Online spying bill C-30: Expert confirms innocent Canadians likely to be caught up in digital dragnet
Our intrepid academic friend Christopher Parsons isn’t one to sit idly by while the future of the online spying bill remains unclear. After the Globe and Mail reported that this bill, C-30, was dead, Public Safety Minister Vic Toews made a spectacle of himself by arrogantly announcing that warrantless online spying is still on the government’s agenda. Following this announcement, we at OpenMedia.ca renewed our StopSpying.ca campaign with the launch of a viral video at http://openmedia.ca/stand, which Canadians have been watching and sharing like crazy in order to ensure that politicians know we’re united against this costly and invasive scheme. One week later—the video has 15,000+ views and counting.
While all this was happening, cybersecurity expert Parsons was spending his time pouring through articles and access-to-information requests that could provide insight into the future of electronic surveillance in Canada. His findings are, to say the very least, significant. You can learn about them in detail on his blog here, or check out our summary:
The meat of Parsons’ blog begins with a short summary of the work he’s done so far on the online spying bill:
Over the past year I’ve identified a series of methods that authorities could use – and, internationally, are known are used – to monitor citizens’ digitally mediated communications. As examples, I’ve identified ways that subscriber information can be used for online tracking actions, raised awareness about how IMSI catchers could be used to track Canadians’ physical locations, and made available a chapter on deep packet inspection technologies that could be repurposed for law enforcement. I’ve also posted a report, prepared for the BCCLA, that looks at how lawful access powers are used (and abused) by our closest economic and military allies.
You may read – or skim – those pieces and come to the following conclusion: while valid concerns are raised, they don’t necessarily speak to how authorities are conducting surveillance right now. Why should Canadians be concerned in the absence of evidence of broad-based surveillance of the population right now?
Early on in his piece, Parsons answers this question by revealing that over 28,000 requests for private data were sought from ISPs in 2010:
From documents released under federal access to information laws, we find that in 2010 (.pdf) the RCMP contacted ISPs for customer name and address information a total of 28,143 times. Such information is generally referred to as ‘subscriber data’ under the federal government’s proposed lawful access legislation. In 93.6% of cases, ISPs voluntarily provided information to authorities. For the remaining cases, ISPs demanded warrants (Pp. 216).
It’s safe to assume that the 28,000 requests included requests for information on law-abiding Canadians. Parsons goes on to point to how social media, which about 60% of online Canadians use to create profiles, is used regularly in policing:
Richard Frank, Connie Cheng, and Vito Pun prepared a report for Public Safety that examined authorities’ intelligence gathering practices as related to social networking sites. The researchers conducted interviews with members of policing agencies as part of their methodology. Interviewed subjects uniformly indicated that “they now often begin investigations by opening up a web-browser and gathering online information.” Such information constitutes “open source” intelligence (OSINT).
Combined with the other subscriber information obtainable without a warrant under Bill C-30, this information can be used to erode online anonymity. As our infographic about this issue shows, not only could phone numbers, aliases, and physical locations be revealed, but also the identities of a person’s friends, co-workers, relatives, organizations could be found out. Parsons provides a strong example of why this is so significant:
This research corresponds with earlier work I’ve done, where I stated that “[h]aving coffee with a work friend who advocates for social justice on the weekends could lead to unsuspecting, and utterly uninvolved, citizens being stuck in the same net as their law-abiding colleagues who are caught in the web of actuarial justice.” In short, being close to a potential suspect/criminal is sufficient to warrant police investigation, regardless of your own innocence.
In short, this means that innocent people will be swept up by the online spying bill’s digital dragnet. As Parsons puts it,
..contemporary open source intelligence operations entail surveilling individuals who are not, themselves, presumed guilty of criminal malfeasance: their ‘crime’ is being associated with those who are so suspected. Thus, under the lens of intelligence gathering those who are merely proximate to suspects – and thus instrumentally useful to police – may have their subscriber information collected secretly and used for online tracking and association purposes, all without those individuals ever being the wiser.
Parsons’ analysis also re-emphasizes the lack of oversight measures in the online spying bill. Quoting an analyst responding to the federal Privacy Commissioner’s office (noting their lack of resource), Parsons highlights a “callous” disregard for the importance of meaningful deterrents of abuse:
“In terms of resources, the OPC does not receive additional funding every time a government department or agency implements a program that will be subject to OPC review. It is up to every department to determine how best to allocate their resources (Pp. 241).”
After analyzing internal memos and correspondence, Parsons comes to the conclusion that
“any claims that Canadians’ privacy will be protected and that the government is committed to strong audits are more rhetorical than actual.” He concludes by setting out what we at OpenMedia.ca believe is an entirely reasonable benchmark for the government to meet in order to address widespread privacy concerns:
Establishing a Commissioner to oversee how lawful access powers are used, as well as a right of notification, will not prevent or stop misuses of powers under lawful access. Combined, however, these provisions could limit the harms that authorities might otherwise commit.