It sounds like a storyline out of a James Bond movie, or the latest Aaron Sorkin drama. But code name PRISM is the real-life alias of the United States National Security Agency’s massive data collection and surveillance computer program officially known as SIGAD US-984XN. It involves technology and media companies providing direct access to their customers’ information, including search histories, file transfers, e-mail content, and live chats, to the NSA, who reportedly studied only metadata of these communications for patterns, rather than the content.
Last month, PRISM was thrust into the spotlight by whistleblower Edward Snowden, a former NSA and CIA employee who disclosed details of the program to The Guardian and The Washington Post, promptly fled to Hong Kong, and then spent several days bunkered down in a Moscow airport before ultimately being granted asylum by Venezuela (which he has yet to accept).
Since Snowden blew the whistle on the NSA (or committed acts of theft and espionage, if you ask the United States government), the subject of data privacy and our rights as individuals in an increasingly online world has come to the forefront around the world, including here in the True North, Strong and Free: How did this happen? Could PRISM affect Canadians? Could Canadian governments be up to the same tricks? Just what are our rights to privacy online?
A law for the post-Sep. 11 era: The Protect America Act of 2007
While most of us have heard of the U.S. Patriot Act, the lesser-known Protect America Act generated just as much controversy when it was enacted. The Protect America Act amended the U.S. Foreign Intelligence Surveillance Act to remove a requirement for law enforcement to obtain a warrant before conducting surveillance on individuals, either outside of the U.S., or within the U.S. but communicating with persons outside the U.S., to obtain foreign intelligence information and in connection with U.S. terrorism investigations.
Instead, the NSA was left to conduct such surveillance according to its own “internal controls,” and to simply notify a FISA court within 72 hours of such surveillance. The notification would remain sealed, a secret of the FISA court, unless and until the collection or surveillance was challenged legally, generally by the Internet service provider being asked to provide information (an individual would not be notified that he or she was the subject of such surveillance).
Along with the Patriot Act and the Communications Assistance for Law Enforcement Act, the Protect America Act represents a controversial legislative shift away from civil liberties in favour of national security and combatting terrorism. In 2012, the Protect America Act was further amended so the surveillance powers it granted could be used in connection with individuals “reasonably believed” to be outside the U.S., thus broadening the net by increasing the opportunities for the NSA to initiate surveillance. Individual orders confirming a subject was outside the U.S. were no longer required, only suspicion.
PRISM: The Protect America Act in action
PRISM took the broad permissions granted to the government in the amended Protect America Act even further. The program permitted the NSA to have direct access to ISPs’ servers. In the information leaked by Snowden last month, several ISPs and media companies, including Yahoo, Skype, Google, Apple, Microsoft, and Facebook, were shown to have granted PRISM direct access to their servers, and thus to their customers’ information.
The exact details of these companies’ disclosures and the companies’ responses to these requests (and whether they fought against such disclosures) are sealed by the FISA court, although Yahoo, Microsoft, and Google are currently lobbying to be able to reveal information about their participation in the program — undoubtedly to allay their customers’ (and shareholders’) fears.
While these companies would have been legally obliged to comply with FISA orders, they appear to have voluntarily granted access to the PRISM program. The NSA’s own documents say the PRISM program is “100 per cent dependent on ISP provisioning.”
Given the Protect America Act authorizes the NSA to conduct warrantless surveillance on individuals outside the U.S., it is logical to wonder how many Canadians’ rights to privacy have been affected by PRISM.
In the House of Commons, Defence Minister Peter MacKay did not directly answer questions as to whether the federal government knew about PRISM or its effect on Canadians. Not very comforting, and it is almost certain that, as more information comes to light, we will find Canadians were subject to the wide-ranging powers of the PRISM program.
The federal Office of the Privacy Commissioner has admitted it has few details available about how PRISM has affected Canadians, but has committed to working with its counterparts in the U.S. and elsewhere to investigate and to make inquiries to the appropriate American officials.
Communications Security Establishment Canada allegedly has its own metadata analytics program, which was authorized by MacKay in 2011. The privacy commissioner has indicated further investigation into CSEC’s program would be undertaken, but as of now very few details about the scope of this surveillance program are known, although MacKay has insisted it is “specifically forbidden from looking at the information of Canadians.”
PRISM hits home
News of the PRISM program hit the news the very week I started my new position as corporate counsel at PEER 1 Hosting, an Internet hosting solutions provider, and I found myself, a few days into the job, having to reassure customers as to the security and privacy of the data they host with us. “Oh no,” I thought. “Have I started working for the dark side?” I was relieved to know my new employer reacted with as much horror as I did to the PRISM story, and our customers’ privacy is taken as seriously as I would hope.
I’ve been a student of media, communications, and technology my whole life. I work in this field because I truly believe the Internet is a powerful tool for education, for commerce, for change. It’s really the new land of opportunity we all seek, and its integrity must be protected in the name of those opportunities.
The Internet has created infrastructure that makes information generation and gathering exponentially easier — but authorities should not be able to exploit these capabilities at the expense of individual privacy, or in any manner that has a chilling effect on our use of this technology. PRISM is a perfect example of how modern technologies have broadened the scope of old-school surveillance laws beyond what we should be comfortable with, and have created genuine, well-founded suspicion about the privacy of our online lives.
Of course, laws must be in place to prevent those types of activities we have, as a society, defined as unacceptable, but it is essential that we as citizens are able to use the Internet with as much confidence in our privacy, for this tool to thrive.
Devil’s advocates will say, “If you’re not doing anything suspicious, why be worried?” I don’t accept this premise. The guarantees to privacy that we’re granted in real life, in the Charter of Rights and Freedoms, and in various federal and provincial privacy acts, should extend to our online life. The Internet should be a tool for good, not evil. And secret monitoring of my communications online? Well, I’m sure we can all agree on which side that falls.