As the near-weekly revelations of pervasive surveillance activities generates both debate and mounting opposition in the United States and Europe, the Canadian reaction has remained somewhat muted. Following an initial flurry of coverage over the surveillance activities of Canadian intelligence agencies, the issue has largely disappeared despite evidence that Canadian data is regularly collected by foreign intelligence agencies, most notably the U.S. National Security Agency.
Interestingly, the battle over the potential entry of Verizon into Canada may have opened the door to greater public scrutiny of the privacy practices of all telecom carriers. The debate unexpectedly features a privacy and surveillance dimension, with the incumbents and their unions raising fears about the link between Verizon and U.S. surveillance.
Verizon may raise privacy concerns, but my weekly technology law column (Toronto Star version, homepage version) notes it is worth asking whether the Canadian carriers can provide assurances that Canadian phone and Internet activity is any less prone to surveillance. The major Canadian carriers have been very secretive about many of these issues. In fact, a recent University of Toronto report found that none issue transparency reports (Google, Twitter, and Microsoft do), inform users about data requests, state where data is routed and stored, or avoid U.S. routing.
For example, both Bell and Rogers link their email systems for residential customers to U.S. giants with Bell linked to Microsoft and Rogers linked to Yahoo. In both cases, the inclusion of a U.S. email service provider may allow for U.S. surveillance of Canadian email activity. While the Canadian privacy commissioner previously dismissed concerns associated with using U.S. email providers on the grounds that Canada had similar security laws, the new surveillance revelations suggest that a re-examination of that conclusion may be warranted.
The issue of avoiding U.S. routing is particularly important since even Canadian domestic communications that travel from one Canadian location to another may still transit through the U.S. and thus be captured by U.S. surveillance. Despite these risks, Bell requires other Canadian Internet providers to exchange Internet traffic outside the country at U.S. exchange points, ensuring that the data is potentially subject to U.S. surveillance.
Add in the regular surveillance demands for the email traffic that passes through Blackberry’s Waterloo-based servers and the likely interception of communications traffic through several undersea cables that enter Canada and there is little doubt that Canadian Internet and phone use is subject to significant U.S. surveillance activity.
Given these privacy risks, it is surprising that Canadian privacy regulators (which for telecom issues includes both the Office of the Privacy Commissioner of Canada and the Canadian Radio-television and Telecommunications Commission) have remained largely on the sidelines as the surveillance revelations mount.
Responsibility for oversight of the Communications Security Establishment (the Canadian equivalent of the U.S. NSA) may fall to the CSEC Commissioner. However, the role of the private sector in facilitating surveillance activities sits squarely within the mandate of the privacy commissioner, while the CRTC has a clear role on telecom privacy concerns.
All companies have an obligation under Canadian privacy law to adopt minimally invasive practices, yet the use of foreign service providers or network routing that increases the likelihood of surveillance may run afoul of that obligation. With audit powers and the right to launch investigations, it is time for privacy regulators to proactively address whether Canada’s telecom companies should be doing more to protect their customers from foreign surveillance.