Are you being watched? You bet you are.
Canadian government agencies ask telecommunications companies and Internet providers for private information about their customers about 1.2 million times every year. The information is coughed up most of the time without a warrant, according to a report by Canada’s privacy commissioner.
The companies have refused to say how many times the information was disclosed with a warrant, but it appears the courts were rarely used. The Canada Border Services Agency, for example, obtained customer data from telecom companies 19,000 times in one year. It obtained a warrant in less than 200 of those cases.
It’s also unknown why the information was sought or what percentage of the requests were connected to criminal investigations or issues of national security. Neither the telecoms nor the government are required to let people know their privacy was breached.
Telecommunication companies can demand a warrant, but they are not obliged to do so. The law also does not require the government to get a warrant for basic subscriber information, which allows police to link Internet activity to a customer’s identity.
The Conservatives’ Internet surveillance bill, which died a quick death under public pressure more than a year ago, actually would have increased transparency by requiring the government to report all disclosures, including those obtained without a warrant. It was an imperfect bill, but it had the virtue of starting a conversation about how to balance privacy with the need for new investigative powers in the digital age.
Two new bills have since come out of Ottawa that raise fresh concerns about the ability, not just of government, but also the private sector, to obtain without a warrant basic subscriber information.
Bill C-13, which deals with cyberbullying, would grant full immunity from criminal liability to telecoms that voluntarily release information to investigators. It’s a form of bullying itself, which will lead to even more warrantless searches.
Of greater concern, however, is Bill S4, the Digital Privacy Act, which would allow private organizations to acquire information from telecoms and Internet providers without a warrant. A copyright holder, for example, would find it easier to identify someone who is stealing privileged material online.
The legislation assumes there is a lower expectation of privacy when it comes to so-called basic subscriber information.
That’s probably true, but it doesn’t mean Canadians have absolutely no expectation of accountability and transparency.
Communication companies should be required to disclose to their customers a third party has obtained their information when it is handed out without a warrant. Warrants should be required if the information is sought during a criminal investigation, except in special circumstances. And data acquired with a warrant should also be disclosed after an appropriate period of time, depending on the circumstances.
The main objective of the Digital Privacy Act is necessary and long overdue. It would require organizations to disclose breaches of security that put Canadians at risk for identity theft or other criminal activity online. The legislation includes stiff penalties for companies that fail to comply.
Both bills, however, will require amendments to ensure Canadians are protected from fishing expeditions and overzealous investigators. The government can start by explaining why it seeks subscriber information about Canadians more than one million times a year.
Right now, it’s not clear what’s going on, and that’s a problem.
» A version of this editorial ran recently in the Winnipeg Free Press.