unlawful. (We'll see what the Supreme Court of Canada ultimately has to say about this practice in R v Spencer heard in December of last year.) We also know that not all telcos have adopted this protocol.

In this post-Snowden age and without credible information, we simply assume the worst and -- too often -- these assumptions are borne out.

In response, some telcos are providing some very general information (In my neck of the woods, Atlantic Canada's largest telcos, Bell Aliant and Eastlink both say they don't provide private information without a warrant or other legal compulsion.) But they are generally tight-lipped about what information they can provide, citing that it is law enforcement sensitive.

When the industrious researchers at the Citizen Lab tried to get this information from telcos directly, they were largely told to ask the government. MP Charmaine Borg, when trying to get clear information from federal law enforcement agencies, only received a paltry amount of data.

I don't buy it. And I can't accept it. We saw a huge furore over warrantless access to subscriber information when the federal government proposed Bill C-30. We're seeing a big fuss over this revelation related to the 1.2 million requests. We're about to start debating the new cyberbullying act that revives much of C-30's "lawful access" and we're ramping up to debate S-4, the Digital Privacy Act which extends voluntary disclosures of sensitive personal information beyond law enforcement. We cannot have an informed and educated debate about these incredibly important topics without real information.

So why aren't telcos and law enforcement agencies coming clean? We saw Google take the lead with its Transparency Report, which has been followed by other technology companies including as Twitter and Facebook. The list of companies actually includes telecommunications companies such as AT&T and Time Warner Cable in the US and Telstra in Australia [PDF]. But, to my knowledge, no Canadian company provides any data akin to a transparency report. Do government and law enforcement agencies want us to be in the dark? The cynic in my is starting to think so.

We need more transparency and accountability. We need one Canadian telco to take the courageous first step of producing a comprehensive transparency report, with full details of its methodology and terminology so that other telcos can step out of the shadows and provide comparable useful data. It's probably in their interests, since the speculation that is swirling around is likely worse than the reality. I don't know how or when a Canadian telco will step up, but Canadians should be calling on their providers to come clean with this information.

No comments: