Even after a few days of digestion, it’s still hard to decide on the most alarming part of this week’s big privacy revelations. In case you missed it, it turns out that Canadian law enforcement agencies are requesting basic subscriber information without a warrant from telecommunications providers on a mass level – in 2011, it was a whopping 1.1 million times. As University of Ottawa professor Michael Geist calculates, that’s one request every 27 seconds. By that math, there will be 10 or so requests made in the time it takes to read this post.
Aside from that big initial number is the equally concerning 785,000: that’s how many times just three companies disclosed the requested information. When all other providers – the ones who didn’t own up to it – are factored in, the total number is doubtlessly higher. As shocking as the enforcement agencies’ demands are, it’s at least equally outrageous that telecom companies are so easily rolling over and coughing up their customers’ data when they are not required to do so. It sure looks like they almost never say “no.”
To this end, the Canadian government is moving to implement Bill C-13, which would give telecom companies immunity from criminal or civil liability for doing exactly this sort of thing. I’m no lawyer, but the fact that such a move is on might suggest that they are indeed liable until such a law is enacted.
One other thing to keep in mind is that these are three-year-old numbers. With the companies providing the data so readily in 2011, it’s reasonable to assume the number of requests have only increased steadily since then. Could the requests in 2013 number into the multiple millions?
Perhaps the most outrageous part of this is that service providers are in many cases charging law enforcement agencies for their information requests, with those agencies frequently complying. That appears to be the ultimate perversity: police forces around the country are giving taxpayer dollars to telecom companies, who then enable them to spy on those same taxpayers. It sounds like a conspiracy out of a Tom Clancy book, except it’s all too real.
Information on what those fees are is vague and varied, according to the disclosures made to the Privacy Commissioner. Some say they deal with it on a case-by-case basis while others appear to have a standard rate card that is sent to interrogators.
I asked Christopher Parsons, a researcher with the Citizen Lab at the University of Toronto, if he had any idea how much money the companies are making off taxpayers in this manner, and whether it could be a substantial revenue stream. He responded to say he didn’t know, but there was some inkling given in responses by the Canadian Border Services Agencies to questions posed by Member of Parliament Charmaine Borg earlier this year:
“When requesting subscriber information, [telecom service providers] generally provide responses to CBSA within 2–3 days and at a cost of $1.00-$3.00 a record. Exigent requests for this information can cost between $1.00-$10.00 a record. Refusals to provide this information manifest if the subscriber does not publicly list their telephone number(s); in such cases, CBSA may seek a warrant to compel the disclosure of the information. The CBSA did not indicate whether it pays for access to non-subscriber information data.”
Those figures may not be representative of all enforcement agencies, but a quick back-of-the-envelope calculation based on the number of requests made in 2011 suggests it could be anywhere between $1 million and $10 million, which is not insignificant. Again, this is money that taxpayers are paying police and then telecom companies to have their privacy invaded without a warrant. This isn’t so much a gravy train as it is a crazy train.
Parsons added anecdotally: “I’ve spoken with one (former) VP at a telecom carrier and they insisted that they operated on a cost recovery basis, and never get back all the money that it was costing them. They declined, however, to provide hard numbers. I don’t think that it’s necessarily a viable stream but I guess anything’s possible.”
The financial side of this whole issue aside, the Citizen Lab believes it’s time for people themselves to seek answers from the telecom companies, who have so far been obfuscating with experts, government bodies and the press on exactly what sorts of information they’re sharing. Canadians have the right to demand such information under Principle 4.9 of Schedule 1 and section 8 of federal privacy legislation, the Personal Information Protection and Electronic Documents Act, Parsons says. To that end, he has created a template letter and supplied the addresses of various companies’ privacy officers that they can be sent to.
Refusing to reveal to a customer what information is being shared about them would be a violation of federal privacy law, Parsons says. The answers to all of this will come out one way or another.