News

Why Canadians Should Be Demanding Answers About Secret Surveillance Programs

Privacy and surveillance have taken centre stage this week with the revelations that U.S. agencies have been engaged in massive, secret surveillance programs that include years of capturing the meta-data from every cellphone call on the Verizon network (the meta-data includes the number called and the length of the call) as well as gathering information from the largest Internet companies in the world including Google, Facebook, Microsoft, and Apple in a program called PRISM. This lengthy post provides some background on the U.S. programs, but focuses primarily on the Canadian perspective, arguing that many of the same powers exist under Canadian law and that it is likely that Canadians have been caught up by these surveillance activities.

The first revelation came from a story by Glenn Greenwald in the Guardian, in which he reported that the National Security Agency (NSA) is collecting phone records from millions of Verizon customers each day. U.S. authorities have sought to downplay the significance of the “meta data” from the phone calls, but many experts note that meta data can be more revealing than the content of the call itself. The cell phone meta data collection appears to be authorized through provisions from the USA Patriot Act, which permits a Foreign Intelligence Surveillance Act (FISA) court to order a business to produce certain documents. As Margot Kaminski explains, there are few safeguards over these programs.

The second revelation involved a program called PRISM, which apparently allows intelligence services preferential access to content and communications activities from companies such as Google, Facebook, Microsoft, Yahoo, and Apple (notably Twitter is not included in the list and the NY Times reports that they have declined to make surveillance easier for the government). The special access can be used obtain audio and video chats, photographs, e-mails, documents, and connection logs. Google has denied joining any program that provides direct access to its servers (as has Facebook), but the NY Times maintains there is active cooperation from these companies. Jennifer Granick notes that the legal authority for such a program likely comes from the Foreign Intelligence Surveillance Act (FISA) and the FISA Amendments Act (FAA). While there have been efforts to claim that this initiative only targets non-U.S. communication, the law permits monitoring provided only one participant is outside the U.S.

The two surveillance programs have sparked widespread outrage, but as Bruce Schneier points out, these programs are just a fraction of the surveillance programs currently deployed by U.S. agencies. Moreover, the U.S. Congress seems unlikely to curtail the programs (the NSA is building a $2 billion data storage centre in Utah to better meet its needs).

These surveillance revelations obviously raise huge issues in the United States, but they should similarly elicit concern in Canada (Ron Deibert shares that view here, Privacy Commissioner Jennifer Stoddart is said to be on alert). As Ivor Tossel states, “Canadians can in no way pretend to be above this.” Indeed, during some of the private discussions on lawful access, I was struck by the differing priorities of the various law enforcement and security branches. Local police forces were anxious for mandatory warrantless disclosure of subscriber data, but intelligence and security services seemed far less interested in those legislative powers, focusing instead on surveillance technologies. In hindsight, the reason seems obvious – they may already have access to the subscriber information without the need for lawful access legislation.

Canadian authorities wield many of the same powers used to justify the Verizon phone call meta-data surveillance program. For example, CSIS has some of the same powers as those found in the USA Patriot Act, including Section 215 applications. As Milana Homsi and I argued in a 2005 article:

Canada has similar disclosure provisions as those found in the USA Patriot Act. For example, s. 21 of the Canadian Security Intelligence Act provides for a warrant that permits almost any type of communication interception, surveillance or disclosure of records for purpose of national security. To obtain such a warrant, the Director of the CSIS or a designate of the Solicitor General is required to file an application with a Federal Court judge. The application must contain an affidavit stating “the facts relied on to justify the belief, on reasonable grounds, that a warrant… is required”. The application must also outline why other investigative techniques are inappropriate. The warrant will typically last 60 days and is renewable on application. Section 21 orders could presumably also be applied to U.S. companies operating in Canada.

The section 21 warrant is arguably similar to a section 215 application made to the FISA Court. Both do not require probable cause and both can be used to obtain any type of records or any other tangible thing. Moreover, the target of both warrants need not be the target of the national security investigation.

Not only can CSIS rely on these provisions to obtain secret warrants compelling disclosure, but there is considerable information sharing that takes place between government agencies without the consent of the person to whom the information relates. In its 2011 annual report, CSIS reported on hundreds of information sharing arrangements with foreign agencies:

In 2010-2011, CSIS implemented 11 new foreign arrangements and as of March 31, 2011, had 289 arrangements with foreign agencies or international organizations in 151 countries. Of those arrangements, 41 are currently defined as dormant, meaning there have been no information exchanges for a period of one year or longer. During that same period, six existing foreign arrangements were either enhanced or altered by the Service. Additionally, eight arrangements were categorized as having restricted contact due to concerns over the reliability of the foreign agencies in question. Exchanging information with foreign agencies remains a key component in CSIS’s ability to effectively carry out its mandate.

Information sharing is by no means limited to CSIS. As the Privacy Commissioner of Canada reported in 2004:

The federal Privacy Act allows personal information to be transferred outside Canada, even without the consent of the individual to whom the information relates. For example, the Act allows personal information under the control of a government institution (for example, information collected to issue passports) to be disclosed for specific purposes under an agreement or arrangement between the Government of Canada and the government of a foreign state. These purposes include administering or enforcing any law or carrying out a lawful investigation.

One such “agreement” is the Mutual Legal Assistance Treaty (MLAT) between Canada and the United States (Canada has signed similar treaties with 33 countries, including the United Kingdom, Australia and France, and two multilateral treaties also contain mutual legal assistance provisions). The Canada-US treaty came into force in 1990 and is an important tool for both governments to obtain evidence located in the territory of the other. US authorities might, for example, want information held by provincial, territorial or federal governments, by individuals in Canada, or by companies in Canada, in relation to a broad range of offences. They can rely on the treaty to obtain this information. 

Much like the Verizon phone call meta-data powers, there are reasons to believe that Canadian intelligence authorities wield many of the same powers as those used to justify the PRISM program. The Communications Security Establishment Canada has the power to assist CSIS, the RCMP and other agencies with their domestic monitoring operations, aided by several super-computers. Moreover, the Globe notes that virtually all CSEC activities remain secret, though its mandate is believed to cover similar terrain as the NSA with powers to monitor foreign communications or any communication that involves at least one foreign participant. That is consistent with its statutory mandate found in the National Defence Act:

(a) to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities;
(b) to provide advice, guidance and services to help ensure the protection of electronic information and of information infrastructures of importance to the Government of Canada; and
(c) to provide technical and operational assistance to federal law enforcement and security agencies in the performance of their lawful duties.

Activities carried out under (a) and (b):

(a) shall not be directed at Canadians or any person in Canada; and
(b) shall be subject to measures to protect the privacy of Canadians in the use and retention of intercepted information.

The CSEC annual report explains its monitoring practices, including the potential for interception of Canadian communications. The Canadian provisions sound awfully similar to the powers in the U.S.  Given the lack of transparency, it certainly seems possible that there are similar activities taking place here. In fact, its response to the PRISM story sounds strikingly similar to responses from U.S. authorities, as the CSEC refuses to comment on specific operations and merely confirms that it “operates within all Canadian laws.”

Moreover, in recent years, Canada and the U.S. have openly worked to integrate their security efforts. The U.S. – Canada Beyond the Border Action Plan seeks to improve information sharing between security agencies. A December 2012 update specifically points to work in this area.

Does this mean Canadian authorities are engaged in similar forms of surveillance? That phone companies such as Bell and Telus are subject to warrants similar to those faced by Verizon? That Internet companies co-operate with Canadian authorities? That Canadian and U.S. authorities share information obtained through programs such as the Verizon meta-data program or PRISM? That Canadians are targeted by the U.S. programs?

The law would suggest that all of these things are entirely possible. Given the integrated communications networks and the increased information sharing, it seems very likely. Yet since virtually everything remain shrouded in secrecy, Canadians don’t know for sure. As the calls for greater oversight ring out in the U.S., it is time for Canadians to consider the privacy and surveillance risks associated with cloud-based services and to demand answers and accountability from Canada’s politicians and security agencies.

22 Comments

  1. Canadians don’t enjoy US Constitutional protections that Americans enjoy
    Folks,

    When you use Internet services run by American companies, your data is free for taking. While Americans still do enjoy some of the constitutional protections (and even those PRISM docs show that they don’t willingly look at the data of Americans and only look at when they’re certain they’re 51% certain that they’re not Americans).

    But Canadians have no such protections. When you use Google, Facebook and so on, your data is parsed, analyzed and looked at FREELY! You have no protections of any kind!

    So quit using American services and start looking for Canadian alternatives. At least you’ll have privacy protections when you do so.

  2. @David “So quit using American services and start looking for Canadian alternatives. At least you’ll have privacy protections when you do so.”

    I would like to believe that, but with out assurances to the contrary I don’t see how. The only thing I can think is if Bill C-30 (or the desperately renamed “The Protecting Children from Internet Predators Act”) was an attempt to do the same at least it was quashed. Of course something of the sort with the USA where the ISP servers are tapped without even them knowing it is still a possibility.

    The only bright part in all of these recent revelations is Obama was about to meet with the Chinese leader to take him to task on cyber-warfare, I don’t usually find hypocrisy amusing but in this case I’ll take it.

  3. You are a salve, stupid
    Just get used to it. Most people are too stupid to comprehend their own rights, let alone knowing where the server is located, or even the concept of TCP/IP, metadata… Waay over their public education IQ…..

    The problem isn’t spying , the problem is mental retardation of the masses!

  4. The Curmudgeon says:

    Notice the reciprocity and its consequences
    US surveillance cannot cover US citizens but can cover foreign citizens. Canadian surveillance cannot cover Canadian citizens but foreign citizens. Countries can exchange information. This nicely gets around the problem of not surveiling your own citizens as you can get all the information collected by the other country.

    Protections? They don’t exist and never will. We’ve past the point where simple citizen protests in any one country can solve this problem.

  5. First.. Harper’s government has never been the friend of the average Canadian.

    Second.. If Canada isn’t spying on us, the US is.. plan for both.

    Third.. being a member of the “5 eyes” and NATO, one has to expect a fair amount of information sharing and after 9/11 you have to expect much of this is dictated by the US.

    That said, reading s.21 I don’t see how it is the same as the US. The US FISA orders (NSLs) are accompanied with a gag order. I don’t see that in s.21. s.21 also requires the sign off of a federal judge (warrant) with reasonable cause evidence. How this differs from probable cause, a lawyer needs to clue us in. But this certainly differs from the FISA warrant-less evidence gathering and provisions of the PATRIOT act of the US which seems key to PRISM.

    The Privacy Act also precludes the mass collection and transfer of information (http://en.wikipedia.org/wiki/Privacy_Act_(Canada)). Only specific exception apply. So if CSIS is collecting information on *everyone*, it can’t share *all* of it. Only the specifics(exceptions clause). Obviously for this to be any consolation, a certain amount of misplaced trust needs to be there that the government won’t abuse this. I am sure they will/would given the lack of transparency mechanisms.

    Maybe I am splitting hairs or misinterpreting things. Given Mr Geist’s native skill set in this area I am betting I am wrong all over. We are certainly going down a hole, and the hole might lead to the same place as the US.. but it seems like it is a different whole.

  6. Fishing
    Some years back Revenue Canada sought all trading records from Richardson’s Securities of Winnipeg. This went to the Supreme Court which ruled that it could not go on a fishing expedition for the records of all clients. Demands needed to be for the records of specific individuals. I suggest that this could apply to even wider demands from Telcos.

  7. RMycroft says:

    It’s not just the services, it’s the routing
    @David: Even if you could find Canadian equivalent services, your data traffic will likely pass through the United States, where it could be picked off. From Toronto, I just did a traceroute on vancouver.ca. The traffic passed through Chicago, Denver and Seattle before arriving in Vancouver.

  8. Old news.
    If Canadians would be shocked to learn that their federal government and police agencies monitor and analyze their internet and telephone traffic patterns to create social “graphs” of personal connections, then use that information to marginalize domestic political enemies and people capable of embarrassing institutions, then they would be very naive about what government does.

  9. Anonymous browsing
    If you don’t already have TOR downloaded and are worried about your data being snatched while browsing, then I highly recommend doing so now, although I don’t have any advice regarding the telephone and social networking issues.

  10. VPN
    Or get a privacy-conscious VPN service that doesn’t keep logs. For less than $10/month you can encrypt all your traffic through the VPN and exit from collective IP address.

    While it falls upon consumers to stop blindly handing over all their data to Google, Facebook, et al, this is not likely. At all.

  11. deeply concerned says:

    subcontracting: like torture, they can simply let someone else do it for cash or credit
    can Canada have a soveign government?
    or small competitive businesses?
    or even alternative industries?

    when the US has the power to ensure compliance?

  12. The Time is NOW!
    Of course Canada is in on it. Canada buys the exact same supercomputer NSA does and even helps in funneling the information for flag sweeps at the CSEC or Communications Security Establishment Canada (formerly known as the CSE or Canadian Security Establishment) in the Sir Leonard Tilley Building on Heron rd in Ottawa. This stuff has been going on for the past 3 decades.

    Every transmission, every phone call, every email, web search, satellite transmission etc have been recorded and stored. Canada has been a part of the ECHELON project as well as the PRISM project along with many other cooperative projects with other countries like Denmark, New Zealand etc who also have bases of operations in order to convey information on it’s citizens and what they do especially when they travel.

    The world is comprised of the elite class and the lower slave class. The elite class will always have the wealth and protect it against the slave class. It is why the rights and freedoms are slowly being taken away. All for control of its own citizens.

    How many of the corporate heads got into legal trouble during the US financial bubble? None that’s right. Why is that?! They sold CDO’s that were junk, paid a rating system to rate them AAA and sold them to investors and then purchased insurance that bet against it. Predator lending was at an all time high and who had to pay back the banks? The citizens. So the rich stole about 2 trillion dollars and got away with it scott free. Awesome isn’t it! The very people who designed that bubble were the same people in the presidential financial advisory boards. People like Larry Summers who wanted to make sure there were no laws to govern the awful CDO’s to be sold. Nice huh?

    The entire system is corrupt from the head down. The entire infrastructure needs to be redone. Get rid of the monetary system. It does not work. Use of the resource governance system (venus project) is a much better system. That way people are guaranteed rights, a home and food.

    The time is now to act while you still have some freedom’s. They are planning to implant RFID’s next…into every citizen. You are a slave Neo! 🙂 had to!

  13. not so private anymore says:

    VPN
    @Frank
    Seeking vpn suggestions.

  14. not so private anymore says:

    End Result
    So in short, the terrorists have won by causing our governments to become the very things they fought against.

  15. Giordano Bruno says:

    The proof, from 1990!
    Sadasius is right! All of this was revealed on pages 77-78 of the paperback edition of “Official Secrets: The Inside Story of The Canadian Security Intelligence Service” by Richard Cleroux, which was published in 1990 by McClelland and Stewart. (From the cover… “Good muckraking fun” — The Globe and Mail ?!?!?!?) IIRC, this was BEFORE Echelon was even rumoured on the Internet! Fully disclosed, with details. But it was completely missed by the world at large because (presumably) it’s very easy to ignore something that appears in a Canadian publication. 😛 But there it is, for your historical reference.

  16. Bruce Ryan says:

    Reverend
    We’ve spoken of this entire agenda for decades… it’s no surprise. At all. A global perspective calls for more than just “alarm” or “concern” or “outrage”: the Agenda is very far advanced. Any citizen who believes otherwise is just watching WAY too much TV and drinking too much fluoride. Which means, of course, that the revolution will not be televised. Official Secrets. Of course! Business as usual.
    This is basically arguing about deck chairs on the Titanic. Humanity has a very serious issue that I doubt even the globalist technocratic elite can deal with on a realistic level. Burn the planet down and will even the 1% survive? Count the money while you hold your breath and pray the toxic chemicals in the air, the water and the earth haven’t already sealed your fate. Pray your children haven’t inherited your sins. Poison your home in the name of profit driven by greed. Your children’s children shall suffer all your transgressions against Mother Nature.
    We’re talking about the Destroyers listening in as the population begins to wake the fuck up… a little too little a little too late.
    I haven’t seen a single honey bee in the past two weeks. The CO2 level is over 400ppm. We are the Warriors of the Rainbow ~ as the prophecies have foretold.
    Blessings

  17. The tools of tyranny.
    This is exceedingly dangerous for anyone who takes issue with what the government is doing/permitting/hiding/not doing. Should you wish to be part of a protest – this surveillance – will discourage it. It will help isolate people to individuals that can be controlled, persecuted, and removed for one reason or another. It is at their discretion/whim. We have Guantanamo and a whole host of ‘alt’ prisons in other countries that the US government has used to imprison people without trial. Without justice. The US has a for-profit prison system which is highly corrupt. Anyone that the government (as representatives of their owners the oligarchs) deems unsuitable to the preservation and progress of the oligarchs agenda is a target. Is at risk of their life if they speak out. That goes for here in Canada as well. As people sit idly by, making jokes, not realizing how serious this is, we are handing over willingly our rights like they are worthless to those who know just how valuable they are to control us. God help us, I pray. Wake up before it is too late.

    “The wisest thing in the world is to cry out before you are hurt. It is no good to cry out after you are hurt; especially after you are mortally hurt. People talk about the impatience of the populace; but sound historians know that most tyrannies have been possible because men moved too late. it is often essential to resist a tyranny before it exists.”
    ― G.K. Chesterton

  18. anonymous says:

    I’m amazed at how paranoid you people are. Yes it is important to be vigilant but lettng your paranoid deliusions get the better of you is just silly. BTW Sadasius you are correct that CSEC was formerly called CSE but is stood for Communications Security Establishment (note no Canada) rather than what you siad. Sheesh if you can’t get the simplest things correct why on earth do you think you have the big complicated things accurate?

  19. Big Brother is watching says:

    All you networks are belong to US
    The average Canadian have no say in how their internet traffic are routed. More often than you think, your traffic goes pass the US even when you are only visiting a Canadian website.

    So even when The Canadian government follows their own laws and constitution, we are still spy on by the US.

    http://ixmaps.ca/tour.php
    >As a result of a variety of technical, economic and policy choices made principally by private corporations, Canadian internet traffic is often routed through the US, even when both origin and destination are within Canada.

    >One example of a boomerang route is traceroute 4168, which originates in Toronto, and is destined for the Hockey Hall of Fame website, also in Toronto, but goes to Chicago and back.

    More examples here:
    http://ixmaps.ca/sovereignty.php

  20. Pseudo-anonymous says:

    email me at wigglehush.ai if you want me to reply
    Though this doesn’t address the HUGE issue regarding the mass blanket surveillance (and network/social monitoring) that this article is speaking of, there are several options for preserving *some* (read: very little) of your overall privacy from prying eyes (e.g. CSIS, telcoms, eavesdroppers, hackers, etc).

    ——————————————————————
    Don’t ask your government for your Privacy, take it back:

    Browser Privacy: HTTPS Everywhere, AdBlock Plus + EasyList (+ EasyPrivacy), Ghostery (make sure you set it up properly!), RefControl (make sure to set it up to your liking), disable third-party cookies + tick the “Do Not Track” or “Tell sites not to track me” option in the preferences (see note below on criticisms of this option), NoScript (FireFox), NotScript (Chrome), opt out of Google’s analytics (http://is.gd/OyxO9S)
    VPNs: Private Internet Access (US), BTGuard (Canada), ItsHidden (Africa), Ipredator (Sweden), Faceless.me (Cyprus / Netherlands)
    Internet Anonymization: Tor, Tor Browser Bundle, I2P, VPNs
    Disk Encryption: TrueCrypt open source(Windows / OSX / Linux), File Vault (Mac).
    File/Email Encryption: GPGTools + GPGMail (Mac), Enigmail (Windows / OSX / Linux), of PGP in general IF setup correctly
    IM Encryption: Pidgin + Pidgin OTR, http://crypto.cat (web-based but make sure to READ all the security risks as your single point of failure is with the browser itself)
    IM/Voice Encryption: Mumble, Jitsi
    Phone/SMS Encryption: WhisperSystems (TextSecure + RedPhone, both for android and open source), Ostel, Spore, Silent Circle ($$$)
    Google Alternative: DuckDuckGo, StartPage (has never given any information to governments + strips PII like IPs from searches before passing the search term to Google), IXQuick
    (Volunteer) Digital P2P Currency: BitCoin, Litecoin, etc
    Live Anonymous/Secure Linux: TAILS Linux

    If you have any problems installing or using the above software, please contact the projects. They would love to get feedback and help you use their software.

    Have no clue what Cryptography is or why you should care? Checkout the Crypto Party Handbook or the EFF’s Surveillance Self-Defense Project.

    Source: https://gist.github.com/postmodern/5018337 + my edits
    ——————————————————————

    Obvious note: Never use Facebook, Skype/MS or Google/Gmail (gmail is not encrypted, SSL excluded, in any way nor is their chat client actually OTR)

    Here’s some further reading for those inclined:

    First: please read, in it’s ENTIRETY this yellow highlighted post: http://is.gd/ojTadV
    – A seriously underlooked aspect of these spying revelations – http://is.gd/BI5bFX
    – Richard Stallman on cellphone tracking – https://www.youtube.com/watch?v=WGkNiRFwmOg (relevant link to the German politician’s visual cellphone tracking: http://www.zeit.de/datenschutz/malte-spitz-data-retention ; keep in mind the Germany has some of the strongest privacy laws in the EU/World due to their history (e.g. Nazis, Waffen SS, etc))
    – Daniel Solove – ‘I’ve Got Nothing to Hide’ and Other Misunderstandings of Privacy – http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565
    – PRISM vs TOR onion routing network as explained by the Tor Project – https://blog.torproject.org/blog/prism-vs-tor
    – Tor and HTTPS as explained by EFF – https://www.eff.org/pages/tor-and-https
    – DuckDuckGo sites: http://fixtracking.com/ (helpful tips and information) + http://donttrack.us/ (privacy tracking) + http://dontbubble.us/ (search bubbling) + http://whatisdnt.com/ (DNT is voluntary)
    – If you’re in the US please go here: https://www.stopwatching.us/?r=eff
    – My life as a spyware developer – https://www.youtube.com/watch?v=k2mdUcOXW6I (there are better ones but I don’t have time to look them up, atm)

  21. Anyone know more about rulings in this context?
    As far as I can tell, we have never had a supreme court blunder like that of SCOTUS which allowed for the major gripes that US citizens have with PRISM, mostly via this ruling:

    https://en.wikipedia.org/wiki/Smith_v_Maryland

    Or at least, all available information indicates that even if such a similar ruling in Canada does allow CSIS/CSEC to collect metadata internally, they aren’t.

    Have you found a Canadian court ruling which would indicate that a program like PRISM is legal in Canada?

    Because the National Defense Act in Canada clearly indicates that it is not, and again, I have yet to see any judicial action in Canada that would allow for this type of behaviour from these agencies.

    I hope I do not run into this information, ever, as I would start to melt.


  22. I would like to know if I can even find out why I am under extreme surveillance in Toronto. I am law-abiding, Canadian born, a professional. My home is entered multiple times a day. All of my communications are tampered with. I cannot obtain any assistance. This new iMac has been downgraded, to prevent me from obtaining info. I cannot even FIND, a lawyer, unless it is one the security forces wish me to have. They will possibly torture me for this post.