Another week, another revelation originating from the seemingly unlimited trove of Edward Snowden documents. Last week, the CBC reported that Canada was among several countries whose surveillance agencies actively exploited security vulnerabilities in a popular mobile web browser used by hundreds of millions of people. Rather than alerting the company and the public that the software was leaking personal information, they viewed the security gaps as a surveillance opportunity.
My weekly technology law column (Toronto Star version, homepage version) notes that in the days before Snowden, these reports would have sparked a huge uproar. More than half a billion people around the world use UC Browser, the mobile browser in question, suggesting that this represents a massive security leak. At stake was information related to users’ identity, communication activities, and location data – all accessible to telecom companies, network providers, and surveillance agencies.
Yet coming on the heels of global revelations of surveillance of network exchange points and Internet giants, along with Canadian disclosures of daily mass surveillance of millions of Internet downloads and airport wireless networks, nothing surprises anymore. Instead, there is a resigned belief that privacy on the network has been lost to surveillance agencies who use every measure at their disposal to monitor or gather virtually all communications.
While the surveillance stories become blurred over time, there is an important distinction with the latest reports. The public has long been told that sacrificing some privacy may be part of a necessary trade-off to provide effective security. However, by failing to safeguard the security of more than 500 million mobile users, the Five Eyes surveillance agencies – Canada, the U.S., U.K., Australia, and New Zealand – have sent the message that the public must perversely sacrifice their personal security as well.
Agencies charged with identifying potential security threats believe protecting individual security is not part of their mandate. According to Christian Leuprecht, a Royal Military College professor, “the fact that certain channels and devices are vulnerable is not ultimately the problem of signals intelligence.”
In other words, you’re on your own.
With Internet providers such as Bell refusing to issue transparency reports about when they disclose subscriber information and major telecom equipment companies such as Samsung the target of surveillance agencies (the revelations also disclosed that the agencies explored hacking into Samsung and Google app stores), the corporate community is at best powerless and at worst complicit in the surveillance activities.
Meanwhile, government agencies have abdicated responsibility for safeguarding user security and the government itself has steadfastly opposed any improved oversight of Canadian surveillance agencies, leaving Canada with one of the weakest oversight regimes in the developed world.
What to do in the face of a wide array of surveillance initiatives in which almost anything is viewed as fair game?
The most important self-help step for Canadians is to make encryption a standard part of their communications practices. Encryption is not perfect, but it creates a significant barrier against mass surveillance. The result provides privacy and security for users, while forcing agencies to consider whether to deploy additional tools to crack the communications. In other words, mundane messages are protected, while those associated with a reasonable suspicion of a threat may still be targeted.
Individual encryption is a good start, but more is needed. Many websites and web-based email services still do not offer encryption and therefore leave their users vulnerable to snooping agencies. Pressuring the Internet giants to adopt encryption – or at least offer the option of encryption – is a necessity.
Furthermore, political and policy solutions cannot be abandoned. Bill C-51 generated significant public concern, though most of the focus was on new surveillance agency powers. Even without the changes, there remains a clear need for better oversight and rules based on the principle that Canadians cannot possibly feel secure if their own government views security vulnerabilities as creating an opportunity to exploit rather than an obligation to safeguard.