Cyber intrusions are fast becoming the norm at the world’s most sophisticated companies, including some that have security as their main mission.Kevin Van Paassen
Prominent privacy and digital-security researchers are mounting a campaign to learn more about the customer information that Canadian telecommunications companies are handing over to police and intelligence agencies.
The researchers – led by Chris Parsons, a postdoctoral fellow at the University of Toronto's Citizen Lab – have written an open letter to Bell, Rogers, Telus, Shaw and a dozen other companies, pushing for details about the kinds of requests that government officials are making – and how much the telcos are obliging them.
Typically, police and intelligence agents who want to pursue specific investigations are required to get eavesdropping warrants or production orders, judicially signed directives that oblige the companies to bug certain devices or hand over customer records.
Global telecommunications have exploded in recent years, and so have the means for states to engage in surveillance – sometimes without warrants. As more and more people migrate to smartphone and Internet-based communications, concerns about surveillance are growing.
The letter was mailed out by Mr. Parsons to 16 telcos this week as part of an initiative being supported by several prominent university professors and such groups as the B.C. Civil Liberties Association, Open Media and Pen Canada.
"Canadians have had only vague understandings of how, why, and how often Canadian telecommunications providers have disclosed information to government agencies," Mr. Parsons wrote in an explanatory article on the Citizen Lab website.
"Given the importance of such systems to Canadians' lives, and the government's repeated allegations that more access is needed to ensure the safety of Canadians, more data is needed for scholars, civil rights organizations, and the public."
The letter specifically asks the telcos for the number of requests for customer data from government agents that they have received, agreed to and rejected. It also asks the carriers for the requests they have received involving:
- Cellphone geolocation information;
- Call detail records;
- Text message contents;
- Dumps of information from cellular phone towers;
- Transmission data (or “metadata”).
The companies are also being asked whether they are using their own surveillance gear or off-the-shelf devices, and how much they charge government agents who come seeking such records.
"We have just received the request and we are still reviewing it," Shawn Hall, a spokesman for Telus, said on Wednesday. He stressed that "Telus takes great care to safeguard customer privacy and will challenge court orders that we think overreach."
Patricia Trott, a spokeswoman for Rogers, said her company's chief privacy officer has not received the researchers' letter yet. However, she echoed Mr. Hall's response. "We take privacy matters very seriously and comply with all regulations. Our policy is that we require a properly executed warrant to disclose customer information."
Sometimes exigent circumstances allow carriers to hand over customer phone data directly to the police, such as in cases where a child is at risk, a hostage is taken, or somebody places a distress call directly to 911.
In 2000, Parliament passed the Personal Information Protection and Electronic Documents Act, which allows Internet providers to provide the police with the names and addresses of subscribers to suspicious Internet Protocol (IP) addresses, which are usually anonymous.
The co-operation rate is high: For example, in 2007, the RCMP received from Interpol 229 Canadian IP addresses that had viewed child porn on a German website. According to the Canadian Association of Chiefs of Police, 182 of those addresses were voluntarily identified by Internet providers at the police's request.
Besides legislation, there are other mechanisms that could facilitate the state's access to corporate databases.
For example, federal regulators dictate that mobile-phone companies maintain basic surveillance capabilities as a condition of getting licences to operate. And Canadian and U.S. surveillance agencies have even been capturing some telecommunications trails in bulk, after getting top politicians to redefine – in secret – just what constitutes a telecommunication these days.
The privacy researchers' letter-writing campaign takes a page from U.S. Democratic Congressman Ed Markey, who has been using his office to pry similar information loose from American companies. No parliamentarians have joined in the Canadian effort so far.
Globally, fears about states tapping directly into telecommunications information have been stoked by recent leaks about the U.S. National Security Agency, which, while ostensibly banned from spying on citizens, has been caught hacking into Google and Yahoo servers, even while collecting U.S. phone logs through a secret court ruling obliging American carriers to hand over such information.
Mr. Parsons, who said he knew of no Canadian parallels to that practice, did point out that that Verizon released statistics on Wednesday about the kinds of requests it is entertaining from U.S. authorities: 321,000 requests for information in 2013 alone, including nearly 8,000 requests for real-time information about call logs, and only 1,500 requests for actual wiretaps.
For government authorities, eavesdropping on specific conversations may be falling out of vogue in favour of obtaining customer metadata surrounding such communications.
The Globe and Mail reported last year that a federal surveillance agency, Communications Security Establishment Canada, is collecting some citizen "metadata" to advance its foreign-intelligence investigations – but where, how and under whose authority the CSEC would be getting such information has never been made explicit.
Over the past decade, Parliament contemplated three "lawful access" bills that sought to refine the ground rules governing what telcos hand over to police and intelligence officials. But none of this legislation has passed.
Mr. Parsons pointed out that the Conservative government's "cyberbullying" legislation would seek build a legal shield around telcos that pass borderline types of information along to the government – so that they could not be prosecuted or sued for doing so.
With a report from Tu Thanh Ha
Colin Freeze