Text: Small Text  Normal Text  Large Text  Larger Text
  • Blog
  • 20th Century Laws Meet 21st Century Surveillance: Why Metadata Surveillance is a Serious Concern

Blog Archive

PrevPrevApril 2014NextNext

20th Century Laws Meet 21st Century Surveillance: Why Metadata Surveillance is a Serious Concern

PDF  | Print |  E-mail
Tuesday June 11, 2013
The concerns about telephone and Internet surveillance moved north yesterday as the Globe revealed  that Canada has its own metadata surveillance program. The program was discontinued in 2008 after concerns that it could involve illegal surveillance of Canadians, but was secretly restarted in 2011. It is not clear what change sparked the policy reversal (if there was a reversal - some believe the program was never stopped).  The issue was raised in the House of Commons, but the response from the government focuses on two claims: (1) that the surveillance does not target Canadians; and (2) that the data captured is metadata rather than content and therefore does not raise significant privacy issues.

Neither response should provide Canadians concerned for their privacy with much comfort as it increasingly apparent that Canada has 20th century protections in a world of 21st century surveillance.

The government was emphatic that its metadata surveillance program does not target Canadians ("we don't target Canadians, okay."). Yet there are at least two holes in the response. First, the same claims are made by other intelligence agencies, with each claiming that they limit surveillance to foreign targets (this was a key point in a debate I participated in on CBC's Power and Politics). However, information sharing between intelligence services is common, particularly given the common communications network shared by Canada and the U.S.  The prospect that U.S. surveillance becomes a key source for Canadian agencies, while Canadian surveillance supports U.S. agencies does not strike anyone as particularly far-fetched. In fact, the ATI documents note that the ministerial directive "recognizes CSEC's role as a foreign signal intelligence agency, and maintains long-standing alliance with Five-Eyes partners." In other words, relying on the domestic-foreign distinction is necessary for legal compliance, but does not provide much assurance to Canadians that they are not being tracked.

Second, given the commingling of data - integrated communications networks, cloud-computing services, and "borderless" Internet services residing on servers around the world - distinguishing between Canadian and foreign data seems like an outdated and increasingly impossible task. Indeed, the decision to stop the Canadian surveillance program several years ago arose in part due to fears of overbroad surveillance. In the current communications environment, tracking Canadians seems inevitable and makes claims that such domestic surveillance is "inadvertent" increasingly implausible.

The government also relies on claims that the surveillance program only targets metadata (including geo-location, call duration, call participants, IP address), not content, with the implication being that such information does not raise serious privacy concerns. Yet there are many studies that suggest otherwise. Ron Deibert highlights an MIT study that examined months of anonymized cellphone data and found that only four data points were needed to identify a specific person 95 percent of the time. Susan Landau points out that metadata can reveal locational information, medical information, or important business information. Jay Stanley and Ben Wizner identify studies that have found that sexual identify can be guessed based on Facebook metadata. Best of all is a Kieran Healy post titled Using Metadata to Find Paul Revere that places the spotlight on the how connections revealed through metadata can be enormously revealing.  Of course, none of this should come as a surprise since intelligence agencies would not be gathering metadata on every cellphone call if the information was not valuable.

The problem is that surveillance technologies (including the ability to data mine massive amounts of information) have moved far beyond laws that were crafted for a much different world. The geographic or content limitations placed on surveillance activities by organizations such as CSEC may have been effective years ago when such activities were largely confined to specific locations and the computing power needed to mine metadata was not readily available. That is clearly no longer the case with geography often a distinction without a difference and the value of metadata sometimes greater than the actual content of telephone conversations. If we genuinely believe in preserving some privacy in an environment where everyone cellphone call is tracked, we must be open to significant legislative reforms and increased oversight that better reflects the realities of modern-day communications surveillance.
Comments (6)add comment

Dan Misener said:

So, we have U.S. government officials claiming that PRISM doesn't target U.S. citizens. And we have Peter MacKay saying, “We don’t target Canadians, okay.”

But what if I'm a Canadian citizen, using a proxy server or VPN service (like TunnelBear or Unblock-Us) to appear as though I'm in the U.S.?

In the eyes of a government surveillance program... where am I?

June 11, 2013

Thomas Cooke said:

Great post, and really good question, Dan. Admittedly, my familiarity with the implications of VPN needs refreshing. However, when considering how some of the bigger third party service provides, like Google, use HTTP cookies to collect meta-data (to generate revenue via Google Analytics), they compile that information against other data sets, either of their own or gathered from their clients like Facebook or DataLogix. My point is simply that there are other databases accessed by different parties using various techniques and practices that would simply workaround using VPN. google's ga.js cookie is incredibly efficient and documents device IDs; pairing that info with your name or email address facilitates other conditions of possibility for exacting identity and geophysical whereabouts. Now, the extents to which PRISM mines data similarly to Google Analytics, Facebook or any of the big third party players is another question. I'm researching the relationship between third party data mining and how various securitization regimes perform their mining techniques. It is not clear to me how similar or effective PRISM is to the private sectors' methods, but given the intimacy between these service providers and the NSA and FBI, I am certain their practices utilize far more than simply HTTP cookies. Christopher Soghoian's dissertation from 2012 is a good reference here for exemplifying said relationships.

Bottom line is that VPN can't hide the things that DataLogix and Facebook purchase about you from a multitude of sources, both physical and digital. If the state compiles enough info, they can figure it out pretty easily.
June 11, 2013

Crockett said:

We have nothing to fear?
A recent poll by the Washington Post asked 1000 Americans if they were OK with the activities of the NSA as recently outed by Mr. Snowden. The response was for the most part was yes, but there are some interesting points to consider.

- Did those surveyed understand the full issues?
- Did they believe, without proof, that the activities of the NSA (and the Canadian equivalent) were effective?
- Were they of the misconception "If you have nothing to hide, you have nothing to fear"

Let's touch on each of those subjects ...

As Michael points out, the issue is much more complex than most people realize. Without taking the time to look at all the ramifications for oneself and society as a whole, a simple poll result is essentially meaningless. This is an important and serious issue that requires informed contemplation.

Another question being, is this surveillance effective? Well the answer to that is we just don't know. It certainly didn't catch the Boston bombers and the American authorities even had warning from Russia that they ignored, or failed to integrate. Further, without any transparency or public oversight there is no way for us to know if it has worked in the past. We are asked to just trust the government, which is ironic as trust requires accountability which there seems to be none.

Finally, and perhaps most ominously, the catch phrase to pacify the masses is "If you have nothing to hide, you have nothing to fear" is widely believed. Again, this is where informed understanding is needed. The link below is a great primer, but the basic premise is the power afforded by unconstrained surveillance will at some point be misused, at which point it is also too late to so anything about it.

Take the time to read this article so you can help educate people to the fallacy of indifference ... http://falkvinge.net/2012/07/1...g-to-fear/
June 11, 2013

zb said:

to be honest, i don't think this will change internet usage drastically. I think this will only make people more aware of the government's tactics.
June 11, 2013

Gerritv said:

This is more indicative of the danger of this data

Malte gave a talk to TED, this is the data behind that talk. This is the level of detail that is available on movement and activity while carrying a cell phone without having some one's name.

And of course the cooperating governments are not stupid, of course they know that the bilateral agreements they make cover the in-country legal aspects while still giving them access to their own citizens info. Do not believe for a moment that the are stupid.
June 11, 2013

Ferguson T. said:

Well... I'll have you know.
June 17, 2013

Write comment
smaller | bigger

, , , ,
Share: Slashdot, Digg, Del.icio.us, Newsfeeder, Reddit, StumbleUpon, TwitterEmailPrintPDF
Related Items: