We live in the digital age. It’s an assertion that won’t raise many eyebrows, or excite much contention. It is also a statement that is constantly being reaffirmed by our own lived experiences. The ways in which we construct our very identities are born out of this digitized environment. However, what should excite contention are the aggressive policies that governments around the world are pursuing in order to assert control over that digital environment. As more of our lives and the nature of threats posed to our national security come to exist within this environment, does this not then necessitate greater government control and securitization? While securitization can be curative, it can also be its own disease.
Our worldwide web, our open commons of information, has come up against social forces that are leading us farther and farther down the path of state control and surveillance. Policies that are currently being debated in many cases are antithetical to the principles of liberal democracies. Such policies include expanding the powers of secretive intelligence agencies, circumventing judicial oversight on data sharing with law enforcement agencies, and outsourcing Internet policing to private sector actors, to name just a few. These policies, while their mandates might be appropriate, can have significant unintended consequences.
Securitizing cyberspace has become a growth industry, and governments around the world, including our own, have been capitalizing on that growth. Governments, especially in the developing world, have been contracting out their filtering and surveillance devices to manufacturers in the developed world for years. Take Netsweeper for instance, a Canadian company that sells censorship products and services to regimes across the Middle East and Northern Africa, which in turn use this software to block access to human rights information, basic news, and dissenting or critical opinions. However, it is not only Canadian companies selling malware to authoritarian regimes that we should be concerned about: there is a Canadian security agency that has been working on its own circumvention tools right here at home.
The Communications Security Establishment (CSE), Canada’s electronic spy agency, has recently developed a project dubbed “Levitation.” It is, essentially, wholesale mass surveillance, and mass surveillance of a nature that is unprecedented in Canada. What is known publicly about this program to date has come from documents leaked by Edward Snowden. Ronald Deibert, Director of the Canada Centre for Global Security Studies and the Citizen Lab at the University of Toronto, has stated that, while on the surface the program might seem reassuring by being packaged as a means for collecting foreign signals intelligence in order to protect Canadians from national security threats, its architecture raises some serious questions.
While CSE’s overall mandate is certainly important (and necessary to a degree), their standard operating procedures exist in the dark, unknowable to the public. Some questions we should be asking include: how long is the CSE allowed to retain the data they collect? What is the total volume of their mass collection? What are the rules around metadata? Do they share this data with spying partners, and if so, who are those partners?
The Snowden documents also revealed that the CSE has access to malware tools, developed by the National Security Agency (NSA), as part of a program known as QUANTUM. These tools can be used for a variety of different purposes, such as to block traffic onto particular websites, disrupt file downloads, and copy data stored on a hard drive – essentially, they are the tools of cyberwarfare.
The CSE has also been engaged in data mining operations. According to the leaked documents, the agency has been monitoring Canadians’ emails, which the CSE has defended by arguing that this type of operation is within its mandate to defend against hacking and malware attempts by both national and foreign threats. The system on which it relies is codenamed PONY EXPRESS, which is used to analyze messages in order to detect potential cyber threats. While the CSE acknowledges that it does engage in this system of mass collection of private communications, it has not revealed the number of communications it has on file or how long it will retain the right to keep them.
The advent of PONY EXPRESS has also revealed a loophole in Canada’s Criminal Code: while it is illegal to eavesdrop on the private communications of Canadian citizens, if a government agency does so with the intent of protecting government infrastructure, that agency can be granted an exemption. The CSE’s stock defence against inquiries about its practices is that revealing such information about its internal policies and procedures would assist those wishing to conduct malicious cyber activity. However, the fact remains that private correspondence is now being archived and shared across government agencies. Whether or not we think this is defensible in the name of security should be a hotly contested debate.
At a time when the federal government is currently debating the merits of Bill C-51, the latest anti-terror legislation, which seeks to grant additional powers to intelligence officials, Canadians are going to have to start asking some tough questions about the appropriate role of our security establishment. The powers that we are granting to these intelligence agencies are far-reaching, and they come at a price of sacrificing our privacy rights, our civil liberties, and even how we are allowed to conduct ourselves online. Bill C-51 would criminalize online speech that would “promote” terrorism, and it would lower the threshold required for making preventative arrests. It also includes the Security of Canada Information Sharing Act, which would allow for 17 government agencies to share information collected on citizens for a variety of different reasons – many of which have no direct link to terrorism.
Of course, this is not intended to completely dismiss the notion that there is a need for the securitization of cyberspace in its entirety. The vulnerabilities and threats posed to cyberspace are real and will continue to require a certain amount of online policing and information control. However, there has to be a better balance between the need to address security risks and the needs of privacy protection and the freedom of speech. Furthermore, despite the salient concerns over Bill C-51, at least the bill demonstrates the federal government’s willingness and commitment to address domestic security issues through the courts, rather than through the use of extrajudicial government power. One need only look at the advent of such extrajudicial powers being exercised south of the border following 9/11 to see the importance of limiting that power.
As the need for regulating, securing, and controlling the digital environment continues to grow, we are running up against the risk of destroying the very nature of dynamism and openness that made that digital environment so unique in the first place. Before we continue to pursue these aggressive policies of information control and mass surveillance, we need to ask ourselves: have we accepted what we believe to be “the cure” before we have come to truly understand the disease?
Shelby Challis is a 2016 Master of Public Policy candidate at the University of Toronto’s School of Public Policy and Governance. She previously completed an Honours Bachelor of Arts degree in Political Science at the University of Toronto, and has since worked for the Ministry of Health and Long-term Care. Her policy areas of interest include healthcare finance, labour relations and security management.