Trend 3 – The Blurring of Sectors

Where surveillance was once conducted mainly by government or policing agencies, outsourcing has brought for-profit organizations into the surveillance arena. Corporate gathering of personal data now outstrips that done by police and intelligence agencies.

Throughout our lifetimes, we provide information about ourselves to both the public and private sectors in a variety of different contexts. When we file a tax return or get a driver’s licence, we know that the government in some file or another will retain the information we provide. Similarly, when we use a credit card, sign a phone contract, or join a customer loyalty program, we know that the corporation we are doing business with is probably keeping a record of our encounters and what we tell them. If we have concerns about the collection and use of this information, those concerns tend to differ depending on whether we are dealing with the government or a corporation. And, in Canada, different privacy laws apply to personal information depending on whether it is held by a public agency or a private business.

Although there are technical, organizational, and legal limits on what information may travel where (for example, a warrant is required before accessing private spaces and information, and we expect the private sector to limit collection and also allow us to address any inaccuracies in the information), it is clear that data are now flowing freely between public and private agencies. Indeed, data from one sector so often pop up in the other sector that it can be difficult to differentiate between government and corporate surveillance. Since governments and corporations have very different rationales and mandates, the implications for accountability are huge.

The blurring of the public and private sectors is itself driven by two major factors. First, there is a widespread belief that government and the private sector should work in tandem to maximize efficiency and productivity. Because of this belief, many tasks that were once performed by government are now outsourced to companies. The second crucial factor is that new technologies facilitate the breakdown of traditional institutional distinctions both across and within sectors, allowing data to flow in both directions without the traditional oversight requirement of a judicial warrant. So the breakdown of the barriers between the public and private sectors is both a cause and a consequence of increasing surveillance.

The patterns are complex and multiple. However, to highlight these trends, we have identified three new practices that are breaking down the institutional barriers between public and private agencies:

  • access to communications data by law enforcement;
  • legislative changes that require more and more sharing of personal data from companies to government, and vice versa;
  • and the contracting out of the security function to the “surveillance industry.”

Lawful Access in Canada

One of the most compelling—and controversial—examples of the consequences of this free flow of data between the public and private sectors revolves around proposed “lawful access” provisions designed to make it easier for police to access the data generated by customers through the use of networked communications platforms. Some of these provisions manifest as changes to laws that regulate the disclosure of information between private companies and public authorities. Others, perhaps more sinisterly, refer to how public authorities can gain backdoor access by acquiring information from the network. This occurs either with or without the consent of private sector organizations themselves.

Legislative changes, proposals, and pressure in lawful access

In Canada, for example, public authorities (such as CSIS, the RCMP, and the CBSA) requested information from telecommunications companies about 1.2 million times per year.1 That’s one request every 27 seconds. Almost overwhelmingly, sharing occurs without the knowledge or consent of the customers of these services. And furthermore, once that information is turned over to public authorities, it becomes very difficult to ascertain whether CSIS or the RCMP might have a file on you based on information gleaned from your mobile phone provider or transit company where you work. Governments are attempting to alleviate any legal responsibility held by private sector organizations in the event that harms could be sustained because of this sharing.

In 2013, Bill C-13, “The Cyberbullying Bill”, was introduced into Canadian Parliament. Bill C-13 contains several lawful access provisions and continues to illustrate the difficult privacy implications of public-private data sharing partnerships. However, understanding lawful access in Canada requires that we turn the clock back a few years to 2011. In that year, an Omnibus Crime Bill package, bundling together three bills, was brought before the Canadian Parliament. The relevant sections of the bill proposed that Internet service providers (ISPs), which provide access to the Internet, be required to turn over, for “security” reasons, certain subscriber data (such as the identity of a person using a particular IP address) to the state without a warrant.2 The proposed law, which in effect made ISPs take on a de facto police function, elicited deeply concerned responses from both federal and provincial privacy commissioners, who combined their concerns in a letter to Canada’s deputy minister of Public Safety. A media campaign on television and the Internet called “Stop Online Spying” sprang into life to raise awareness of the far-reaching negative consequences of passing such legislation, and 145,000 Canadians signed an online petition to voice their concerns. As a result, the provisions were shelved, and a number of months after the debacle the government indicated that it would not be pursuing the matter further.

Currently, lawful access legislation is back, appearing (most significantly) as the aforementioned Bill C-13. This bill removes warrantless mandatory disclosure of basic subscriber information and drops the requirement for telecommunication companies to build intercept capability within their infrastructure. However, the bill still introduces a new system for voluntary disclosure of subscriber information that provides legal immunity for the companies, and removes any requirement that would have authorities keep a record of the number of times they are requesting information. In addition, the bill introduces lower thresholds for authorities to access metadata and locational information. As Michael Geist notes,

“the government may have removed the mandatory warrantless disclosure requirements, but it has inserted a provision that may expand the number of requests to preserve or disclose personal information without a warrant and created legal incentives for Internet providers and telecom companies to comply ‘voluntarily’.”3

Bill C-13 (and its previous manifestations) is an excellent example of the consequences of the evolving (and dissolving) line between the public and private sectors and of co-opting companies into the business of government. Critics argue that Canadian citizens, ISPs, social networks, and even handsets and cars would be turned into spy tools for the state under such legislation. The trend toward public-private blurring alters time-honoured expectations about the kind of relationship citizens in a democracy can enjoy with their government.

These legislative conflicts also reveal the extent to which private companies can be regarded as essential tools for law enforcement. Social Networking Services are a prime resource for law enforcement, both as an accessible platform for investigators to collect information and as a vast databank from which data about users can be disclosed. Some companies, aware of the public relations risks that are associated with ‘over-sharing’ with law enforcement, have sought to publicly communicate the scale of these relationships. Google, for instance, regularly reports the number of law enforcement requests for information about its users by country. Note, however, that Canadian companies such as Distributel and TekSavvy resist warrantless access to user data. Smaller Internet service providers without extensive legal staff might find it far more difficult to refuse requests for user data.

Conclusion

This chapter comes to the stark conclusion that, in twenty-first-century Canada, surveillance is expanding steadily as personal data flow, in unprecedented ways, between private and public bodies. The blurring between these agencies may be illustrated in many ways, but the effect of driving more surveillance is common to each case. Public and private bodies have different mandates and different modes of accountability, and personal data become vulnerable to misuse and abuse as the data streams flow in new directions.

Data gathered for one purpose may easily be used for another when public and private organizations share data, which flies in the face of basic fair information practices. Also, accountability for personal-data handling becomes a real challenge when different legal regimes supposedly govern public and private entities. From the viewpoint of the ordinary citizen, it means that you can rarely ever know when personal information collected by government or police might become visible to commercial bodies or when data collected from a customer transaction could end up in a dispute over government benefits or could prevent you from boarding a flight. The complex and shifting network of relationships among public agencies, private corporations, and many other institutions in the vast grey area in between complicates the analysis, renders simplistic metaphors about Big Brother meaningless, challenges the ordinary citizen, and taxes our privacy laws.

Read the full trend in the free download of the Transparent Lives: Surveillance in Canada book.
