One hundred and twenty-eight Canadians. According to Google, that’s the number of users in this country on whom our government requested account data in 2012. And fewer than half of those requests resulted in Google actually providing authorities with any information.
But is that the whole story? In the wake of revelations about PRISM, one of several bulk surveillance efforts by the U.S. National Security Agency, Canadians have been wondering if something similar has been happening here, wherein the data of millions is getting scooped up in whole, stored, and analysed at some later date. Last month, the Globe and Mail revealed the existence of a metadata surveillance effort by CSEC (Communications Security Establishment Canada). CSEC, our little-known equivalent to the NSA, is tasked with “foreign signals intelligence,” but as the Globe revealed, they’ve also been spying on Canadians. Metadata is information about a communication (say, who sent a message, to whom, when, and from where) but does not include the message itself. The Globe learned through access to information requests that CSEC has spied on bulk metadata, but reported nothing on how CSEC was obtaining this data, or on which companies have been aiding them.
Little is publicly known in Canada about bulk surveillance on the actual content of our communications. Internet Law professor Michael Geist recently provided an analysis of Canadian law in relation to the mandates of CSIS and CSEC. Geist found equivalents in Canadian law for most of the U.S. statutes that enable the NSA to operate as it does, and language from our intelligence agencies suggesting that they may be up to the same tricks as their ‘Five Eyes’ partner stateside. To the question, “does this mean Canadian authorities are engaged in similar forms of surveillance?” Geist concludes that it is certainly possible, even likely.
If so, Google says they aren’t involved. I asked Google Canada spokesperson Leslie Church if the search giant is participating with our government in any bulk surveillance effort of any kind. Here’s what she says:
“We do not provide broad or untargeted access to user data. We refuse to participate in any program – for national security or other reasons – that requires us to provide governments with access to our systems or to install their equipment on our networks.”
As comforting as Church’s statement sounds, it’s still not a simple “no.” Might she be employing semantic sophistry to obscure some kind of bulk spying which Google considers to be “targeted” enough not to qualify as bulk surveillance? Or perhaps a mass spying technique that doesn’t involve installing government spyware or handing over the keys to Google servers? Why, I ask, can’t Google simply assure me there were no surveillance targets in 2012 beyond the 128 users they’ve disclosed?
Instead of an answer, Church directs me to David Fraser, a well-known Canadian Internet privacy lawyer who has worked for Google. Because Fraser is unwilling to speak directly about Google (he doesn’t represent them in this matter), we speak instead about what Canadian law has to say about digital surveillance.
I ask Fraser if a company like Google might be placed under a “gag order” by the courts whereby they wouldn’t be allowed to disclose a surveillance effort. Fraser tells me that “there’s no ‘Fight Club’ rule in the National Defence Act, but the CSIS act does give courts broad discretion to put terms and conditions into a surveillance warrant.”
Might one of those conditions be secrecy, I ask? “It’s possible,” says Fraser.
But Fraser also explains just how difficult it would be for CSIS or CSEC to enlist a U.S.-based company like Google. Corporate structuring, or the physical location of servers, might place data outside of the jurisdiction of Canadian law. Meanwhile, U.S. law might prevent them from providing intelligence to a foreign government.
The truth is, if CSIS and CSEC wanted to intercept every bit of data we create (including information that passes through Google’s servers), they could get it without Google’s help. The most logical place to nab it would be at the backbone level: from Canadian infrastructure owners like Bell, Telus and Rogers (the parent company of Maclean’s).
So I posed the same question to these companies, which collectively control over 90 per cent of the telecommunications market in Canada. Have they been providing police or other authorities with bulk data on their customers?
Bell responded, with a fairly direct denial from spokesperson Jacqueline Michelis:
“Bell would only provide access to law enforcement agencies in response to a court-approved warrant regarding specific individuals and as part of an ongoing investigation.”
I followed up, just to be sure that Bell defines “specific individuals” the same way we all would: someone specified by their name, not by vague specifications like, say, “all males over 18 residing in this postal code.”
Michelis confirmed that yes, Bell needs warrants with names before they’ll hand over data.
Rogers and Telus have yet to respond. If and when they do, I’ll update this post with their replies.
UPDATE: To my question (is Telus providing CSEC, CSIS, or any other branch of Canadian law enforcement with bulk data, including metadata, on its internet or mobile customers?), Telus spokesperson Shawn Hall has responded with the following:
“TELUS fully supports law enforcement’s need to carry out lawful wiretap of communications with a warrant, which ensures proper judicial oversight and protection of customer privacy. It can be a necessary tool in their investigations. We do not voluntary (sic.) release customer information.”
Follow Jesse on Twitter @JesseBrown