As a lifelong Seattle Seahawks fan, this past Sunday’s Super Bowl – with the Hawks a yard away from winning their second straight championship only to give up a late interception – felt like a punch in the gut. Nearly two days later, I’m still trying to catch my breath. The end to Super Bowl 49 was actually the second time in the week that I was left feeling shocked and speechless. Throughout the week, the combination of Snowden revelations regarding Canada’s role in the daily tracking of the Internet activities of millions and the introduction of Bill C-51, the anti-terrorism legislation, left me similarly grappling to make sense of the swirling developments.
It would appear that the immediate response from many, particularly the opposition parties, has centered on the need for improved accountability and oversight. There is no doubt that the failure to address Canada’s weak oversight system of surveillance and intelligence activities is a major flaw (particularly since oversight was actually reduced in 2012). For a government that introduced the Federal Accountability Act as its very first piece of legislation (and supported more oversight when in opposition) to now dismiss oversight as “red tape” is simply shameful. Better oversight and accountability should be a proverbial “no-brainer”: it bolsters public confidence and, as demonstrated elsewhere, need not undermine security-related operations.
Yet the problem with oversight and accountability as the primary focus is that it leaves the substantive law (in the case of CSE Internet surveillance) or proposed law (as in the case of C-51) largely unaddressed. If we fail to examine the shortcomings within the current law or within Bill C-51, no amount of accountability, oversight, or review will restore the loss of privacy and civil liberties.
First, consider the Snowden revelations that the CSE has been the lead on a surveillance initiative that gathers as many as 15 million uploads and downloads per day from a wide range of hosting sites that even appear to include the Internet Archive. The goal is reputed to be to target terrorist propaganda and training materials and identify who is uploading or downloading the materials. The leaked information shows how once a downloader is identified, intelligence agencies use other databases (including databases on billions of website cookies) to track the specific individual and their Internet use within hours of the identified download.
The Levitation program, which removes any doubt about Canada’s role in global Internet surveillance, highlights how seemingly all Internet activity is now tracked by signals intelligence agencies. Note that the sites that host the downloads do not hand over their usage logs. Rather, intelligence agencies are able to track who visits the sites and what they do from the outside. That confirms a massive surveillance architecture of Internet traffic operating on a global scale. Is improved oversight in Canada alone going to change this dynamic that crosses borders and surveillance agencies? It is hard to see how it would.
Moreover, these programs point to the fundamental flaw in Canadian law, where Canadians are reassured that CSE does not – legally cannot – target Canadians. However, mass surveillance of this nature does not distinguish between nationalities. Mass surveillance of a hundred million downloads every week by definition targets Canadians alongside Internet users from every corner of the globe. To argue that Canadians are not specifically targeted when it is obvious that the personal information of Canadians is indistinguishable from everyone else’s data at the time of collection is to engage in meaningless distinctions that only succeed in demonstrating the weakness of Canadian law. Better oversight of CSE is needed, but so too is a better law governing CSE activities.
Second, Bill C-51 is a problem not only because it fails to address longstanding shortcomings in oversight and accountability over CSIS. It is a problem because there are substantive provisions that should leave anyone concerned with privacy and civil liberties breathless (Craig Forcese has begun to identify them).
For example, the new CSIS disruption warrants are remarkably broad, providing legal power to effectively ignore any law (domestic or otherwise) and do whatever it deems is needed. It shocks to see the government openly empowering CSIS to break the law with few limitations or restrictions. While this is a warrant (therefore a judge must approve), legally granting the right to ignore the law is enormously problematic. Further, the power applies in far more than just terrorist situations.
In fact, the broad approach extends to other areas as well. The expanded information sharing rules cover:
(a) interference with the capability of the Government of Canada in relation to intelligence, defence, border operations, public safety, the administration of justice, diplomatic or consular relations, or the economic or financial stability of Canada;
(b) changing or unduly influencing a government in Canada by force or unlawful means;
(c) espionage, sabotage or covert foreign-influenced activities;
(e) proliferation of nuclear, chemical, radiological or biological weapons;
(f) interference with critical infrastructure;
(g) interference with the global information infrastructure, as defined in section 273.61 of the National Defence Act;
(h) an activity that causes serious harm to a person or their property because of that person’s association with Canada; and
(i) an activity that takes place in Canada and undermines the security of another state.
For greater certainty, it does not include lawful advocacy, protest, dissent and artistic expression.
Terrorism is enumerated, but “interference with the capability of the Government of Canada” in relation to numerous activities is exceptionally broad. Moreover, the bill speaks to “install, maintain or remove any thing”, pointing to the power to install malware or other computer harms on personal computers or devices. By opening the door to do any other thing, it likely also includes the power to interfere with routine use of encryption, which is increasingly standard for many Canadians.
There are many other provisions that require detailed study, among them the potential takedown of websites or online content if hosted in Canada, expanded promoting terrorism provisions (a scenario released by the government states that posting a YouTube video with the words “Attack Canada” at the end would now constitute a criminal act), and the broad information sharing provisions that the government-appointed Privacy Commissioner of Canada has warned “would seemingly allow departments and agencies to share the personal information of all individuals, including ordinary Canadians who may not be suspected of terrorist activities, for the purpose of detecting and identifying new security threats.”
Law enforcement thankfully already has many powers to target terrorism and terrorist activities in Canada (as arrests in Ottawa on Tuesday demonstrate). The threats are real and we need laws to address them. However, the radical reform of CSIS – when viewed alongside the mass surveillance programs of CSE – points to the need for a careful, non-partisan review of the substantive rules governing such activities. Viewed in this light, addressing oversight is necessary, but by no means sufficient.