This is part of Life After Privacy, a four-part series on the risks, challenges and opportunities for citizens and consumers posed by a world where your private information is widely available to governments and corporations.
Is your government gathering masses of cellphone information to protect you, or to invade your privacy?
Spy agencies in Canada, the United States and elsewhere have been caught harvesting huge amounts of potentially private data from laptops, tablets and cellphones of millions of people, including their citizens.
They say this is necessary because of the changed world of security threats, such as terrorism. Back in the Cold War era, spy agencies turned their electronic ears outward in hopes of eavesdropping on Soviet secrets and preventing Cold War-era threats.
But in the years after the Sept. 11 attacks, the snooping came home to roost. Government agencies started to see a utility in collecting telecommunications data from citizens and non-citizens alike, so as to better pinpoint threats that could now arrive from anywhere – including from suspects who move between a dozen portable devices over the course of a day.
The U.S. National Security Agency, its Canadian counterpart and other allied agencies started broadening their collection programs – after getting secret government directives to do so.
The extent of this spying has become clearer thanks to recent leaks and disclosures. Now the taxpayers who fund these surveillance agencies are left to wonder how much their own communications are at risk of being intercepted – and whether what’s going on is, in fact, legal.
Colin Freeze: Over the past year we’ve learned that intelligence agencies are gathering private information at unprecedented rates. In the United States, the activities of the National Security Agency (NSA) have been exposed by Edward Snowden’s leaks, and its Canadian counterpart, the Communications Security Establishment Canada (CSEC) has come under similar scrutiny. Do you think that intelligence agencies – not just in Canada – have become more of a threat to citizens than a benefit? Is their power to invade privacy – whether they overstep their bounds or not – worth it in the pursuit of their stated goals?
Caily DiPuma: We have to debate this cost-benefit question collectively and on a global scale. Of course the government has a duty to protect our security. But the agencies tasked with protecting our national security are going to have to be more transparent about their work. And we are going to have to assess their effectiveness. We cannot decide how much to give up, unless we know what we are really getting in return.
That being said, I have spent a lot of time thinking about this myself and, on a personal level, I am very much concerned that we are giving up too much in the name of national security without having any evidence that these infringements on our rights provide any benefit.
We all want to feel safe – we all want our children and our families to be safe. But, I also want to live in a world where I feel secure from state intrusion. I want my children to grow up knowing that their government is guarding both their rights and their safety. I do not believe that we have to make a choice between protecting our security and preserving our civil rights. I believe that Canada has enough talent, intelligence, and ingenuity to find the right balance.
Craig Forcese: If we didn’t have intelligence services, we’d need to invent them. This isn’t a conversation about abolition. Instead, it is a discussion about evolution.
We haven’t had a serious political discussion about national security institutions since 1984, when the CSIS Act was introduced. The changes made after Sept. 11 were less discussion than reaction. Added to which, 2001 was a technological lifetime ago, when data-rich smartphones were basically a rumour on the horizon and not everyday appliances.
The Arar Commission proposed reform to Canada’s national security accountability systems in 2006. None of those have come to pass. Our national security laws are showing their age – the very fact that we are debating privacy and metadata [the location and calling-record information left by mobile phones] shows the impact of technological change.
The security services are left to apply laws designed for a different era, relying on (usually secret) interpretations, piled on theories, constructed on extrapolations.
No government seems keen to do more than tinker on the margins, and so we muddle along with imperfect and opaque rules. The risk of scandal in that environment is high. So too the threat to the credibility – or what my colleague Wesley Wark calls the “social licence” – of the security services. The very fact that you have posed this question is proof of this.
J. William Galbraith: The legislation governing the two principal intelligence agencies in Canada reflects how Parliament weighed the need for intelligence to help protect the security of Canada on the one hand and, on the other hand, the need to ensure controls over the intrusive powers granted to these agencies.
In the case of CSEC, the Commissioner is a critical part of the control, by being at arm’s length from government; by being “within the security fence;” by having powers under the Inquiries Act giving full access to all CSEC records, facilities and personnel; and by providing recommendations for strengthening compliance with the law and privacy protections to the Minister of National Defence who is responsible for CSEC.
The Commissioner’s reviews have had a significant impact on CSEC resulting in, for example, CSEC stopping certain activities, changes to CSEC policies and procedures to clarify authorities, the prevention of possible non-compliance and the encouragement of privacy protection; and the reporting by CSEC of additional information relating to privacy to support the Minister of National Defence in his accountability for CSEC.
Commissioners have stated that there is a culture of compliance within CSEC. Therefore we would agree with the Chief’s statement before a Senate committee to the effect that if there were indications of CSEC directing certain activities at Canadians, there would be CSEC employees coming to the Commissioner with complaints.
Colin Freeze: Our country’s little-understood electronic-eavesdropping agency, Communications Security Establishment Canada, has spawned much discussion and debate in recent months – some informed, some not so informed. What’s become clear is that CSEC is acting more like the U.S. National Security Agency than many Canadians had thought.
It appears that like the NSA for much of the past decade, CSEC has been trawling through masses of “metadata” – presumably phone logs, Internet addresses, possibly even geo-location information held on smartphones and other devices – in the name of its quest for “foreign” intelligence. And, to some extent or another, CSEC is looking at metadata flowing from Canadian citizens in pursuit of this objective, even though the agency remains banned from eavesdropping on Canadian conversations, which are considered private.
Based on the little that is publicly known about these sorts of practices, is this sort of metadata collection lawful and legal?
Caily DiPuma: Based on what little we know, CSEC’s metadata program is not legal – it infringes Canadians’ privacy and free-expression rights. I use the word “program” because it is not just CSEC’s collection of metadata that is problematic under the Charter of Rights and Freedoms. It is also the use and subsequent analysis of that data that offends the rights of Canadians.
Now, “metadata” is not mentioned at all in the National Defence Act, the legislation that gives CSEC its legal authority. Metadata is not defined in any statute. So it is not entirely clear why CSEC believes it can collect metadata at all.
I can assume it is in part because they argue that metadata are not “private communications;” that is, not the content of communications, just data associated with those communications. This may be a neat and tidy interpretation for them, but Canadians have privacy expectations that extend far beyond just the content of their conversations.
Metadata – collected, held and analyzed over time – has the power to reveal intimate details about a person’s life. Canadians have an expectation of privacy in that information. And that is why CSEC’s collection of it is not legal.
Craig Forcese: Since we don’t really know what CSEC is doing, any response on this question is provisional. But let me raise three quite distinct doubts.
First, I think CSEC can collect metadata under its governing law – but there are constraints.
Second, the government position seems to be that metadata is not “private communication,” attracting special privacy rules. Government lawyers can point to cases supporting their position. I can point to cases that reach opposite conclusions, and I think the Supreme Court is trending towards this view. If the government’s legal theory is wrong, then it commits a crime when it collects metadata without proper authorization.
Third, metadata of the sort that seems to be in play probably attracts constitutional privacy protections. If the Charter is implicated, CSEC likely needs advance blessing from a judge. That hasn’t happened, it would seem.
The government clearly has a different view on each of these questions, not shared with the rest of us. But it is worth noting that the government record of in-court success with its legal positions in national-security matters is mixed, to say the least.
J. William Galbraith: The metadata activities Commissioners have reviewed over eight years have been in compliance with Canadian law.
CSEC has a mandate “to acquire and use information from the global information infrastructure.” Here, “information” includes metadata. Metadata assists CSEC to identify foreign entities located outside Canada and to prevent the interception of private communications.
The National Defence Act prohibits CSEC from directing any of its activities at Canadians. This includes metadata.
Some metadata may involve personal information and CSEC must take measures to protect it, as it must protect privacy in all its activities. “Trawling” through masses of Canadian metadata would be directing activities at Canadians and would be illegal.
The Commissioner is arm’s-length from government. He has at times disagreed with Justice Canada advice to CSEC.
The other panellists are in the difficult position of trying to determine legality when access to the details of these activities is restricted by the Security of Information Act. This is why Parliament established review bodies with full access to the intelligence agencies, “to represent the public interest in accountability.”
If there is disagreement about the scope of CSEC’s mandate, that is a policy issue for Parliament to consider.
Colin Freeze: I don’t blame spies for aggressive spying. I blame lawmakers for not constraining aggressive spying. And what we have now, it seems to me, is a system that is nuts: CSEC almost singlehandedly shapes the secret legal environment it works in, without the benefit of input from MPs or sitting judges.
By this I mean CSEC’s embedded lawyers come up with secret legal opinions that redraw the borders around what’s considered private and what’s not. Defence ministers, who may or may not know anything about signals intelligence, darken the border lines by signing off on secret directives and authorizations, and no one on the outside, with the exception of the Commissioner's office, is ever looped in on the specifics.
So it seems to me we have a system where a hockey team (CSEC) gets to work with its coaches and general manager (Justice Canada and Minister of Defence) to rewrite the rulebook during the game, which the people (citizens) in the arena aren’t allowed to read, and – not surprisingly – no one ever goes to the penalty box. How can the game operate like this?
J. William Galbraith: In any discussion of CSEC activities, the role of the Commissioner must be included because he is a legislated part of how Parliament decided – in the National Defence Act – to strike a balance between the government’s need for foreign intelligence and information-technology security, and the need to protect the privacy of Canadians.
There are no “secret” laws in Canada. It is Parliament that “shapes the legal environment.” The Commissioner has access to all CSEC records, including legal advice, and represents the public interest in accountability. Until last June, there was limited public interest in CSEC or the Commissioner’s office. Parliament has the authority to ask questions of CSEC and the Commissioner.
The Commissioner provides classified reports to the Minister of National Defence to assist him in his accountability for CSEC and also provides a public report for Parliament, as required by the National Defence Act. The Commissioner is also required by law to inform the Minister and the Attorney General of Canada of any CSEC activities he believes may not be in compliance with the law.
Craig Forcese: I believe CSEC acts in good faith and follows rules. The issue is whether it correctly construes those rules. CSEC’s interpretation goes untested outside of the circle of government secrecy.
The British Columbia Civil Liberties Association [Ms. DiPuma’s organization] is trying to change this with their court challenge, and the government responds that BCCLA has no standing to do so. Does this mean that only people who have been spied on (and can prove it) can challenge the constitutionality of CSEC’s actions?
We should all acknowledge that Mr. Galbraith’s boss does vital work. The Commissioner and his staff have disputed CSEC’s legal interpretations before. But they can’t definitively decide these matters. And what they offer in their public reports are conclusions, not explanations.
Meanwhile, Canadian Security Intelligence Service also is allowed to spy, but its type of spying is first approved (or not) by judges. These judges now often issue public versions of their legal analyses – decisions that apparently can even be appealed.
Bottom line: The legal issues around metadata (and CSEC generally) are big legal (and policy) questions – they can be debated in court, before Parliament and in public without spilling national security secrets. Government silence leaves an empty space that others fill with rumours of government skulduggery. That is good for no one.
Caily DiPuma: It is clear that the Office of the Commissioner plays a key role in ensuring that there is some degree of oversight. But the Office of the Commissioner is no substitute for Parliamentary scrutiny. It is no substitute for robust public debate. It is no substitute for the kind of pre-authorized warrant procedures that apply to CSIS or law enforcement.
The Office was simply not designed to fulfill those functions – and I believe that those functions are necessary to achieve a proper balance between protecting our national security and preserving our civil liberties.
Now, certain technical aspects of how CSEC performs its operations will likely remain classified to protect national security. But there is much that the government could do to shed light on the nature and extent of CSEC’s work. As Mr. Forcese commented, government silence creates a vacuum. If the government wants to restore public confidence that privacy rights are being respected, it must give the public and the lawmakers sufficient information to debate these issues with rigor.
Finally, I will just add that there is no “national security” exception to the application of the Charter. The nature of CSEC’s work cannot and does not shield it from constitutional scrutiny. The BCCLA filed its lawsuit so that a court could determine whether CSEC’s collection and use of Canadians’ metadata and private communications passes constitutional muster.
We, obviously, say that it does not.