Privacy and surveillance have taken centre stage this week with the revelations that U.S. agencies have been engaged in massive, secret surveillance programs that include years of capturing the meta-data from every cellphone call on the Verizon network (the meta-data includes the number called and the length of the call) as well as gathering information from the largest Internet companies in the world including Google, Facebook, Microsoft, and Apple in a program called PRISM. This lengthy post provides some background on the U.S. programs, but focuses primarily on the Canadian perspective, arguing that many of the same powers exist under Canadian law and that it is likely that Canadians have been caught up by these surveillance activities.
The first revelation came from a story by Glenn Greenwald in the Guardian, in which he reported that the National Security Agency (NSA) is collecting phone records from millions of Verizon customers each day. U.S. authorities have sought to downplay the significance of the “meta data” from the phone calls, but many experts note that meta data can be more revealing than the content of the call itself. The cell phone meta data collection appears to be authorized through provisions from the USA Patriot Act, which permits a Foreign Intelligence Surveillance Act (FISA) court to order a business to produce certain documents. As Margot Kaminski explains, there are few safeguards over these programs.
The second revelation involved a program called PRISM, which apparently allows intelligence services preferential access to content and communications activities from companies such as Google, Facebook, Microsoft, Yahoo, and Apple (notably Twitter is not included in the list and the NY Times reports that they have declined to make surveillance easier for the government). The special access can be used to obtain audio and video chats, photographs, e-mails, documents, and connection logs. Google has denied joining any program that provides direct access to its servers (as has Facebook), but the NY Times maintains there is active cooperation from these companies. Jennifer Granick notes that the legal authority for such a program likely comes from the Foreign Intelligence Surveillance Act (FISA) and the FISA Amendments Act (FAA). While there have been efforts to claim that this initiative only targets non-U.S. communication, the law permits monitoring provided only one participant is outside the U.S.
The two surveillance programs have sparked widespread outrage, but as Bruce Schneier points out, these programs are just a fraction of the surveillance programs currently deployed by U.S. agencies. Moreover, the U.S. Congress seems unlikely to curtail the programs (the NSA is building a $2 billion data storage centre in Utah to better meet its needs).
These surveillance revelations obviously raise huge issues in the United States, but they should similarly elicit concern in Canada (Ron Deibert shares that view here, Privacy Commissioner Jennifer Stoddart is said to be on alert). As Ivor Tossel states, “Canadians can in no way pretend to be above this.” Indeed, during some of the private discussions on lawful access, I was struck by the differing priorities of the various law enforcement and security branches. Local police forces were anxious for mandatory warrantless disclosure of subscriber data, but intelligence and security services seemed far less interested in those legislative powers, focusing instead on surveillance technologies. In hindsight, the reason seems obvious – they may already have access to the subscriber information without the need for lawful access legislation.
Canadian authorities wield many of the same powers used to justify the Verizon phone call meta-data surveillance program. For example, CSIS has some of the same powers as those found in the USA Patriot Act, including Section 215 applications. As Milana Homsi and I argued in a 2005 article:
Canada has similar disclosure provisions as those found in the USA Patriot Act. For example, s. 21 of the Canadian Security Intelligence Act provides for a warrant that permits almost any type of communication interception, surveillance or disclosure of records for purpose of national security. To obtain such a warrant, the Director of the CSIS or a designate of the Solicitor General is required to file an application with a Federal Court judge. The application must contain an affidavit stating “the facts relied on to justify the belief, on reasonable grounds, that a warrant… is required”. The application must also outline why other investigative techniques are inappropriate. The warrant will typically last 60 days and is renewable on application. Section 21 orders could presumably also be applied to U.S. companies operating in Canada.
The section 21 warrant is arguably similar to a section 215 application made to the FISA Court. Both do not require probable cause and both can be used to obtain any type of records or any other tangible thing. Moreover, the target of both warrants need not be the target of the national security investigation.
Not only can CSIS rely on these provisions to obtain secret warrants compelling disclosure, but there is considerable information sharing that takes place between government agencies without the consent of the person to whom the information relates. In its 2011 annual report, CSIS reported on hundreds of information sharing arrangements with foreign agencies:
In 2010-2011, CSIS implemented 11 new foreign arrangements and as of March 31, 2011, had 289 arrangements with foreign agencies or international organizations in 151 countries. Of those arrangements, 41 are currently defined as dormant, meaning there have been no information exchanges for a period of one year or longer. During that same period, six existing foreign arrangements were either enhanced or altered by the Service. Additionally, eight arrangements were categorized as having restricted contact due to concerns over the reliability of the foreign agencies in question. Exchanging information with foreign agencies remains a key component in CSIS’s ability to effectively carry out its mandate.
Information sharing is by no means limited to CSIS. As the Privacy Commissioner of Canada reported in 2004:
The federal Privacy Act allows personal information to be transferred outside Canada, even without the consent of the individual to whom the information relates. For example, the Act allows personal information under the control of a government institution (for example, information collected to issue passports) to be disclosed for specific purposes under an agreement or arrangement between the Government of Canada and the government of a foreign state. These purposes include administering or enforcing any law or carrying out a lawful investigation.
One such “agreement” is the Mutual Legal Assistance Treaty (MLAT) between Canada and the United States (Canada has signed similar treaties with 33 countries, including the United Kingdom, Australia and France, and two multilateral treaties also contain mutual legal assistance provisions). The Canada-US treaty came into force in 1990 and is an important tool for both governments to obtain evidence located in the territory of the other. US authorities might, for example, want information held by provincial, territorial or federal governments, by individuals in Canada, or by companies in Canada, in relation to a broad range of offences. They can rely on the treaty to obtain this information.
Much like the Verizon phone call meta-data powers, there are reasons to believe that Canadian intelligence authorities wield many of the same powers as those used to justify the PRISM program. The Communications Security Establishment Canada has the power to assist CSIS, the RCMP and other agencies with their domestic monitoring operations, aided by several super-computers. Moreover, the Globe notes that virtually all CSEC activities remain secret, though its mandate is believed to cover similar terrain as the NSA with powers to monitor foreign communications or any communication that involves at least one foreign participant. That is consistent with its statutory mandate found in the National Defence Act:
(a) to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
(b) to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and
(c) to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.
Activities carried out under (a) and (b):
(a) shall not be directed at Canadians or any person in Canada; and
(b) shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.
The CSEC annual report explains its monitoring practices, including the potential for interception of Canadian communications. The Canadian provisions sound awfully similar to the powers in the U.S. Given the lack of transparency, it certainly seems possible that there are similar activities taking place here. In fact, its response to the PRISM story sounds strikingly similar to responses from U.S. authorities, as the CSEC refuses to comment on specific operations and merely confirms that it “operates within all Canadian laws.”
Moreover, in recent years, Canada and the U.S. have openly worked to integrate their security efforts. The U.S. – Canada Beyond the Border Action Plan seeks to improve information sharing between security agencies. A December 2012 update specifically points to work in this area.
Does this mean Canadian authorities are engaged in similar forms of surveillance? That phone companies such as Bell and Telus are subject to warrants similar to those faced by Verizon? That Internet companies co-operate with Canadian authorities? That Canadian and U.S. authorities share information obtained through programs such as the Verizon meta-data program or PRISM? That Canadians are targeted by the U.S. programs?
The law would suggest that all of these things are entirely possible. Given the integrated communications networks and the increased information sharing, it seems very likely. Yet since virtually everything remains shrouded in secrecy, Canadians don’t know for sure. As the calls for greater oversight ring out in the U.S., it is time for Canadians to consider the privacy and surveillance risks associated with cloud-based services and to demand answers and accountability from Canada’s politicians and security agencies.