A Canadian privacy and security group isn’t impressed with the answers it got from Canadian Internet service providers about their policies on disclosing information about subscribers to government agencies.

“They’re not quite as robust as we had hoped,” Christopher Parsons of the University of Toronto’s Citizen Lab said in an interview Thursday.

“We had imagined the lowest threshold would be the various companies indicating when they could not respond to specific questions (from us) and where for corporate business reasons they would not respond.

“Unfortunately the responses that were provided lacked that kind of clarity, even.”

But he hopes that in follow-ups the ISPs will say “if they’re not able to respond because of (federal) gag rules, or they’re gagging themselves.”


In January Citizen Lab sent letters to 16 leading wired and wireless ISPs asking them “to reveal the extent to which they voluntarily, and under compulsion, disclose information about their subscribers to state agencies, as well as for information about business practices and data retention periods.”

In particular, it wants to know what federal regulations or laws forbid them from informing the public about what they do.

Disclosure about what ISPs are doing has become more important with recent revelations by former NSA contractor Edward Snowden about Canadian and U.S. government electronic capabilities. The Harper government was forced to drop its lawful access legislation, which critics said gave overly broad powers to law enforcement agencies for getting Internet subscriber information.

Ten replied by the March 4 deadline, including BCE Inc.’s Bell Canada, Rogers Communications, Telus Corp., Shaw Communications and Quebecor Media (which owns Quebec’s Videotron cable and wireless networks).

Some, like Maritime cable and wireless network owner Eastlink, were “thrifty” with their answers, Parsons said.

Others were more detailed. Bell gave this response when asked what it discloses:

“To ensure that customer information is only disclosed in circumstances permitted by PIPEDA (the federal Personal Information Protection and Electronic Documents Act) and required by law, all such requests are vetted by Bell Canada’s lawful access group and, where there is any doubt, by my office.

“The lawful access group exercises careful scrutiny over disclosure requests. Where necessary, the lawful access group has required government agencies to withdraw their disclosure requests where the request appears unreasonable in its scope or lacks the reasonable grounds required by law.

“In the past, when there were concerns about the statutory power of law enforcement agencies (LEAs) to request warrantless access to customer information under exigent circumstances, Bell Canada led the way to implement an industry-wide process requiring LEAs to document the basis for each such access request.”

What this reveals, the report noted, is that Bell sometimes pushes back against certain government requests for data.

Just as important is that Bell feels publicly disclosing this won’t damage national security, the report adds.

The report also praised Telus for committing to ask Ottawa to clarify and limit the scope of federal confidentiality requirements. At the same time, Telus’ reply noted that it sometimes gets court orders for subscriber information that is “often far reaching.”

One way to restrict law enforcement agencies from making broad requests, Telus suggested, is to follow a U.S. requirement that police pay for the costs ISPs incur.
