Canadian Law Enforcement Asking For ISP Subscriber Data Every 27 Seconds; Pending Legislation Looking To Up That Number

from the whatever-they-don't-get-will-make-a-stop-in-the-US dept

Mon, May 5th 2014 8:32pm — Tim Cushing

Canada's image as the The Most Polite Nation In The World would seem to be a front that masks a malignant nastiness under the surface. If these numbers are to be believed, Canada is little more than a criminal organization masquerading as a constitutional monarchy.

Minute after minute, hour after hour, day after day, week after week, month after month. Canadian telecommunications providers, who collect massive amounts of data about their subscribers, are asked to disclose basic subscriber information to Canadian law enforcement agencies every 27 seconds. In 2011, that added up to 1,193,630 requests. Given the volume, most likely do not involve a warrant or court oversight (2010 RCMP data showed 94% of requests involving customer name and address information was provided voluntarily without a warrant)...

According to newly released information, three telecom providers alone disclosed information from 785,000 customer accounts in 2011, suggesting that the actual totals were much higher.

Every 27 seconds. And that number is two years out of date. If Canada is anything like the USA, these requests have increased at a pace far exceeding the birth rate. And much like the US, most of the information is gathered without a warrant or government oversight.

Canadian ISPs are "free" to turn down warrantless requests, but turning down law enforcement isn't as easy as some people would make it appear. (These "people" are those that argue for the surveillance state by saying, "X can always challenge the request," as if that were actually a viable option.) No one wants to be facing additional scrutiny from aggrieved entities who were asked to go come back with a signed order.

The correspondence also confirms that the telecom providers were concerned about how the government and law enforcement would react to public disclosures. In one email, Bell says that "we are walking a delicate line between supporting privacy and not antagonizing Public Safety/LEAs [law enforcement agencies], so the materials will be pretty factual, not much commentary."

Plus, the ISPs charge a fee to retrieve subscriber information, which probably doesn't generate a ton of income, but doesn't hurt the bottom line either.

As Michael Geist notes, there's been some pushback from ISPs, but that push hasn't made much headway. And proposed legislation will only make things worse. Two bills headed to committee both ask for the same thing: an expansion of warrantless disclosure -- one under the unintentionally ironic title of "Digital Privacy Act."

So, there's already plenty of data being grabbed by local entities. Now, there's also a good chance that peering issues are pushing Canadian data through American pipes -- which would put this right into the hands of the NSA, FBI, etc. A study on Canadian ISP transparency found that a sizable portion of Canadian internet traffic makes a hop across the border.

About routing, the report states: “Fewer than half (8/20) of the ISP privacy policies refer to the location and jurisdiction for the information they store. Only one (Hurricane) gives an indication of where it routes customer data and none make explicit that they may route data via the US where it is subject to NSA surveillance”.

“Boomerang” routing – where data leaves Canada, traverses US networks (who might choose to ignore PIPEDA) and returns to Canada – accounts for as much as 25 per cent of traffic, the report states. The report claims that traffic traversing the US is “almost certainly subject to NSA surveillance”.

Just as disappointing, not a single one of Canada's ISPs scored a passing grade on transparency. The highest score belonged to Teksavvy, which scored 3.5… out of 10. Unsurprisingly, smaller, newer ISPs scored higher than the incumbents, but when the high score doesn't even hit the 50% mark, it's not much of a victory. The authors found that not a single Canadian ISP fully complied with the Personal Information Protection and Electronic Documents Act (PIPEDA). In fact, only slightly more than half had even made a "commitment" to following the act's stipulations.

Much like the US, the largest ISPs are overly compliant with national security and law enforcement agencies, often going above what's asked in order to more quickly facilitate requests. Geist notes that one of Canada's largest ISPs, Bell, has assembled a database specifically to give law enforcement instant access to the information of thousands of subscribers. Inbound legislation, if unchanged, will only encourage more cooperation like Bell's, if only to free up company employees from fulfilling thousands of requests. It's the users who remain cut out of this loop, even though it's their data everyone wants.

DataPrivacyTransparencyofCanadianISPs (PDF)DataPrivacyTransparencyofCanadianISPs (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: canada, customer info, information requests, isps, law enforcement, privacy

19 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

This comment has been flagged by the community. Click here to show it

Anonymous Coward, 5 May 2014 @ 9:13pm

Run out of American cop stories, Cushing?
[ link to this | view in chronology ]
- Anonymous Coward, 5 May 2014 @ 9:51pm
  
  Re:
  Run out of American cop stories �?
  Milwaukee, May 1, via Balko today. PoliceMisconduct had it a couple days ago from UPI, looks like.
  
  Happy now?
  [ link to this | view in chronology ]
- This comment has been flagged by the community. Click here to show it
  
  Anonymous Coward, 6 May 2014 @ 1:04am
  
  Re:
  Run out of shit to eat, average_joe?
  [ link to this | view in chronology ]
velox (profile), 5 May 2014 @ 11:45pm

ISP 'compliance' isn't really the right word. 'Customer Service' is the more appropriate term, since the ISP's are selling this data to law enforcement. Anything that makes their customers happy is good for business.

Think about it. The ISP's are charging you for the right to sell-out your own privacy and freedom. (And they likely aren't just selling your private information to government, but also to advertising and analytics companies as well.)
[ link to this | view in chronology ]
Lord justice, 6 May 2014 @ 2:20am

You know what? While a gross violation of privacy, this actually makes me feel a little safer in Canada. Sure, they probably have my data...But it's completely buried under all the other data as well. The RCMP is making themselves completely ineffectual at actually doing anything with this data.
[ link to this | view in chronology ]
- Anonymous Coward, 6 May 2014 @ 5:39am
  
  Re:
  So because there are to many people for the brigands to steal from before they can get to you, you are cool with it?
  
  More brigands will show up so that you can be properly processed as well.
  
  Get your head out of the dirt.
  [ link to this | view in chronology ]
My Name Here, 6 May 2014 @ 3:28am

another cool story
Yes indeed, another cool story, but one that gollifies the numbers and doesn't real address the main points.

First off, and key here, is that "telecommunications" means everything from internet to phone, cable, and any other means by which information can flow. So many of these could be nothing more than requests related to harassing phone calls or sales calls against numbers on the do no call lists. A single missing persons inquiry could lead to dozens of sets of basic account information being pulled based on numbers called by the missing person on their cell phone, as an example.

By mixing all of these things together, it gives a mistaken impression of a room full of people just asking for information for the hell of it. It's just not the case.

Without breaking down the requests into some sort of detail, Mr Geist is using truthiness to try to push against what he sees as poor laws. However, in lumping data together and not considering use (or the likelihood of obtain a warrant anyway) he creates a false impression of a pez dispenser of information. There is no indication of the types of requests, so there is no way to know how many of them would show a similar result if a warrant was requested.

Figures don't lie but careful pruning and clumping of data can create almost any bad impression you like.
[ link to this | view in chronology ]
- Anonymous Coward, 7 May 2014 @ 6:31pm
  
  Re:
  No one believes you, you whining Prenda fanboy.
  [ link to this | view in chronology ]
- GEMont (profile), 11 May 2014 @ 12:32pm
  
  Re: another cool story
  Perhaps "My Name Here" can aid the public in its search for details by posting the information that will show the public exactly how these demands for information by the CanGov break down into the various categories s/he claims have been lumped together.
  
  Oh!
  What's that you say?
  That is not publicly available information!
  
  So nobody but the CanGov could actually disclose the numbers involved in all these categories - such as how many of the inquiries were about harassing phone calls or no-call-list checks.
  
  But, the CanGov will not release those numbers.
  
  So in truth, nobody mixed all these numbers up to give a bad impression of the problem. This is simply all of the information we presently have on this intrusion into Canadian Privacy by the Canadian Government and no actual details as to the breakdown of inquiry types were made available yet.
  
  Hope this comment cancels your shill-pay for this thread.
  [ link to this | view in chronology ]
Ninja (profile), 6 May 2014 @ 4:10am

By now they must have asked for information on virtually the entirety of the Canadian ISP subscribers.

These mass surveillance shenanigans would make very little sense without hovering over the conspiracy side. Too often conspiracy theories are being found to be true lately.
[ link to this | view in chronology ]
- That One Guy (profile), 6 May 2014 @ 9:27am
  
  Re:
  Really, when you think about it, the most rational explanation for activities like this is simple: the government and/or the police force see the public as the enemy.
  
  Sure it might sound tin-foil hattish, but honestly, nothing else makes even the slightest sense.
  [ link to this | view in chronology ]
One Bell to Rule Them All, 6 May 2014 @ 5:24am

"Canada is little more than a criminal organization masquerading as a constitutional monarchy."

Wrong! The ruling party is little more than a criminal organization.

Bell Canada owns most of the newspapers, most of the TV stations, most of the ISP businesses, most of the telephone system, most of the cable business, most of the cellphone business.

So far the Bell conglomerate has been a benign fungus on the country and the body politic. As long as it can make guaranteed profits, it seems content. Heaven forbid it morph to the virulent killer strain that infects the current ruling party. When Bell starts drawing up enemies lists, look out.
[ link to this | view in chronology ]
Michael, 6 May 2014 @ 7:17am

It's really one request every 54 seconds.

They have to request the same thing twice - once in English and once in French.
[ link to this | view in chronology ]
Varsil, 6 May 2014 @ 7:44am

Uhh...
"Two bills headed to committee both ask for the same thing: an expansion of warrantless disclosure -- one under the unintentionally ironic title of "Digital Privacy Act." "

Unintentionally ironic? I think you mean Orwellian. It's a name that could have come straight from the Ministry of Truth.
[ link to this | view in chronology ]
- Anonymous Coward, 6 May 2014 @ 8:09am
  
  Re: Uhh...
  The number you have dialled is no longer in service, but We believe you actually meant, "Ministry of Propaganda"
  
  The new number is . . .
  [ link to this | view in chronology ]
Anonymous Coward, 6 May 2014 @ 8:06am

I was an ISP before.

I was thinking, have Canadian Law Enforcement run an ISP, and then they can have their own TOS.

* SEEN BY: 1:203/XXXX
* ROUTE BY: sonic pengwyn bitches
[ link to this | view in chronology ]
Chris Brand, 6 May 2014 @ 9:45am

One easy thing Canadians can do to help
For Canadians, there's a useful recipe for seeing whether *your* data has been disclosed at https://citizenlab.org/2014/05/responding-crisis-canadian-telecommunications/

The more people that follow it, the more the service providers will realise that there is a down-side to giving this data up too freely.

And of course let your MP know that you care about this!
[ link to this | view in chronology ]
Anonymous Coward, 6 May 2014 @ 10:57am

There are 31,536,000 seconds in a (non-leap) year. That means 1,168,000 requests per year in a country with a population of 35,344,962. The crime rate in Canada is 8269 per 100,000 persons which means a total of 2,932,218.04752 crimes per year. Requests for ISP data are being made in 39.8333268901% of criminal cases. While this is oversimplification, it doesn't seem that bad.
[ link to this | view in chronology ]
- John Fenderson (profile), 6 May 2014 @ 11:12am
  
  Re:
  There's not nearly enough information there to reach even the tentative conclusion you come to. You're assuming that requesting ISP records is reasonable and relevant to all crimes. I'd be shocked if it were true for even most crimes, let alone all. This error makes things seem better than they really are. Also, there are likely to be multiple requests per criminal case. This error makes things seem worse than they really are.
  
  Those numbers don't support even a reasonable speculation for or against.
  [ link to this | view in chronology ]