Surveillance in Canada 101

This article originally appeared on OpenCanada.org.

The information leaked by Edward Snowden about the U.S. National Security Agency (NSA)’s data collection programs is driving a nation-wide debate in America over the future of privacy and national security. Americans, however, are not the only ones who should be considering the consequences the NSA’s activities. Other countries, including Canada, operate similar surveillance programs and participate in national security data sharing partnerships that crisscross the globe. Given this reality, and the fact that much of Canadians’ online data flows though servers located in the U.S. where it is not subject to any Fourth Amendment protection, we think the tenor of the privacy-security debate within Canada is too quiet. Expanding the debate will require engaging more Canadians with what we know and don’t know about surveillance in Canada. To this end, here is a modest exploration of what we’ve learned since the Snowden story broke.

What kind of data is the Canadian government collecting?

Since 2001 Canada’s government surveillance agency, Communications Security Establishment Canada (CSEC) has been monitoring communications transmitted from or received in Canada to identify potential security threats. Part of the Canadian security apparatus since 1941, CSEC currently employs 2,000 people and has a budget of $422 million, according to statements made by CSEC spokesperson Ryan Foreman.

CSEC has increasingly focused on mining communications metadata, which refers to mass computer searches for information on electronic communications. The handing over of telephonic metadata from American Verizon subscribers to the NSA sparked the ongoing debate in the U.S. This type of metadata can include where a telephone call is initiated from, the number to which the call is made, and the duration of the call.

What does metadata tell the government?

Data points like these allow the government to map out not only who knows who, but how well and for what purpose. Deviations from established patterns of activity can also be identified and analyzed. Citizen Lab Director Ron Deibert has pointed out that “MIT researchers who studied 15 months of anonymized cellphone metadata of 1.5 million people found four “data points” were all they needed to figure out a person’s identity 95 per cent of the time… Access to metadata, when combined with powerful computers and algorithms, can also allow entire social networks to be mapped in space and time with a degree of precision that is extraordinarily unprecedented, and extraordinarily powerful.”

Is the government mining my metadata?

CSEC insists that it does not target Canadian citizens and that metadata intercepted unintentionally is safeguarded under Canadian privacy laws.

So why should I be worried?

Concerns over data mining and surveillance were voiced in Canada even before Snowden exposed the NSA’s PRISM, Xkeyscore, and affiliated programs. Globe and Mail reporter Colin Freeze has written that on November 11, former Defence Minister Peter McKay introduced legislation to renew Canada’s metadata surveillance program. The program had been suspended after a federal watchdog expressed concerns that there were insufficient checks on the extra data collected on individuals of no interest to security personnel vacuumed up in the process of collecting data on suspicious individuals. One worry was that data gathered by CSEC as part of “foreign intelligence” collection could end up being shared with the domestic law enforcement agencies who would normally need a warrant.

Despite a lack of public evidence that such issues have been addressed, CSEC’s importance within the Canadian security establishment is growing. Colin Freeze has reported that “the Canadian government is building CSEC a gleaming new $900-million, 72,000-square-metre compound in Ottawa – even as it has relocated military and RCMP operations to older, cheaper offices on the outskirts of the nation’s capital, in buildings vacated by fallen technology companies.”

Who else has access to Canadian metadata and under what conditions can it be used?

Beyond the question of what data Canadian security agencies are collecting is the issue of who else may be gathering Canadian data, and how that data is being used and stored.

It is well known that Canadian data flows through servers located abroad, including the United States. What was not know until Edward Snowden’s interview with the Guardian was that Canadian metadata was among that being swept up by the NSA. The PRISM program secretly collected data from many web services including Google, Microsoft, Apple, Skype and Facebook as well as metadata found through phone calls and emails. Since these interfaces are “borderless”, Canadian data could be collected. Dr. Michael Geist of the University of Ottawa has explained why it is “entirely possible” that Canadian data has been targeted and obtained by U.S. programs.

So it’s just the U.S. government we have to worry about?

The Canadian government has stated that CSEC does not have access to the data collected through PRISM, but it has not confirmed or denied allegations that it has been granted special access to data on Canadian citizens specifically.

Metadata inadvertently intercepted by the NSA can be stored for up to five years or longer if it becomes of interest to law enforcement. New technology-enabled capabilities such as this have led some to argue that legal protections for the personal communications of Canadians are weak and outdated. Michael Geist has commented that “The problem is that surveillance technologies (including the ability to data mine massive amounts of information) have moved far beyond laws that were crafted for a much different world. The geographic or content limitations placed on surveillance activities by organizations such as CSEC may have been effective years ago when such activities were largely confined to specific locations and the computing power needed to mine metadata was not readily available. That is clearly no longer the case.”

How are Canadians responding to the issue of government surveillance?

Many Canadian parliamentarians have spoken out about their concerns over Canadian privacy. Two critical voices are that of Liberal MP Wayne Easter, the man responsible for overseeing CSIS in 2002-03, and who wants to see “some kind of political oversight, beyond just the ministers” and Privacy Commissioner Jennifer Stoddart. In her comments on Canadian data collection, she has stated that “we know very little specific information at this point, but we want to find out more” and that the collection raises “significant concerns”.

Daphne Guerrero, manager of public outreach and education for the office of the privacy commissioner, has also spoken out about the online privacy of Canadians, noting during a CBC web cast that “even the most public people have something to keep private”.

Leading academic voices include Michael Geist, who has raised the question of “who is watching the watchers”.  Geist raises the issue that “Not only do the surveillance programs themselves raise enormous privacy and civil liberties concerns, but oversight and review is conducted almost entirely in secret with little or no ability to guard against misuse”. Ron Deibert wants greater accountability for those with access to our digital private lives. “Oversight of CSEC is really thin, compared to even the oversight that takes place at the (U.S.) National Security Agency… There’s one retired judge with staff that issue an annual review — and in all the years they’ve been doing reviews, they’ve never once found a single problem with CSEC.”

Andrew Clement is concerned by information sharing by CSEC, and Craig Forcese questions whether Canada’s intelligence and security review bodies are up to the challenge posed by new surveillance technologies.

Why haven’t I heard more about this in the media?

The Canadian media has reported widely on the Snowden leaks, less so on the surveillance story at home. A few voices and videos stand out: Alongside Colin Freeze’s sharp analysis of CSEC – “soon to be a literal bridge of the divide between foreign and domestic intelligence” – journalist Jesse Brown has weighed in on the role of telecom companies, and the uneven public interest in surveillance. Jim Bronskin recently reported that CSEC follows complies with federal policy on information-sharing when there is a risk of torture.

Anybody else?

In Canadian civil society, author Andrew Mitrovica finds the biggest problems stem from the information-sharing networks Canada participates in internationally. He has commented that “The pervasive scope and intrusive nature of the [American] surveillance state is breathtaking. It would be a big mistake for you to believe that what Snowden has divulged is solely an American phenomenon without connection to, or consequences for, Canada and Canadians.”  CSEC expert Bill Robinson is also skeptical of the Canadian government’s assurances that it is not spying on Canadians and believes that “if we are to master that Internet, we will have to do it together”.

Openmedia.org has started a petition to stop secret spying and to demand answers from the Canadian government. Canadian experts on government surveillance who have voiced their concerns regarding Conservative party legislation can be found at unlawfulaccess.net

So what do we do now?

Debates over mass government surveillance of communications are likely to continue until processes and regulations to create and sustain a balance between security and transparency in the digital age have been put in place. General complacency around government surveillance – the ‘I have nothing to hide’ attitude – concerns experts in the field. They argue that in order for Canadian society to remain open, citizens must ensure there are appropriate checks and balances on government surveillance programs.

OpenCanada will be soliciting answers from experts over the coming months to the following questions:

• What information should Canadian citizens have access to regarding government surveillance programs? What information should Canadian authorities be able to gather, share, and store on Canadian citizens?

• What policies should be implemented and what laws should be updated or created to avoid a repeat of the PRISM situation in Canada?  Does the combination of data sharing agreements and flow of data though U.S. servers make any distinction between American and Canada surveillance law in practice moot?

• Should greater public knowledge of surveillance programs motivate Canadians to change how and what they communicate, and which companies they use? Will it?

• Why aren’t we seeing more public debate about surveillance in Canada? How would you like to see the Canadian surveillance debate develop?