In the mid-20th century, George Orwell imagined a future where the government monitored everyone’s every move and every thought using what he called a telescreen. It was an omnipresent television-like device that not only monitored everyone at all times but also broadcast government propaganda.
Telescreens, as Orwell imagined them, do not exist. At least, not yet.
But an Orwellian future might be closer than we think.
In late January, CBC revealed that Communications Security Establishment Canada used the free Wi-Fi service of an undisclosed “major Canadian airport” to track the electronic devices, such as laptops, tablets and mobile phones, of thousands of travellers in 2012.
The information came from a document leaked by National Security Agency whistleblower Edward Snowden. It revealed that CSEC tracked the devices for up to several weeks as they were connected to other public wireless hotspots in Canada, such as those in hotels and coffee shops, and American airports. The agency was also able to trace back the electronic devices days before they even passed through the airport.
In a written response to CBC, CSEC said Snowden’s document disclosed an effort to develop an active surveillance system and not a system that is actually in place. According to CBC sources, however, the technologies CSEC used to collect the data “have since become fully operational.”
But if people have nothing to hide, why should they care about government surveillance?
Because Canada is a democracy.
CSEC says it is authorized to collect and analyze metadata – data about data. In other words, CSEC says it does not and cannot, for example, read the content of emails. What the agency has access to is the information about the emails themselves, such as who is emailing whom and when.
Although collecting and analyzing this type of data may seem insignificant, it isn’t.
“In some ways, it’s actually worse than if they were actually reading the content of emails,” said David Christopher, communications manager at OpenMedia, a Canadian organization focused on protecting online rights.
By collecting metadata, CSEC can figure out where people live and work, who their friends are, what their political and religious beliefs are, and even what their medical conditions are, Christopher said.
“You don’t need to read a message to an AIDS specialist to come to some big conclusions – you just need to know how often someone is emailing that specialist,” said Rebecca Jeschke, media relations director at Electronic Frontiers Foundation, an international digital rights group.
A text message or two to a bankruptcy lawyer can easily reveal someone’s financial status. A few emails to an Alcoholics Anonymous group undermines the whole purpose of such an organization.
“We all know what kind of power something like our credit report can have, even when (maybe especially when) there’s bad data on there,” Jeschke said in an email. “The government now has the ability to create reports like this, with even bigger consequences.”
In a report published earlier this month, a group of Stanford University graduate students concluded that “phone metadata is highly sensitive.” The students analyzed phone metadata from participants and were able to determine a participant’s medical condition and another’s firearm ownership based solely on their call patterns.
“You can pretty much paint a complete picture of someone’s life just by monitoring their metadata,” Christopher said. “That’s why it’s terrible. It’s deeply undemocratic that government agencies are collecting metadata from law-abiding citizens and storing that in giant databases where they can be accessed forever … it seems like at present.”
In a democracy, the government should work for the people and not the other way around, he said.
Christopher says the way CSEC operates is akin to what people would expect from a totalitarian state, not a democratic one.
“The Stasi in East Germany would’ve loved to have a system like CSEC has now.”
People have a right to keep their private lives private, and Canada already has a good judiciary system in place to put people under physical surveillance, he said.
“(Law enforcement agencies) need a warrant and probable cause to believe that they’ve done something wrong,” Christopher said. “And there are checks and balances … to protect peoples’ privacy.”
If that’s the case for putting someone under physical surveillance, he asks, why can’t it be the same for putting someone under online surveillance?
The other thing is, the government is using taxpayers’ money to fund CSEC, Christopher said. Last October, CBC revealed that the government is constructing a billion dollar new headquarters for CSEC – the most expensive government building in history.
And the annual cost of the agency’s operations? Almost half a billion a year, according to Christopher. Next year, the estimate is at almost $1 billion, he said.
“That’s a huge amount of money. It could be spent on schools. It could be spent on hospitals. It could be spent on reducing the tax burden.”
That the Canadian government is spying on its people using their own money is one thing. But there’s an even larger democratic issue at play – the agency’s secrecy.
“There’s a risk when you give government agencies intrusive powers and allow them to use them in profound secrecy,” said Stephen McCammon, the Information and Privacy
Commissioner of Ontario’s legal counsel. “There’s a risk to our fundamental rights and freedoms.”
In an email response, CSEC said it is the agency’s “mandate to collect foreign signals intelligence to protect Canada and Canadians,” and that to do so, it has legal power to collect and analyze metadata.
Whether electronic surveillance actually helps CSEC find “foreign intelligence targets such as terrorists, hostage takers and foreign intelligence agents in locations outside of Canada,” as the agency wrote in the email response, is a whole other issue in itself. (In the United States, while the government claims its surveillance program helped discover more than 50 terrorist plots, critics have their doubts.)
But another question is: CSEC’s activities are legal according to whose interpretation of the law? The answer is the Ministry of National Defence’s.
However, every year, the Office of the CSEC Commissioner reviews CSEC’s operations and determines whether they comply with the law.
In the CSEC Commissioner’s Annual Report of 2006-2007, the then CSEC Commissioner, Charles Gonthier, cited “fundamental differences of opinion” in the interpretation of the act that gives CSEC legal authority to intercept private communications. Gonthier advised that the legislation be amended for clarity, something both his predecessors also suggested.
According to last year’s Annual Report, the act still hasn’t been amended.
“It seems that the CSEC Commissioner is largely not empowered to speak and thus is not empowered to tell Canadians in enough detail what’s going on and what the problems are with current spying powers and operations,” McCammon said.
“The very yardstick the CSEC Commissioner uses to evaluate whether CSEC is complying with the law … is so ambiguous and in such dispute within the confines of the secret system that we can’t be confident that CSEC’s activities are in exact compliance with the law nor can we be confident of the scope of their surveillance powers. So that’s quite a problem when you think that the government has defended CSEC’s activities and said Canadians should be confident in them.”
According to CSEC, the Office of the CSEC Commissioner reviewed the agency’s metadata activities over the span of eight years. This review was completed in 2011, a year before the airport electronic device tracking, and deemed lawful.
“The CSE Commissioner is also currently conducting another review of CSE’s metadata activities,” CSEC said.
What’s odd about that is that in the Office of the CSEC Commissioner’s Annual Reports – the only reports that really provide a window into what’s going on at CSEC — the word “metadata” only appears once since 2001, McCammon said.
“In addition to the possibility that we have armed our spies with too much power, we certainly quote them too much secrecy,” McCammon said. “And that is exactly the risk that we have to address now — whether some or even all of their powers are justified. It’s impossible to tell without more informed public discussion.”
Informed public discussion is what McCammon says needs to be the first step to resolve these issues.
“While respecting necessary operational secrecy, we have to facilitate necessary public discussion. And we’re not anywhere near that in Canada.”
McCammon is confident this discussion will happen.
“It’s a conversation that’s not gonna go away,” he said. “And it’s also not gonna go away because Snowden’s releases are not by any means done … We can probably anticipate that there will be more Canadian-specific, Canadian-centred revelations to come. So CSEC is going to be in the news whether it wants to be or not.”
So, how can people protect themselves from government and non-government Internet surveillance?
“Encryption is the best way to ensure confidentiality,” said Claudiu Popa, CEO of Informatica, a business security and privacy risk-assessment company.
Even Snowden agrees. At the South by Southwest Interactive Festival earlier this month, he said the American government still has no idea what documents he has “because encryption works.”
To simplify the concept, encrypting means password-protecting your information. Without the password, the data is gibberish. (It’s actually way more complicated than that.)
Encryption isn’t ideal, though. For one, it’s quite inconvenient.
“Right now we’re at a stage where convenience is at a premium, and it’s hard to find a convenient way of encrypting,” Popa said.
To have an encrypted conversation, either by email, text message or phone call, both participants must use encrypting software, he explained.
Encrypting data also means people have to enter a password every time they want to open a file, text message or email.
But more importantly, encryption isn’t completely secure.
“(Encryption) does offer some protection, but we actually know the NSA has been very actively involved – and with CSEC’s help – in building ‘back doors’ into encryption services, trying to undermine people’s encryption,” OpenMedia’s Christopher said.
Popa says that people need to make sure the tools they use to encrypt their data are verifiable and programmed adequately.
But how do people decide what’s worth securing?
Popa says encrypting everything, although possible, doesn’t make much sense for individuals – it’s more inconvenient than practical.
“I don’t think the pendulum needs to swing all the way to the other end and make people retract into their shells and say, ‘Okay, everything I do is now completely private,’ ” he said.
The way to figure out what to protect is by figuring out where people spend the most time on their computer, he said.
“Social media is where you really should be looking to protect your personal information and essentially censor some of the stuff that goes online,” he said.
Then it’s email, followed by web browsing.
“The web’s activities really need to be protected because a lot of the threats do come through the web,” Popa said.
At the end of the day, though, Christopher and Popa agree that encryption isn’t the answer.
“We kind of really keep going back to the need for a political solution to this as the only real way that we will resolve this problem,” Christopher said.
Even if encryption was convenient and completely secure, Christopher says people shouldn’t have to change the way they use the Internet to protect their privacy.
“The Internet is a fantastic tool for sharing and for collaboration. We want it to continue to be such a fantastic tool for people to use,” he said.
“It’s that value that’s really being threatened by this online spying that’s going on.”