Telcos Fail to Manage Canadians’ Personal Information Responsibly: Report

Canadians recognize that their private communications are “incredibly sensitive,” and they are very concerned about who has access to their private information and how much of it those parties can see. They should be: law enforcement and government agencies have been collecting vast amounts of data from telcos without much transparency, a report released today by Citizen Lab reveals (via CBC).


“We conclude that serious failures in transparency and accountability indicate that corporations are failing to manage Canadians’ personal information responsibly,” says the report released by Citizen Lab today that examines how Canadian telecommunications data is monitored, collected and analyzed by groups such as police, intelligence and government agencies.

The study, funded by the Canadian Internet Registration Authority, raises questions about the appropriateness of the powers or mandates of law enforcement agencies. Christopher Parsons, lead author of the study and a postdoctoral researcher at Citizen Lab, says the legislation is outdated, so there is no way to know what the requests were about, what data was requested, and whether information about another person was involved.

“That really indicates that the interception reports, while they’re very rigorous, they’re such a limited data set that they really don’t explain to parliamentarians or the public the extent or kind of surveillance that are commonplace in Canada today,” Parsons said.

In other words: while Parsons welcomes the transparency reports published by telcos, he points to the discrepancies among these reports across different types of data. A possible explanation is that telcos have not yet developed a common standard for reporting.

What’s more alarming, though, as highlighted by Parsons, is that these reports reveal the regularity with which government authorities request data from telcos. What they do not reveal, and this is where he raises the red flag, is the extent of data accessed: while one request could be for a single data record created yesterday, another could encompass all subscriber data records created over many years. In other words: disclosing the number of requests doesn’t equal revealing the amount of data collected (with or without a warrant).

The entirety of the research is worth a read. You can access it by following this link.