Since June, 2013, a steady stream of revelations from Edward Snowden has shed light on a vast U.S.-led surveillance system. While there have been several important Canadian-related revelations, none has raised clear issues of potential unlawfulness. That is, until now.
A "Top Secret" presentation obtained by the CBC from the Snowden cache, which I reviewed in detail, outlines the indiscriminate and bulk collection and analysis of Canadian communications data by the Communications Security Establishment of Canada (CSEC). Assuming the documents are legitimate, it is difficult not to reach the conclusion that these activities constitute a clear violation of CSEC's mandates and almost certainly of the Charter of Rights and Freedoms.
The CSEC presentation describes ubiquitous surveillance programs clearly directed at Canadians, involving data associated with Canadian airports, hotels, wi-fi cafes, enterprises and other domestic locations. The presentation outlines the challenges of discerning specific internet addresses and IDs associated with users within the universe of bulk data, paying special attention to challenges involving the movement of people through airports. It outlines results of experiments undertaken at a medium-sized city airport, which could possibly mean Calgary or Halifax, and which includes observations at "other domestic airports," "hotels in many cities" and "mobile gateways in many cities." Observations are made with detailed graphs of specific patterns of communications, noting differences as to how individuals communicate upon arrival and during departure, how long they spend in transit lounges, wi-fi cafes, hotel visits and even places of work. The objectives, the presentation says, are to separate the "needle from the haystack" – the haystack being, of course, all of us.
The presentation specifies that at least some of the bulk data from these locations was obtained through the cooperation of what's only described as a "Canadian Special Source," which is likely a Canadian telecommunications provider. If so, such revelations would make a mockery of Canadian carriers advertising their services as a "safe haven" from the snooping U.S. National Security Agency. From an accountability and oversight point of view, moving data hosting from the United States to Canada is like moving from a dimly lit cave to a pitch-black tunnel at the back of the cave.
What's this mean for Canadians? When you go to the airport and flip open your phone to get your flight status, the government could have a record. When you check into your hotel and log on to the Internet, there's another data point that could be collected. When you surf the Web at the local cafe hotspot, the spies could be watching. Even if you're just going about your usual routine at your place of work, they may be following your communications trail.
Ingenious? Yes. Audacious? Yes. Unlawful? Time for the courts to decide. With regard to recent revelations, Canadian government officials have strenuously denied doing what is clearly described in this presentation. On 19 September 2013, CSEC chief John Forster was quoted by the Globe and Mail saying "CSEC does not direct its activities at Canadians and is prohibited by law from doing so." In response to a lawsuit launched by the British Columbia Civil Liberties Association against the Government of Canada, CSEC admitted that there "may be circumstances in which incidental interception of private communications or information about Canadians will occur." Only in Orwell-speak would what is contained in these presentations be described as "incidental" or "not directed at Canadians." Then again, an Orwellian society is what we are in danger of becoming.
The revelations require an immediate response. They throw into sharp relief the obvious inadequacy of the existing "oversight" mechanism, which operates entirely within the security tent. They cast into doubt all government statements made about the limits of such programs. They raise the alarming prospect that Canada's intelligence agencies may be routinely obtaining data on Canadian citizens from private companies – which includes revealing personal data – on the basis of a unilateral and highly dubious definition of "metadata" (the information sent by cellphones and mobile devices describing their location, numbers called and so on) as somehow not being "communications." Such operations go well beyond invasions of privacy; the potential for the abuse of unchecked power contained here is practically limitless.
We live in a world of Big Data and the Internet of Things, our lives turned inside out. We leave a vast digital trail of intimately revealing metadata around us wherever we go. Allowing the state to have access to all of it is incompatible with a free and democratic society. The question now for Canadians to collectively address is what are we going to do about it?
Ron Deibert is Director of the Citizen Lab and Canada Centre for Global Security Studies at the University of Toronto's Munk School of Global Affairs, and the author of Black Code: Surveillance, Privacy, and the Dark Side of the Internet (McClelland & Stewart, 2013)