Auditor: Canadian Law Enforcement's Statistics On ISP Subscriber Data Requests Completely Unreliable
from the obfuscation-by-statistical-shrugs dept
Intrusive surveillance programs — especially domestic surveillance programs — are sold to wary legislators with promises of stringent oversight and periodic reporting. That’s how they’re sold. The reality is nowhere near as assuring.
The warrantless acquisition of Canadian ISP subscriber information was so thoroughly exploited by law enforcement that by 2011, subscriber data was being requested every 27 seconds. The recent addition of a warrant requirement has slowed these requests to a comparative crawl and resulted in cases being dropped by the Royal Canadian Mounted Police (RCMP). With this information no longer available on demand, law enforcement is apparently having to prioritize its cases. You know a system has gone off the rails when agencies would rather cherry pick enforcement efforts than deal with something so “onerous” as a warrant application.
No matter what the process entails, there’s supposed to be oversight in place to prevent abusive behavior and/or civil liberties violations. In Canada, the oversight body is willing, but the law enforcement body is weak… and riddled with massive holes.
Last fall, Daniel Therrien, the government’s newly appointed Privacy Commissioner of Canada, released the annual report on the Privacy Act, the legislation that governs how government collects, uses, and discloses personal information. The lead story from the report was the result of an audit of the Royal Canadian Mounted Police practices regarding warrantless requests for telecom subscriber information.
The audit had been expected to shed new light into RCMP information requests. Auditors were forced to terminate the investigation, however, when they realized that Canada’s national police force simply did not compile the requested information. When asked why the information was not collected, RCMP officials responded that its information management system was never designed to capture access requests.
So, there is no audit. And without a periodic audit, there can be no oversight. There may be an entity in place to collate reported data, but what’s being reported is incomplete and inaccurate. And not in any small way. The problem appears to be systemic, ingrained and possibly deliberately misleading. Some meaningful details have been redacted from the memo, but the mostly intact closing paragraph is far from comforting.
In conclusion, based on our review of statistics and interviews with senior officials at the RCMP we were unable to rely upon the numbers provided for warrantless access requests, nor was there any linkage between reports of such requests and the actual operational files containing such requests.
And the oversight entity? Apparently, almost as untrustworthy. Michael Geist points out that crucial wording was omitted from the Privacy Commissioner’s official report.
The incident highlights the limits of Canadian oversight over law enforcement and surveillance activities. The use of the privacy commissioner’s audit power is frequently lauded as a mechanism to ensure that government does not run afoul of the law. Yet despite identifying inaccurate and incomplete data on a high profile privacy issue, the public audit report does not use the terms “inaccurate” or “incomplete.”
The commissioner may have kept these damning terms (temporarily) out of the public’s eye in the official report, but even the more hedged version deployed there does nothing to instill confidence in the RCMP’s ability to handle this access responsibly or to submit to any form of accountability.
Ultimately, our efforts to review files, combined with our interviews with RCMP personnel, did not allow us to determine whether the RCMP, as a whole, was compliant, or non-compliant, with the provisions of the Privacy Act with respect to the collection of subscriber information without a warrant. Moreover, other than through a manual review of all case files stored, the RCMP does not have a means to demonstrate its compliance in this regard.
Even if the Privacy Commissioner is unwilling to say it, the conclusions speak for themselves. The RCMP is “non-compliant.” Stringent procedures that were implemented to ensure accountability have been largely ignored. The RCMP tries to claim it’s really just a “software program,” but that assertion doesn’t explain why more than four years down the road from the cited 2010 report, nothing has changed.
There is a likely explanation for this lack of careful reporting by the RCMP. For one, it helps obscure the paper trail. It also makes the possibility of mounting a legal challenge on its domestic data-gathering a much more daunting prospect. The RCMP may be unable to show what it’s doing right, but its lack of proper documentation helps ensure it will be equally as hard to prove it’s doing anything wrong.