By Lisa M. Austin, Heather Black, Michael Geist, Avner Levin and Ian Kerr
Over the past six months, the steady stream of disclosures from former U.S. National Security Agency (NSA) contractor Edward Snowden has revealed a massive surveillance infrastructure that seemingly touches all Internet and telephone communication across the globe.
While the issue has generated robust debates in many countries, the Canadian political response has been relatively quiet. In an effort to address the lack of oversight over Canadian surveillance activities, Liberal MP and former public safety minister Wayne Easter recently introduced Bill C-551, which would establish a National Security Committee of Parliamentarians.
The bill is a welcome move towards providing greater transparency and accountability for Canadian intelligence agencies, yet attention to oversight is not enough. We also need to address the legal framework under which these agencies operate, and the privacy protections granted to Canadians under the law.
This is true not only for Canada — our law’s 20th-century privacy protections are no match for 21st-century surveillance technologies — but also for U.S. law. The need for U.S. reforms may represent an enormous challenge, but Canadians find themselves between a proverbial rock and a hard place, as our communications data is increasingly stored on the servers of U.S. companies subject to U.S. law.
U.S. cloud computing services and apps such as Gmail, Dropbox and Evernote are very popular with both individual users and large organizations. Indeed, several Canadian universities have already, or are currently considering, outsourcing their email to cloud-based services offered by U.S. giants such as Google and Microsoft. This means that hundreds of thousands of Canadian teachers and students will find their personal data hosted in the United States, with little or no say in the matter.
The move to the cloud certainly offers some convenience and cost savings, yet it also makes our data vulnerable to state surveillance through NSA programs such as PRISM and MUSCULAR. As renowned security expert Bruce Schneier recently wrote, the NSA did not build an Internet surveillance system alone; it noticed that Internet companies had already done this “and simply got copies for itself.”
Cloud computing services often appear free to users, however, the reality is that they come at a significant privacy cost, particularly for customers that aren’t based in the United States. The 2008 FISA Amendments Act, for example, permits American authorities to seek broad certification to collect categories of foreign intelligence information for up to a year. American authorities can then issue directives to U.S. Internet companies compelling them to hand over (and decrypt) information that falls within the broad terms of this certification.
These are not court orders and they do not require anything remotely resembling particularized suspicion. Rather, this legislation provides legal authorization for broad fishing expeditions in relation to both the content and metadata of the communications of non-U.S. persons.
Unlike Americans, who are protected through a variety of mechanisms aimed at respecting their constitutional privacy rights and freedom of expression, people outside the U.S. are only protected through the definition of “foreign intelligence information.” This includes information “with respect to a foreign power or foreign territory that relates to … the conduct of the foreign affairs of the United States.” With such a broad definition, there is practically no protection at all.
Surveillance with such lax privacy protections is fundamentally inconsistent with the values of a free and democratic society. There is simply no comparable Canadian law that applies similar standards to Canadians. If there was such a law, it would be a gross violation of our constitutional rights.
We are not opposed to cloud computing in principle. Some of us have been enthusiastic users of U.S.-based cloud computing such that we cannot remember what it was like to work without Dropbox and other services. Some of us have been supporters of outsourcing and have even made, or helped to make, key legal decisions in this area.
Global communications presents so many opportunities and we need to embrace it rather than lock down our borders. But just as we would not shop online without legal assurances that our financial information is kept secure, we should not be willing to place our data in the U.S. cloud without stronger privacy protection. This is not about placing barricades around our communications, but about insisting on the basic conditions for freedom of speech and association.
When we decided to open our border to trade with the United States, we did so with a free trade agreement. That agreement put in place various legal obligations and a dispute-resolution process. This is how we deal with our interconnected world. If we can do it with goods and services, we can do it with data. Our government and our privacy commissioners need to lead the charge by demanding that information about Canadians in the U.S. receive the level of protection afforded to it by our own constitution.