[Advisors] FW: [liberationtech] The Murky State of Canadian Telecommunications Surveillance

michael gurstein gurstein at gmail.com
Sun Mar 9 08:09:57 PDT 2014


From: liberationtech-bounces at lists.stanford.edu
[mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Ronald
Deibert
Sent: Thursday, March 06, 2014 7:31 AM
To: liberationtech
Subject: [liberationtech] The Murky State of Canadian Telecommunications
Surveillance

 

Hi Liberation Tech

 

The following update may be of interest to some on the list, regarding a
project on telco / isp transparency led by Citizen Lab's Christopher Parsons

 

https://citizenlab.org/2014/03/murky-state-canadian-telecommunications-surveillance/

 

Apologies if there is any formatting weirdness on my email.  I copied and
pasted from the blog post.

 

Cheers

Ron

 


The Murky State of Canadian Telecommunications Surveillance


March 6, 2014


On January 20, 2014 the Citizen Lab along with leading Canadian academics
and civil liberties groups
<https://citizenlab.org/2014/01/towards-transparency-canadian-telecommunicat
ions/> sent letters to Canada's most prominent Internet service providers.
We asked the companies to reveal the extent to which they voluntarily, and
under compulsion, disclose information about their subscribers to state
agencies, as well as for information about business practices and data
retention periods. The requested information would let researchers, policy
analysts, and civil liberties groups better understand the current
telecommunications landscape and engage in evidence-based policy analysis of
current and proposed government surveillance activities. The companies were
asked to provide responses by March 3, 2014.

A considerable amount of attention has been given to state access to
telecommunications data since January 20. Organizations such as the
<http://www.theglobeandmail.com/news/national/telecom-firms-being-asked-what
-data-they-are-giving-to-police-intelligence-agencies/article16455076/>
Globe and Mail wrote that Canadians deserve to know who is listening to
their communications, and reporting by
<http://www.thewirereport.ca/news/2014/02/10/rules-could-stymie-inquiry-of-t
elecoms%E2%80%99-info-disclosure-to-government/27839> The Wire Report found
that while telecommunications companies believed they might not be able to
respond to all the questions in the letters, at least some responses might
be provided without running afoul of government gag laws. However, The Wire
Report also found that some sources believed they were forbidden from
disclosing any information about the assistance they provide to government
agencies, with one stating they were "completely resigned."

At the same time as the letters were being examined by the companies, a
series of high-profile telecommunications-related stories broke in the
media. In the United States, leading
<http://transparency.verizon.com/us-data> telecommunications
<http://about.att.com/content/csr/home/frequently-requested-info/governance/
transparencyreport.html> carriers released 'transparency reports' that put
some information in the public arena concerning how often the companies
disclose information to American state agencies. In Canada, there were
revelations that the Communications Security Establishment Canada (CSEC) had
<http://www.cbc.ca/news/politics/csec-used-airport-wi-fi-to-track-canadian-t
ravellers-edward-snowden-documents-1.2517881> surreptitiously monitored the
movements of Canadians
<http://arstechnica.com/tech-policy/2014/01/new-snowden-docs-show-canadian-s
pies-tracked-thousands-of-travelers/> vis-a-vis mobile devices that
connected to wireless routers. These revelations sparked
<http://www.theglobeandmail.com/news/politics/nothing-wrong-with-monitoring-
airport-wi-fi-harper-security-adviser-says/article16670551/> renewed
interest in the origins of CSEC's data, whether Canadian telecommunications
companies either voluntarily or under compulsion provide data to CSEC, the
<http://www.theglobeandmail.com/news/national/the-globe-goes-inside-canadas-
top-secret-spy-agency/article17175386/> nature of CSEC's 'metadata'
collection process, and the rationales driving data exchanges between
telecommunications companies and state agencies more generally. The Office
of the Privacy Commissioner of Canada also
<http://www.priv.gc.ca/information/sr-rs/201314/sr_cic_e.asp> tabled a
report that outlined a series of ways to improve accountability and
transparency surrounding state access to telecommunications data. Finally,
MP Charmaine Borg, the New Democratic Party Member of Parliament for the
riding of Terrebonne-Blainville in Quebec,
<http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=E&Mode=1&
Parl=41&Ses=2&DocId=6391359&File=11> issued a series of questions to the
federal government that are meant to render transparent how federal agencies
request information from telecommunications companies.


Who Responded


As of today, ten of sixteen companies have responded to the letters sent on
January 20, 2014. Only one company, Distributel, has asked for additional
time to formalize a response; this post will be amended once we receive
their comments. Companies that sent responses include:

* <https://citizenlab.org/wp-content/uploads/2014/03/Response-from-Bell-Alliant.pdf> Bell Aliant (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/Bell-Canada-Lawful-Access-Request-Letter.pdf> Bell Canada (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/Cogeco-Cable-March-3-2014.pdf> COGECO Cable Inc. (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/Time-extension-request-from-Distributel.pdf> Distributel (Request for additional time) (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/Response-from-Eastlink.pdf> Eastlink (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/Letter-from-MTS-Allstream.pdf> MTS Allstream (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/Response-from-Rogers.pdf> Rogers Group of Companies (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/Response-from-Shaw.pdf> Shaw Media Inc. (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/TELUS-Response-to-Parsons-et-al-Letter-20-Jan-2014.pdf> TELUS Communications Company (.pdf)
* <https://citizenlab.org/wp-content/uploads/2014/03/QuebecorVideotron.pdf> Videotron/Quebecor Media (.pdf)

To date, the following companies have not responded to the letters:

*	Fido Solutions
*	Globalive Wireless Management Corp. (Wind)
*	Primus Telecommunications Canada Inc.
*	Sasktel
*	TekSavvy Solutions Inc.
*	Xplorenet Communications Inc

We remain optimistic that the remaining companies will provide written
responses to the letters. This post will be updated as we receive additional
replies. Significantly, one of the largest Telecommunications service
providers servicing western Canada, Sasktel, has not responded.


Limited Findings


The companies that have responded to the letters as of March 5, 2014 have
generally declined to provide specific responses to the questions posed of
them. Most (though not all) companies indicated that they were generally
committed to protecting their subscribers' privacy, though few provided
specific details concerning what they do to protect their subscribers'
privacy in relation to the questions that were posed in the letters. TELUS
was noteworthy insofar as it referenced its challenge of a general warrant
to access text message data, and Bell Canada in that they noted that a law
enforcement agency group evaluates all requests for subscribers'
telecommunications data.

Companies generally avoided or refused to respond to specific questions put
to them. As an example, and in response to the multi-page letter,
Eastlink's entire response was:

Consistent with our obligations under the Personal Information Protection
and Electronic Documents Act, Eastlink does not disclose any information to
government agencies except pursuant to a warrant or other order that legally
compels us to disclose the information, or in very exceptional emergency
circumstances as also permitted under PIPEDA.

In the case of Rogers Communications, the company provided a more detailed
response to the media when asked about the letters by the Globe & Mail than
in their response to the letters themselves. Specifically, the company's
spokesperson was
<http://www.theglobeandmail.com/news/national/telecom-firms-being-asked-what
-data-they-are-giving-to-police-intelligence-agencies/article16455076/>
quoted as saying that Rogers takes "privacy matters very seriously and
comply with all regulations. Our policy is that we require a properly
executed warrant to disclose customer information." The company's formal
response to the letter they received, in contrast, neither indicates their
concern for Canadians' privacy nor that they require a warrant to disclose
customer information. Instead, the company suggests that their ability to
provide information about state agencies' access to wireless communications
data is limited by the Solicitor General's Enforcement Standards and, more
generally, that "there are restrictions around the disclosure of information
about access and intercept requests that Rogers receives from government
agencies." No specifics were provided about these restrictions, their legal
origins and justifications, or the company's own position(s) concerning such
restrictions. No information about the company's data management, retention,
or disclosure practices was provided.

Responses from Bell Aliant, Bell Canada, Cogeco, TELUS, and Videotron
similarly lack substantive responses to most of the questions posed to them.
While these companies all stated their commitment to maintaining their
subscribers' privacy, they also declined to indicate how long they retained
data or information about their subscribers, the specific protocols or
policies they used in evaluating state agencies' requests for data, whether
the companies receive any restitution for the surveillance, or the fields of
data that are retained or disclosed following a request or demand by state
agencies. In all cases, companies justified their refusals on grounds of
confidentiality of investigative techniques or because of national security
concerns. Many companies also asserted that they were ill-suited to
provide any response because the companies (e.g. Bell Canada) "are not in a
good position to balance the competing principles and interests triggered by
detailed public disclosures about the volume and nature of lawful access
requests." TELUS, similarly, wrote that "[g]overnment agencies are better
positioned to balance transparency considerations with other important
considerations such as the need for confidentiality in relation to
investigative techniques, and other law enforcement or national security
concerns."

Ultimately, the companies that received these letters have not
comprehensively identified how or why responding to questions would either
interfere with investigative confidentiality or threaten national security.
None of the responsive companies, save for TELUS, indicated that they had
asked (or would ask) the federal government (or other levels of government)
whether disclosures would endanger national security or investigative
techniques. Instead, the companies asserted that they were ill-suited to
provide information about their business practices and (in some cases)
suggested filing requests with various levels of government for information
about those governments' practices. The sole exception was TELUS, which
wrote that the company would "request the Government to clarify and limit
the scope of current confidentiality requirements and to consider measures
to facilitate greater transparency."


Examples of Unanswered Questions


It is helpful to consider some of the questions to fully appreciate why
responding to them is unlikely to compromise investigative techniques or
undermine national security interests. For all questions, we asked the
companies to "please provide either a response, indicate that you cannot
respond, or indicate that you will not respond." For almost all questions,
it seems, companies are unwilling to assert whether they cannot or will not
respond; instead, they have deliberately left unclear whether they are
legally barred from providing responses to specific questions or have simply
decided that they would prefer not to respond to these questions. Even
this level of data disclosure would be helpful because it would let
researchers understand the extent to which companies are operating under gag
rules or, alternately, are choosing to voluntarily gag themselves.

As an example of a question that was posed, we asked whether service
providers received "money or other forms of compensations in exchange for
providing information to government agencies" as well as subsequent,
increasingly detailed, questions about compensation policies. Companies
could have provided very broad responses to such a question (i.e. only
responding 'yes' or 'no' to whether they are compensated for assisting state
agencies) without endangering ongoing or past cooperation with authorities.
They also could have stated that they will not respond to the question,
indicating that though they were legally permitted to respond they had made
the decision to remain silent instead.

As another example, we asked whether the respective companies notify their
customers "when government agencies request their [subscribers'] personal
information? If so, how many customers per year have you notified?"
Revealing whether subscribers are notified in the first place would clearly
not jeopardize investigations and would instead reveal a business practice
that either was, or was not, in place. Companies might have stated they
could not respond for legal reasons or, alternately, that they will not
respond to the question. Whereas the former response would indicate that the
government was preventing disclosure the latter might suggest the
businesses' own interests precluded a response. Unfortunately, we are left
without any idea of even if companies could notify subscribers when
authorities make warrantless or warrant-based requests for subscriber data,
let alone whether these companies actually do notify their customers.


The Clearest Research Findings


Of all the questions asked, and all the companies that have responded, the
clearest examples of direct responses came from Bell Canada and TELUS.
Specifically, one of the questions sent to Bell Canada read:

Does your company have a dedicated group for responding to data requests
from government agents? Are members of this group required to have special
clearances in order to process such requests? What is the highest level
company official that has direct and detailed knowledge of the activities of
this group?

Bell Canada wrote in response:

To ensure that customer information is only disclosed in circumstances
permitted by PIPEDA and required by law, all such requests are vetted by
Bell Canada's lawful access group and, where there is any doubt, by my
office. The lawful access group exercises careful scrutiny over disclosure
requests. Where necessary, the lawful access group has required government
agencies to withdraw their disclosure requests where the request appears
unreasonable in its scope or lacks the reasonable grounds required by law.
In the past, when there were concerns about the statutory power of law
enforcement agencies (LEAs) to request warrantless access to customer
information under exigent circumstances, Bell Canada led the way to
implement an industry-wide process requiring LEAs to document the basis for
each such access request

As a result, we know (and have on record) that Bell has a dedicated group
tasked to vet requests and that a senior counsel and privacy ombudsperson is
sometimes involved in responding to such state agencies' requests. We also
know that Bell Canada does sometimes push back against government requests
for data, and that the industry-wide process of LEA documentation was driven
by Bell. Bell's disclosure reveals that the company does not believe that
revealing this information inhibits either national security processes or
investigative techniques, in contrast to even its sister corporation, Bell
Aliant. We have no information about whether other telecommunications
service providers do (or do not) have similar groups, or whether they
similarly push back against inappropriate disclosure requests.

In the case of TELUS, the company committed to asking "the Government to
clarify and limit the scope of current confidentiality requirements and to
consider measures to facilitate greater transparency" while also
acknowledging that "when TELUS receives court orders from law enforcement
agencies, they can often be far reaching." This combination of responses is
significant for two reasons. First, it suggests that TELUS is making a policy
commitment that is unique: no other company responded by suggesting that it
had, or was prepared to, ask for clarity concerning what could and could not
be publicly disclosed. Second, it reveals that requests from law enforcement
authorities may be overly broad, something that only Bell Canada also noted
in their response to the letter they received.

TELUS' response was also interesting because the company proposed a new
policy approach to responding to state agencies' requests for subscribers'
information. Specifically, TELUS' response read that far reaching requests
from state agencies might be restrained should the Canadian policy
environment adopt:

a model similar to that which exists in the United States where law
enforcement agencies pay the costs associated with the production of the
records which they obtain. The imposition of a moderate cost in this regard
acts as a check and balance to ensure that court orders are focused and thus
limited to those records which are considered by law enforcement agencies to
be absolutely necessary. This would help to deter orders that are too broad
in scope and that may unnecessarily impact the privacy of citizens.

The model that TELUS is advocating has been proposed by privacy advocates
both in the United States and in Canada; the theory undergirding the model
is that it would motivate law enforcement agencies to decide whether they
wanted to invest precious resources on potentially broad ranging data
requests or on other resources (e.g. street officers, vehicle maintenance,
etc). No other company indicated a preference for an alternate payment
model, though TELUS did not explicitly note whether they currently respond
to government agencies' requests for subscribers' information on a
cost-recovery basis or as a cost of doing business.


Broader Implications


Canadians are reliant on telecommunications service providers to conduct
their daily affairs. We
<https://citizenlab.org/2014/01/towards-transparency-canadian-telecommunicat
ions/> wrote the following when outlining why these letters were developed
and sent to Canada's largest service providers:

... interested Canadians have had only vague understandings of how, why, and
how often Canadian telecommunications providers have disclosed information
to government agencies. Given the importance of such systems to Canadians'
lives, and the government's repeated allegations that more access is needed
to ensure the safety of Canadians, more data is needed for scholars, civil
rights organizations, and the public to understand, appreciate, and reach
informed conclusions about the legitimacy of such allegations.

At this point, Canadians know a small amount more about state agencies'
access to telecommunications data compared to before the letters were sent:
namely, we know that Bell Canada has a group responsible for handling
requests from law enforcement agencies, and that most companies firmly
believe that they cannot or will not provide any substantive responses about
state access to telecommunications data. We also know that TELUS is
interested in ascertaining how much they can, and cannot, disclose to the
public as well as policy mechanisms the company believes would limit over
broad requests for subscribers' information. Several of the companies,
including Videotron, Cogeco Cable, and Bell Aliant, maintain that they are
committed to working with government bodies when it comes to responding to
public sector access-to-information laws, though all of these companies fail
to make the case for why all of the information that was asked about in the
letters must first be mediated through federal or provincial access to
information processes.

Ultimately, it is somewhat surprising that even the companies which
coordinated the ' <http://www.fairforcanada.ca/> Fair For Canada' lobbying
campaign against Verizon entering the Canadian market were not more
forthcoming with their responses. The campaign was orchestrated by Bell,
Rogers, and TELUS, and included a strong statement that suggested that the
respective companies were deeply committed to protecting Canadians' privacy.
Specifically, the campaign website read:

Across the country, Canadians use their wireless devices to make calls, send
text messages and emails, and browse the internet every day. That
information should be safe, secure, and private.

Will American companies say no to requests from U.S. government agencies,
for customers' personal data?

Canadian wireless providers have a solid track record of protecting your
data in compliance with Canadian laws. But what will happen with regard to
the data of Canadians in the hands of foreign-owned wireless carriers? What
laws will regulate the protection of your information? This is not a trivial
issue. It is one that should be of concern to all Canadians.

More detailed responses to our letters would have clarified what laws are in
place or exploited that enable state-authorized infringements on Canadians'
privacy, the conditions under which Canadians' personal information is
accessed by state authorities, the kinds of data that Canadian companies
retain about their subscribers, and whether the companies notify subscribers
after state agencies request access to people's personal information. While
it is a valuable question to ask "what will happen with regard to the data
of Canadians in the hands of foreign-owned wireless carriers?" it would be
equally helpful if the lobbying companies could respond, comprehensively, to
"what happens with regard to the data of Canadians in the hands of
domestically-owned telecommunications service providers?" To date, no such
comprehensive response has been provided by these companies to the public.


Next Steps


Few of the respondent companies directly responded to many (if any) of the
questions posed to them. So we will begin by asking companies to more
clearly explain how responding to different questions might violate existing
confidentiality agreements, gag laws, or other legal restraints that hinder
companies from discussing responses to the questions posed. We will also
explicitly ask if the companies would simply prefer to not respond to the
questions, outside of legal prohibitions. We will also be following up with
companies that failed to provide any response and ask whether they intend to
provide responses or not. And once Distributel provides their response we
will update this post to account for what they have written.

Beyond communicating with the telecommunications service providers directly,
we may speak with other branches of government in order to clarify what
private telecommunications services providers can and cannot disclose to the
public. Bell Canada, in particular, rationalized its limited response on the
grounds that

In the absence of guidance from the applicable authorities (including the
Office of the Privacy Commissioner of Canada), it is not clear what level of
disclosure is permitted under applicable law.

Presumably, if federal institutions such as the Office of the Privacy
Commissioner of Canada clarify whether Canadian privacy law permits or
mandates companies to make "readily available to individuals specific
information about [company] policies and practices relating to the
management of personal information" as it relates to telecommunications
data, and that such openness extends to many of the questions raised in our
letters, then telecommunications service providers might be more comfortable
with rendering transparent how they disclose Canadians' personal information
to state authorities. Indeed, if the efforts of TELUS are successful,
companies may better understand the precise extent to which they can be
transparent about state agencies' access to their subscribers'
telecommunications information. Or, at the very least, such clarifications
by federal institutions might encourage these companies to provide
researchers, policy analysts, civil liberties groups, and the public with a
more robust account of the conditions under which the companies disclose
subscribers' information to state agencies as part of their management of
Canadians' personal information.







 


 

Ronald Deibert

Director, the Citizen Lab 

and the Canada Centre for Global Security Studies

Munk School of Global Affairs

University of Toronto

(416) 946-8916

PGP: http://deibert.citizenlab.org/pubkey.txt

http://deibert.citizenlab.org/
twitter.com/citizenlab
r.deibert at utoronto.ca



 
