On Tuesday Canada’s privacy commissioner revealed (subscribers only) that government agencies made nearly 1.2 million requests for subscriber information from telecom companies per year, yet the companies’ different methods of tracking such requests and various qualifications mean the real number may be substantially different.
According to a letter sent to Canada’s privacy commissioner by a law firm representing the Canadian Wireless Telecommunications Association (CWTA) in 2011 and made public for the first time on Tuesday, the aggregate number of subscriber information requests is tracked at some companies by the number of affected customers, at another by the number of records produced, and at another by the province where the request originates.
One provider gave only the number of responses it made to the government agencies, not the number of requests made.
The letter itself noted that the 1.2 million could include duplicates, omissions or overlaps.
Some media reports have claimed that the 1.2 million represents the total number of requests for data in 2011, yet this is not stated explicitly anywhere in the letter. The law firm, Gowling Lafleur Henderson LLP, calls the number an “aggregate average,” but an average of what? This data appears to only apply to 2011, which would mean that it does represent the total number of requests for that year, except that number is not an average but rather an aggregate.
Of the nine companies that provided data on the number of government requests, only three provided the number of users or accounts that were subject to disclosure, which added up to 784,756. So nine companies received nearly 1.2 million requests, maybe, while three companies provided 785,000 responses, probably, on an unknown number of users. One company said the average number of subscribers per request was 1.74, meaning requests included multiple people more often than not.
The absolute numbers are the first look Canadians have had at the scope of so-called lawful access, but they are far from illuminating.
None of the telecom companies that responded in the letter broke down the requests by those made without a warrant, for which only basic subscriber information such as such as name, addresses and phone numbers can be released, and those made with a warrant, which can allow law enforcement agencies to track cellphones and monitor call logs.
The government’s anti-cyberbullying legislation now before Parliament extends protection for telecom companies in data sharing, providing immunity to all civil and criminal liability for those who hand over information requested by law enforcement or public agencies.
All nine organizations said in the 2011 letter that they did not notify customers when their information was handed over, even if the law allows it.
In March, the government made public limited information on lawful access requests for subscriber data at several agencies that showed it received data on 18,849 requests between April 2012 and March 2013, the overwhelming majority of which were for basic subscriber information that is accessible without a warrant.
According to the CWTA, all communication to the companies was done by the law firm, and the CWTA has no more information on lawful access than was included in the 2011 letter.