Transparency Reporting by Private Sector Companies
Comparative Analysis
June 2015
Introduction
Public debates and decisions on privacy need grounding in facts and legal reality. Good transparency reporting based on evidence can support these discussions. Timely, accurate statistical information on government requests and access to personal information – in the form of clear transparency reports at regular intervals – can form the basis for rational consumer choices and build consumer confidence in a growing digital economy and its interface with the state for law enforcement and security purposes. [Footnote 1]
Summary of existing reporting measures
As of last autumn (2014), six telecommunications companies (Rogers, TELUS, TekSavvy, MTS Allstream, SaskTel and Wind) in Canada each began to publish annual reports which provide statistical details on:
- Customer name/address checks;
- Court orders / subpoenas / warrants;
- Government requirement / legal demand letters (under a federal/provincial law);
- Emergency requests from police in life-threatening situations;
- Child sexual exploitation emergency assistance requests; and
- Court orders to comply with a Mutual Legal Assistance Treaty (MLAT) request.
These categories are generally described in the reports with specific examples, as well as a description of the applicable legal authorities involved and sections for various Frequently Asked Questions. In addition, one firm provided a detailed description of its internal legal processes for assessing requests, while another set out its fee schedule.
As a basis for comparison, the chart below is a crosswalk of reported elements drawn from a collection of major global firms (primarily US) that offer online services. It is important to note that, of the firms listed below, Apple, Facebook, Google, LinkedIn, Microsoft, Twitter and Yahoo produce granular reports specific to requests received from Canadian authorities.
Overall, these reports by Canadian, US and global firms are an encouraging development for privacy rights and consumer awareness. Indeed, openness is one of the fundamental privacy principles enshrined under Schedule 1 of PIPEDA. In our Case for Reforming PIPEDA paper issued in 2013, we recommended that organizations should be required to be more transparent, especially where government investigators use generic “lawful authority” to request data on Canadian clients.
| Organizations | Total requests received | Total requests fulfilled / complied with | Details on requests (subpoena, court order, warrant) | Details on disclosures (content, transaction data, subscriber info) | Devices affected by request | Accounts affected | International requests detailed | Cases where firm rejected, objected | Cases where notice to user was provided | Link to internal law enforcement policies, handbook | Glossary of terms, definition |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Private sector – select US and global firms | | | | | | | | | | | |
| Apple* | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | |
| AT&T | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | | |
| Comcast | ☑ | ☑ | ☑ | ☑ | | | | | | | |
| Dropbox | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | |
| Facebook* | ☑ | ☑ | ☑ | ☑ | | | | | | | |
| Google* | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | | |
| LinkedIn* | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | | |
| Microsoft* | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | | |
| Time-Warner | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | |
| | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | |
| Twitter* | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | | |
| Vodafone | ☑ | ☑ | ☑ | ☑ | | | | | | | |
| Verizon* | ☑ | ☑ | ☑ | ☑ | | | | | | | |
| Yahoo* | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | | |
| Private sector – Canadian firms | | | | | | | | | | | |
| Allstream | ☑ | ☑ | ☑ | ☑ | | | | | | | |
| Rogers | ☑ | ☑ | ☑ | ☑ | ☑ | | | | | | |
| TELUS | ☑ | ☑ | ☑ | ☑ | ☑ | | | | | | |
| TekSavvy | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | |
| SaskTel | ☑ | ☑ | ☑ | ☑ | ☑ | ☑ | | | | | |
| Wind Mobile | ☑ | ☑ | ☑ | | | | | | | | |
* An asterisk indicates that the company reports some data elements separately for requests from Canadian authorities.
See also Access “Transparency Reporting Index” for full listing.
Analysis
The published Transparency Reports of certain Canadian service providers (alongside the existing reports to Parliament from Public Safety Canada) represent important sources for understanding how federal law enforcement intercepts private communications, conducts certain forms of electronic surveillance and whether these measures prove effective to investigators.
At the same time, the reporting schemes remain patchwork and have some clear gaps; for example, most of the newer surveillance powers in the Criminal Code have not yet been reported on. This is significant because many of these investigative techniques have recently been revisited and their availability broadened to a wider group of investigative organizations, as the Protecting Canadians from Online Crime Act came into force in March 2015. These information-gathering techniques include:
- Worn wires: Interception with the consent of one party (section 184.2);
- General production orders: stored records and data production (section 487.012);
- Account data: Production orders for account information (section 487.013);
- Tracers/GPS location: Location tracking devices (section 492.1);
- Metadata: call number logs or data recorders (section 492.2).
Since 2009, the OPC has advocated for a reporting regime on personal information disclosures to government by commercial organizations. We have addressed these calls to Parliament, government bodies, companies and industry associations. Our 2013 PIPEDA Reform paper called for a reporting regime to be enacted, as did the Office’s recommendations to Parliament on Bill S-4, the Digital Privacy Act, in 2014-2015.
To be clear, no report structure or public presentation of complex data will cover off every privacy concern from the outset. What is clear from a review of the commercial reports is that since their first publication in 2010, almost every firm has added and adjusted their methodology over time to better fit their business and respond to specific concerns of their customers. After a careful cross-comparison of the data elements noted in the various sections above, we examined those that are currently reported by the more operationally-complex commercial firms, working either in the Canadian market or comparable jurisdictions.
The OPC is of the view that Canada needs a consistent reporting structure and standardized nomenclature for the various categories of personal information and disclosures to government. While legal obligations and/or regulations could impose such requirements, the reporting regime advanced by Industry Canada is a good first step and we expect to see widespread adoption and compliance.