Trading Sovereignty for Surveillance in the Telecommunications Sector

January 10, 2011

In June 2010, the government released a consultation paper which asked Canadians to comment on the possible impacts of increased foreign direct investment in the Canadian telecommunications sector. [2] While the paper clearly promoted potential economic benefits, the potential risks, which would not be confined to economic impacts, were absent from the analysis. This article briefly looks at the issue of increased foreign ownership on the telecommunications sector from the perspective of national sovereignty and security.

Security threats move online

Influential world affairs magazine The Economist sounded the alarm in its July 3rd 2010 edition “Cyberwar; The threat from the internet.” The related articles described an early logic bomb which blew up a gas pipeline in Siberia, a denial of service attack which crippled government services in Estonia and Georgia at crucial political moments, and noted the possibility that power installations and banking systems, both highly dependant on electronic connections, could also be hijacked by malicious software.[3] They may have already heard about just such a hijacking threat, an internet worm called Stuxnet, which had just appeared on the radar of security experts. It’s “a working and fearsome prototype of a cyber-weapon that will lead to the creation of a new arms race in the world,” declared European digital security company Kaspersky.[4] Unlike previous internet threats, experts seemed to agree that this one could not have been constructed without financial and human resources usually available only to large entities such as nation states.

It is safe to say that security experts dealing with these threats are grappling with faceless, nameless actors that sometimes work for governments, sometimes for industries, sometimes for terrorists and sometimes for themselves. “It’s like chasing ghosts” says Marcus Sachs, director of the Internet Storm Center, a volunteer monitoring group run by web security specialists.[5]

Meanwhile, back in Canada, our ability to manage these cyber invasions are surprisingly dependant on the “best interests” of private corporations. To protect their financial interests and keep the networks running smoothly, telecommunications providers have adopted technology and security tools that were once the domain of military and space programs. Currently, large Internet Service Providers (ISPs) have, by virtue of their unique capacity to filter malicious content, become a first line of defense against cyber attacks. ISPs themselves are concerned about this unofficial national security gatekeeper role. Bell Canada alone is dealing with over 80,000 “zero day” attacks per day targeting computers on its network.[6] “Zero day” attacks are attacks not yet known or addressed by computer security experts.

With private interests playing such a crucial role in national security, changes in foreign investment rules in the telecommunications industry need to be approached very cautiously. At the moment, Canadian law enforcement is not actively overseeing the network monitoring activities of large ISPs.[7] Canadians seem relatively relaxed about leaving it up to the majority Canadian-owned ISPs rather than the government. Around the world, there are already plenty of examples of state interference with the flow of information -- setting up information firewalls and/or spying on individual citizen’s internet activities. But are we just as relaxed about leaving it up to companies owned and controlled in foreign jurisdictions? What if these companies originate in foreign jurisdictions that actively interfere with the information flow in and out of their own countries? Should we be a bit more wary of Chinese or Saudi Arabian controlled companies, or a company based in Egypt, where the organization Human Rights Watch has recently documented a number of cases of internet repression.[8]

Alas, recent policy decisions are already moving us down this road. In December 2009, desperate to infuse some competition into the cell phone market and acting against the advice of the CRTC, the government allowed Globalive Communications Corporation to enter the Canadian market with its Wind Mobile wireless services. Globalive, in turn, is owned by Egyptian-based Orascom Telecom Holdings. In March 2010, seeking to address the gap between telecom legislation and practice, the federal Throne Speech announced that parts of the satellite and telecommunications industry would be opened to both venture capital and investment from outside the country. Industry Minister Tony Clement deflected questions saying that any change in policy would "have to be in the net benefit of Canada and have to satisfy the test in making sure it's consistent with national security."[9]

“What’s the test?” you might ask. Canadian internet researcher and commentator Jesse Hirsh suggests that protecting national security in this context is used as a blanket term to include anything related to the military, law enforcement, or the intelligence services. “The subtext to that is surveillance, that foreign companies would be allowed to operate in so far as they allow the state to have the same type of access they already have to Canadian owned and operated networks,” says Hirsh.[10] The state, at the moment, doesn’t seem to be intrusively monitoring, at least according to large ISPs. But it looks like that is about to change drastically.

Canada’s new cyber security and surveillance strategies

On October 3 2010, Public Safety Minister Vic Toews launched Canada’s Cyber Security Strategy.[11] It offers $90M over five years and $18M in ongoing funding to secure government systems, partner with the private sector to secure systems outside of the federal government and help Canadians to be secure online. It recognizes the gap in security caused by reliance on the private sector to deal with cyber threats by promising to strengthen existing structures and organizations. It also seeks to establish cross-sector mechanisms so government and industry can collaborate on critical infrastructure issues, including cyber security and security of process control systems which control critical infrastructure – the kind that Stuxnet was designed to infiltrate. Attempting to strike a balance between the public and private role, the emphasis, in this strategy, is on the shared responsibility of multiple actors. “Everyone must do their part,” says the document.

Canadian security experts were underwhelmed with this strategy. “I think this is not a strategy at all,” said Ron Diebert, director of the Citizen Lab at the University of Toronto Munk School of Global Affairs. “It is more like a tactical stop gap. The fundamental problem with this initiative is that it assumes that we can deal with these problems by focussing on the domestic front, by securing our critical infrastructure here at home….It really misses the important point that the sources of these problems are international, they are beyond Canada’s borders. They are very complex. They have more to do with a wide range of issues that Canada is not dealing with.” Diebert argues for the development of a foreign policy for cyberspace and assertive government engagement on this issue at all levels from the G-8 to the Internet Governance Forum. “We need to develop a strategy for cyberspace as a whole.” [12]

Meanwhile the other shoe dropped in early November 2010 when the legislation known as “lawful access” (Bill C-50, C-51, C-52) was reintroduced in Parliament. This legislation would give police and intelligence officers the right to intercept online communications and get personal information from ISPs about subscribers without first obtaining a search warrant. The bills, if passed, would supply law enforcement agencies with all kinds of new powers to secure information about the nature and content of individual communications.

Privacy advocates have been arguing against interception of communications without a warrant for years, indicating that it tramples on privacy rights. Besides, they argue, the police already have adequate tools to request such information.

"That type of approach is open to abuse, and I don't think it strikes the right balance," said Michael Geist, Canada Research Chair in Internet and E-commerce Law at the University of Ottawa. "There is a significant price to be paid, and sadly, scant evidence that a) we've got a problem, and b) that this is going to do very much about it."[13]

If the kind of intrusive measures described in the lawful access bills is part of the price Canadians are going to pay for the current push to loosen foreign ownership restrictions in the telecommunications sector, it is, indeed, a significant price to pay for a small reduction in the monthly cell-phone bill.

Tell us what our choices really are

Protecting national security by combating terrorism is one of the reasons given for the need for these added law enforcement powers, but it must be balanced with respect for the rights of all Canadians. As we have seen since the terrible events of 9/11, individual rights can be quickly subsumed under the blanket of national security. Safeguarding the line between spying on citizens or denying access to communications tools and legitimate law enforcement activities requires constant vigilance. And when issues arise, citizens must have the tools to challenge proposed changes. So it is essential that Canadians keep a close eye on the status of legislation that protects individual rights.

Most Canadians have never heard of section 7 of The Telecommunications Act which affirms that telecommunications performs an essential role in maintaining Canadian identity and sovereignty. It identifies government as a key player in the development of a telecommunications system that “serves to safeguard, enrich and strengthen the social and economic fabric of Canada and its regions”. It is also a piece of legislation that stands in the way of the federal government’s expressed desire to modify current foreign ownership rules. Among the objectives of telecommunications policy identified in section 7 are to promote the ownership and control of Canadian carriers by Canadians; and to promote the use of Canadian transmission facilities for telecommunications within Canada and between Canada and points outside Canada. Section 7 also makes the protection of personal privacy one of the objectives of telecom policy.[14]

This is a key piece of legislation that defines the Canadian communications landscape. By making a clear connection between telecommunications, sovereignty, security and, privacy, this is one of the legislative instruments that gives citizens a platform from which to hold government accountable on telecommunications issues. When it was enacted, majority Canadian ownership was considered to be an essential part of this equation. If that is to be changed, we need to have a national conversation about what would replace it. So far there has been no attempt to describe to Canadians what the choices really are.

Note: This article appeared in the December/ January issue of the CCPA Monitor and will be part of a forthcoming collection of articles on telecommunications policy in spring 2010.

[1]Parts of this article formed the basis of a submission to the federal consultation on Options for the Foreign Investment Restrictions in the Telecommunications Sector. See: “Telecommunications Is a Strategic Asset Essential to Sovereignty and National Security” http://www.ic.gc.ca/eic/site/smt-gst.nsf/vwapj/MaritaMoll.pdf/$file/MaritaMoll.pdf

[2]Industry Canada. (2010). Opening Canada's Doors to Foreign Investment in Telecommunications: Options for Reform. June. http://www.ic.gc.ca/eic/site/smt-gst.nsf/eng/sf09920.html

[3]“Cyberwar; It is time for countries to start talking about arms control on the Internet” (p.11-12) and “War in the fifth domain.” (25, 26,28). The Economist, July 3, 2010.

[4]Maclean, William. (2010). “The ‘nation-state’ likely behind cyber attack o Iran, experts say.” Ottawa Citizen. Sept. 25

[5]Waterman, Shaun. (2009). “Costs of war: chasing cyberghosts.” ISN Security Watch. July 9. http://www.isn.ethz.ch/isn/Current-Affairs/Security-Watch/Detail/?lng=en&id=103253

[6]Deibert, Ron and Rafal Rohozinski. (2010). “Meet Koobface, Facebook’s evil doppelgãnger.” Globe and Mail. Nov. 12.

[7]From remarks by panel members at the June 30, 2010 OpenNet Initiative. Global Summit. Ottawa in which large ISPs, the RCMP, and foreign affairs representatives were represented.

[8]Human Rights Watch. (2005). False Freedom. Internet Censorship in the Middle East and North Africa. Egypt. http://www.hrw.org/en/node/11563/section/5

[9] Ottawa open to foreign ownership in cell phone market. (2010). The Canadian Press. Mar. 3. http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20100303/cell_phone_...

[10]Hirsh, Jesse. (2010). Raising foreign ownership limits for telecom in Canada. Jessehirsh.com blog entry Mar. 9. http://jessehirsh.com/raising-foreign-ownership-limits-for-telecom-in-canada

[11]Government of Canada. (2010). Canada’s Cyber Security Strategy. Public Safety Canada. http://www.publicsafety.gc.ca/prg/ns/cbr/_fl/ccss-scc-eng.pdf

[12]Diebert, Ron. (2010). Oral comments on Cyberwar. CBC Radio. The Current Oct. 5. http://www.cbc.ca/thecurrent/2010/10/oct-0510---pt-2-cyberwar.html

[13]CBC News. (2010). “Tories reintroduce ISP intercept bill.” Nov.1 http://www.cbc.ca/technology/story/2010/11/01/justice-nicholson-justice-isp.html

[14]Canada. Government of Canada. (1993). Telecommunication Act, 1993.