Recently, former NSA consultant Edward Snowden retrieved a document that was eventually obtained by CBC News, showing that the Communications Security Establishment Canada (CSEC) had used information from Canadian airport wireless networks to monitor the smartphones of thousands of passengers. CSEC is responsible for collecting foreign intelligence by examining overseas phone and Internet traffic. It is legally barred from targeting Canadians without consulting a judge for a warrant.
Dr. Ronald Deibert, director of the University of Toronto’s Citizen Lab, told CBC: “ I can’t see any circumstance in which this would not be unlawful, under current Canadian law, under our charter, under CSEC’s mandates.” Deibert authored the book Black Code: Inside the Battle for Cyberspace, about Internet surveillance legislation, published in May 2013.
On January 30, CSEC released a statement in response to CBC’s coverage, stating that “CSEC is mandated to collect foreign signals intelligence to protect Canada and Canadians, and by law, only directs its foreign intelligence activities at foreign entities. However the statement went on to add: “In order to fulfill this key foreign intelligence role for the country, CSEC is legally authorized to collect and analyze metadata.” Metadata is technical information used to route communications, and not the contents of a communication. This can include time stamps, locations of the sender and recipient of telecommunications, and the length and size of the content.
The report has been the subject of debate for the federal government in the last week. “We wouldn’t be able to find or locate our targets without it,” said John Forster, CSEC chief, while speaking about metadata collection to a parliamentary committee on National Security and Defence. Stephen Rigby, National security adviser to the Prime Minister, told the committee that the information collected was not outside CSEC’s mandate. “It is data about data, so it is well within the parameters” Rigby said to the same committee.
Christopher Parsons, a postdoctoral fellow at the Citizen Lab, told The Varsity that “Metadata at this point, is as or more invasive in its collection and analysis than the content of a communication. Any suggestion that because its metadata, it’s any less invasive, just isn’t true.”
“If you were to monitor the metadata coming out of my phone for a day, it would be a lot more revealing than any actual content. This would include things like where I was, when I made the phone calls, how long they were, who I made them to, and who those people talked to,” said Parsons. Using this information, Parsons said, intelligence agencies can determine movement patterns, browsing tendencies, shopping and lifestyle habits, all without figuring out specifically what was said in the conversation.
The Citizen Lab’s campaign for government surveillance oversight has been at the heart of the debate on consumer telecommunications and Internet privacy. Last week, they issued an open letter to several Canadian phone and Internet service providers (ISPs). The letter asked them to publicize the extent of customer information divulged to law enforcement and other intelligence agencies. When contacted by The Varsity for further comments on the Citizen Lab’s campaign, Jennifer Kett, Senior Manager at Rogers Media Relations said they were currently reviewing the request. She added: “We take the privacy and security of our customers’ personal information very seriously. We require a properly executed warrant to disclose customer information to law enforcement or any other body. If we believe that a request is overreaching we will take steps to challenge it.” Kett declined to provide further details when asked, saying that the review of the Citizen Lab’s request was pending. Bell Canada did not respond to multiple contact attempts.
Twitter was a hotbed for reaction to the story of CSEC’s airport surveillance Notable Canadian author and University of Toronto alumnus Margaret tweeted Deibert’s article in the Globe and Mail. Former leader of the Liberal Party, and Toronto-Centre MP Bob Rae tweeted: “ I’m heading to the airport — just thought I’d let CSEC get ready… #canpoli.” Deibert also posted on Twitter, suggesting that the story was being distorted, writing that “it is not just free wifi at airports” that was subject to surveillance.
U of T also collects information from the UTmail email and Wi-Fi networks it provides its students. Policies detailed in the “Appropriate Use of Information and Communication Technology” outline privacy rights. Though the university “respects the reasonable privacy of electronic files stored and distributed on its servers and networks,” the policy also indicates that it “reserves the right to examine any electronic files where the University, in its sole discretion determines that it has reason to do so.” Examples of situations where the university may decide to examine a user’s electronic files include during “an investigation into an allegation that contravenes existing laws, policies or guidelines” or “ when complying with a Freedom of Information request for data.”
In consultation with Information and Technology Services, Laurie Stephens, Director for News and Media Relations, said: “UofT wireless network service tracks authentication records (log-in/out stamps for UTORid credentials) and data related to traffic volumes.
“Emails, material on Blackboard and other electronic content that uses university systems is stored on those systems. However, no data is stored on the nature of content ‘accessed’ using U of T networks. Likewise, the University does not monitor email content.” Stephens also added that in “extraordinary circumstances,” as set out in the guideline, the university has the right to examine the content should it be deemed necessary.
Blackboard, the online learning framework preferred by the university, allows professors to see when a student has viewed the course’s homepage, and whether or not particular items have been viewed by a student and at what time.
UTmail server operations have been outsourced to the United States and elsewhere since the change from ‘@utoronto.ca’ to ‘mail.utoronto.ca’. This transition to the United States means that personal information stored on these servers in now open to the US government via the Patriot Act. The university claims that this does not constitute a breach of privacy based on the findings of the Office of the Privacy Commissioner of Canada. The website states that the “Privacy Commissioner of Canada has reviewed similar scenarios where email is provided to an organization by a US based companies and has determined that there is not an automatic infringement of privacy rights.”
U of T professors and other staff expressed their concerns with the outsourcing. Andrew Clement, a professor in U of T’s Faculty of Information told The Globe and Mail in November that outsourcing made university email accounts widely accessible to the NSA. “As a non-U.S person, there are no legal protections in the U.S against access to Canadians’ data.”
The Office of the Vice President and Provost manages communication technology policies, and is responsible for the Appropriate Use of Information and Communication Technology guideline.