Internet firms coy about sharing data with others
Companies refuse to say who wants information and what they do to protect customers’ privacy
OTTAWA — Internet companies have rejected a call by privacy advocates to reveal the extent to which they share subscriber information with police, security services and government.
The Citizen Lab at Toronto’s Munk School of Global Affairs reported Thursday that Canada’s most prominent Internet service providers have largely dismissed its requests to publicly explain the nature, scope and circumstances of demands by state agencies for private customer data.
The lab, joined by a dozen leading Canadian Internet and privacy academics and civil rights organizations, sent letters in January to 16 Internet and phone companies asking how often, when and why they disclose private and personal information to state agents.
Ten companies replied, but generally avoided or refused to respond to the specific questions put to them, said Christopher Parsons, a post- doctoral fellow at the lab who organized the campaign.
“Most, though not all, companies indicated that they were generally committed to protecting their subscribers’ privacy, though few provided specific details concerning what they do to protect their subscribers’ privacy,” Parsons said in an online statement.
The project follows a January report to Parliament from the Office of the Privacy Commissioner calling for reforms to federal privacy legislation to curb the “over-collection of personal data” by federal security intelligence services, police and departments.
Police and other authorities have several methods to get telecoms and Internet service providers to hand over customer data, starting with voluntary compliance. They can also use court-issued search warrants, a “letter of request for information” under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and little-known solicitor general’s enforcement standards under federal spectrum licensing regulations.
The privacy commissioner’s report recommended public reporting of all instances where national security authorities request telecoms and other federally regulated private entities to release personal in- formation under PIPEDA and without court oversight.
While there is no way of knowing for certain the number, scale, frequency of, or reasons for such disclosures, the privacy office believes they are “substantial.”
Meanwhile, Parsons said com- panies explained their refusals on grounds of confidentiality of investigative techniques or because of national security concerns. But they “have not comprehensively identified how or why responding to questions would either interfere with investigative confidentiality or threaten national security.”
Responses from Bell Canada and TELUS were illuminating in other ways. Bell revealed it has a group responsible for handling requests from law enforcement agencies. TELUS said it is interested in determining how much it can and cannot disclose to the public and wrote the company would “request the government to clarify and limit the scope of current confidentiality requirements and to consider measures to facilitate greater transparency.”
The response from Canadian telecoms and Internet companies contrasts with an emerging openness by U.S. counterparts, some of whom have begun issuing annual transparency reports detailing how often authorities ask them for user data.