Another week, another revelation originating from the seemingly unlimited trove of Edward Snowden documents. Last week, the CBC reported that Canada was among several countries whose surveillance agencies actively exploited security vulnerabilities in a popular mobile web browser used by hundreds of millions of people. Rather than alerting the company and the public that the software was leaking personal information, they viewed the security gaps as a surveillance opportunity.
My weekly technology law column (Toronto Star version, homepage version) notes that in the days before Snowden, these reports would have sparked a huge uproar. More than half a billion people around the world use UC Browser, the mobile browser in question, suggesting that this represents a massive security leak. At stake was information related to users’ identity, communication activities, and location data – all accessible to telecom companies, network providers, and surveillance agencies.
Last month, I had the honour of speaking at the Pathways to Privacy Symposium, a privacy event sponsored by the Privacy Commissioner of Canada and hosted by the University of Ottawa. The event featured many excellent presentations (the full seven hours can be viewed here). My talk focused on the recent emphasis on the need to improve oversight, a common refrain in reaction to both the Snowden surveillance revelations and Bill C-51, the anti-terrorism bill. While better oversight is necessary, I argue that it is not sufficient to address the legal shortcomings found in both Canada’s surveillance legislation and Bill C-51. The full talk (which unfortunately has slightly delayed sound) can be viewed here or below.
Citizen Four, Laura Poitras’ enormously important behind-the-scenes documentary film on Edward Snowden, won the Academy Award last night for best documentary. The film is truly a must-see for anyone concerned with privacy and surveillance. It not only provides a compelling reminder of the massive scale and scope of surveillance today, but it also exposes us to the human side of Snowden’s decision to leave his life behind in order to tell the world about secret surveillance activity.
As a lifelong Seattle Seahawks fan, this past Sunday’s Super Bowl – with the Hawks a yard away from winning their second straight championship only to give up a late interception – felt like a punch in the gut. Nearly two days later, I’m still trying to catch my breath. The end to Super Bowl 49 was the actually second time in the week that I was left feeling shocked and speechless. Throughout the week, the combination of Snowden revelations regarding Canada’s role in the daily tracking the Internet activities of millions and the introduction of Bill C-51, the anti-terrorism legislation, left me similarly grappling to make sense of the swirling developments.
It would appear that the immediate response from many, particularly the opposition parties, has centered on the need for improved accountability and oversight. There is no doubt that the failure to address Canada’s weak oversight system of surveillance and intelligence activities is a major flaw (particularly since oversight was actually reduced in 2012). For a government that introduced the Federal Accountability Act as its very first piece of legislation (and supported more oversight when in opposition) to now dismiss oversight as “red tape” is simply shameful. Better oversight and accountability should be a proverbial “no-brainer”: it bolsters public confidence and, as demonstrated elsewhere, need not undermine security-related operations.
Yet the problem with oversight and accountability as the primary focus is that it leaves the substantive law (in the case of CSE Internet surveillance) or proposed law (as in the case of C-51) largely unaddressed. If we fail to examine the shortcomings within the current law or within Bill C-51, no amount of accountability, oversight, or review will restore the loss of privacy and civil liberties.
After years of failed bills, public debate, and considerable controversy, lawful access legislation received royal assent last week. Public Safety Minister Peter MacKay’s Bill C-13 lumped together measures designed to combat cyberbullying with a series of new warrants to enhance police investigative powers, generating criticism from the Privacy Commissioner of Canada, civil liberties groups, and some prominent victims rights advocates. They argued that the government should have created cyberbullying safeguards without sacrificing privacy.
While the bill would have benefited from some amendments, it remains a far cry from earlier versions that featured mandatory personal information disclosure without court oversight and required Internet providers to install extensive surveillance and interception capabilities within their networks.
The mandatory disclosure of subscriber information rules, which figured prominently in earlier lawful access bills, were gradually reduced in scope and ultimately eliminated altogether. Moreover, a recent Supreme Court ruling raised doubt about the constitutionality of the provisions.
My weekly technology law column (Toronto Star version, homepage version) notes the surveillance and interception capability issue is more complicated, however. The prospect of a total surveillance infrastructure within Canadian Internet networks generated an enormous outcry when proposed in Vic Toews’ 2012 lawful access bill. Not only did the bill specify the precise required surveillance and interception capabilities, but it also would have established extensive Internet provider reporting requirements and envisioned partial payments by government to help offset the costs for smaller Internet providers.