Against Oversight: Why Fixing the Oversight of Canadian Surveillance Won't Solve the Problem
|| Print ||
Tuesday February 04, 2014
Last summer, I discussed the Snowden leaks and concerns about Canadian
surveillance activities with a senior government official. The official
remarked that in the wake of the Snowden revelations the political risk
did not lie with surveillance itself, since most Canadians basically
trusted their government and intelligence agencies to avoid misuse (the
steady stream of Snowden leaks and Canada's increasingly apparent role
may have changed this analysis). Rather, the real concern was with being
caught lying about the surveillance activities. This person was of the
view that Canadians would accept surveillance, but they would not accept
lying about surveillance programs.
Those comments came to mind over the past week with the latest revelations about CSEC metadata surveillance. While the story has been characterized as an airport wifi surveillance issue, it is clear that the airport wifi angle misses the real concern. The leaked document and subsequent explanations reveal an attempt to identify travel patterns and geographic locations using user ID data over a two week period provided by a Canadian source (CSEC referred to this as metadata in the Senate committee hearing yesterday) along with a database of geo-locations of IP addresses supplied by Quova (I once served as an advisor to Quova). By identifying airport wifi IP addresses along with broader usage data and geo-identifying information, CSEC hopes to be able to identify locational movements of individual users. Bruce Schneier provides a helpful review of the likely intent of the program.
While some argued the program tracks Canadians and is therefore illegal (citing Charter violations and activities beyond the CSEC mandate), the Justice Minister maintains the program is legal and CSEC has defended the program in a release the day after the story broke and again at the Senate committee yesterday. Moreover, the CSEC Commissioner has posted a somewhat cryptic statement that emphasizes the independence of the review process. Ryan Gallagher has responded to those statements with a post arguing the denials are hollow.
I'm left with four takeaways from the past week.
First, CSEC's surveillance activities of Internet communications in Canada are far more extensive than previously realized. Its trove of metadata - presumably obtained with the cooperation of Canada's major telecom companies - provides enormous insight into the communications habits and activities of millions of Canadians. The use of metadata has been the subject of some concern from the CSEC Commissioner, yet the full scope of activities remain largely secret. Moreover, the ministerial directive on metadata appears to be so broad that it enables widespread tracking and surveillance as CESC is able to mine the data for a myriad of purposes.
Given those capabilities, assurances that metadata surveillance is less invasive than tracking the content of telephone calls or Internet usage ring hollow. Metadata can include geo-location information, call duration, call participants, and Internet protocol addresses. While officials suggest that this information is not sensitive, there are many studies that have concluded otherwise. These studies have found that metadata alone can be used to identify specific persons, reveal locational data, or even disclose important medical and business information. I discuss the issues associated with metadata - including Supreme Court of Canada and Bill C-13 concerns - here. For CSEC to argue that it otherwise does not track Canadians because it only accesses metadata, is misleading at best.
Second, the geographical limits of CSEC - its framework requires that foreign intelligence activities "not be directed at Canadians or any person in Canada" - are being completely blurred. The commingling of data through integrated communications networks and "borderless" Internet services residing on servers around the world suggests that distinguishing between Canadian and foreign data seems like an outdated and increasingly impossible task. CSEC's repeated references to the "global Internet" as opposed to the Internet might well be an attempt to emphasize the foreign component of largely Canadian-based activities. Indeed, the fact that CSEC focuses on Canadian-based metadata (CSEC was asked yesterday why it doesn't collect data from other countries instead) ensures that most of its metadata will include a Canadian component, thereby increasing the likelihood of Canadian surveillance.
Third, the government (including Justice and CSEC) are confident that the programs are legal under the current CSEC mandate. The metadata program operates under ministerial approval, which CSEC would argue extends to uses such as the IP location (or airport wifi) tests. Given the fears of being caught lying, it seems unlikely officials would adopt this position without internal legal reviews and advice.
Fourth, fixing the oversight of CSEC won't solve the problem. Better oversight is currently being touted as the solution to the surveillance problem. The Liberals are proposing a new parliamentary committee review committee, the federal privacy commissioner has identified opportunities for better reporting and oversight, and Ontario privacy commissioner Ann Cavoukian has called for improved transparency and accountability.
Reforms to the current oversight system are needed but the recent experience demonstrates why they are not sufficient. The current system would certainly benefit from external reviewers, who might be more aggressive in questioning the scope of CSEC programs and the stretching of its mandate. Yet the far bigger problem lies with the law itself:
David Collier-Brown said:
pat donovan said:
Craig Wilson said:
Craig Wilson said:
MICHAEL HEROUX said:
Tuesday February 04, 2014