Industry Canada has published guidelines for telecommunications companies to provide transparency reports. The guidelines are ostensibly meant to help companies that want to disclose the regularity, rationale, and extent of Canadian governmental requests for private telecommunications data. The guidelines may actually, however, establish government-sanctioned flaws in transparency reporting and prevent companies from meaningfully informing their customers about government telecommunications surveillance.
We begin this post by briefly summarizing the importance and value of transparency reporting and why Canadian companies should adopt and publish transparency reports. Second, we outline how Industry Canada’s guidelines may enhance transparency reporting. Third, we summarize the significant deficits linked to the guidelines and conclude by discussing how the guidelines could be improved to bring about meaningful and holistic corporate telecommunications transparency reporting.
Background to Transparency Reporting
We discussed the importance of transparency reporting in our recent report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians.” Transparency reporting involves companies publicly disclosing data that holds a public interest; telecommunications transparency reports are generally meant to provide complex information in an accessible and factual manner so that subscribers can subsequently make reasonable judgements based on the disclosures. Canadian telecommunications transparency reports have largely focused on policing and security issues to date, and have been released by Rogers, TELUS, Sasktel, TekSavvy, MTS Allstream, and Wind Mobile.
The Citizen Lab and the Telecom Transparency Project have actively encouraged telecommunications companies to release transparency reports. Together, these organizations have written public letters to telecommunications service providers, developed and launched a tool so that Canadians can learn about providers’ data retention and disclosure policies, conducted interviews concerning transparency and surveillance issues in Canada, and filed access to information and privacy requests to understand government surveillance practices. The result of our efforts to date are captured in a report that we released in June 2015, as are a series of recommendations for how members of the telecommunications industry could improve their transparency reports. In the following sections we examine the extent to which Industry Canada’s recently issued guidance aligns with our policy recommendations.
Potential Benefits of Industry Canada Guidance
The second recommendation from our recent report suggested that telecommunications service providers (TSPs) should standardize their transparency reporting across the industry. We wrote that, “[s]tandardization would enhance the effectiveness of reports by making them directly comparable. Without such standardization, the effectiveness of the prorates for public policy decision-making is diminished. As such, TSPs should commit to a series of multi-stakeholder meetings, including people from academia, civil societies, government, and the corporate sector, at which they develop standardized transparency report.”
One the one hand, that the government of Canada is releasing guidance on transparency reporting could standardize the reports being issued by telecommunications service providers. That’s a good thing, insofar as the providers’ reports could be more easily compared against one another if they all adopt the Industry Canada format. However, Industry Canada has set a ceiling and not a floor for reports; the government department has not identified the minimum amount of data that a telecommunications provider has to include in order to produce a transparency report.
Moreover, Industry Canada’s transparency reporting guidance did not entail a proper multi-stakeholder process: neither academics nor civil society were meaningfully consulted, if at all, on developing the guidelines. This failure represents a process flaw which has prevented serious limitations of the government’s guidance from either not being heard, not being debated, or simply set aside. The problems emergent from this process could have been remedied — or at least aired and addressed — if a multi-stakeholder process had been adopted.
Problem #1: No Requirement to Publish Transparency Reports
The first recommendation of our report called for all Canadian TSPs to “release transparency reports so that Canadians can understand how these companies handle their personal information.” Nothing in the Industry Canada guidance compels a company to produce a transparency report. As such, these reports will continue to be acts of corporate generosity rather than the result of complying with obligations of accountability on communications companies. Without stronger language from Industry Canada it is unclear whether, and if so why, additional companies will begin actually producing transparency reports.
Problem #2: No Mention of Publishing Data Retention Periods
The third recommendation of our report was for TSPs to “commit to publicly disclosing their data retention periods for all of their products so customers can understand how their information is handled” while also clarifying just how much data is accessible to government authorities when they request or compel it from TSPs. Nothing in the guidance mentions data retention periods. There is a risk that TSPs interpret the absence of data retention guidance as the government implicitly asserting TSPs should not include such information alongside or as part of their annual transparency reports.
Problem #3: No Mention of Publishing Government Access Handbooks
Recommendation four of our report was that TSPs publish “their law enforcement guidelines in order to reduce confusion that government agencies may have concerning what data is stored, for how long, and under what terms it is released. Publishing these guidelines would also strengthen the public’s trust that there are practices and policies in place to restrict government agencies’ overbroad or inappropriate requests for subscribers’ personal information.”
Industry Canada did not mention the appropriateness of companies publicly producing these handbooks as part of, or alongside, the companies’ transparency reports. Nor do Industry Canada’s guidelines indicate how or to what extent companies can report on takedowns or blocking of access to content. The guidelines also do not authorize telecommunications companies to provide qualitative examples, which might indicate unusual requests they have received: under these guidelines, could Rogers report on their constitutional challenge to government tower data requests? The absence of guidance around law enforcement handbooks may be interpreted by companies that they cannot release such information, which would have a deleterious impact on citizens’ understanding of government access to telecommunications data and the processes corporations have put in place to limit such access.
Problem #4: No Mention of Publishing Compensation Guidelines
Many Canadian telecommunications companies receive some kind of payment for disclosing subscriber information to government agencies; we recommended in our report that TSPs publish their compensation tariffs “so that government agencies and the public can understand the costs of contemporary surveillance practices and to begin to understand what the cost of conducting such surveillance is to taxpayers.” Industry Canada’s guidance does not indicate that companies can — or should — share compensation-related information with the public. There is the risk that, given the absence of such guidance from Industry Canada, TSPs may interpret the government as implicitly asserting such information should be excluded from annual transparency reports.
Problem #5: No Mention of Government Equipment Clauses
Past legislative adventures would have authorized the government to insert surveillance equipment in private companies’ networking infrastructures. Snowden documents have indicated that the Communications Security Establishment (CSE) have deployed equipment in telecommunication providers’ networks. Given these realities we recommended that companies “state in their transparency reports, sustainability reports, or in other corporate document that such equipment has not been installed. Such a clause could comfort Canadians, confirming that their chosen TSP is responsible for the process of collecting information about its subscribers when the law requires.” Industry Canada’s guidance makes no mention of whether TSPs can, or should, include government equipment clauses, representing yet another weakness of the government’s guidance.
Problem #6: Arbitrary Exertion of Authority
It is unclear under what authority Industry Canada can set this ‘guidance’ or the consequences that companies might face for not adhering to it. Moreover, the inability for companies to differentiate between federal-, national security-, or provincial-related requests appears arbitrary: while it’s unclear what investigations are jeopardized by differentiating between which level of government is requesting data, or the kind of investigation for which data is being requested, it’s very clear that without this kind of granularity Canadians cannot know which government agencies are actually engaged in telecommunications surveillance. The limitations applied in the Industry Canada guidance prevent Canadians or their parliamentary/legislative representatives from holding the government to account. Moreover, nothing in the guidance itself indicates why Industry Canada, as opposed to Public Safety Canada or Justice, is responsible for this policy initiative.
Problem #7: Arbitrary Limitations on Reporting Figures
The guidance states that, when receiving fewer than 101 requests, a company can only report requests as between 0-100. TekSavvy Solutions previously declared it had fewer than 100 requests in a two year period: there is no evidence that these disclosures threatened any government investigations. And the federal government’s own Electronic Surveillance reports have shown that there have been less than 100 authorizations for electronic surveillance of different types between 2008 and 2012. Figure One showcases how Public Safety Canada currently presents such authorizations to the public and Parliament:
At no point has the Government of Canada asserted that releasing information in the Electronic Surveillance reports has led to an investigation being compromised. The same is true of figures released by large multi-national companies: when Google, Twitter, and other companies reported exactly how few requests from Canadian authorities they received, the associated authorities have never stated that these revelations either endangered or compromised investigations.
Moreover, Industry Canada has instructed TSPs to delay their annual reports by six months; thus a report on government requests for 2014 could come out June 2015 or later. The government’s rationale is that such a delay will mean no investigations are compromised, as they could be by rapid releases of transparency-related information. Why, if this suggestion is followed, would declaring the specific number of government requests (when they are under 101 requests) endanger or risk ongoing investigations?
Problem #8: Unclear Modifications to Existing Communications Interception Standards
Mobile telecommunications providers agree to abide by the Solicitor General’s Enforcement Standards (SGES), which includes a gag on discussing government telecommunications interceptions. While successive copies of the SGES have been released under Access to Information and Privacy requests, the government has not committed to publicly publishing these standards. As we noted in our previous report, “Public Safety Canada has suggested it would secretly modify the SGES to expand the breadth of communications that would have to be intercept able without significant consultation” and that, consequently, the “federal government should commit to making the current SGES public and to engaging in public consultations prior to updating the Standards.” If companies are now permitted to release transparency reports — and in effect break the gag that is built into the Standards — does this mean that the SGES itself has been updated? Or do the new transparency report guidelines trump the SGES? Or when releasing transparency reports are companies prohibited from disclosing wireless-related government surveillance requests? The government can remedy this confusion by simply publishing and committing to publicly updating the Solicitor General’s Enforcement Standards going forward.
Problem #9: Failure to Expand Subscriber Notification
Government agencies request access to telecommunications data hundreds of thousands of times a year, yet Canadians only learn of the surveillance when the collected data is either used against them in a legal proceeding or when notified that they were subject to a government wiretap order. The government could have obligated, or at least made it easier, for telecom companies to notify specific subscribers of government surveillance activities but failed to do so, thus leaving Canadians subject to surveillance without ever knowing whether they were personally affected.
Problems #10: Failure of Government to Update its Own Reporting
The current interception reports published by government agencies do not account for most of the government’s contemporary surveillance practices. We have previously written that, “[g]iven the shift of government agencies’ surveillance techniques towards those favouring access to stored communications database, access to non-content information, and agencies’ failures to proactively disclose their techniques and the regularity at which they use these techniques, Parliament should amend the Criminal Code to require all government agencies to record and publicly report on their use of non-interception modes of surveillance.” There is nothing in Industry Canada’s guidance which indicates the government is planning to be more accountable to Canadians: instead, the government department is placing restrictions on private companies while the government writ-large remains largely unaccountable for its use of telecommunications surveillance powers.
Reforming Guidance for Holistic Transparency Reporting
Government guidance and regulation can be helpful in advancing corporate transparency behaviours. Because of government regulation, companies are currently compelled to report on their financial affairs, about their compliance with health and safety regulations, and about their compliance with environmental laws. Unlike in other jurisdictions, the telecommunications transparency dialogues in Canada are characterized by not being multi-stakeholder. The Canadian government still has an opportunity to try and convene such a multi-stakeholder set of discussions and it must do so in order to better address the problems raised in our review of the Industry Canada Transparency Report Guidelines. Any such discussions must focus on how to create holistic and sufficiently detailed transparency reports. As it stands, the government’s current guidance effectively imposes additional barriers on corporate reporting about government surveillance while, simultaneously, the government has failed to statutorily require itself to more appropriately report on its own actions.
Industry Canada’s publication does recognize that it may update its guidance going forward; it would behoove the department to seriously begin multi-stakeholder consultations in order to address the problems we have raised in our evaluation of its guidance policy. Our report, “The Governance of Telecommunications Surveillance: How Opaque and Unaccountable Practices and Policies Threaten Canadians,” includes a range of recommendations that could significantly enhance corporations’ transparency reports; we recommend that the government and other stakeholders read those recommendations and consider implementing them or, at the very least, discussing them at a multi-stakeholder dialogue on telecommunications transparency reporting in Canada.
Some of the research mentioned in this post was funded through the Canadian Internet Registration Authority’s .CA Community Investment Program. Through the Community Investment Program, .CA funds projects that demonstrate the capacity to improve the Internet for all Canadians. The .CA team manages Canada’s country code top-level domain on behalf of all Canadians. A Member-driven organization, .CA represents the interests of Canada’s Internet community internationally.