As part of the campaign against Verizon, opponents have begun to focus on the privacy implications of allowing the U.S. giant into Canada. In a blog post on the company site, Telus points to its privacy work (including fighting a key case to the Supreme Court of Canada) and then raises the spectre of a loss of privacy should Verizon enter the market:
The Canadian government needs to take a hard look at this important issue and ensure that Canadians’ privacy expectations continue to be met; especially if a U.S. communications company sets up shop here. Some U.S. laws, such as Patriot Act, can be quite invasive and could have detrimental impacts on the level of privacy experienced by Canadian wireless users.
The Communications, Energy and Paperworkers Union raised similar concerns in an article over the weekend that warned about the danger of NSA spying on Canadians should Verizon enter Canada.
Yet on closer inspection, it is worth asking whether the Canadian carriers can provide assurances that Canadian phone and Internet activity is any less prone to surveillance. On the Patriot Act fears, the Privacy Commissioner of Canada has found that Canadian law has many of the same provisions. While it is cold comfort to those concerned with their privacy, the Commissioner stated:
The risk of personal information being disclosed to government authorities is not a risk unique to U.S. organizations. In the national security and anti-terrorism context, Canadian organizations are subject to similar types of orders to disclose personal information held in Canada to Canadian authorities.
The surveillance activities are even more troubling. The U.S. programs appear to capture just about all communications: everything that enters or exits the U.S., anything involving a non-U.S. participant, and anything that travels through undersea cables. This would seem to leave Canadian cellphone and Internet users at a similar risk of surveillance regardless of the nationality of the carrier.
Given the extensive reach of U.S. surveillance, there is little doubt much the same monitoring occurs on traffic that involves Canadian carriers. In fact, a recent interim report by Andrew Clement and Jonathan Obar of the University of Toronto found that all the major Canadian carriers fare miserably with respect to transparency and privacy. The report measured Canadian ISP and carrier activity on ten criteria that includes public statements on the location of data storage and routing as well as taking visible steps to avoid U.S. routing of Canadian data. Telus – along with the other major carriers – scarcely rank on any of the criteria. Telus does not issue transparency reports, does not inform users about data requests, does not state where its data is routed and stored, and does not avoid U.S. routing.
The issue of avoiding U.S. routing is particularly important since even Canadian domestic communications that travel from one Canadian location to another may still transit through the U.S. and thus be captured by U.S. surveillance. The privacy implications were foreshadowed in a report commissioned last year by the Canadian Internet Registration Authority on Internet traffic exchange points. Highlighting the risk of relatively few Canadian exchange points, the report argues:
By allowing Canadian data to remain in Canada as much as possible and as often as possible, additional IXPs reduce the risk of Canadian data and personal information becoming subject to U.S. and other foreign laws and practices. Once data is routed outside Canada, foreign companies may track, analyze, and even store the data pursuant to their respective privacy policies. Foreign governments also track, analyze, and store the data. These concerns are more than speculative; in 2006, a whistleblower revealed large-scale U.S. government inspection of data at an AT&T network switching center in San Francisco, and subsequent investigation conï¬rmed that such inspection was occurring elsewhere. More recently, it was revealed that the U.S. National Security Agency is building a vast datacenter to permanently archive and analyze such data. If Canadian data is kept in Canada, it need not be subject to this tracking or analysis.
Despite these risks, the report indicates that Bell requires other Canadian ISPs to exchange traffic outside the country at U.S. exchange points. This would ensure that the exchange of data would be subject to U.S. surveillance.
The privacy issues associated with Verizon are significant and deserve a full airing. Yet in an effort to score points with the public, opponents of their entry to Canada should come clean on their own practices and acknowledge that seemingly none are able to provide assurances that Canadians are not currently subject to extensive surveillance activities.