Feeling Lucky?

by Adam Rasmi

(Illustrations by Parker Jackson)

Read the original at Maisonneuve.

Today I searched the terms “penicillin skullduggery,” “almond loincloth,” and “cat walker”; the last led me to a do-it-yourself guide on how to create a $20 walking aid for a cat suffering from cerebellar hypoplasia. These are not subjects that would ordinarily interest me, but were instead the results of a tool called Internet Noise, which generates random searches every five seconds using Google’s “I’m Feeling Lucky” feature. By adding false data, or noise, to your search history, the tool protests the omnipresent culture of mass electronic surveillance.

On March 28, the US Congress overturned Federal Communications Commission rules that would have blocked the right of internet service providers to track and sell your online activity to whomever they please. In response, Philadelphia-based software engineer Dan Schultz developed Internet Noise, a bare-bones web tool—a mere thirty lines of code in all. As Schultz explains, any decent computer algorithm can see through the obfuscation. Internet Noise was always meant to be an act of protest rather than a genuine privacy tool; he calls it “a way to give the middle finger to people in power.” Its creation struck a public nerve—one article about Internet Noise in Wired was shared around thirty thousand times on Facebook and remained the website’s most-read piece for days.

When Canadians think of electronic spying, the American National Security Agency (NSA) might come to mind more readily than our domestic counterpart, the Communications Security Establishment (CSE). A relatively new, $1.2-billion facility in suburban Ottawa provides a conspicuous symbol of the CSE’s hefty spy operations—the vast, seventy-two-thousand-square-metre complex has served as the CSE’s new headquarters since 2014. According to CBC News, it hosts the most powerful supercomputer in the country; about two thousand employees work there. An additional $3 billion has been earmarked to operate the facility over the next three decades.

Due to its top-secret nature, little is known about what occurs behind CSE’s doors, but the Edward Snowden leaks have cast some light on the agency’s programs. In early 2014, reports emerged that the CSE had used the free Wi-Fi service at an unspecified major Canadian airport to collect and analyze the metadata of travellers, tracking their whereabouts for weeks afterward. Because CSE’s mandate is to gather foreign intelligence, lawyers and security experts were quick to note that any surveilling of Canadians was illegal. At the time, Ontario’s then-Privacy Commissioner Ann Cavoukian said she was “blown away” by the disclosures.

According to the leaked “IP Profiling Analytics & Mission Impacts” document, the program was developed with the help of the NSA. Experts say intelligence gleaned from the trial-run initiative was meant to be shared with the US, the UK, Australia, and New Zealand—together, the electronic spy agencies of these countries form the exclusive Five Eyes intelligence alliance that dates back to the early days of the Cold War.

In early 2015, more extensive spying operations were revealed. A series of leaked NSA reports showed that the CSE was capable of monitoring internet data on a scale not dissimilar to that of the US. The program, named EONBLUE, was developed over eight years and entailed deploying more than two hundred sensors at internet backbone sites across the globe—potentially monitoring all traffic passing through these (still) undisclosed sites. The CSE has said that its surveillance activities do not “target” Canadians. Yet much of the data travelling through these two hundred-plus sensors can, from a technical standpoint, be intercepted and analyzed. Given the interconnected nature of communications technology today, it’s nearly impossible that large swathes of Canadians’ data aren’t swept up in the process.

“If you are collecting all global communications,” says Tamir Israel, a staff lawyer at the Canadian Internet Policy and Public Interest Clinic (CIPPIC), “you could actually have all Canadian communications as a subset of that, and it would only be like 2 percent.” For this reason, in 2014, the CSE acknowledged on its website that it may “incidentally” collect information about Canadians.

When General Michael Hayden, the former NSA director under Presidents George W. Bush and Bill Clinton, came to Toronto in 2014 for a Munk Debate with journalist Glenn Greenwald, he told the Globe and Mail that he envied the CSE for the wide latitude under which it operates. The CSE, he said, conducts surveillance without facing pushback from Canadian officials: “Many things that an American has to go to a court for, the British, Canadian, Australian and New Zealand services all have completed within the executive—through ministerial warrants.”

Among the Five Eyes countries, the CSE is considered to be the least accountable electronic spy agency. Unlike the NSA, the UK’s Government Communications Headquarters (GCHQ), the Australian Signals Directorate (ASD) and New Zealand’s Government Communications Security Bureau (GCSB), the CSE wasn’t—until very recently—subject to any parliamentary oversight. Though a commissioner has reviewed the CSE’s activities every year, the process has been led by a retired judge who works part-time with a small staff of eleven. Andrew Clement, a professor emeritus at the University of Toronto’s Faculty of Information, describes the arrangement as “a bit like a mouse trying to exercise accountability over a cat.”

Because the Office of the CSE Commissioner is a review rather than an oversight body, it studies the agency’s surveillance after the fact. The commissioner reports to the Minister of National Defence, the same cabinet position responsible for giving the CSE its marching orders, and the office cannot issue binding legal recommendations. Israel is critical of this arrangement. “Typically in democratic societies,” he says, “we try to have objective entities—the court or an independent tribunal.”

In recent years, there have been some efforts to bring about greater oversight and control. In 2014, a private member’s bill (C-622) put forward by Liberal MP Joyce Murray sought to bolster online privacy protections. Among many measures, Bill C-622 would have appointed a judge who would rule on any CSE requests to collect the private communications of Canadians. However, the bill was voted down by a Conservative majority government that had already presided over a large expansion in CSE’s staff and operating budget even as it cut funding in other departments—according to the CBC, the number of CSE employees grew 42 percent between 2005 and 2012.

During the 2015 election, the Liberal platform called to restrict the CSE’s powers by “requiring a warrant to engage in the surveillance of Canadians.” The Liberal government has since introduced Bill C-22, which will create—at least in name—an oversight committee in parliament. Yet important amendments introduced by the public safety committee in December 2016, including the power to subpoena, were rejected in March 2017 by the Liberal government, to the chagrin of organizations fighting for Canadians’ digital privacy. “We’re not very confident that C-22 is going to do what we need it to do,” says Israel. (The bill passed its third reading in the House in April and received royal assent in June.)

On June 20, the Liberals also tabled Bill C-59, also known as the National Security and Intelligence Review Agency Act, a 150-page document overhauling Canada’s national security framework. The legislation is meant to correct aspects of Bill C-51, the controversial Anti-Terrorism Act passed in 2015 under the then-Conservative majority. Bill C-59 will create the National Security and Intelligence Review Agency (NSIRA), an integrated super-agency responsible for reviewing all of Canada’s security agencies, thus cancelling out the Office of the CSE Commissioner. As with any regulatory regime, questions of resources and staffing will be paramount.

The bill will also create an intelligence commissioner to oversee ministerial decisions related to electronic spying, adding a much-needed approval role. Bill C-59 is a significant upgrade, but accountability problems remain—the new commissioner will only be able to approve categories of spy operations, rather than individual cases, which falls short of the Liberal pledge for warrants. Moreover, the bill codifies in law the CSE’s right to “incidentally” collect information about Canadians, and it moves beyond a defence-only mandate—allowing for offensive capabilities relating to disrupting communications networks.

As we surf the web, our data takes a circuitous route. According to IXmaps.ca, a tool that maps where our web traffic flows, even when I only have Canadian news websites open and I’m not connected to any US-based social media—Facebook, Instagram, Twitter—my data is flitting across the United States, beginning its continental zigzag on Bloor Street in Toronto and routing through Chicago, Seattle, Portland, San Francisco and Denver. As with millions of other Canadians, there’s a fair chance my data is being intercepted—all of these cities are suspected NSA listening posts. Domestically, up to a quarter of data both originating in and destined for Canada flows through internet exchanges in the United States. Because so much of Canadian internet traffic is directed towards popular American services, 90 percent is routed through the US.

Thanks to 2006 revelations by Mark Klein, a former AT&T technician, we know definitively that the NSA installed splitters at six internet exchange points in the US to make copies of all internet traffic passing through these facilities. According to Clement, who leads the IXmaps.ca initiative, having splitters in just eighteen cities would be enough to intercept 97 percent of all US web traffic.

Crucially, when Canadian data hops across the border, it loses its domestic protections. There are legal restrictions on how the NSA handles data, but these protections are weak when it comes to foreign nationals. Moreover, Canadian authorities can also query a searchable NSA database called XKeyscore, which has been referred to as the Google of signal intelligence agencies, to indirectly obtain information through their US partner. Bill C-59 continues to permit the sharing of information with foreign states and organizations.

Tamir Israel of the CIPPIC points out that in the early 1900s, a decade or so after telephone wiretapping technology was first made available, the NYPD set up shop at the central switching station in New York City. The police force was essentially free to listen in on whichever phone calls they pleased, and it took decades before the practice was reined in.

Today, technological advances have made trillions of data points subject to surveillance, and as with phone wiretapping, it will likely take many years for privacy laws to catch up. The global, interconnected nature of web communications further complicates the problem; nations the world over will have to collectively enact privacy rules and restrain electronic spying agencies, with ostensibly free and democratic nations like Canada leading the way. For that to happen, citizens will need to firmly reject the idea that the spectre of terrorism requires foregoing privacy rights, and continue demanding a more transparent accounting of what agencies like the CSE are up to. Only then can the watchers be held to account.