Saturday, June 07, 2014

Canadian telcos release transparency reports

In the past week, in a significant development, both Teksavvy and Rogers have released information that provides much greater insights into government demands for personal information from telecommunications companies.

Teksavvy is one of the largest independent internet service providers and they released their report in the form of a comprehensive response to the letter sent to them by the Citizen Lab's Chris Parsons (See: Citizen Lab calls for transparency by Canadian telcos). Many may remember that Teksavvy was the ISP that went to court to challenge a demand by a Hollywood studio for information about users who were alleged to have violated copyright.

Rogers is one of Canada's largest "full service" telecommunications service providers, offering landline and mobile telephone services, in addition to cable internet. Their report is slightly less detailed, presumably because they are very constrained by the government (by the Solicitor General's guidelines on lawful interception).

This is a great advance in transparency and a good first step. It also provides some useful information for the discussion and debate about warrantless disclosures of personal information by telecommunications service providers. The reports both show that in the period under discussion, both Rogers and Teksavvy disclosed customer information without a warrant in a range of circumstances.

The Teksavvy report shows they provided customer names and addresses when provided with an IP address in at least 16 out of the 17 such disclosures. The circumstances of those disclosures are not reported. (To be fair, they say in their letter that they will no longer do this.) The Rogers report shows they did the same in what they called

Child sexual exploitation emergency assistance requests:

Legal authority: The Criminal Code and PIPEDA. Details: We assist police during child exploitation investigations. Examples of info provided: Confirming a customer’s name and address when provided with an IP address so that police can get a search or arrest warrant to stop the sexual exploitation of a child.

The numbers of these warrantless disclosures are very high: 711 such disclosures. These are presumably controversial PIPEDA Requests, which a number of ISPs have agreed to cooperate with law enforcement when they are told it is connected with a child exploitation investigation. They cite PIPEDA as the authority, though the section in question (s. 7(3)(c.1)) does not require disclosure and is only applicable when the law enforcement agency has shown its "lawful authority" to demand the information. There is not yet any consensus about what "lawful authority" actually means.

For some really great reporting on these transparency reports, check out:

Now that Rogers in particular has made this disclosure, I'm looking forward to the other large telcos following suit.

No comments: