Auditor: Canadian Law Enforcement's Statistics On ISP Subscriber Data Requests Completely Unreliable

from the obfuscation-by-statistical-shrugs dept

Intrusive surveillance programs -- especially domestic surveillance programs -- are sold to wary legislators with promises of stringent oversight and periodic reporting. That's how they're sold. The reality is nowhere near as assuring.

The warrantless acquisition of Canadian ISP subscriber information was so thoroughly exploited by law enforcement that by 2011, subscriber data was being requested every 27 seconds. The recent addition of a warrant requirement has slowed these requests to a comparative crawl and resulted in cases being dropped by the Royal Canadian Mounted Police (RCMP). With this information no longer available on demand, law enforcement is apparently having to prioritize its cases. You know a system has gone off the rails when agencies would rather cherry pick enforcement efforts than deal with something so "onerous" as a warrant application.

No matter what the process entails, there's supposed to be oversight in place to prevent abusive behavior and/or civil liberties violations. In Canada, the oversight body is willing, but the law enforcement body is weak… and riddled with massive holes.

Last fall, Daniel Therrien, the government’s newly appointed Privacy Commissioner of Canada, released the annual report on the Privacy Act, the legislation that governs how government collects, uses, and discloses personal information. The lead story from the report was the result of an audit of the Royal Canadian Mounted Police practices regarding warrantless requests for telecom subscriber information.

The audit had been expected to shed new light into RCMP information requests. Auditors were forced to terminate the investigation, however, when they realized that Canada’s national police force simply did not compile the requested information. When asked why the information was not collected, RCMP officials responded that its information management system was never designed to capture access requests.
So, there is no audit. And without a periodic audit, there can be no oversight. There may be an entity in place to collate reported data, but what's being reported is incomplete and inaccurate. And not in any small way. The problem appears to be systemic, ingrained and possibly deliberately misleading. Some meaningful details have been redacted from the memo, but the mostly intact closing paragraph is far from comforting.
In conclusion, based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.
And the oversight entity? Apparently, almost as untrustworthy. Michael Geist points out that crucial wording was omitted from the Privacy Commissioner's official report.
The incident highlights the limits of Canadian oversight over law enforcement and surveillance activities. The use of the privacy commissioner’s audit power is frequently lauded as a mechanism to ensure that government does not run afoul of the law. Yet despite identifying inaccurate and incomplete data on a high profile privacy issue, the public audit report does not use the terms “inaccurate” or “incomplete.”
The commissioner may have kept these damning terms (temporarily) out of the public's eye in the official report, but even the more hedged version deployed there does nothing to instill confidence in the RCMP's ability to handle this access responsibly or to submit to any form of accountability.
Ultimately, our efforts to review files, combined with our interviews with RCMP personnel, did not allow us to determine whether the RCMP, as a whole, was compliant, or non-compliant, with the provisions of the Privacy Act with respect to the collection of subscriber information without a warrant. Moreover, other than through a manual review of all case files stored, the RCMP does not have a means to demonstrate its compliance in this regard.
Even if the Privacy Commissioner is unwilling to say it, the conclusions speak for themselves. The RCMP is "non-compliant." Stringent procedures that were implemented to ensure accountability have been largely ignored. The RCMP tries to claim it's really just a "software program," but that assertion doesn't explain why more than four years down the road from the cited 2010 report, nothing has changed.

There is a likely explanation for this lack of careful reporting by the RCMP. For one, it helps obscure the paper trail. It also makes the possibility of mounting a legal challenge on its domestic data-gathering a much more daunting prospect. The RCMP may be unable to show what it's doing right, but its lack of proper documentation helps ensure it will be equally as hard to prove it's doing anything wrong.

Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: canada, data requests, law enforcement, privacy


Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    That One Guy (profile), 4 Mar 2015 @ 7:06pm

    This /should/ be easy

    If a main defense of a program is how thorough and comprehensive the oversight of it is, in order to curb and prevent abuse of it, and it turns out that the oversight is non-existent, especially if the reason for that is the agencies themselves refusing to co-operate, then the response should be simple enough: Shut down the program until real oversight is put in place.

    Don't 'take the matter under advisement' or 'suggest (more toothless and ignored) changes', the oversight isn't there, that was a primary defense for the programs, therefor shut down the program.

    link to this | view in chronology ]

  • identicon
    Anonmylous, 4 Mar 2015 @ 10:28pm

    Well if the RCMP don't have records of how often and for what reasons they are requesting private data from the ISPs regarding their subscribers...why not ask the ISPs for that data?

    Oh wait, that'd then put that "daunting prospect" of "mounting a legal challenge on its domestic data-gathering" back onto the RCMP and they're obviously too technologically backward to figure out how to audit their own records.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Mar 2015 @ 7:23am

    The RCMP may not have records, but they are very well armed. Go ahead, try and stop them.

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Mar 2015 @ 8:38am

    Why so surprised?

    You know a system has gone off the rails when agencies would rather cherry pick enforcement efforts than deal with something so "onerous" as a warrant application.

    You don't need the scare quotes around the word 'onerous' there. The previous "every 27 seconds" number may represent how fast their mouths can move. There are a lot more words required when applying for a warrant.

    "Triage", or "prioritize" are less freighted synonyms for "cherry pick" in this case. Since the legislation requiring warrants didn't come with accompanying increases in personnel to handle cases, "cherry picking" is a natural consequence of the increased workload. Saying "they would rather" implies that they had a choice between triage and working overtime on the same number of cases.

    link to this | view in chronology ]

  • icon
    Udom (profile), 5 Mar 2015 @ 9:43am

    In the current political climate I don't expect much improvement. An individual can make a formal request to their ISP for their individual records of such requests, of course, but we need to see the aggregate. In a related story, a Canadian arriving at the Halifax airport from the Dominican Republic has been arrested for refusing to provide his cellphone password to Border Services. He faces a possible year in prison if convicted. http://tinyurl.com/pq8xqfz (CBC)

    Border Services are the guys who were revealed to have made 700,000 requests to ISPs for the web surfing records of Canadians at the border and casually provided them to the americans.

    link to this | view in chronology ]

  • icon
    GEMont (profile), 5 Mar 2015 @ 12:12pm

    i.i.i.i.i.

    As one of the founding members of Five Eyes, Canadian Military and Police forces must by (secret) law abide by the rules laid down for conduct of all members of the Five Eyes Global Government.

    Thus, while the RCMP may indeed be breaking Canadian National Law by refusing to comply with Canadian oversight rules, it is acting fully in accordance with the real Laws that govern its actions - the (secret) laws of the Five Eyes Global Government Control Board.

    ---

    link to this | view in chronology ]

  • identicon
    Anonymous Coward, 5 Mar 2015 @ 1:18pm

    Oh goody, we can expect to see an article about Australia's oversight body failing in their task to oversee the collect-all metadata program in the future then too.

    link to this | view in chronology ]

  • icon
    GEMont (profile), 11 Mar 2015 @ 4:03am

    Because they control the law, they no longer fear the law.

    "...expect to see an article about Australia's oversight body failing in their task..."

    And New Zealand's as well.

    They can all act now without fear of consequences, because most of the laws of the Five Eyes nations have been quietly altered to allow the fascists unimpeded operational freedom.

    This means they will be caught red handed in the cookie jar more often, because getting caught will no longer result in a penalty of any sort.

    But apparently Britain is the real Brains of the operation and the USA is only the Obvious Villain everyone is supposed to learn to loathe, since most of the world already hates the US Rulers anyway.

    Like the POTUS, who is the figurehead you're supposed to love or hate, so that his billionaire employers can avoid public scrutiny altogether.

    I assume that the Five Eyes employs a number of variably dependant Non-White, Non-English-speaking countries as "minionations", who do the real dirty wet-work behind the scenes as well, since that is standard operational procedure for this kind of fascist pogrom.

    Old system.
    Very successful.

    ---

    link to this | view in chronology ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.