Andrew Clement is a Professor Emeritus and surveillance researcher in the Faculty of Information at the University of Toronto.
Canadians are rightfully troubled by recent news of Cambridge Analytica's abuse of Facebook data for psychographic profiling and political manipulation. The threats to personal privacy and democratic governance exposed in this case are not an isolated phenomenon, but rather the tip of an iceberg. Alarming as they are, the revelations of Christopher Wylie, the 28-year-old Canadian who helped found Cambridge Analytica, pale in comparison with those of another young, brave, conscientious whistleblower.
In 2013, Edward Snowden revealed the mass secret surveillance of domestic populations by the National Security Agency (NSA) and its Five Eyes partners, including Canada. These exposés open our eyes to the perils of globe-spanning organizations with insatiable appetites for personal information operating largely unfettered by weak privacy-protection regimes. They lend urgency to the calls of Canada's Privacy Commissioner for additional powers to make data custodians more transparent and accountable in their activities.
Even long overdue strengthening of domestic privacy protections will be partial at best, however, given that an estimated 90 per cent of Canadians' internet communications pass through the United States. Once across the border, personal information loses Canadian legal and constitutional protections and becomes subject to surveillance by the NSA and other organizations without the safeguards afforded to U.S. citizens.
Exposure to U.S. risks comes in several ways. The internet services most popular among Canadians – including Facebook, Google and Twitter – all store users' data in the United States. But even a significant portion of Canadian domestic internet communication, including Canadians exchanging e-mail with each other or accessing a website located in Canada, will have their personal data routed through the United States. Surprisingly, this "boomerang routing" is common when both parties are in the same city, even across the street from each other. And nearly all international communications pass through the United States because Canada lacks adequate access to trans-oceanic fibre-optic cables.
The current heavy reliance of Canadian internet operations on U.S. facilities puts personal and corporate data at risk while impairing the efficiency and quality of Canadian internet services. This one-sided dependence on the United States for a major part of critical national infrastructure also weakens bilateral bargaining power. These challenges point to the central, overarching issue, which is weak Canadian sovereignty in the internet realm.
Any strategy aiming to protect Canadians' privacy must actively pursue national sovereignty in the domain of network infrastructures. To advance the public interest, a country needs to exercise effective control over the communication networks upon which the social and economic life of the country depend. While a new term, the concept of network sovereignty is old. Indeed, public investment in and oversight of national transportation and communication infrastructure has been central to the Canadian nation-building project from the early 19th century. The twin imperatives have been to foster development and to knit disparate communities into a more cohesive whole, especially in the face of forces pulling Canada into the U.S. orbit. Canada's Telecommunications Act reflects this historic tradition, mandating internet sovereignty in its declaration that "telecommunications performs an essential role in the maintenance of Canada's identity and sovereignty." It further seeks "to contribute to the protection of the privacy of persons."
"Localization" is the most obvious approach to achieving network sovereignty in the case of the internet. This means keeping data within the region of their creation and use whenever feasible; that is, storing and routing the personal data of Canadians within Canadian jurisdiction. As a promising first step in this direction, Microsoft has recently established data centres in Toronto and Montreal for storing Canadians' personal information as much as possible under Canadian legal protection. Other major service providers, notably Facebook and Google, should be required to do likewise.
Keeping Canadian domestic internet data flows within Canadian jurisdiction involves developing greater technical capacity to route traffic efficiently through domestic facilities. Public internet exchange points (IXPs) represent the most promising first step toward data-routing localization. IXPs enable local networks to reach users on other networks without having to leave the region for local delivery. This improves performance, reduces transit cost and delay, and can often avoid boomerang routing through the United States and the risks this poses. A further step is to expand access to Canada's long-haul internet backbone, especially for linking IXPs.
Finally, whatever success is achieved in strengthening Canadian privacy protections and advancing network sovereignty, there will remain a vital public interest in ensuring safe, free, open global internet communication. Doing so will require developing a robust international internet governance regime that meets human rights standards and strengthens democracy. Helping to forge such an international regime will be integral to achieving national sovereignty and public-interest goals in relation to the internet.
This article draws on Canadian Network Sovereignty: A Strategy for Twenty-first-Century National Infrastructure Building, a forthcoming essay in the Centre for International Governance Innovation (CIGI)'s series on Data Governance in the Digital Age.