Columns Archive

Security Agencies Need to Fess Up About Illegal Privacy Breaches

Appeared in the Toronto Star on June 13, 2016 as Security Agencies Need to Fess Up About Illegal Privacy Breaches

Three years ago this month, Edward Snowden shocked the world with a series of disclosures that revealed a myriad of U.S. government-backed surveillance programs. The Snowden revelations sparked a global debate over how to best strike the balance between privacy and security and led to demands for greater telecom transparency.

The initial Canadian response to the surveillance debate was muted at best. Many Canadians assumed that the Snowden disclosures were largely about U.S. activities. That raised concerns about Canadian data being caught within the U.S. surveillance dragnet, but it did not necessarily implicate the Canadian government in the activities.

Within months, it became clear that Canadian securities agencies were enthusiastic participants in numerous surveillance initiatives. Canadians played a lead role in projects focused on tracking travellers using airport Wi-Fi networks, monitoring millions of daily uploads and downloads to online storage sites, aggregating millions of emails sent by Canadians to government officials, and targeting mobile phones and app stores to implant spyware.

Moreover, the U.S. collection and mining of “metadata” – the data about data that covers geographic information and details about social links – was also at the heart of Canadian activities with a ministerial authorization granting officials the power to capture the potentially sensitive personal information with minimal oversight.

While these programs attracted attention for a day or two, it was the Conservatives’ introduction of Bill C-51, the anti-terrorism legislation that granted the government a host of new powers, that finally succeeded in generating a sustained focus on Canadian surveillance law.

The bill became law with few amendments, but emerged as the public’s shorthand for the need for reforms to surveillance activities. Public Safety Minister Ralph Goodale and the new Liberal government have promised changes, with expectations that they will focus initially on a new “super” oversight body for security agencies and later open the door to further amendments.

Yet despite assurances that improved oversight will provide adequate safeguards against intrusive surveillance, in recent months it has become apparent that weak oversight represents only a small part of the problem.

Consider this year’s report from the Communications Security Establishment (CSE) commissioner, who uses legal language to obscure an otherwise clear admission that there are ongoing metadata violations within the CSE. The report notes that metadata activities were “generally conducted in compliance with operational policy” and that the “CSE has halted some metadata analysis activities” that were the subject of previous criticisms.

The use of words like “generally” and “some” are no accident. The CSE Commissioner could have just as easily written that the CSE still does not conduct its metadata activities in full compliance with the law and that it has refused to stop some activities that were the subject of complaints. Yet the soft framing turns what should be a major story and source of concern into something largely ignored by the general public.

The same is true for a series of admissions related to “privacy breaches” at the CSE. In plain language, this suggests that Canadian security intelligence agencies revealed information to foreign agencies in a manner that violates the law. Indeed, reports indicate that this includes identifying information arising from phone calls and Internet usage.

These are not privacy breaches in the conventional sense of an inadvertent loss of information or a malicious hack into government systems. Those are privacy breaches largely beyond the control of the holder of the information. Rather, these are unlawful disclosures that run afoul of the law. In fact, rather than come clean about the violations, the CSE has refused to disclose the number of “privacy breaches” since 2007 and the government has said it cannot identify those affected.

Three years after Snowden thrust surveillance onto the public agenda, it is time for Canada to reshape how its securities agencies operate. The desperate need for a full airing of Canadian surveillance practices comes not from what was hidden for many years, but what has been happening in plain sight.

Michael Geist holds the Canada Research Chair in Internet and E-commerce Law at the University of Ottawa, Faculty of Law. He can be reached at mgeist@uottawa.ca or online at www.michaelgeist.ca.

Comments are closed.