Why Is the Canadian Government Issuing Over 1 Million Annual Requests to Telecom Companies for Our Data?

Canada's telecom giants don't seem particularly invested in protecting your privacy. Photo via the author.
When news broke earlier this year that CSEC had been tracking Canadians through free airport WiFi, the mainstream media largely missed the point. Not only had Canada’s NSA been using airport hotspots to gather personal information about Canadians, they had also been gathering data from other corporate sources to create behavioural patterns designed to track the comings and goings of whoever it is their targets are. That’s a bit more invasive than simply snooping on folks looking at cat videos, who are waiting for their connecting flight to Orlando.

If you go through the original presentation about CSEC’s so-called airport spying program, which was leaked by Eddie Snowden, you can see that CSEC uses the example of a kidnapper who’s on the lam, and whose position can be pinpointed by CSEC tracking programs. Not only is this somewhat of an overreach for CSEC (because isn’t finding kidnappers a police responsibility?) but it also indicates that there are corporate partners throughout North America helping CSEC gather information on Canadians. Listed in that presentation are Bell Sympatico, Boingo, and Neustar—a company that was the subject of a VICE Canada report earlier this year.

Within that same free airport WiFi presentation was an allusion to a ‘Canadian Special Source,’ that had provided data to CSEC, which was widely speculated to be a “large telecommunications provider in Canada.” This created a firestorm (within the small circles in this country that actually research and follow online surveillance, that is) of speculation as to which company that ‘Special Source’ is, and it provoked further research into the amount of data that Canadian telecom providers turn over to the government.

Christopher Parsons, a postdoctoral fellow at U of T’s Citizen Lab, along with a group of other researchers, sent formal letters to Bell, Rogers, Telus, and every other telecom provider in Canada asking them to quantify the amount of requests that they received from law enforcement agencies for customer data in 2012 and 2013, how their protocol and processes for these requests work, how long they keep subscriber data, and so on. Unsurprisingly, they were almost unanimously stonewalled by the telecom companies in this country, stating: “The companies that have responded to the letters as of March 5, 2014 have generally declined to provide specific responses to the questions posed of them.”

While these letters may not have sounded a widespread, public alarm, news broke late last night that Canadian government agencies issued 1.2 million requests for customer data in 2011 alone. This data came from the federal privacy commissioner, who received anonymous figures from nine different telecom companies in Canada. As the Toronto Star reported: “It’s not clear from the report what information was sought by agencies, how much data was released, or what judicial oversight—if any—was involved.”

One source we can turn to, for some clarity, is the Google Transparency Report—an annual rundown of the amount of requests coming from law enforcement agencies to the company whose motto is to avoid evil at all costs. In 2011, Canadian authorities issued 91 requests for user data. This number dropped slightly in 2012, to 88 requests. And in 2013, that number spiked up to 101 requests. On average, Google reports that they respond to about 25 percent of these requests with actual data, but in the first half of 2011, 48 percent of these requests were granted, and in the second half of 2010, Google responded to 55 percent of requests.

With such comparatively low numbers of user data requests to Google (that are apparently rising, nonetheless), it’s more than concerning to see more than a million annual requests to telecom companies across the country from federal government agencies—for entirely vague reasons. Canada’s telecom companies are clearly in an awkward legal position, as a representative from Bell told the Star that, “Any request for information about lawful access activities should be made to the law enforcement agencies involved.” Oh, thanks for clearing that up, Bell. I can’t wait to pay my next phone bill!

These corporate non-answers are reminiscent of last year’s awakening that companies like Verizon, AT&T, and Sprint are not only complicit in NSA spying, but that they receive cash to cooperate. When the news of the NSA’s highly invasive PRISM program broke out of Ed Snowden’s treasure trove last year, Yahoo, Facebook, and others denied knowing about the program. Some of these same companies are now lobbying for the right to be more transparent about the amount of law enforcement requests they receive per year, which according to Ed Black, the president of the Computer & Communications Industry Association, “will allow companies to show what they have been doing is more limited than some have assumed and, that when appropriate, they have challenged and pushed back.” But, given that some of these same companies were paid by the NSA to be “PRISM compliant,” it’s hard to believe their intentions are true.

VICE reached out to the Canadian Security and Intelligence Service (CSIS) and asked if they ever requested information from either Canadian telecom companies or Google. Their response was typically curt, refusing to add any further comment and directing us to a 2011-2013 Public Report from the agency that provides no insight into whether CSIS requests information from telecom companies in Canada or abroad. The report does say that CSIS is aware of a “wide range of targeting against the private sector in Canada,” by hostile actors, whose targets include “high-technology industries… the telecommunications sector.”

We also contacted Ronald Deibert this morning, founder of the Citizen Lab, and a Canadian cybersecurity expert. Regarding the latest news about telecom disclosures, he told me: “This latest information confirms what many of us have for long suspected: that Canadian telcos operate in a culture within which the digital exhaust we entrust to them on a daily basis is routinely shared with agencies of the Canadian state. Canadian telcos have apparently forgotten that judicial protections are essential to a liberal democracy, except when it comes to protecting their own asses from liability.”

Despite this rampant, warrantless sharing of data between telecom companies and government agencies, Canadians don’t seem to be overly concerned about this sliding standard of personal privacy occurring under all of our noses. We have seen recent attempts by the Conservative government to normalize online surveillance with the scapegoat of cyberbullying, in a bill that would also protect internet providers from being sued for complying with warrantless surveillance. The bill, C-13, has not been voted on. But evidently, the Canadian political climate is being pushed towards a reality where surveillance is normalized; so it is now a question of whether or not this train can be reversed.

With a federal election around the corner, hopefully privacy can be pushed as a major issue of debate that Mulcair, Trudeau, and whoever the Conservatives trot out, can trip over each other to discuss. That said, without a more public outcry over the vague but substantial cooperation between telecom companies and government agencies, this may just continue to proceed—largely unchecked.

With additional reporting by Ben Makuch.

@patrickmcguire