This week on the PPGR we are talking Big Data in the lead up to this year’s Ford+SPPG Conference, an annual academic policy event between the SPPG and the Ford School of Public Policy at the University of Michigan. Follow us on Twitter @FordSPPG  for the latest updates on the conference and interesting Big Data-related news articles.

Rob Scherf

Since last summer, journalists on both sides of the Atlantic have released a steady trickle of shocking revelations about far-reaching government surveillance based on leaked documents from former National Security Agency (NSA) contractor Edward Snowden.

While most stories concern the NSA’s staggering infrastructure for monitoring digital information across the globe, all nations in the “Five Eyes” intelligence-sharing alliance have been the subject of strange and troubling reports. Until the end of February, Canada’s only entry in the corpus were documents that implied it helped the NSA spy on Canadians during the 2010 G20 summit in Toronto. As the documents exited the news cycle with little fanfare, it was hard to tell whether Canadians cared at all about the surveillance activities of their government.

That changed on January 30, when CBC reported that Canada’s information spy agency, Communications Security Establishment Canada (CSEC), used airport Wi-Fi connections to monitor thousands of travelers for several weeks in 2012. The public was angry, and for good reason: their government had demonstrated a commitment to privacy invasion by tracking the movements and activities of its own citizens.

On February 3, CSEC head John Forster was hauled in front of the Standing Senate Committee on National Security and Defence. His testimony was a staunch defense of CSEC’s activities, in which he repeatedly asserted that the collection of data about Canadians does not constitute surveillance:

“This exercise involved a snapshot of historic metadata collected from the global internet. There was no data collected through any monitoring of the operations of any airport. Just a part of our normal global collection, … We weren’t targeting or trying to find anyone or monitoring individuals’ movements in real time. The purpose of it was to build an analytical model of typical patterns of network activity around a public access node,” Forster said.

To Forster, the program was lawful because the information being collected wasn’t tracking individual people, but rather contributing to research on how individual people should be tracked in future programs. CSEC’s activities are not unlawful unless the agency is actually collecting and storing Canadians’ information. At the same time, he acknowledged that the agency regularly collects data, including that of Canadians. Is there any logic to this apparent inconsistency?

The trouble is that the meaning of “information” has become much more complicated since Snowden first released his documents. Our spy agencies are not obliged to explain which set of definitions they’re using. CSEC seems to be actively discouraging accountability and transparency at every step: from the data it collects, to the way it interprets the rules of its program, to the framework for oversight.

We need reform. We need clarity. Here’s why.

Data about data

Since their operations were made public last summer, intelligence agencies have gone to great lengths to stress that the information being collected about citizens is “just” metadata—the stuff that accompanies all of our communications, but not the content of those communications themselves. Forster likens it to a photograph: data is the picture, and metadata is all of the information encoded with it–the date, time, aperture, dimensions.

Likewise, communications metadata can tell you about senders and recipients, when the communication happened and for how long, and where it took place. Forster maintains that no personal information is revealed by the metadata of our communications. But if that’s the case, why is CSEC so interested in collecting it? The fact is, metadata can paint an extremely revealing picture of our lives.

A recent study from Stanford University tracked the phone records of hundreds of volunteers over several months to build a dataset that approximates what we know about the NSA and CSEC’s data collection operations. The results contain some shockingly evocative personal stories: From the study:

“Participant A communicated with multiple local neurology groups, a specialty pharmacy, a rare condition management service, and a hotline for a pharmaceutical used solely to treat relapsing multiple sclerosis.

Participant E had a long, early morning call with her sister. Two days later, she placed a series of calls to the local Planned Parenthood location. She placed brief additional calls two weeks later, and made a final call a month after.”

Like CSEC, the Stanford group didn’t have access to the content of any of these conversations. But by looking at who was contacted in what sequence, they were able to make strong inferences about the most intimate details of the participants’ lives.

As others have said, the claim that we shouldn’t be concerned about CSEC’s collection of “just metadata” doesn’t hold water. Metadata can reveal just as much as listening in on a phone call, and it’s easier to collect and analyze in bulk.

Slippery definitions

So what about that bulk collection? A key message of this year’s media coverage about the NSA and other spy agencies has been that metadata collection is threatening the privacy of citizens. How can that be, when intelligence agencies are prohibited by law from spying on their own citizens? The answer doesn’t appear to be based in law or regulation; instead, it’s semantic. Based on the comments of James Clapper, America’s top intelligence official, the NSA doesn’t consider information to be “collected” until it is viewed by an analyst. Everything else—from the data subpoenaed from social networks to what’s tapped directly from Internet infrastructure—resides on NSA servers, waiting to be “collected” when it is deemed pertinent to an investigation.

Clapper’s philosophy is reflected in Forster’s comments to the Senate committee. CSEC’s airport operation used “no data collected through any monitoring of the operations of any airport. Just a part of our normal global collection,” he said. In other words, continuous surveillance and capture from global data networks is the status quo. CSEC would only consider its behaviour untoward if Canadians were targeted specifically.

But aren’t we being targeted when our data is sent to CSEC servers for analysis? Collection, targeting, metadata: the most pressing issues in today’s privacy landscape hinge upon the interpretation of words that don’t appear in governing law and that an uninformed observer would find completely innocuous. No other sector of government would find this situation acceptable.

Searching for oversight

Let’s step back and look at the legal position of CSEC’s metadata surveillance program. CSEC was established by the National Defence Act in 1985, with a mandate to “to acquire and use information from the global information infrastructure for the purpose of providing foreign intelligence, in accordance with Government of Canada intelligence priorities.” The worldwide communications ecosystem of three decades ago was quaint by modern standards; CSEC was primarily occupied with monitoring radio activity and wiretapping the phones of foreign dignitaries.

Intelligence agencies must keep up with technological change. The Act allows CSEC to apply directly to the Minister of National Defence for Ministerial Authorizations that would allow it to expand its activities without having to work through Parliament. These authorizations, due to their sensitive nature, are secret.

As a gesture of oversight, the government created the Office of the Communications Security Establishment Commissioner in 1996 under the Inquiries Act. The Commissioner, usually a retired judge, is empowered to enter CSEC’s shroud of secrecy and report directly to the Minister on the lawfulness of the agency’s activities. The Commissioner is not a watchdog in the sense of being accountable to Parliament, though–in fact, no Commissioner has ever appeared before Parliament to answer questions about his office or CSEC’s activities.

Forster pointed out that, “Our collection and use of metadata, including for network analysis, has been reviewed by successive Commissioners five times since 2003, the most recent in 2011, and found to be lawful.” That’s probably true, but we have no way of knowing the details because the Commissioner’s reports to the Minister are classified. His office does, however, issue annual reports to the public. In the last seven of those reports, the word “metadata” appears only once—promising a forthcoming report on the agency’s use of metadata. That report was either submitted to the Minister in confidence, or the study is still ongoing. Either way, it’s difficult to place confidence in pronouncements of legitimacy when all the evidence is secret. “Trust us” is simply not a high enough standard for modern democracies.

So, where do we go from here?

Meaningful information about Canadians is being collected en masse by the government, and there is little clarity about how the program works and how our data is being used. The oversight body for this program reports to the same person who is responsible for its operation, and it all happens behind closed doors.

Canadians deserve a public debate about wide-ranging government surveillance operations. The first step is gaining access to the facts. Journalists, experts, and voters cannot effectively scrutinize a black box. CSEC needs to implement basic reporting and accountability measures, as outlined in a recent report from Canada’s Privacy Commissioner.

Once Canadians have sense of what we are dealing with, we can have a significant discussion about it. In that sense, surveillance is no different from education or taxation. People have a right to know what their government is doing and to question the ideologies that drive policy. Intelligence agencies should not be given a free pass on accountability just because they work in the shadows.

Rob Scherf is a Master of Public Policy student at the University of Toronto. He spends a lot of time thinking about privacy issues, and is on a quest to find the best jerk chicken in the city.