Michael Geist has been a busy guy. Every time the federal government makes headlines for infringing on Canadians’ privacy rights, particularly online, Geist’s phone rings off the hook. He’s the Canada Research Chair in Internet and E-commerce Law, and that means his opinions matter.
When revelations broke about a massive online and cell-based surveillance program undertaken by the U.S.-based National Security Agency, and separate reports of a similar program run on this side of the border by Communications Security Establishment Canada, many turned to Geist for the definitive view of what it all means for Canadians’ private data. He sat down with Maclean’s to talk about how confident we should feel about the safety and security of our phone calls and emails.
Q: Let’s start with a simple question: How likely is it that an e-mail that I have sent from my personal account is somewhere in some database—maybe not the e-mail, but the metadata surrounding it—in the United States, and some element of the U.S. government has that in its possession?
A: The truth is we don’t know for sure, and so had you asked me about a phone call, you were roaming in the United States or you’re calling someone in the U.S., then I think we could probably say it’s very likely that that’s been collected. We know on the cell phone side there really hasn’t been anybody contest the fact that Verizon has been making available literally metadata on all phone calls—cell phone calls—and I think it seems somewhat undisputed that the same would be true for the other providers in the U.S.
Q: I have gone to the United States, I’ve roamed a little bit, made a few phone calls. How worried should I be, or how concerned should I be about the data that they do have? Is it something that I should lose sleep over if I’ve just made a few phone calls to a few friends saying, “I’m in front of the Washington Monument, and isn’t this a wonderful thing?”
A: Certainly, there’s a lot of people trying to downplay all of this and saying the answer is no, and of course your call is just one of hundreds of millions or billions that are taking place over a period of time, and unless there’s a reason for them to be of consequence, they’re likely to be seen as inconsequential. That said, it seems to me that the metadata off the cell phone tracking is, at least for now, given what we know, the more significant of the two stories. It doesn’t carry the same fancy name like PRISM, and doesn’t have the same sort of big, sexy companies like Google and Microsoft and Apple, but it’s clearly incredibly invasive in terms of such a broad amount of coverage, and the potential to use that metadata to identify any number of things: what your network of friends looks like, their network, where the connections happen to be, where you were physically located at any particular point in time? Did you enter the United States through a flight to New York, and listed the hotel that you’re going to stay at in that customs form as being a hotel in New York—but suddenly found yourself in front of the Washington Monument? Why is that, when you claimed that you’d be something else? And why is it that one of your phone calls was to an individual that happened to be at a rally in San Francisco on a particular day protesting something or other? I mean, these are the kinds of things that, once you get into the sorts of data mining that we’re now capable of, can well happen. You know, I was writing this week that we’ve got 20th century laws and 21st century surveillance taking place, and so the ability to have the appropriate levels of oversight and constraints aren’t there, in part because I don’t think that many envisioned—well, some did, Orwellian-type visions were there—but many envisioned that these kinds of capabilities would come as quickly as they have.
Q: I want to talk about those laws and maybe potential reforms a little bit. Polls have come out—I guess fairly preliminary polls, since the news has just hit in the United States—saying that there’s actually some measure of support for this kind of stuff. Usually, when laws like this are changed, it often has to do with public pressure, right?
Q: What are the odds that the laws, whether in the United States or in Canada, will see some sort of evolution?
A: At this stage, they seem pretty slim. Certainly, the scale is so enormous that I think part of what’s happening is that people are just having a hard time processing it. When you read that the NSA is accessing 97 billion intelligence pieces or documents on a monthly basis, I mean, that number is simply so staggering in terms of just the pervasiveness of surveillance that it’s very difficult to process and figure out what that means.
Layer on top of that a $2-billion facility in Utah that’s scheduled to open in a few months’ time that is devoted to this collection, and then data-mining of that information, and we’re talking about surveillance at a scale that, at least in these democratic countries, we previously weren’t thinking about.
The public reaction this time, if not one of acceptance, is perhaps one of resignation—almost the sense that, yes, this stuff happens and having now undergone a number of similar kinds of instances—if not as large—in the past where nothing really changed, there’s almost the sense publicly that well, yes, this happens, and almost this sense of powerlessness that there’s very little that can be done about it. Certainly the political response—and you see it both I think in Canada and in the United States—is one of not just no apologies but one of outright defending otherwise previously secret programs that go far beyond what a lot of people otherwise would have thought.
Now, we are seeing attempts, certainly, from civil society and other groups, to fight back, and the ACLU I know has filed suit, and we can expect a lot of other groups to pursue every legal avenue that they can, and I’m sure there will be some outspoken members of Congress who will do the same. But we had some outspoken members of Congress—not many in a post-911 world—that fought up against the Patriot Act and stuff like that. They were unsuccessful then. Ten years on this becomes so entrenched that, reading the tea leaves, it doesn’t look like there’s some strong movement certainly in Congress to overturn this—and right now it doesn’t feel like there’s a strong movement publicly, either, although perhaps as people come to better understand just the sheer magnitude of this and more and more information leaks out, and they better appreciate how it may directly affect them and their family and their friends, there may be greater demands for change.
Q: In the wake of the American program, of course it’s been reported that there’s a Canadian surveillance program that was, for some years, active, stopped being active, and then in 2011 Defence Minister Peter MacKay reactivated this program or approved it. I’m wondering what your sense is of the Canadian reaction publicly to this, and how it might differ, or maybe be similar to the American public reaction?
A: Part of the problem in Canada is that we have even less information, in a sense, than we had in the United States. In the U.S., the information is a result of leaked documents straight out of the NSA, and the response of the NSA in some instances, rather than denying anything, has been to acknowledge it exists, defend it, and even try to provide essentially their spin or their perspective on why it’s been happening. In Canada, this is coming out of out of access-to–information documents, and so it’s certainly clearly official government documents, they’re redacted so you’re not getting the full picture, you’re getting just the picture that the government is willing to, in a sense, provide as part of it, and we haven’t seen as strong a reaction.
Part of that may be because we know even less than we know in the United States, part of it may be that in an environment where we’ve been dealing with political scandal after political scandal, I mean, for some this may just feel like just another log on the fire and it doesn’t get the attention it might otherwise deserve. But it’s early days still. Some of us have been writing for some time with the expectation that, in fact, Canada surely was involved or, at a minimum, Canadians were clearly going to be affected by this in the U.S., and that some of the same sorts of powers that we decry in a U.S. context have been pretty much available in Canada as well.
Q: You’ve mused about the potential involvement of say, Bell and Telus in providing information to the government departments. How do we find out about that? Do we just hope one day the information leaks because a whistle-blower comes forward, or is there any way to compel these companies to kind of come clean if there is anything to come clean about?
A: That’s one of the most interesting and big questions that’s out there. We now know that we have a metadata program that sounds, when it’s described, like it’s quite similar to what the Verizon program looks like in the United States. What we don’t know: is the Canadian program one that’s being done with the active participation of the major Canadian telecommunications companies? And it’s something that we surely ought to know. I was writing, a number of months ago, on the issue of telecom transparency and the fact that we’ve seen a number of Internet companies, without knowing that this is what was going to come to the fore, but simply seeing greater demands for transparency—and some responsiveness from companies like Google and Twitter and even Microsoft that had been more responsive to government requests for this information. And yet, especially in the aftermath of the very public fight over lawful access, Bill C-30, when people were surprised to learn that there is, in fact, tens of thousands of instances where there are these disclosures that take place legally under Canadian privacy law coming from major Internet companies and telecommunications companies without any disclosure of that taking place, there is a desperate need for greater transparency about what those companies do, under what circumstances do they disclose, and do they in fact disclose on a very wide basis.
We don’t know any of that right now, and I think that I’d like to see the Canadian privacy commissioner, frankly, get far more aggressive about demanding access to that kind of information. Indeed, the commissioner, it should be noted, doesn’t have to wait just for complaints, there is audit power. She has used that audit power in the past, in some instances, with federal departments. I think this is crying out for a case of an audit from the privacy commissioner of the major telecom companies to better understand the information they collect. We have a pretty good sense of just how widespread that is when you start getting into metadata, but even more under what circumstances, when is it shared, when is it disclosed, under what circumstances, with what level of cooperation, with what kind of protections, under what circumstances is it then destroyed, how is it ultimately used? There is a large data trail that we all give off almost every moment of the day, if we’re walking around with cellphones actively contacting cell towers. It’s a huge amount of information and we just don’t know very much about what happens to it.
Q: How confident are you that that process will be undertaken by the commissioner? Do you have a lot of confidence?
A: Given that most of the stuff only seems to come up whether by leaks or proactive attempts to obtain information through access to information, we’re not in an environment where we’re proactively trying to grapple with these sorts of issues. That’s clearly not what’s happening. One would hope that perhaps this becomes a bit of a watershed moment that says, “Okay, you know what? This is happening on a scale that most previously didn’t fully appreciate and we need to begin the process of dealing with it in a far better way and have a much more mature, open discussion and debate about what’s appropriate, what’s necessary. And to the extent to which we have things that are necessary that some feel are inappropriate or at least unfortunate, how do we find ways to ensure that we surround that with safeguards and oversight that try to limit the prospect for misuse or abuse?” And we’re not even close to having any of that. For the moment, it’s either just denials or partisan claims from either side that this is seen as an opportunity to score political points as opposed to a genuine effort to try to ensure that we’ve got the security we need—and also the privacy we deserve.