Canada's ISPs Are Finally Revealing How Often the Government Requests User Data

Image via Flickr user Beraldo Leal.
Two Canadian telecommunications companies—Rogers Communications and TekSavvy Solutions—are the country's first to disclose the number of requests they receive from government agencies each year, and also detail what customer data they will and will not hand over upon request.

On Thursday morning, Rogers Communications revealed that it had received a total of 174,917 requests in 2013, but omitted the number of those requests the company had responded to. The night before, Chatham, Ontario-based cable and DSL internet service provider TekSavvy revealed that it had received 52 requests for subscriber information from government agencies in 2012 and 2013, and responded to 17—or 33 percent.

This is particularly huge news in Canada since there's been a cone of silence around all Canadian ISPs in the face of mounting evidence they cooperate with law enforcement agencies requesting user data. Last year former Privacy Commissioner Jennifer Stoddart, wrote that her office understood the number of disclosures to be "substantial." At the end of April, interim Privacy Commissioner Chantal Bernier released a document indicating that three of nine companies representing a “substantial portion” of the Canadian telecom market received nearly 1.2 million requests in 2011 alone.

Academics, lawyers, privacy experts and politicians have all been calling on Canadian internet and wireless providers to clarify the types of subscriber information they collect and retain. They also wanted know the number of requests made by law enforcement agencies each year, since reports of wide-ranging U.S. and Canadian government surveillance first surfaced last June.

"Just being able to have this type of information out there is a really important confidence enhancing tool, because it lets people see what's actually happening. And it gives insight into what is currently completely shrouded in secrecy," said Tamir Israel, a staff lawyer at the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic (CIPPIC).

TekSavvy's disclosure data was published in a letter to the Munk School of Global Affairs's Citizen Lab released late Wednesday evening, in response to questions submitted by Citizen Lab researcher Christopher Parsons and other privacy academics in late January. TekSavvy has promised that regular transparency reports are still to come.

"I’m hopeful that this will provide the clear rationale for other companies to come forward with equivalent responses," Parsons said in an interview. "This is especially the case for companies such as TELUS, which stated in their responses they were investigating how much information they could place on the public record."

Neither TELUS nor Bell have yet responded to a request from Motherboard for comment.

The Rogers and TekSavvy reports differ greatly, not only in the number of requests, but also the level of detail contained within them.

According to TekSavvy's 16-page document, 19 of the 52 requests were made by federal law enforcement agencies, with the remainder made by municipal and provincial forces. All were in the context of a criminal investigation and only subscriber information—the subscriber's phone number, email and/or postal address—was requested.

No requests for other types of data—including real-time interception or wiretapping, transmission data (such as the duration of a connection, port number used or communications routing data), and the names of sites visited or IP addresses accessed—were made.

It is worth noting that, of the 17 requests that TekSavvy responded to, 16 were voluntary and did not require a court order or warrant. TekSavvy has since changed its policies so that such disclosures will now be made "only in response to a warrant, production order," or in exceptional circumstances, such as a live bomb threat, where a warrant would likely be granted if time allowed.

Rogers's three-page document is considerably less detailed, but breaks down requests for data into six areas: customer name and address checks, court orders and warrants, government requirement letters, emergency requests, child sexual exploitation emergency assistance requests, and court orders to comply with foreign requests made under the Mutual Legal Assistance Treaty.

Basic requests for subscriber information—which are made without a court order or warrant—make up half of all requests, with the government looking for a customer's name, address and listed phone number, but not his or her IP address. Court orders and warrants, meanwhile, make up over 40 percent of requests.

One of the worries regarding Bill C-13—a controversial cyberbullying law that also expands government surveillance powers and may soon become law—is that legal immunity would be granted to those who voluntarily disclose data to the government, opening such requests up to abuse. A complementary piece of legislation, Bill S-4, would prevent such disclosures from being made public.

Even under existing law, stipulations on what wireless carriers can and cannot disclose are still vague and open to interpretation, Israel explained.

For example, because TekSavvy does not offer wireless services, it is not subject to the Solicitor General's Enforcement Standards—a set of broad unpublished regulations that limit the types of requests that companies such like Rogers and Bell can and cannot discuss.

It may also explain why Rogers is willing to detail the number of requests it has received, but not the number of which it has responded to.

"A lot of the companies have said they're concerned about liability if they facilitate this type of public transparency," Israel said. "It seems like it's incumbent upon the government to step up and address those concerns.