Further confused notes on the absurdities of online privacy in Canada


expose shared CC by Sunghwan Yoon

To follow up on my earlier delirious ramble on the futility of trying to make sense of online privacy policy… An excerpt from Michael Geist’s column published last Friday, entitled “Time for Canadian privacy regulators to take action on pervasive surveillance” (emphasis added is mine):

The extensive U.S. surveillance programs appear to capture just about all communications: everything that enters or exits the U.S., anything involving a non-U.S. participant, and anything that travels through undersea cables. This would seem to leave Canadian cellphone and Internet users at a similar risk of surveillance regardless of the nationality of the carrier and suggests that Canadian companies may be facilitating surveillance of their customers by failing to adopt safeguards that render it more difficult for foreign agencies to access data.

For example, both Bell and Rogers link their email systems for residential customers to U.S. giants with Bell linked to Microsoft and Rogers linked to Yahoo. In both cases, the inclusion of a U.S. email service provider may allow for U.S. surveillance of Canadian email activity. While the Canadian privacy commissioner previously dismissed concerns associated with using U.S. email providers on the grounds that Canada had similar security laws, the new surveillance revelations suggest that a re-examination of that conclusion may be warranted.

The issue of avoiding U.S. routing is particularly important since even Canadian domestic communications that travel from one Canadian location to another may still transit through the U.S. and thus be captured by U.S. surveillance. Despite these risks, Bell requires other Canadian Internet providers to exchange Internet traffic outside the country at U.S. exchange points, ensuring that the data is potentially subject to U.S. surveillance.

Again, here in British Columbia public institutions are told they must meet a fairly high threshold of informed consent and other safeguards if they wish to use non-Canadian online services with students. On the ground, the requirements for compliance and the ambiguity in these guidelines too often result in a blanket policy forbidding many useful activities. It’s common to hear people cite our FIPPA law to forbid students authoring articles on Wikipedia, for instance, with fearsome fines reputed to be in the tens of millions of dollars awaiting malefactors. It’s taken as given that we can’t involve students in interesting pilots such as Reclaim Hosting, ironic since it’s a program designed to allow participants to take unprecedented control over their online practices.

But as Geist points out, the vast majority of Canadian online exchanges are every bit as exposed to US eyes. Does security theatre really reassure us? Do we meet the offense to democracy posed by pervasive surveillance with measures that hamper nothing but our own ability to function?

Note as well how this ends up playing out in terms of public education in relation to the private sector. Why does UBC’s arrangement with Coursera proceed in the face of FIPPA requirements? Because as far as the law is concerned, Coursera’s students are not UBC students, even when they are taking a course developed by UBC faculty and supported by UBC staff.
