Transparency reports from Twitter, Facebook, Microsoft, Yahoo! and Google suggest U.S. companies are being far more careful with Canadian data than Canadian telecoms.
According to reports, which have been publicly posted, the U.S. companies collectively provided Canadian authorities with 57.5 per cent of requests for user data between July and December 2013.
The fact that American companies are voluntarily sharing details about the number of requests they receive for private data stands in stark contrast to how things are in Canada, where telecom companies don’t reveal such information.
But the numbers also raise questions about why U.S. industry appears to be more vigilant with the public’s information.
While overall figures aren’t publicly available, recent parliamentary documents show that, from April 2012 to March 2013, the Canadian Border Services Agency asked telecoms for information over 18,000 times — and that the request was almost always fulfilled.
“We like to think in Canada we have better privacy practices, but I think in some areas we are actually behind and there’s a lot more we can do,” said Andrew Clement, professor in the faculty of information at the University of Toronto.
According to recent figures provided by Canada’s privacy commissioner, government agencies asked nine Canadian telecoms and social media companies to turn over peoples’ data nearly 1.2 million times in 2011.
Those numbers were based on information handed over by the nine companies representing a “substantial portion” of the Canadian telecom market, which responded anonymously to the commissioner’s request for information.
Although the figures were released for that year, information on what is disclosed in Canada — including which government and law enforcement agencies are requesting the data — is shrouded in secrecy.
Jennifer Kett, Rogers’ senior manager of communications, said “there are laws that say we can’t provide stats on the number of law enforcement requests we get each year.”
“But we recognize that our customers and Canadians are looking for more information about the number of law enforcement requests we receive, and that’s why we’re looking at how we can provide more details within the law.”
She said Rogers provides private information only when they are compelled to by law or in emergency situations — otherwise the company discloses information only when there is a warrant.
“I can tell you that the Personal Information Protection and Electronic Documents Act does not include provisions that would prevent communicating aggregate data where no individual can be identified or inferred,” said Valerie Lawton, a spokeswoman for the Privacy Commissioner’s Office.
U.S. companies say consumer pressure is one of the reasons why they’ve decided to provide greater transparency surrounding data requests.
“Like other technology companies, we regularly receive requests from governments around the world to disclose certain user data,” Suzanne Philion, a spokesperson for Yahoo!, said in an emailed statement.
“Through our transparency report, we share as much information as we can about government requests for this data. We work hard to protect our users’ information from unclear, improper, overbroad or unlawful government data requests, and are committed to putting our users first.”
Canadian privacy experts say transparency reports are a move in the right direction, but want companies to go even further in disclosing which authorities are requesting the information and what their justification is for doing so.
“The fact that Google and others are producing (transparency reports) I think is great,” said Clement.
But Clement says the reports are “just the tip of the iceberg” and should provide even more details.
The reports are published online twice a year and disclose the number of government requests for user data. They also show the number of user accounts specified in each request and the percentage of the requests where “some” data has been hand over to authorities.
For example, Google received 52 requests for user data from Canadian authorities in the final six months of 2013.
According to their report, they complied with 25 per cent of those requests by providing at least “some” data. The report does not provide information as to what happened to the remaining 75 per cent of the requests.
In comparison, Microsoft received 47 requests for the same time period. According to their report, they complied with 78.7 per cent of the requests. Microsoft, however, went a step further and said it had rejected 10.6 per cent of requests, and did not find the data in another 10.6 per cent of cases.
According to Facebook, in cases where the local law compels the company to disclose information, they share only basic subscriber information.
This can include your name, email address, physical location, IP address, login details, billing information, and other transactional information such as “to,” “from,” and the “date” fields in emails that are sent and received.
The companies have labelled this type of information as “non-content” data, otherwise known as metadata.
It’s not clear why there is such a large discrepancy between data requests from Canadian telecom companies and American tech companies, but experts suggest it is likely a combination of more rigorous legal standards in the United States and the fact that Canadian authorities have to go through the Mutual Legal Assistance Treaty to get access to information held in the U.S.
“The volume of (Canadian) requests, in the absence of the need for judicial warrants or other court oversight, illustrates the routine nature with which government and law enforcement can easily get (Canadian) telecoms to hand over personal information,” said Christopher Parsons, a post-doctoral fellow at the University of Toronto’s Citizen Lab.
Each American company states on their website that they check requests for legal sufficiency and require officials to provide a detailed description of the legal and factual basis for their request, similar to the process police must complete for a judge in order to obtain a police warrant.
In a report published last year by Canada’s privacy watchdog, it made four recommendations to improve the Personal Information Protection and Electronic Documents Act (PIPEDA) including requiring Canadian companies to publicly report the number of disclosures they make to law enforcement.
American companies, for their part, are not waiting for the Canadian government to reform privacy laws and have begun voluntarily publishing these biannual transparency reports in an effort to improve transparency for their users.
In January, the American government made it easier for Internet companies to disclose the number of requests they received.