Auditor: Canadian Law Enforcement's Statistics On ISP Subscriber Data Requests Completely Unreliable
from the obfuscation-by-statistical-shrugs dept
Intrusive surveillance programs -- especially domestic surveillance programs -- are sold to wary legislators with promises of stringent oversight and periodic reporting. That's how they're sold. The reality is nowhere near as assuring.
The warrantless acquisition of Canadian ISP subscriber information was so thoroughly exploited by law enforcement that by 2011, subscriber data was being requested every 27 seconds. The recent addition of a warrant requirement has slowed these requests to a comparative crawl and resulted in cases being dropped by the Royal Canadian Mounted Police (RCMP). With this information no longer available on demand, law enforcement is apparently having to prioritize its cases. You know a system has gone off the rails when agencies would rather cherry pick enforcement efforts than deal with something so "onerous" as a warrant application.
No matter what the process entails, there's supposed to be oversight in place to prevent abusive behavior and/or civil liberties violations. In Canada, the oversight body is willing, but the law enforcement body is weak… and riddled with massive holes.
Last fall, Daniel Therrien, the government’s newly appointed Privacy Commissioner of Canada, released the annual report on the Privacy Act, the legislation that governs how government collects, uses, and discloses personal information. The lead story from the report was the result of an audit of the Royal Canadian Mounted Police practices regarding warrantless requests for telecom subscriber information.So, there is no audit. And without a periodic audit, there can be no oversight. There may be an entity in place to collate reported data, but what's being reported is incomplete and inaccurate. And not in any small way. The problem appears to be systemic, ingrained and possibly deliberately misleading. Some meaningful details have been redacted from the memo, but the mostly intact closing paragraph is far from comforting.
The audit had been expected to shed new light into RCMP information requests. Auditors were forced to terminate the investigation, however, when they realized that Canada’s national police force simply did not compile the requested information. When asked why the information was not collected, RCMP officials responded that its information management system was never designed to capture access requests.
In conclusion, based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.And the oversight entity? Apparently, almost as untrustworthy. Michael Geist points out that crucial wording was omitted from the Privacy Commissioner's official report.
The incident highlights the limits of Canadian oversight over law enforcement and surveillance activities. The use of the privacy commissioner’s audit power is frequently lauded as a mechanism to ensure that government does not run afoul of the law. Yet despite identifying inaccurate and incomplete data on a high profile privacy issue, the public audit report does not use the terms “inaccurate” or “incomplete.”The commissioner may have kept these damning terms (temporarily) out of the public's eye in the official report, but even the more hedged version deployed there does nothing to instill confidence in the RCMP's ability to handle this access responsibly or to submit to any form of accountability.
Ultimately, our efforts to review files, combined with our interviews with RCMP personnel, did not allow us to determine whether the RCMP, as a whole, was compliant, or non-compliant, with the provisions of the Privacy Act with respect to the collection of subscriber information without a warrant. Moreover, other than through a manual review of all case files stored, the RCMP does not have a means to demonstrate its compliance in this regard.Even if the Privacy Commissioner is unwilling to say it, the conclusions speak for themselves. The RCMP is "non-compliant." Stringent procedures that were implemented to ensure accountability have been largely ignored. The RCMP tries to claim it's really just a "software program," but that assertion doesn't explain why more than four years down the road from the cited 2010 report, nothing has changed.
There is a likely explanation for this lack of careful reporting by the RCMP. For one, it helps obscure the paper trail. It also makes the possibility of mounting a legal challenge on its domestic data-gathering a much more daunting prospect. The RCMP may be unable to show what it's doing right, but its lack of proper documentation helps ensure it will be equally as hard to prove it's doing anything wrong.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: canada, data requests, law enforcement, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
This /should/ be easy
Don't 'take the matter under advisement' or 'suggest (more toothless and ignored) changes', the oversight isn't there, that was a primary defense for the programs, therefor shut down the program.
[ link to this | view in chronology ]
Oh wait, that'd then put that "daunting prospect" of "mounting a legal challenge on its domestic data-gathering" back onto the RCMP and they're obviously too technologically backward to figure out how to audit their own records.
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Why so surprised?
You don't need the scare quotes around the word 'onerous' there. The previous "every 27 seconds" number may represent how fast their mouths can move. There are a lot more words required when applying for a warrant.
"Triage", or "prioritize" are less freighted synonyms for "cherry pick" in this case. Since the legislation requiring warrants didn't come with accompanying increases in personnel to handle cases, "cherry picking" is a natural consequence of the increased workload. Saying "they would rather" implies that they had a choice between triage and working overtime on the same number of cases.
[ link to this | view in chronology ]
Border Services are the guys who were revealed to have made 700,000 requests to ISPs for the web surfing records of Canadians at the border and casually provided them to the americans.
[ link to this | view in chronology ]
i.i.i.i.i.
Thus, while the RCMP may indeed be breaking Canadian National Law by refusing to comply with Canadian oversight rules, it is acting fully in accordance with the real Laws that govern its actions - the (secret) laws of the Five Eyes Global Government Control Board.
---
[ link to this | view in chronology ]
[ link to this | view in chronology ]
Because they control the law, they no longer fear the law.
And New Zealand's as well.
They can all act now without fear of consequences, because most of the laws of the Five Eyes nations have been quietly altered to allow the fascists unimpeded operational freedom.
This means they will be caught red handed in the cookie jar more often, because getting caught will no longer result in a penalty of any sort.
But apparently Britain is the real Brains of the operation and the USA is only the Obvious Villain everyone is supposed to learn to loathe, since most of the world already hates the US Rulers anyway.
Like the POTUS, who is the figurehead you're supposed to love or hate, so that his billionaire employers can avoid public scrutiny altogether.
I assume that the Five Eyes employs a number of variably dependant Non-White, Non-English-speaking countries as "minionations", who do the real dirty wet-work behind the scenes as well, since that is standard operational procedure for this kind of fascist pogrom.
Old system.
Very successful.
---
[ link to this | view in chronology ]