The Communications Security Establishment’s surveillance practices raise significant privacy concerns, but full answers, transparency, or substantive reforms ensuring democratic oversight, from either CSEC or the Canadian Government, are not likely forthcoming. Canadians should also care about what to do in the meantime. Professor Michael Geist has recently posted about what average Canadians can do about mass online surveillance and Professor Kent Roach has written about where to direct reforms. Here, I want to talk about what Canadian internet companies can do, or do differently, to help fill Canada’s transparency void.
Last week, CSEC chief John Forster appeared before the Senate’s national defence committee and did little more than deny allegations of mass surveillance on Canadians, while Senators struggled to pin him down. Given the Prime Minister’s vote of confidence in CSEC, via his top security advisor, any change, or full accounting of the agency’s activities, is unlikely anytime soon.
This is remarkably similar to how things played out in the United States, at the federal level, when Edward Snowden first leaked documents on the National Security Agency (NSA)’s own mass surveillance programs. In response, Director of National Intelligence James Clapper appeared before a U.S. Senate committee last March and flatly denied any mass data collection on Americans (denials, by the way, that turned out to be false). President Obama, like our Prime Minister did with CSEC, expressed confidence in the NSA. And that was that. At least until the next Snowden leaks.
But a striking difference between the two national stories was the strong reaction from American internet companies implicated in the NSA leaks. Companies like Google, Facebook, Yahoo, Microsoft, and others quickly disclaimed conscious involvement in any NSA surveillance program. And later, with some prodding from activists like OTI’s Kevin Bankston, they put competition aside to band together and sue the U.S. Government, seeking the right to be more transparent about national security related matters, recently winning key concessions from the U.S. government on point.
By contrast, Canadian internet service providers and telecommunication companies have offered mostly silence in response to the CSEC stories, beyond a few cursory statements in the past. And it is not as if Canadian ISPs and telco companies are not implicated by the Snowden leaks: the “top secret” presentation on CSEC surveillance operations obtained by the CBC, for example, talks about a “Canadian Special Source”, which is very likely a Canadian company, though as leading security expert Bruce Schneier has pointed out in his great post on the CSEC revelations, it’s not clear if the “source” is consciously participating in the CSEC activities. The slide deck does, however, explicitly mention “major CDN ISPs” teaming up “with US email majors”.
Yet, the response from Canadian ISPs has been no response at all. You would think that any innocent “major” Canadian ISPs would be rushing to disclaim any involvement in CSEC’s controversial exercises or provide more transparency. Yet, no disclaimers were issued. No clarifications about data collection on Canadians were offered. And no steps were taken to pursue greater transparency.
Not only are Canadian ISPs and telcos offering nothing on these national security related matters, but they are not even providing a more basic form of transparency through the practice of corporate “transparency reporting”: disclosing, through online reports, the nature and quantity of government and law enforcement requests that the reporting company receives over a fixed period of time. This practice, which Google led on and helped establish, is now becoming industry standard among U.S. tech companies. Even large established telecommunication companies like Verizon and AT&T, long known for their close and opaque relationship with national security agencies, are issuing transparency reports.
Ironically, the little information Canadians do know about our governments’ requests of Internet companies comes to us through these voluntary American transparency reports. We know, for example, how many user requests the Canadian government may send to Google or Twitter because of these companies’ transparency reports, but have no clue about similar requests received by Canadian ISPs like Rogers or Telus. Call it the Canadian transparency inferiority complex. We are, after all, ranked 56th out of 95 countries in the world on transparency. If we aren’t already afflicted by such an inferiority complex, we really should be.
The reality is that there is a wide open space in the Canadian technology sector for innovation on transparency. Working on these issues at both Harvard University’s Berkman Center for Internet & Society and here at the Citizen Lab, I have seen American tech companies step up, take the lead, and establish a competitive edge over their peers on transparency. Will Canadian companies do the same? Though suing for more transparency on national security may not be their thing, at the very least, Canadian ISPs, telcos, and other internet companies should start issuing “transparency reports”, whilst other stakeholders and civil society groups push for greater democratic oversight for CSEC activities. That may even start by responding to these letters.
Canadians should demand more from government in reining in electronic spying and cyber-policing. But we should also, as citizens, subscribers, and users, demand more from our internet and telecommunication service providers. With more private sector transparency, we will have the necessary information and data for a national conversation to forge a stronger push on the reforms and democratic oversight we need. That way, both companies and citizens win, leaving no one suffering mass surveillance in the dark.