Time for Canadian Privacy Regulators to Take Action on Pervasive Surveillance

As the near-weekly revelations of pervasive surveillance activities generate both debate and mounting opposition in the United States and Europe, the Canadian reaction has remained somewhat muted. Following an initial flurry of coverage over the surveillance activities of Canadian intelligence agencies, the issue has largely disappeared despite evidence that Canadian data is regularly collected by foreign intelligence agencies, most notably the U.S. National Security Agency.

Interestingly, the battle over the potential entry of Verizon into Canada may have opened the door to greater public scrutiny of the privacy practices of all telecom carriers. The debate unexpectedly features a privacy and surveillance dimension, with the incumbents and their unions raising fears about the link between Verizon and U.S. surveillance.

Verizon may raise privacy concerns, but my weekly technology law column (Toronto Star version, homepage version) notes it is worth asking whether the Canadian carriers can provide assurances that Canadian phone and Internet activity is any less prone to surveillance. The major Canadian carriers have been very secretive about many of these issues. In fact, a recent University of Toronto report found that none issue transparency reports (Google, Twitter, and Microsoft do), inform users about data requests, state where data is routed and stored, or avoid U.S. routing.
 
The extensive U.S. surveillance programs appear to capture just about all communications: everything that enters or exits the U.S., anything involving a non-U.S. participant, and anything that travels through undersea cables. This would seem to leave Canadian cellphone and Internet users at a similar risk of surveillance regardless of the nationality of the carrier and suggests that Canadian companies may be facilitating surveillance of their customers by failing to adopt safeguards that render it more difficult for foreign agencies to access data.

For example, both Bell and Rogers link their email systems for residential customers to U.S. giants, with Bell linked to Microsoft and Rogers linked to Yahoo. In both cases, the inclusion of a U.S. email service provider may allow for U.S. surveillance of Canadian email activity. While the Canadian privacy commissioner previously dismissed concerns associated with using U.S. email providers on the grounds that Canada had similar security laws, the new surveillance revelations suggest that a re-examination of that conclusion may be warranted.

The issue of avoiding U.S. routing is particularly important since even Canadian domestic communications that travel from one Canadian location to another may still transit through the U.S. and thus be captured by U.S. surveillance. Despite these risks, Bell requires other Canadian Internet providers to exchange Internet traffic outside the country at U.S. exchange points, ensuring that the data is potentially subject to U.S. surveillance.

Add in the regular surveillance demands for the email traffic that passes through Blackberry’s Waterloo-based servers and the likely interception of communications traffic through several undersea cables that enter Canada and there is little doubt that Canadian Internet and phone use is subject to significant U.S. surveillance activity.

Given these privacy risks, it is surprising that Canadian privacy regulators (which for telecom issues include both the Office of the Privacy Commissioner of Canada and the Canadian Radio-television and Telecommunications Commission) have remained largely on the sidelines as the surveillance revelations mount.

Responsibility for oversight of the Communications Security Establishment (the Canadian equivalent of the U.S. NSA) may fall to the CSEC Commissioner. However, the role of the private sector in facilitating surveillance activities sits squarely within the mandate of the privacy commissioner, while the CRTC has a clear role on telecom privacy concerns.

All companies have an obligation under Canadian privacy law to adopt minimally invasive practices, yet the use of foreign service providers or network routing that increases the likelihood of surveillance may run afoul of that obligation. With audit powers and the right to launch investigations, it is time for privacy regulators to proactively address whether Canada’s telecom companies should be doing more to protect their customers from foreign surveillance.

16 Comments

  1. David Collier-Brown says:

    Regrettably, our government doesn’t think laws apply to it
    This is not an unusual error, as many other countries think that a duty to “adopt minimally invasive practices” applies to everyone else.

    Kings used to think that too: they called it “the Divine Right of Kings”. They were wrong.

    Our government and all our public servants need to be reminded of this, and while applying them to a foreign “king” may be a good opportunity (:-))

    –dave

  2. Jean-François Mezei says:

    One has to question whether the Canadian government has any sovereignty on the privacy issues or whether as member of the “5 eyes”, it is basically a puppy that obeys orders from the USA and has no real choice on the matter.

    As such, a fight for privacy should be 2 pronged: A domestic fight, and one with the United States to promote moderation in spying activities.

    If the USA moderates its spying ambitions, it translates into more moderate requests to Canada by the USA for spying.

  3. The Ontario Privacy Commish has been fairly active on these leaks, issuing a press release back in July that Mass metadata collection violates every individual’s right to privacy:

    http://www.ipc.on.ca/images/Resources/2013-07-17 Metadata.pdf

    She’s also written a Primer on this as well:

    http://www.privacybydesign.ca/index.php/paper/a-primer-on-metadata-separating-fact-from-fiction

    Tech companies are involved in all of this as well. Back in the day, the main objection to getting businesses online was customer privacy. IT solution providers develop services specifically to keep people out to protect privacy. The fact that some in IT are allowing people in on a massive scale like this, is a mass breach of confidence and trust which will be felt in the markets (and to an extent already is) and in the tech sector. Big data may end up at an end after this, and those that want the data, will have to fight hard to earn trust back to get the data they are looking for.

  4. Insert Real Name says:

    A related question is whether either CSIS or CSEC have anything resembling a real inspectorate with full audit of their activities and external relations, and with real powers to forbid and stop them. They have review committees and so forth, but these are mostly reactive and take a very high altitude view; I’m not even sure they are authorized to see everything that these agencies do.

    Enhancing democratic control is even more important in the light of the revelations about the UK’s GCHQ “sub-contracting” for the USA’s NSA: one of the GCHQ presentations specifically touted the UK’s “lighter oversight” and permissive legal environment compared to the USA’s constitutional guarantees as an argument for the GCHQ’s surveillance sub-contracting. Canada has such a permissive legal regime as well, I believe, and thus could take on tasks (e.g. big-data analysis of US persons) that spread the NSA’s constitutional risks over all partners in the US-led Western surveillance alliance.

    I’m not sure how there can be any moderation of the US military-security-hightech-corporate complex at this point, it’s simply become so huge and money-making, and so well integrated into the post-9/11 N. American culture of fear of terrorism & “I’ve got nothing to hide” ostrich.

    In Canada, what politician really wants to burn themselves out with a concerted attempt to bring CSIS and CSEC to accountability? Let the dirty laundry secrets remain in the twilight zombie world of those agencies (and the PMO).

  5. Insert Real Name says:

    Oh, another gloomy thought to conclude: is there any Canadian media outlet not a subsidiary of a telecommunications company which would have the freedom of manoeuvre to partner with Snowden/Greenwald/Poitras if there were documents in the Snowden trove that dealt with Canadian aspects of telecommunications surveillance?

    What opportunities for prior restraint does the Canadian legal system offer to the government if Canadian journalists decide to “commit journalism” (cf. PM Harper’s comment about not wanting to “commit sociology”)? (Not being very informed about the legal system, I simply don’t know where to start to find out.)

  6. I believe moderation will come through private sector innovation. The worst thing the US gov did was get the private sector involved. Now there’s a very huge market need for secure communications. That will probably come from offshore providers. This could potentially have severe and long term effects on local IT sectors.

    Only way I see to avoid that would be to strengthen our privacy laws but that’s unlikely to happen any time soon.

  7. Insert Real Name says:

    Certainly private sector innovation and the displacement of IT business towards more privacy friendly offshore technology providers will probably occur (e.g. “silent circle”), but these effects are defensive in nature–the security/surveillance sector will still remain out of public control & oversight, and its institutions will still set the framework in which that innovation occurs or (more likely) is inhibited/blocked.

    It’s the secretive state-within-a-state operation of the security sector and institutions that has to be fixed. After all, one of the more surprising revelations on the US side was the cooperation of various law enforcement agencies in fabricating evidence in criminal proceedings to conceal the actual surveillance sources, a total denial of any kind of lawful or due process. How far can this cult of state secrecy go in the future? Will we all become chopped liver?

  8. “Certainly private sector innovation and the displacement of IT business towards more privacy friendly offshore technology providers will probably occur (e.g. “silent circle”), but these effects are defensive in nature–the security/surveillance sector will still remain out of public control & oversight, and its institutions will still set the framework in which that innovation occurs or (more likely) is inhibited/blocked.”

    If you inhibit innovation then that comes at great economic costs. Even if new tech was blocked eventually, then there will be something that will come out to unblock it. Essentially the net was built as an uncontrollable network. Traffic eventually re-routes. If I was in the Canadian IT sector (which I am), I’d be very concerned right now about my future.

  9. Take note that no American will object to the NSA spying on Canadian citizens and businesses. In fact, they will WANT the NSA to do so as it’s their job. Sensitive information re negotiations, etc. is placed in the of US business interests and taken advantage of.

    It’s up to us to educate on properly using encryption, etc. We have to rely on our government to create a climate where protecting your own privacy is not hindered in any way.

  10. @Byte
    At the same time, that leaves networks vulnerable. If we get into a situation where everyone is using encryption and tools so no one can be tracked, that creates a security risk.

    In IT privacy and security go hand in hand. You can’t have one without the other. If you go too far on either side they cancel each other out. The way to get people thinking about security is through privacy. If privacy laws are updated to severely punish corps who don’t comply, that will get everyone thinking about updating their IT infrastructure which is so badly not secured right now (also part of the Snowden leaks) because no one in Tech right now is thinking about privacy (rather Big Data which should be a thing of the past right now), including our own government.

    If we go the other route and not update our privacy legislation, then we’ve just accelerated a cyber arms cold war big time with huge costs to the tax payer and economy to stay ahead of the game, with no benefits to either party.

    I and many others have no probs with targeted investigations, but scooping up mass amounts of data sets, leaves room for innocent people being falsely accused because of the reliability of the automated systems being used, and the lack of oversight on people’s privacy by corps.

  11. To add..if privacy laws are not updated, it accelerates the cyber arms race at a time when the end points of the network are at risk because IT solutions have been based on grabbing mass data, rather than focusing on the protection and privacy of that data. Make sense?

    Snowden has done a great service coming forward. How less secure we become depends on how government treats the privacy implications.

  12. Insert Real Name says:

    I agree on the necessary reinforcement of privacy rights to avoid a kind of anti-surveillance arms race–my point is simply that none of that will work as long as the political system does not closely control the security apparatus and place it in democratic oversight, neither of which is happening now.

    The principles of personal privacy should be respected by my government and corporations as a matter of rights and laws, without needing to resort to convoluted encryption and anti-traffic-analysis techniques, or even being forced to abandon the old-fashioned internet protocols (e.g. SMTP) for something more surveillance resistant.

  13. @Insert Real Name
    “my point is simply that none of that will work as long as the political system does not closely control the security apparatus and place it in democratic oversight, neither of which is happening now.”

    You do this through privacy legislation. That’s where the oversight should be. Privacy legislation that has teeth will also allow government to demand that corps take network and data security way more seriously. As a result, our national cyber security will be beefed up huge.

    A lot of this has been unbalanced for some time. I’ve been following the security aspect of all of this for years now. All Snowden has done has confirmed what most of us in the IT solutions already know, and has been made public and has been for years. Snowden just provided a sensationalism aspect to everything, now finally IT admins have the attention of the public.

    A lot of people that should be involved in protecting privacy are not in large part due to business interests with Big Data, and self interests in copyright reform. The current ideology around privacy has been warped by business interests, and has made us all less secure as a result.

    Snowden has pointed out our weakest link (which is lack of oversight on our data in government and in the private sector), that is being very much exploited already and for years by our adversaries. It’s the worst kept secret in IT. Privacy law should be a national security priority as far as I’m concerned. That’s unlikely to happen due to the business interests in all of this. It’s extremely sad to see. Greed is a sin that puts us all at risk. You’d figure after the 2008 market crash, we would have figured that out by now as a society. We just keep kicking the can down the road because no one politically has the guts to deal with it. Sooner or later that can comes rolling back 1000x bigger.

  14. A 10 min clip from a 2009 PBS Documentary:

    Sound familiar? Note what the former NSA agent says at the end. Mass data collection, not the way to go. Targeted investigations are.

  15. Jurisdictional shopping
    Michael, would you be able to comment on the following:

    The US NSA is prevented by law from spying on US citizens, but intercepting foreign communications is ok. The Canadian CSEC is prevented from spying on Canadian citizens (with narrow exceptions), but allowed to intercept the communications of non-Canadians. If the NSA routinely collected all or nearly all electronic communications in Canada, and CSEC routinely collected all or nearly all electronic communications in the US, have any laws been broken if they share intelligence with each other?

  16. If Google knows nearly every Wi-Fi password in the world, does that include CANADA?
    http://blogs.computerworld.com/print/22806

    “If an Android device (phone or tablet) has ever logged on to a particular Wi-Fi network, then Google probably knows the Wi-Fi password.

    Considering how many Android devices there are, it is likely that Google can access most Wi-Fi passwords worldwide.” – Michael Horowitz, Computerworld Blogs