On 6 June 2013 it was revealed that the US Government has been collecting metadata from millions of Verizon accounts in the United States under a court order. The order provided that data be produced for all “telephony metadata” for calls where at least one party was in the United States.
Following that was the public exposure of an NSA program called PRISM which revealed links between the NSA and major Internet entities – Apple, Google, Facebook and others – who allegedly allowed the NSA access to user information including e-mails, attachments, address books, calendars, files stored in the cloud, text/audio/video chats, and metadata.
Reaction has been swift, most people are uneasy and confused by these revelations. Here is an initial FAQ on how these programs impact Canadians (and others):
1. What is metadata exactly?
By definition, metadata is data about data – in other words, the information generated when we use technology. This can include: the date and time of a transaction, locations between which communications are exchanged as well as the location from which the information is accessed, length of time of an exchange, the type of device used, the activity (search, file transfer, etc.), search terms, and other similar information.
2. If there isn’t any personal information revealed, why worry about metadata?
Despite not collecting content, the mere fact of communication between two parties may establish a (presumptive) relationship between them, especially where there is more than one incidence of contact. Confidential albeit legal conduct (ranging from extramarital affairs to 'whistle-blowing") may be inferred from such data.
Metadata can contain within it personal information. As Jay Stanley and Ben Vizner argue “…like the list of books we check out of a library, the sites we “visit” online are really a list of things we’ve read. Not only do URLs often contain content – such as search terms embedded within them – but the very fact that we’ve visited a page with a URL such as “www.webmd.com/depression” can be every bit as revealing as the content of an email message.”
So-called "data mining" or analysis may also reveal information from metadata. An MIT research study, for instance, showed that analysis of an individual’s social network contacts was sufficient to identify the sexual orientation of the individual.
3. Do they impact me as a Canadian?
While PRISM is a program of the United States government, it is important to note that the NSA is claiming that PRISM is targeted at non-US residents, although the standard of proof for non-US residency appears to be fairly low. This means that information of Canadians may well be collected under these programs.
4. If I keep all my communications within Canada can I avoid such scrutiny?
It is virtually impossible to keep one’s communications entirely within Canada. Just as domestic Canadian flights often enter US airspace, so too do the majority of Canadian communications get routed through the US telecommunications infrastructure even where both sender and receiver are located in Canada.
Not only may Canadian communications become part of the US framework, but as non-US-citizens, Canadians have no protections from surveillance under US law.
5. Are there similar Canadian government surveillance programs?
It seems inescapable that such surveillance is not restricted to US agencies.
The Globe and Mail has published a document from 2011, obtained via Access to Information, that appears to show the Minister of Defence authorizing a “Top Secret” program intended to mine global metadata.
Apart from such a program, as Michael Geist and Milana Homsi argue, under s. 21 of the Canadian Security Intelligence Act CSIS has the same warrant and information collecting information that is being exercised by FISA and the NSA in the United States. This certainly suggests the possibility that CSIS might be engaged in similar information collection.
Communications Security Establishment Canada is Canada’s version of the NSA. The CSEC's mission is to assist law enforcement and security mandates, and it appears to have powers akin to the NSA powers that are being exercised in PRISM and similar programs.
Unfortunately, it is not possible to be certain whether or how these powers are being exercised. As Colin Horgan states:
When asked about possible involvement in the PRISM program, CSEC was predictably cagey. I put a series of question to them on Friday about whether CSEC ever had access to PRISM; whether CSEC compiles information from internet companies based outside of Canada (and whether it ever had access to data collection systems for Facebook, Google, Apple, Yahoo, Microsoft or Skype); whether CSEC collects “metadata” (that is, data about data – so, things like who information is being sent to and received by, the time of sending, the duration of the communications, locations of the sender and receiver) and what it might do with that data should it collect it. CSEC’s answer was simply that it would not say much.
To “comment on its methods, operations or capabilities,” Ryan Foreman, a spokesman from CSEC, told me via email, “would undermine CSEC’s ability to carry out its mandate.”
6. What, if anything, is being done to protect privacy rights in Canada?
CSEC is overseen by the Communications Security Establishment Commissioner, who reviews activities to ensure that they are appropriately authorized, that they are not targeted at Canadians, and that the privacy of Canadians is protected. The Commissioner submits an Annual Report to Parliament every year.
Additionally, the Privacy Commissioner of Canada has expressed concern about this issue and has reportedly reached out to CSEC to begin an investigation.
The European Parliament’s Committee on Civil Liberties, Justice and Home Affairs is also setting up a special committee to investigate the NSA/PRISM issues. The committee’s report is expected by the end of the year.
NOTE: Reputable Blog is committed to covering the legal and ethical issues of these and other issues that impact privacy. For ongoing analysis subscribe to our updates.