"We conclude that serious failures in transparency and accountability indicate that corporations are failing to manage Canadians' personal information responsibly," says the report released by Citizen Lab today that examines how Canadian telecommunications data is monitored, collected and analyzed by groups such as police, intelligence and government agencies.
The report also criticizes the government's "irresponsibility surrounding accountability" with respect to telecommunications surveillance. It warns that that could endanger the development of Canada's digital economy and breed cynicism among citizens.
"Access to our private communications is incredibly sensitive," said Christopher Parsons, lead author of the study and a postdoctoral researcher at Citizen Lab, which conducts research on information technology in the context of human rights and global security.
The report, funded by the Canadian Internet Registration Authority, showed Canadians recognize this and are very concerned.
But despite that, evidence suggests governments and law enforcement have been demanding millions of subscriber records from telecom firms in recent years.
"It raises real questions about the appropriateness of the powers or perhaps the appropriateness of the mandates or aggressiveness of the agencies that currently look to keep Canadians safe," Parsons said.
He noted there's no way to know what the requests were about, how many there were or whether any one person's data was requested, as Canadian law doesn't require police to record or report any of that information.
Outdated laws require government departments and agencies to report telecommunications interceptions, but not access to stored communications such as emails and text messages, nor "non-sensitive" information such as records of calls dialed and received.
The Canada Border Services Agency is one of the few government departments that tracks such requests. In 2012 and 2013, it made 18,849 requests for telecommunications information. None were interceptions, the study found.
"That really indicates that the interception reports, while they're very rigorous, they're such a limited data set that they really don't explain to parliamentarians or the public the extent or kind of surveillance that are commonplace in Canada today," Parsons said.
A Supreme Court decision last year has forced police to start getting a warrant before requesting subscriber information from telecoms. While that has slashed the number of police requests for data, Parsons warns that new legislation that is currently before the Senate could make it easy for telecom data to be shared among police and government agencies.
New bill a concern
Bill C-51 would allow, for example, the Canada Revenue Agency to request information about a telecom customer related to a tax issue, then pass it on to the CBSA, RCMP or CSIS to probe something only marginally related, Parsons said.
Meanwhile, oversight bodies such as the privacy commissioner of Canada have no way to share information with other oversight bodies, such as the Security Intelligence Review Committee, which oversees CSIS.
And while the privacy commssioner can go to court to force private companies to comply with Canadian privacy laws, it can't do that with government departments or agencies under the Privacy Act, Parsons said.
Another concern cited in the report is that governments and telecommunications companies have spent the past decade or so negotiating behind closed doors about technology to allow interceptions and the types of interceptions that should be mandated into law.
"I think that's incredibly inappropriate," Parsons said. Such interceptions are "something that we just need to do in contemporary law and order environment, but doesn't have to take place in secretive back rooms." He believes discussions about it should involve the public.
The report offers a long list of recommendations for corporations and government as to how they can become more transparent and accountable about telecommunications surveillance.
For example, Parsons hopes that Canadian telecommunications companies, which have just started releasing transparency reports about requests for customer data, will begin to issue more standardized and detailed reports as they do in the U.S.
He added, "I think we're absolutely behind."