Why Canadians Should Be Demanding Answers About Secret Surveillance Programs

Privacy and surveillance have taken centre stage this week with the revelations
that U.S. agencies have been engaged in massive, secret surveillance
programs that include years of capturing the meta-data from every
cellphone call on the Verizon network (the meta-data includes the number
called and the length of the call) as well as gathering information
from the largest Internet companies in the world including Google,
Facebook, Microsoft, and Apple in a program called PRISM. This lengthy
post provides some background on the U.S. programs, but focuses
primarily on the Canadian perspective, arguing that many of the same
powers exist under Canadian law and that it is likely that Canadians have been caught up by these surveillance
activities.

The first revelation came from a story by Glenn Greenwald
in the Guardian, in which he reported that the National Security Agency
(NSA) is collecting phone records from millions of Verizon customers
each day. U.S. authorities have sought to downplay the significance of
the “meta
data” from the phone calls, but many experts note that meta data can be more revealing than the content of the call itself. The cell phone meta data collection appears to be authorized through provisions from the USA Patriot Act, which permits a Foreign Intelligence Surveillance Act (FISA) court to order a business to produce certain documents. As Margot Kaminski explains, there are few safeguards over these programs.

The second revelation involved a program called PRISM, which
apparently allows
intelligence services preferential access to content and
communications activities from companies such as Google, Facebook,
Microsoft, Yahoo, and Apple (notably Twitter is not included in the
list and the NY
Times reports
that they have declined to make surveillance
easier for the government). The special access can be used obtain
audio and video chats, photographs, e-mails, documents, and
connection logs. Google has denied
joining any program that provides direct access to its servers (as
has Facebook),
but this appears to be legal parsing with the NY Times confirming
active cooperation from these companies. Jennifer Granick notes
that the legal authority for such a program likely comes from the
Foreign Intelligence Surveillance Act (FISA) and the FISA Amendments
Act (FAA). While there have been efforts to claim that this
initiative only targets non-U.S. communication, the law permits
monitoring provided only one participant is outside the U.S.

The two surveillance programs have sparked widespread outrage, but
as Bruce Schneier points
out
, these programs are just a fraction of the surveillance
programs currently deployed by U.S. agencies. Moreover, the U.S.
Congress seems
unlikely
to curtail the programs (the NSA is building
a $2 billion data storage centre in Utah to better meet its needs).

These surveillance revelations obviously raise huge issues in the
United States, but they should similarly elicit concern in Canada
(Ron Deibert shares that view
here
, Privacy Commissioner Jennifer Stoddart is said
to be on alert
). As Ivor Tossel states,
“Canadians can in no way pretend to be above this.” Indeed, during
some of the private discussions on lawful access, I was struck by
the differing priorities of the various law enforcement and security
branches. Local police forces were anxious for mandatory warrantless
disclosure of subscriber data, but intelligence and security
services seemed far less interested in those legislative powers,
focusing instead on surveillance technologies. In hindsight, the
reason seems obvious – they may already have access to the
subscriber information without the need for lawful access
legislation.

Canadian authorities wield many of the same powers used to justify
the Verizon phone call meta-data surveillance program. For example,
CSIS has some of the same powers as those found in the USA Patriot
Act, including Section 215 applications. As Milana Homsi and I
argued in a 2005 article:

Canada has similar disclosure provisions as those found in the
USA Patriot Act. For example, s.
21 of the Canadian Security Intelligence Act
provides for a
warrant that permits almost any type of communication
interception, surveillance or disclosure of records for purpose of
national security. To obtain such a warrant, the Director of the
CSIS or a designate of the Solicitor General is required to file
an application with a Federal Court judge. The application must
contain an affidavit stating “the facts relied on to justify the
belief, on reasonable grounds, that a warrant… is required”. The
application must also outline why other investigative techniques
are inappropriate. The warrant will typically last 60 days and is
renewable on application. Section 21 orders could presumably also
be applied to U.S. companies operating in Canada.


The section 21 warrant is arguably similar to a section 215
application made to the FISA Court. Both do not require probable
cause and both can be used to obtain any type of records or any
other tangible thing. Moreover, the target of both warrants need
not be the target of the national security investigation
.

Not only can CSIS rely on these provisions to obtain secret warrants
compelling disclosure, but there is considerable information sharing
that takes place between government agencies without the consent of
the person to whom the information relates. In its 2011
annual report
, CSIS reported on hundreds of information
sharing arrangements with foreign agencies:

In 2010-2011, CSIS implemented 11 new foreign arrangements and as
of March 31, 2011, had 289 arrangements with foreign agencies or
international organizations in 151 countries. Of those
arrangements, 41 are currently defined as dormant, meaning there
have been no information exchanges for a period of one year or
longer. During that same period, six existing foreign arrangements
were either enhanced or altered by the Service. Additionally,
eight arrangements were categorized as having restricted contact
due to concerns over the reliability of the foreign agencies in
question. Exchanging information with foreign agencies remains a
key component in CSIS’s ability to effectively carry out its
mandate.

Information sharing is by no means limited to CSIS. As the Privacy
Commissioner of Canada reported
in 2004
:

The federal Privacy Act allows personal information to be
transferred outside Canada, even without the consent of the
individual to whom the information relates. For example, the Act
allows personal information under the control of a government
institution (for example, information collected to issue
passports) to be disclosed for specific purposes under an
agreement or arrangement between the Government of Canada and the
government of a foreign state. These purposes include
administering or enforcing any law or carrying out a lawful
investigation.


One such “agreement†is the Mutual
Legal Assistance Treaty (MLAT) between Canada and the United
States
(Canada has signed similar treaties with 33
countries, including the United Kingdom, Australia and France, and
two multilateral treaties also contain mutual legal assistance
provisions). The Canada-US treaty came into force in 1990 and is
an important tool for both governments to obtain evidence located
in the territory of the other. US authorities might, for example,
want information held by provincial, territorial or federal
governments, by individuals in Canada, or by companies in Canada,
in relation to a broad range of offences. They can rely on the
treaty to obtain this information. 

Much like the Verizon phone call meta-data powers, there are reasons
to believe that Canadian intelligence authorities wield many of the
same powers as those used to justify the PRISM program. The Communications
Security Establishment Canada
has the power
to assist CSIS, the RCMP and other agencies with their domestic
monitoring operations, aided by several
super-computers
. Moreover, the Globe notes
that virtually all CSEC activities remain secret, though its mandate is believed to
cover similar terrain as the NSA with powers to monitor foreign
communications or any communication that involves at least one
foreign participant. That is consistent with its statutory mandate
found in the National
Defence Act
:

(a) to acquire and use information from the global
information infrastructure for the purpose of providing foreign
intelligence, in accordance with Government of Canada intelligence
priorities;

(b) to provide advice, guidance and services to help
ensure the protection of electronic information and of information
infrastructures of importance to the Government of Canada; and

(c) to provide technical and operational assistance to
federal law enforcement and security agencies in the performance
of their lawful duties.

Activities carried out under (a) and (b):

(a) shall not be directed at Canadians or any person in
Canada; and

(b) shall be subject to measures to protect the privacy
of Canadians in the use and retention of intercepted information.

The CSEC annual report explains
its monitoring practices, including the potential for interception
of Canadian communications. The Canadian provisions sound awfully
similar to the powers in the U.S.  Given the lack of
transparency, it certainly seems possible that there are similar
activities taking place here. In fact, its response
to the PRISM story sounds strikingly similar to responses from U.S.
authorities, as the CSEC refuses to comment on specific operations
and merely confirms that it “operates within all Canadian laws.”

Moreover, in recent years, Canada and the U.S. have openly worked to
integrate their security efforts. The U.S.
– Canada Beyond the Border Action Plan
seeks to improve
information sharing between security agencies. A December
2012 update
specifically points to work in this area.

Does this mean Canadian authorities are engaged in similar forms of
surveillance? That phone companies such as Bell and Telus are
subject to warrants similar to those faced by Verizon? That Internet
companies co-operate with Canadian authorities? That Canadian and
U.S. authorities share information obtained through programs such as
the Verizon meta-data program or PRISM? That Canadians are targeted
by the U.S. programs?

The law would suggest that all of these things are entirely
possible. Given the integrated communications networks and the
increased information sharing, it seems very likely. Yet since
virtually everything remain shrouded in secrecy, Canadians don’t
know for sure. As the calls for greater oversight ring out in the
U.S., it is time for Canadians to consider the privacy and
surveillance risks associated with cloud-based services and to
demand answers and accountability from Canada’s politicians and
security agencies.

via Michael Geist Blog http://www.michaelgeist.ca/content/view/6869/125/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: