The Conservative government is proposing changes to Canadian law that critics say will make it easier for authorities to gain access to personal information on telecommunications users without a warrant.
Two pieces of legislation are making their way through Parliament even as newly disclosed material shows that government agencies obtained customer data from Canadian telecommunications companies at least 800,000 times in a single year, with at least one firm installing a "mirror" on its network to more easily route data to authorities. The new disclosure underscores the sheer volume of government requests for access to information – and how easily those requests are fulfilled.
"This is happening on a massive scale and rather than the government taking a step back and asking is this appropriate … we instead have the government going in exactly the opposite direction – in a sense doubling down on these disclosures," said Michael Geist, a law professor at the University of Ottawa.
C-13, a bill expressly aimed at tackling cyberbullying, is expected to expand warrant-less disclosure of Internet or cellular subscriber information to law enforcement. That's because it offers immunity from criminal or civil liability to telecommunications companies that preserve personal information or disclose it without a warrant, Prof. Geist said.
S-4, the Digital Privacy Act, would extend the authority to disclose subscriber information without a warrant to private organizations and not just law-enforcement agencies. Mr. Geist says it would allow telecom companies to disclose personal information on consumers – without their consent and without a court order – to any organization investigating a contractual breach or possible violation of law.
"We already have some music industry lawyers talking about how this will make it easier to sue people and to, in a sense, circumvent the courts as they seek to obtain subscriber data as part of potential lawsuits," Prof. Geist said.
Taking heat in the Commons Wednesday after the magnitude of disclosures that telecom companies have made to government authorities, Prime Minister Stephen Harper played down the figures and said all the requests for subscriber information are legal.
"Telecommunications companies obviously do co-operate with law enforcement and other authorities from time to time in various investigations and surveillance," he said. "There is independent surveillance, independent oversight to make sure that these laws are respected."
The new figures flow from questions that the Office of the Privacy Commissioner of Canada put to leading Canadian telecommunications companies three years ago. The records were disclosed this week following an access to information request from Prof. Geist.
Bell spokesman Mark Langton assured Canadians the telecom company is not giving out what is considered confidential information without a warrant. "These types of requests are made based on phone number – we would provide authorized agencies with name and address connected to the account as well as the name of the service provider if it's not Bell and we have that info. It's an approach approved and regulated by the CRTC, which considers this basic 411-style information to be non-confidential."
Prof. Geist said the new legal immunity provisions for telecom companies appear to be designed to head off growing public unease over the practice. "This is designed to provide those telecom companies with comfort that they are not going to face any liability. To me that only encourages the kind of activity we're now learning about."
One Canadian company told officials it has installed "what is essentially a mirror" on its network, so that it can send some raw data traffic directly to "federal authorities."
"Mirroring is when you take a one-to-one copy of a traffic stream," explained Chris Parsons, an expert state surveillance tools at the Citizen Lab at the University of Toronto. He said that such technology can be used as a tool of mass surveillance, but that in this case it appears to have been used selectively, so as to route lawfully requested information to authorities.
"The more concerning use, which I don't believe we saw in those documents, would be if they were digging through my [Internet] packets," he said.
A patchwork of laws, practices and agreements currently govern such handovers of customer data in Canada, creating confusion – even among the experts – about what the state can claim in terms of lawful interception, and even who pays for the searches and the collation of data.
"Some LEAs [Law enforcement agencies] have refused to pay where the request is authorized by a court," one corporation complained, according to the survey.
Other telecom companies said they effectively offer a menu of paid interception services – "schedules of tariffs and fees associated with recoverable costs" – to government and police agencies.
The Office of the Privacy Commissioner sent letters to the companies requesting this information in 2011 because the agency was then conducting a review on a law known as PIPEDA, which critics suggest facilitates warrantless handovers of customer data to authorities.
Earlier this year, NDP MP Charmaine Borg put similar questions to federal government agencies in Parliament, asking them to respond to how often they compelled phone and Internet companies to turn over information.
Most federal agencies replied that they were unable to provide hard numbers. Only one government department, the Canada Border Services Agency. disclosed useful statistics, saying it made nearly 19,000 requests each year – and that it was almost always seeking basic subscriber information.