How Do Telecoms Share Data with Government? They Won't Say

Canada's biggest telecom companies spend tens of millions of dollars to promote their unlimited talk and text plans and high-speed Internet, but they clam up when asked about sharing customers' information with the prying eyes of government.

That is what University of Toronto postdoctoral fellow Christopher Parsons found when 16 companies were asked for their policies and procedures. All but six companies responded, and none answered all of Parsons' questions about how they reveal subscribers' information to federal agencies.

"I had hoped there would be a little bit more clarity, I'm disappointed but perhaps not surprised," Parsons said. "We don't know specifically what ISPs are legally permitted to tell Canadians and what they have chosen not to."

In his report "The Murky State of Canadian Telecommunications Surveillance," Parsons found that most companies claimed they were committed to protecting subscribers' privacy, but few were specific about how they achieve that goal.

The report was conducted as the Conservatives' Bill C-13 winds its way through Parliament. Privacy and civil liberties advocates worry that the so-called Protecting Canadians from Online Crime Act is a rehash of the failed Bill C-30 because it makes it easier for police to gain information without a warrant.

Telus, a ray of sunshine?

Letters were sent to telecoms on Jan. 20 from the Citizen Lab at the Munk School of Global Affairs with a March 3 deadline for reply. The companies that replied were generally evasive and did not identify how or why responding to questions would interfere with investigations or threaten national security. Bell Canada, Bell Aliant, Cogeco, Telus and Videotron did not say how long they retain subscribers' data.

"In all cases, companies justified their refusals on grounds of confidentiality of investigative techniques or because of national security concerns," said Parsons' report. "Many companies also asserted that they were ill-suited to provide any response because the companies (e.g. Bell Canada) 'are not in a good position to balance the competing principles and interests triggered by detailed public disclosures about the volume and nature of lawful access requests.'"

Telus chief compliance and privacy officer Heather Hawley's letter mentioned the company had difficulties with warrants to access text messages and Bell Canada senior counsel and privacy ombudsman Bill Abbott wrote that an internal law enforcement group, including a lawyer and ombudsperson, vets government requests for subscribers' data.

Telus was singled out as an exception, because it wrote that the company would "request the government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency."

"Telus's letter is cause for heart," Parsons said. "While they didn't provide the hard data we were looking for, they do commit to trying to get information from government about what they can and cannot disclose. I see that as a ray of sunshine in a sea of gloom."

Who didn't respond?

Parsons noted that Rogers' response didn't indicate the company's concern for privacy or that it requires a warrant to trigger disclosure of customer information to law enforcement.

In his letter, Rogers' regulatory vice-president and chief privacy officer Kenneth Engelhart cited Standard 17 of Public Safety Canada's Solicitor Generals Enforcement Standards, which prohibits wireless service providers from disclosing lawful intercept practices.

"You may want to consider making your request to the various government agencies directly," Engelhart wrote. "As you may also be aware, the federal Privacy Commissioner recently recommended to Parliament that government agencies proactively provide public reporting on lawful access and intercept requests and disclosures."

The six companies that did not respond by deadline were Fido Solutions, Wind Mobile, Primus, Sasktel, TekSavvy Solutions and Xplorenet Communications.

Last August, the Wall Street Journal reported that U.S. federal authorities arranged with Qwest Communications International to intercept email and text messages in and out of Salt Lake City before and during the 2002 Winter Olympics. Telus did not respond to The Tyee for comment about whether it was involved in a similar practice during the Vancouver Games. Bell, the Games' sponsor, said it only provides information to police under a court order. Communications Security Establishment Canada denied it was involved in such a surveillance operation for Vancouver 2010.