by Michael Geist
Published on www.michaelgeist.ca, June 11, 2013.
The concerns about telephone and Internet surveillance moved north yesterday as the Globe revealed that Canada has its own metadata surveillance program. The program was discontinued in 2008 after concerns that it could involve illegal surveillance of Canadians, but was secretly restarted in 2011. It is not clear what change sparked the policy reversal, though the documents obtained under the Access to Information Act include references to meetings with the NSA. The issue was raised in the House of Commons, but the response from the government focuses on two claims: (1) that the surveillance does not target Canadians; and (2) that the data captured is metadata rather than content and therefore does not raise significant privacy issues.
Neither response should provide Canadians concerned for their privacy with much comfort as it is increasingly apparent that Canada has 20th century protections in a world of 21st century surveillance.
The government was emphatic that its metadata surveillance program does not target Canadians (“we don’t target Canadians, okay.”). Yet there are at least two holes in the response. First, the same claims are made by other intelligence agencies, with each claiming that they limit surveillance to foreign targets (this was a key point in a debate I participated in on CBC’s Power and Politics). However, information sharing between intelligence services is common, particularly given the common communications network shared by Canada and the U.S. The prospect that U.S. surveillance becomes a key source for Canadian agencies, while Canadian surveillance supports U.S. agencies, does not strike anyone as particularly far-fetched. In fact, the ATI documents note that the ministerial directive “recognizes CSEC’s role as a foreign signal intelligence agency, and maintains long-standing alliance with Five-Eyes partners.” In other words, relying on the domestic-foreign distinction is necessary for legal compliance, but does not provide much assurance to Canadians that they are not being tracked.
Second, given the commingling of data-integrated communications networks, cloud-computing services, and ‘borderless’ Internet services residing on servers around the world,distinguishing between Canadian and foreign data seems like an outdated and increasingly impossible task. Indeed, the decision to stop the Canadian surveillance program several years ago arose in part due to fears of over-broad surveillance. In the current communications environment, tracking Canadians seems inevitable and makes claims that such domestic surveillance is ‘inadvertent’ increasingly implausible.
The government also relies on claims that the surveillance program only targets metadata (including geo-location, call duration, call participants, IP address), not content–with the implication being that such information does not raise serious privacy concerns. Yet there are many studies that suggest otherwise. Ron Deibert highlights an MIT study that examined months of anonymized cellphone data and found that only four data points were needed to identify a specific person 95 percent of the time. Susan Landau points out that metadata can reveal locational information, medical information, or important business information. Jay Stanley and Ben Wizner identify studies that have found that sexual identify can be guessed based on Facebook metadata. Best of all is a Kieran Healy post titled Using Metadata to Find Paul Revere that places the spotlight on the how connections revealed through metadata can be enormously revealing. Of course, none of this should come as a surprise, since intelligence agencies would not be gathering metadata on every cellphone call if the information was not valuable.
The problem is that surveillance technologies (including the ability to data-mine massive amounts of information) have moved far beyond laws that were crafted for a much different world. The geographic or content limitations placed on surveillance activities by organizations such as CSEC may have been effective years ago, when such activities were largely confined to specific locations and the computing power needed to mine metadata was not readily available. That is clearly no longer the case, with geography often a distinction without a difference, and the value of metadata sometimes greater than the actual content of telephone conversations. If we genuinely believe in preserving some privacy in an environment where every cellphone call is tracked, we must be open to significant legislative reforms and increased oversight that better reflects the realities of modern-day communications surveillance.