Unexpected Eyes: Surveillance Beyond Borders

April 12, 2017

Because the Learn section of TalkRights features content produced by CCLA volunteers and interviews with experts in their own words, opinions expressed here do not necessarily represent the CCLA’s own policies or positions. For official publications, key reports, position papers, legal documentation, and up-to-date news about the CCLA’s work check out the In Focus section of our website.

 

One issue that’s already been discussed in other articles on the CCLA website is what happens to personal information when it moves across national borders, and beyond the long arm of the Canadian law. This article seeks to provide some context regarding how your personal information may be exposed to threats on a global scale, in ways you may not have realized.

While once upon a time, sensitive information was kept in physical form (and often under lock and key) according to an article by Privacy International (called Eyes Wide Open), the digitization of data has changed things immensely. It’s no longer possible to expect your personal information to remain within Canadian borders once you’re used it online (take for example a credit card purchase). Transparent Lives: Surveillance in Canada argues that data was once kept in “national silos,” while now it flows across borders with ease. This poses some serious problems for Canadian citizens. As I’ve alluded to already, once that credit card purchase you’ve made is received in another jurisdiction, Canada’s laws have little power to control how the personal information attached to that transaction is used.

A source of great uncertainty in this regard is what happens to the information that’s collected by the intelligence agencies operated by Canada’s allies (an excellent example being the United States intelligence community). The way that sensitive information (including personal information) is stored and transported has changed radically with the advent of the internet, and it’s now apparent that many Western nations operate mass-surveillance operations which likely collect Canadian internet traffic, including much of the personal information therein.

So, to begin with, let’s talk briefly about how your personal information may be collected and shared intentionally by other nations’ governments.

Origins of the Five Eyes

International collection and sharing of intelligence (including personal information) arguably has its origins in the wake of the Second World War, when Canada and other allied powers entered into legal agreements obligating them to share the proceeds of their signals intelligence efforts. At the time, signals intelligence referred to collection of data transmitted over telecommunications technologies in use in the late 1940s, such as the telephone, telegram, and radio.

According to Eyes Wide Open, the Five Eyes alliance was perhaps the most significant of these agreements, comprised of the United States, Canada, England, Australia, and New Zealand. Information on the Five Eyes alliance is quite limited, however what we do have access to provides interesting insight into the history of international surveillance.

The Five Eyes arrangement was largely under the radar for the last half of the twentieth century. While its existence was noted by historians and journalists, there was little public understanding of what the alliance was up to. However, the leaks of famous intelligence whistleblower Edward Snowden changed that considerably. Documents leaked by Snowden began to reveal the extent to which the United States, Canada, and other Five Eyes partners were surveilling foreign and domestic communications online.

In Eyes Wide Open, it’s stated that information gathered by the Five Eyes partners was (and is) available to other members of the alliance very liberally, effectively creating a single multinational intelligence organization. This presents some cause for concern, however. Since our Canadian laws do not apply outside of our national territory, this means that information pertaining to Canadian citizens may be gathered by other members of the Five Eyes and shared in any number of ways. In reality it’s not public knowledge whether or not they have a legal obligation to safeguard our information in any way.

The Five Eyes today

With the advent of modern technology, surveillance has changed drastically. Heavy public reliance on the internet and other modern communication networks has broadened the ambit of electronic spying greatly – recent changes in the nature of telecommunication have resulted in surveillance taking on a broadened scope.

For example, it appears that several world powers (including Canada) now operate global mass-surveillance networks that monitor millions of communications every day. Canada’s foray into this field is called LEVITATION, and was revealed as part of Edward Snowden’s famous leaks. The extent to which LEVITATION monitors Canadians is unknown, however there is evidence that Canadian communications are captured by it to some degree.

From a privacy point of view, these programs are quite problematic. Not only do they represent massive collection of data – they also allow for data sharing on a massive scale. Sharing the proceeds of these online mass-surveillance devices may well be a major part of the Five Eyes alliance in the modern context. Assuming that it’s possible that the surveillance proceeds of LEVITATION are available to Canada’s allies in the Five Eyes, the inverse may also be true – information regarding Canadians gathered by, say, the United States may be available to Canada’s government or to other powers. As I’ve already mentioned, Eyes Wide Open states that information gathered by Five Eyes partners is available to the other participants “by default” – so it isn’t too far fetched to imagine that Canada can easily get access to Canadians’ private information without surveilling us directly.

Our border with the United States

Outside of the realm of intelligence alliances and what you might call “intentional” data sharing lies an issue which is perhaps more insidious: the unintentional transmission of online data outside of Canadian borders.

Take for example our southern border (the longest international border in the world). Over 25 per cent of communications made from one place in Canada to another actually detour south to US communication facilities (such as email servers) before being rerouted to their Canadian destination. While this might seem harmless, remember again that Canada’s laws designed to protect Canadians’ privacy do not apply outside of our borders. As a result, if a Canadian communication is recorded while it’s in the US, a copy of any data contained in it may forever remain outside of Canadian control.

An example of this is described in Transparent Lives. Apparently, a Canadian publication was able to purchase the private phone logs of Jennifer Stoddard (who was then Canada’s Privacy Commissioner) from an American data broker. This demonstrates the ease with which sensitive, personal information regarding Canadians can be collected by foreign actors who need not worry about Canadian laws.

Further, whenever you use your favourite social media platform or email service, it’s quite likely that your data is sent south of the border to the US. It’s been claimed that American authorities have the ability to monitor all online communications entering and leaving their territory, so it’s possible that these types of personal communications may be intercepted by our neighbours. Because of realities such as this, it’s essential that Canadians think carefully about how their actions online may be observed by unexpected eyes.

Looking Ahead

Today it’s more important than ever that we understand how our information may be exploited due to the increasing globalization of data – particularly in our use of the internet.

The advent of the internet means that our communications may cross international borders on their way to their destinations, which means they’re exposed to unprecedented risk of being intercepted. If your data is leaving the country because of communication infrastructure on the other side of national borders, it’s most likely happening without your knowledge. This is potentially true of everything from phone calls to emails to social media traffic.

Unfortunately, the reality of cross-border surveillance means that our national privacy laws (such as the Personal Information Protection and Electronic Documents Act) may not be adequate to protect our personal information. Once data flows across borders (as it does in most of our online activities), Canadian laws are powerless to ensure that it is protected from abuse. However, there’s some hope that privacy laws could change for the better. For example, UN Universal Declaration of Human Rights provides (in Article 12) that “[n]o one shall be subjected to arbitrary interference with his privacy.” Canadian policy dictates that values of international law such as these should be reflected in domestic law in the absence of conflicting legislation, so it’s possible that general statements such as this may motivate a shift towards more effective privacy laws, and perhaps international privacy cooperation.

In sum, if privacy is important to you, it’s essential that you maintain intelligent habits when using online services. Limit the amount of personal information you share using online shopping services, email services, and social media. Being aware of your privacy rights and the laws designed to protect you is crucial, but it’s also important to recognize that these specific rights and laws only apply here in Canada. Be vocal about changes you want to see to privacy law and how Canada can work together with other nations to keep our personal information safe.