Almost every day this past week brought shocking new revelations about the scale of spying programs operated by the Obama administration in the United States as well as by governments around the world (including the Canadian government).
These secret programs are incredibly broad: harvesting information about every phone call or allowing access to information about almost any internet-based communication. The programs operate with little or no meaningful oversight from elected representatives or the courts.
Governments around the world have attempted to excuse their unaccountable snooping with tired arguments about the balance between privacy and security, i.e. by downplaying the importance of the information collected, and pretending that proper oversight is in place. This is nonsense.
Today we will review the revelations of the past week and shoot down those sorry excuses to show these programs for what they really are: outrageous intrusions into our personal lives, an attack on democratic principles, and unacceptable threats to freedom.
A week of scandals.
Wednesday, June 5, 2013 – the Verizon telephone spying order
Last Wednesday, we learned that Verizon was subject to a secret order (pdf) from a secret court, requiring it to collect information on every phone call made on their network (including calls placed and received within the US) and turn that information over to the National Security Agency (“NSA”). The NSA is the US spy agency responsible for making sense of the large volume of data collected by US spy efforts overseas – and apparently at home as well.
The order forces Verizon to turn over the following information to the NSA:
- Originating and terminating telephone number – The numbers a call is to and from.
- IMSI Number – A unique identifying number for the SIM card in every cell phone.
- IMEI Number – A unique identifying number associated with every mobile phone.
- Trunk identifier – The telephone network that carried the call.
- Telephone calling card numbers.
- Time of the call.
- Duration of the call.
The order also has a gag provision that prevents Verizon from talking about the existence of the order.
Thursday, June 6, 2013 – PRISM and the NSA direct line to internet companies
On Thursday, the Washington Post revealed the existence of PRISM, another secret NSA program. According to the leaked NSA documents, PRISM allows spies to take data “directly from the servers of… US Service Providers: Microsoft, Yahoo, Google, Facebook, PalTalk, AOL, Skype, YouTube, Apple”, and to access email, voice and video chat, videos, photos, stored data, file transfers, video conferencing, notifications of target activity, and other social networking activity.
The Obama administration quickly declassified information giving PRISM credit for defeating a New York City terrorist plot. However, the Washington Post has questioned the relevance to the NYC plot:
In the rush to defend the surveillance programs, however, government officials have changed their stories and misstated key facts of the Zazi plot. And they’ve left out one important detail: The email that disrupted the plan could easily have been intercepted without PRISM.
As for the capabilities of PRISM itself, the NSA has said next to nothing except to say that “PRISM is not an undisclosed collection or data mining program”. However, the NSA has a different understanding of the word “collection” than everyone else, insisting that “collection” only refers to information that is processed into a useful form.
The companies said to be involved in the program have issued denials that are both vague and suspiciously specific, leaving lots of wiggle room. The companies have denied the kind of direct access described in the PRISM documents, but not participation in a PRISM-like program. However, like Verizon, they are likely to be subject to orders preventing any discussion of their role. Microsoft, Google, and Facebook are all asking to be allowed to say more, but so far the gag is still in place.
So, a week after the program was announced, we still do not know what PRISM is except that it is probably a system to automate the process of requesting information from the listed companies and for receiving their responses. We know nothing about what information is delivered, how often it is used, or in what circumstances. We just know it exists, and that the NSA really wants it to remain secret.
Friday, June 7, 2013 – PRISM spreads to the UK
On Friday, it was revealed that PRISM wasn’t limited to United States spies. Spies in the UK were given access to the same database as their American counterparts. The reports say that PRISM allows British spies to circumvent domestic legal processes required to obtain personal information from companies based outside of the country.
Sunday, June 9, 2013 – The whistleblower revealed
On Sunday, the man responsible for the leaks came forward. Meet Edward Snowden, a 29-year-old former contractor for the NSA who decided enough was enough, and turned over a trove of NSA documents to American journalist Glenn Greenwald, including the PRISM slideshow. Why did he do it? In his words: “My sole motive is to inform the public as to that which is done in their name and that which is done against them.”
Monday, June 10, 2013 – Canada’s homegrown spying program
Not to be left out of a major scandal, the Globe and Mail reported on Monday that Canada has had its own metadata spying program since 2005, most recently authorized by Defence Minister Peter MacKay in 2011.
The Canadian program is operated by the Communications Security Establishment of Canada (“CSEC”), Canada’s version of the NSA. Little is known about the program, but MacKay insists that it does not target Canadians.
As part of the fallout from the story, the Canadian government has insisted that the CSEC “does not have access to data in PRISM”. However, in this very specific denial the government has not confirmed or denied whether other Canadian intelligence or law enforcement agencies—the Canadian Security Intelligence Service (“CSIS”) or RCMP—have access to PRISM.
Tuesday, June 11, 2013 – PRISM spreads again
On Tuesday, De Telegraaf, a Dutch-language newspaper, reported that Dutch intelligence agency AIVD also has access to PRISM (Google translated version).
It’s only metadata! We’re not listening to your calls or reading your email.
The metadata excuse runs from Obama’s insistence that “[n]obody is listening to your telephone calls” to CSIS’ claim that Canada’s program is “not the content but it’s the who, the length of time, the where, and it’s the when of a communication”.
Metadata is information about information. In the case of the Verizon order, it is a complete list of what phones are used to call what phones, when they call, and how long they talk for. In the case of PRISM, it is information about which internet users are mailing and chatting with other users, who is visiting what websites, and maybe even what those users are searching for. This is the same kind of information that former Public Safety Minister Vic Toews famously said is just “telephone book” information before telling Canadians to side with his spy program or side with the child pornographers.
Metadata matters. Even though monitoring metadata is not the same as listening in on the contents of a phone call, it can reveal a lot about you, especially when you have a lot of it to analyse. As discussed by Michael Geist in a blog post yesterday, metadata can reveal locational information, medical information, sexual orientation or important business information. It can even reveal specific persons from supposedly anonymous information. The EFF gives a few more examples of what the government can learn about you from metadata:
- They know you rang a phone sex service at 2:24 am and spoke for 18 minutes. But they don’t know what you talked about.
- They know you called the suicide prevention hotline from the Golden Gate Bridge. But the topic of the call remains a secret.
- They know you spoke with an HIV testing service, then your doctor, then your health insurance company in the same hour. But they don’t know what was discussed.
- They know you received a call from the local NRA office while it was having a campaign against gun legislation, and then you called your senators and congressional representatives immediately after. But the content of those calls remains safe from government intrusion.
- They know you called a gynecologist, spoke for a half hour, and then called the local Planned Parenthood’s number later that day. But nobody knows what you spoke about.
In an era of “big data” and data mining, or even just common-sense interpretation of what we know about phone numbers and the people who call them, it is disingenuous for our leaders to claim we have nothing to fear from their spying on information about our communication. Metadata is our data. It matters, and it is as critical to protect it as it is to protect the contents of our phone calls and emails.
It’s only foreigners! We would never target Americans/Canadians/[your country here].
The “only foreigners” argument has been best set out by Peter MacKay, who in defence of the spy program he authorized said: “We don’t target Canadians, okay?” MacKay had earlier emphasized that the program only targets “activities outside the country, foreign threats.”
What MacKay does not acknowledge is that his government has been increasing the amount of information shared through cross-border data sharing agreements for years. Like the secret spying program MacKay authorized in 2011, the cross-border data sharing agreements are also secret, and subject to no oversight but his own.
Everyone is a foreigner somewhere. While the CSEC might not spy on Canadians, Canadians are fair game to the spies at the NSA and in the UK. Americans who are not targeted by PRISM are fair game to the CSEC’s program.
As UK spies’ access to PRISM illustrates, cross-border data sharing is alive and well, and undermines even the minimal protections that are in place through the secret programs. Without a system of checks and balances on both the spy programs and the cross-border data sharing programs that spread the information collected, the “only foreigners” argument is completely meaningless.
We act within the law! Take our word for it.
Nearly everyone involved in the programs revealed over the past week has bent over backward to reassure the public that their programs are in compliance with the laws of the land. Obama reassured us that he takes his oath to uphold the US Constitution seriously. MacKay has reassured Canadians that the CSEC program he authorized is “authorized and carried out in accordance with the law, ministerial requirements, and CSE’s policies and procedures”, and subject to “rigorous oversight”.
But how can we trust the same governments that have authorized secret programs that have spied on us for years, especially when the secret programs stay secret and avoid oversight? Apart from a few leaked documents, media reports, and these assurances from the same officials who hid the programs to begin with, we know very little about this program and its legal justifications. And the government representatives behind the programs continue to dodge and weave to avoid any real accountability or oversight. For example:
- The Foreign Intelligence Surveillance Court—the only body that could rein in abuse by the NSA by refusing to grant spy orders—has instead become a rubber stamp for spy orders. The last time the court rejected a spying request was 2009. By contrast, it approved 1320 orders in 2009, 1579 in 2010, 1745 in 2011, and 1855 in 2012. That kind of oversight is no oversight at all.
- NSA head James Clapper, Jr. has severely misled Congress as to the scale and scope of NSA spying. He specifically denied that the NSA collects information on hundreds of millions of Americans, which after the Verizon order we know is completely false. The NSA falsehoods and word games make oversight by elected representatives impossible.
- The same secret FISA court that authorized the Verizon order today refused to release the still-secret opinion authorizing the PRISM program. US lawmakers and the ACLU have demanded that the court turn over its reasons for issuing the Verizon order, but so far it has declined to do so.
- Lawsuits have been filed against the NSA, Obama, and other officials with respect to the Verizon spying program. However, the lawsuits filed over the last round of NSA spying are being fought tooth-and-nail by Obama’s Department of Justice, which continues to claim national security would be jeopardized by exposing the programs to judicial scrutiny.
- A similar story is unfolding in the UK, where government officials insisted that its participation in the PRISM surveillance program complied with the law while simultaneously refusing to acknowledge any participation.
Governments are saying their programs operate within the bounds of the law. To nearly everyone else, these programs are incompatible with constitutional protections. In the words of Bruce Schneier:
We need to determine whether these National Security Agency programs are themselves legal. The [U.S.] administration has successfully barred anyone from bringing a lawsuit challenging these laws, on the grounds of national secrecy. Now that we know those arguments are without merit, it’s time for those court challenges.
Here in Canada, the Privacy Commissioner Jennifer Stoddart has “significant concerns” with Canada’s spying program, but like the rest of us has “very little specific information at this point”. She plans to contact other privacy commissioners around the world to coordinate an investigation into the US program.
Keep watching the watchers
The government of Canada must immediately reveal its own spying programs, as well as its participation in PRISM and other international spying programs.
In the coming weeks the BCCLA will continue to pressure the government to come clean on its spying programs and cross-border data sharing.
For now, you can consider writing to your MP to demand answers, or visiting our friends at OpenMedia.ca and signing their No Secret Spying petition at secretspying.ca.