Government agencies obtained customer data from Canadian telecommunications companies nearly 800,000 times in a single year, newly disclosed material shows, with at least one companies installing a "mirror" on its networks to more easily route data to authorities.
The new disclosure underscores the sheer volume of government requests for access to information about customers of phone and Internet service providers, and how easily those requests are fulfilled.
It flows from questions that the Office of the Privacy Commissioner of Canada put to leading Canadian telecommunications companies three years ago. The records were disclosed this week following an access to information request from University of Ottawa Law professor Michael Geist.
"The magnitude of the number of requests is staggering," Mr. Geist said in an interview. "The deep reluctance of the telcos to disclose this information is part of the story, too."
The Conservative government has a bill before Parliament, known as C-13, which would explicitly shield Canadian telecommunications and other corporations from any civil or criminal liability for handing over data to government authorities.
The released materials flow from 2011 correspondence between the agency and Gowlings, a law firm acting for the Canadian Wireless Telecommunications Association (CWTA).
The lawyers effectively acted as an agent to put the OPC's questions about interception practices to 12 companies, nine of whom responded to the survey.
The disclosure does not identify which companies facilitated what kinds of interception. Nor does it speak to which government agencies are making the requests.
"We are bound to keep all company responses confidential," the correspondence from Gowlings to the privacy commissioner said. "… As a group they represent a substantial proportion of Canada's telecommunications customer connections."
According to the privacy commissioner's survey, the nine companies that responded said that they together fielded 1.1 million requests from "government authorities" in a year (which year is not mentioned), and that the "aggregate users and accounts" subjected to disclosure stood at 784,756.
The bulk of the requests from police and intelligence agencies appear to involve handovers of basic subscriber information – who has which phone number or Internet Protocol address. But other, potentially invasive forms of interception are also alluded to.
One Canadian company told officials it has installed "what is essentially a mirror" on its network, so that it can send some raw data traffic directly to "federal authorities."
"Mirroring is when you take a one-to-one copy of a traffic stream," explained Chris Parsons, an expert state surveillance tools at the Citizen Lab at the University of Toronto. He said that such technology can be used as a tool of mass surveillance, but that in this case it appears to have been used selectively, so as to route lawfully requested information to authorities.
"The more concerning use, which I don't believe we saw in those documents, would be if they were digging through my [Internet] packets," he said.
A patchwork of laws, practices and agreements currently govern such handovers of customer data in Canada, creating confusion – even among the experts – about what the state can claim, and even who pays for the searches and the collation of data.
"Some LEAs [Law enforcement agencies] have refused to pay where the request is authorized by a court," one corporation complained, according to the survey.
Other telecom companies said that they effectively offer a menu of paid interception services – "schedules of tariffs and fees associated with recoverable costs" – to government and police agencies.
The Office of the Privacy Commissioner sent letters to the companies requesting this information in 2011 because the agency was then conducting a review on a law known as PIPEDA, which critics suggest facilitated warrantless handovers of customer data to authorities.
Last year, NDP MP Charmaine Borg put similar questions to federal government agencies in Parliament, asking them to respond to how often they compelled phone and Internet companies to turn over information. Most federal agencies replied that they were unable to provide hard numbers. Only one government department, the Canada Border Services Agency disclosed useful statistics, saying it made nearly 19,000 requests each year – and that was almost always seeking basic subscriber information.