By Christopher Parsons

On January 20, 2014 the Citizen Lab along with leading Canadian academics and civil liberties groups sent letters to Canada’s most prominent Internet service providers. We asked the companies to reveal the extent to which they voluntarily, and under compulsion, disclose information about their subscribers to state agencies, as well as for information about business practices and data retention periods. The requested information would let researchers, policy analysts, and civil liberties groups better understand the current telecommunications landscape and engage in evidence-based policy analysis of current and proposed government surveillance activities. The companies were asked to provide responses by March 3, 2014.

A considerable amount of attention has been given to state access to telecommunications data since January 20. Organizations such as the Globe and Mail wrote that Canadians deserve to know who is listening to their communications, and reporting by The Wire Report found that while telecommunications companies believed they might not be able to respond to all the questions in the letters, at least some responses might be provided without running afoul of government gag laws. However, The Wire Report also found that some sources believed they were forbidden from disclosing any information about the assistance they provide to government agencies, with one stating they were “completely resigned.”

At the same time as the letters were being examined by the companies, a series of high-profile telecommunications-related stories broke in the media. In the United States, leading telecommunications carriers released ‘transparency reports’ that put some information in the public arena concerning how often the companies disclose information to American state agencies. In Canada, there were revelations that the Communications Security Establishment Canada (CSEC) had surreptitiously monitored the movements of Canadians vis-a-vis mobile devices that connected to wireless routers. These revelations sparked renewed interest in the origins of CSEC’s data, whether Canadian telecommunications companies either voluntarily or under compulsion provide data to CSEC, the nature of CSEC’s ‘metadata’ collection process, and the rationales driving data exchanges between telecommunications companies and state agencies more generally. The Office of the Privacy Commissioner of Canada also tabled a report that outlined a series of ways to improve accountability and transparency surrounding state access to telecommunications data. Finally, MP Charmaine Borg, the New Democratic Party Member of Parliament for the riding of Terrebonne—Blainville in Quebec, issued a series of questions to the federal government that are meant to render transparent how federal agencies request information from telecommunications companies.

Who Responded

As of today, ten of sixteen companies have responded to the letters sent on January 20, 2014. Only one company, Distributel, has asked for additional time to formalize a response; this post will be amended once we receive their comments. Companies that sent responses include:

To date, the following companies have not responded to the letters:

  • Globalive Wireless Management Corp. (Wind)
  • Primus Telecommunications Canada Inc.
  • Sasktel
  • TekSavvy Solutions Inc.
  • Xplorenet Communications Inc

We remain optimistic that the remaining companies will provide written responses to the letters. This post will be updated as we receive additional replies. Significantly, one of the largest Telecommunications service providers servicing western Canada, Sasktel, has not responded.

Limited Findings

The companies that have responded to the letters as of March 5, 2014 have generally declined to provide specific responses to the questions posed of them. Most (though not all) companies indicated that they were generally committed to protecting their subscribers’ privacy, though few provided specific details concerning what they do to protect their subscribers’ privacy in relation to the questions that were posed in the letters. TELUS was noteworthy insofar as it referenced its challenge of a general warrant to access text message data, and Bell Canada in that they noted that a law enforcement agency group evaluates all requests for subscribers’ telecommunications data.

Companies generally avoided or refused to respond to specific questions put them them. As an example, and in response to the multi-page letter, Eastlink’s entire response was:

Consistent with our obligations under the Personal Information Protection and Electronic Documents Act, Eastlink does not disclose any information to government agencies except pursuant to a warrant or other order that legally compels us to disclose the information, or in very exceptional emergency circumstances as also permitted under PIPEDA.

In the case of Rogers Communications, the company provided a more detailed response to the media when asked about the letters by the Globe & Mail than in their response to the letters themselves. Specifically, the company’s spokesperson was quoted as saying that Rogers takes “privacy matters very seriously and comply with all regulations. Our policy is that we require a properly executed warrant to disclose customer information.” The company’s formal response to the letter they received, in contrast, neither indicates their concern for Canadians privacy or that they require a warrant to disclose customer information. Instead, the company suggests that their ability to provide information about state agencies’ access to wireless communications data is limited by the Solicitor General’s Enforcement Standards and, more generally, that “there are restrictions around the disclosure of information about access and intercept requests that Rogers receives from government agencies.” No specifics were provided about these restrictions, their legal origins and justifications, or the company’s own position(s) concerning such restrictions. No information about the company’s data management, retention, or disclosure practices was provided.

Responses from Bell Aliant, Bell Canada, Cogeco, TELUS, and Videotron similarly lack substantive responses to most of the questions posed to them. While these companies all stated their commitment to maintaining their subscribers’ privacy, they also declined to indicate how long they retained data or information about their subscribers, the specific protocols or policies they used in evaluating state agencies’ requests for data, whether the companies receive any restitution for the surveillance, or the fields of data that are retained or disclosed following a request or demand by state agencies. In all cases, companies justified their refusals on grounds of confidentiality of investigative techniques or because of national security concerns. Many companies also asserted that they they were ill-suited to provide any response because the companies (e.g. Bell Canada) “are not in a good position to balance the competing principles and interests triggered by detailed public disclosures about the volume and nature of lawful access requests.” TELUS, similarly, wrote that “[g]overnment agencies are better positioned to balance transparency considerations with other important considerations such as the need for confidentiality in relation to investigative techniques, and other law enforcement or national security concerns.”

Ultimately, the companies that received these letters have not comprehensively identified how or why responding to questions would either interfere with investigative confidentiality or threaten national security. None of the responsive companies, save for TELUS, indicated that they had (or would) asked the federal government (or other levels of government) whether disclosures would endanger national security or investigative techniques. Instead, the companies asserted that they were ill-suited to provide information about their business practices and (in some cases) suggested filing requests with various levels of government for information about those governments’ practices. The sole exception was TELUS, which wrote that the company would “request the Government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency.”

Examples of Unanswered Questions

It is helpful to consider some of the questions to fully appreciate why responding to them is unlikely to compromise investigative techniques or undermine national security interests. For all questions, we asked the companies to “please provide either a response, indicate that you cannot respond, or indicate that you will not respond.” For almost all questions, it seems, companies are unwilling to assert whether they cannot or will not respond; instead, they have deliberately left unclear whether they are legally barred from providing responses to specific questions or have simply decided that they would prefer not to respond to these these questions. Even this level of data disclosure would be helpful because it would let researchers understand the extent to which companies are operating under gag rules or, alternately, are choosing to voluntarily gag themselves.

As an example of a question that was posed, we asked whether service providers received “money or other forms of compensations in exchange for providing information to government agencies” as well as subsequent, increasingly detailed, questions about compensation policies. Companies could have provided very broad responses to such a question (i.e. only responding ‘yes’ or ‘no’ to whether they are compensated for assisting state agencies) without endangering ongoing or past cooperation with authorities. They also could have stated that they will not respond to the question, indicating that though they were legally permitted to respond they had made the decision to remain silent instead.

As another example, we asked whether the respective companies notify their customers “when government agencies request their [subscribers’] personal information? If so, how many customers per year have you notified?” Revealing whether subscribers are notified in the first place would clearly not jeopardize investigations and would instead reveal a business practice that either was, or was not, in place. Companies might have stated they could not respond for legal reasons or, alternately, that they will not respond to the question. Whereas the former response would indicate that the government was preventing disclosure the latter might suggest the businesses’ own interests precluded a response. Unfortunately, we are left without any idea of even if companies could notify subscribers when authorities make warrantless or warrant-based requests for subscriber data, let alone whether these companies actually do notify their customers.

The Clearest Research Findings

Of all the questions asked, and all the companies that have responded, the clearest example of a direct responses came from Bell Canada and TELUS. Specifically, one of the questions sent to the Bell Canada read:

Does your company have a dedicated group for responding to data requests from government agents? Are members of this group required to have special clearances in order to process such requests? What is the highest level company official that has direct and detailed knowledge of the activities of this group?

Bell Canada wrote in response:

To ensure that customer information is only disclosed in circumstances permitted by PIPEDA and required by law, all such requests are vetted by Bell Canada’s lawful access group and, where there is any doubt, by my office. The lawful access group exercises careful scrutiny over disclosure requests. Where necessary, the lawful access group has required government agencies to withdraw their disclosure requests where the request appears unreasonable in its scope or lacks the reasonable grounds required by law. In the past, when there were concerns about the statutory power of law enforcement agencies (LEAs) to request warrantless access to customer information under exigent circumstances, Bell Canada led the way to implement an industry-wide process requiring LEAs to document the basis for each such access request

As a result, we know (and have on record) that Bell has a dedicated group tasked to vet requests and that a senior counsel and privacy ombudsperson is sometimes involved in responding to such state agencies’ requests. We also know that Bell Canada does sometimes push back against government requests for data, and that the industry-wide process of LEA documentation was driven by Bell. Bell’s disclosure reveals that the company does not believe that revealing this information inhibits either national security processes or investigative techniques, in contrast to even its sister corporation, Bell Aliant. We have no information about whether other telecommunications service providers do (or do not) have similar groups, or whether they similarly push back against inappropriate disclosure requests.

In the case of TELUS, the company committed to asking “the Government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency ” while also acknowledging that “when TELUS receives court orders from law enforcement agencies, they can often be far reaching.” This combination of responses is significant for two reasons. First, it suggest that TELUS is making a policy commitment that is unique: no other company responded by suggesting that it had, or was prepared to, ask for clarity concerning what could and could not be publicly disclosed. Second, it reveals that requests from law enforcement authorities may be overly broad, something that only Bell Canada also noted in their response to the letter they received.

TELUS’ response was also interesting because the company proposed a new policy approach to responding to state agencies’ requests for subscribers’ information. Specifically, TELUS’ response read that far reaching requests from state agencies might be restrained should the Canadian policy environment adopt:

a model similar to that which exists in the United States where law enforcement agencies pay the costs associated with the production of the records which they obtain. The imposition of a moderate cost in this regard acts as a check and balance to ensure that court orders are focused and thus limited to those records which are considered by law enforcement agencies to be absolutely necessary. This would help to deter orders that are too broad in scope and that may unnecessarily impact the privacy of citizens.

The model that TELUS is advocating has been proposed by privacy advocates both in the United States and in Canada; the theory undergirding the model is that it would motivate law enforcement agencies to decide whether they wanted to invest precious resources on potentially broad ranging data requests or on other resources (e.g. street officers, vehicle maintenance, etc). No other company indicated a preference for an alternate payment model, though TELUS did not explicitly note whether they currently respond to government agencies’ requests for subscribers’ information on a cost-recovery basis or as a cost of doing business.

Broader Implications

Canadians are reliant on telecommunications service providers to conduct their daily affairs. We wrote the following when outlining why these letters were developed and sent to Canada’s largest service providers:

… interested Canadians have had only vague understandings of how, why, and how often Canadian telecommunications providers have disclosed information to government agencies. Given the importance of such systems to Canadians’ lives, and the government’s repeated allegations that more access is needed to ensure the safety of Canadians, more data is needed for scholars, civil rights organizations, and the public to understand, appreciate, and reach informed conclusions about the legitimacy of such allegations.

At this point, Canadians know a small amount more about state agencies’ access to telecommunications data compared to before the letters were sent: namely, we know that Bell Canada has a group responsible for handling requests from law enforcement agencies, and that most companies firmly believe that they cannot or will not provide any substantive responses about state access to telecommunications data. We also know that TELUS is interested in ascertaining how much they can, and cannot, disclose to the public as well as policy mechanisms the company believes would limit over broad requests for subscribers’ information. Several of the companies, including Videotron, Cogeco Cable, and Bell Aliant, maintain that they are committed to working with government bodies when it comes to responding to public sector access-to-information laws, though all of these companies fail to make the case for why all of the information that was asked about in the letters must first be mediated through federal or provincial access to information processes.

Ultimately, it is somewhat surprising that even the companies which coordinated the ‘Fair For Canada’ lobbying campaign against Verizon entering the Canadian market were not more forthcoming with their responses. The campaign was orchestrated by Bell, Rogers, and TELUS, and included a strong statement that suggested that the respective companies were deeply committed to protecting Canadians’ privacy. Specifically, the campaign website read:

Across the country, Canadians use their wireless devices to make calls, send text messages and emails, and browse the internet every day. That information should be safe, secure, and private.

Will American companies say no to requests from U.S. government agencies, for customers’ personal data?

Canadian wireless providers have a solid track record of protecting your data in compliance with Canadian laws. But what will happen with regard to the data of Canadians in the hands of foreign-owned wireless carriers? What laws will regulate the protection of your information? This is not a trivial issue. It is one that should be of concern to all Canadians.

More detailed responses to our letters would have clarified what laws are in place or exploited that enable state-authorized infringements on Canadians’ privacy, the conditions under which Canadians’ personal information is accessed by state authorities, the kinds of data that Canadian companies retain about their subscribers, and whether the companies notify subscribers after state agencies request access to people’s personal information. While it is a valuable question to ask “what will happen with regard to the data of Canadians in the hands of foreign-owned wireless carriers?” it would be equally helpful if the lobbying companies could respond, comprehensively, to “what happens with regard to the data of Canadians in the hands of domestically-owned telecommunications service providers?” To date, no such comprehensive response has been provided by these companies to the public.

Next Steps

Few of the respondent companies directly responded to many (if any) of the questions posed to them. So we will begin by asking companies to more clearly explain how responding to different questions might violate existing confidentiality agreements, gag laws, or other legal restraints that hinder companies from discussing responses to the questions posed. We will also explicitly ask if the companies would simply prefer to not respond to the questions, outside of legal prohibitions. We will also be following up with companies that failed to provide any response and ask whether they intend to provide responses or not. And once Distributel provides their response we will update this post to account for what they have written.

Beyond communicating with the telecommunications service providers directly, we may speak with other branches of government in order to clarify what private telecommunications services providers can and cannot disclose to the public. Bell Canada, in particular, rationalized its limited response on the grounds that

In the absence of guidance from the applicable authorities (including the Office of the Privacy Commissioner of Canada), it is not clear what level of disclosure is permitted under applicable law.

Presumably, if federal institutions such as the Office of the Privacy Commissioner of Canada clarify whether Canadian privacy law permits or mandates companies to make “readily available to individuals specific information about [company] policies and practices relating to the management of personal information” as it relates to telecommunications data, and that such openness extends to many of the questions raised in our letters, then telecommunications service providers might be more comfortable with rendering transparent how they disclose Canadians’ personal information to state authorities. Indeed, if the efforts of TELUS are successful, companies may better understand the precise extent to which they can be transparent about state agencies’ access to their subscribers’ telecommunications information. Or, at the very least, such clarifications by federal institutions might encourage these companies to provide researchers, policy analysts, civil liberties groups, and the public with a more robust account of the conditions under which the companies disclose subscribers’ information to state agencies as part of their management of Canadians’ personal information.