The Future of Privacy: Rules for Needles in Machine Readable Haystacks

I have now written twice (here and here) over the last two days on recent revelations/debates over data-mining by signals intelligence agencies.  Every morning, I wake up to a new news report.   This morning the Globe & Mail's Colin Freeze (who has been the lead on the Canadian metadata story) writes: "CSEC’s metadata collection rests on a foundational legal assumption by the minister and CSEC. They believe that metadata telecommunications are legally different from private communications, such as the content of e-mails and phone calls, which can’t be intercepted without a warrant."

If this is so, and the government is acting as if this were an indisputable legal fact, then the following may also be true:

  • No Ministerial Authorization for the foreign intelligence program: The metadata program described in the excised "ministerial directive" (that is, the command/control order the minister may issue under the National Defence Act) disclosed so far may not be supported by a "ministerial authorization", which is required where there is a prospect that Canadian private communication may be swept up in surveillance conducted as part of CSEC's foreign intelligence collection mandate.  That is because the government would be of the view that any Canadian information is not private communication and therefore not governed by the special rules for such information in the National Defence Act.  As I have already noted, the government had better be right about this: if they are wrong, and the data does include private communication being collected without ministerial authorization, they are not protected by the National Defence Act s.273.69 carve-out from culpability under the Criminal Code, Part VI.  Personally, I think the government would be insane not to have covered its bases by issuing a ministerial authorization on a "just in case" basis.
  • Any domestic metadata project may be unsupported by a warrant:  So far, we know that there is a foreign intelligence metadata project.  Is there also a domestic metadata project?  As best as I can tell, we don't know.  But to remain within its mandate, a domestic metadata project involving CSEC would have to be conducted as assistance to law enforcement or security agencies.  I have argued that a program analogous to the US telephone metadata project would require a warrant.  Who calls whom, from what number, when, and from where, is information in relation to which a person surely has a reasonable expectation of privacy, triggering application of section 8 of the Charter.  This is information closely tied to a biographical core -- much more so than house heat signatures or power bills.  In those circumstances, a warrant is required.  (And no, I do not think that labelling this "national security" is enough to escape this requirement -- a few obiter statements by a court, made in passing without a focus on adjudicative facts, do not create an exception likely to pass muster here).  But who am I to say?  Mr. Freeze's reporting suggests that the government may beg to differ.  And so resolving this may take a court case.  Imagine the size of the class action brought for damages (now available for constitutional breaches) if the government really is sweeping millions of phone calls into its metadata database, without warrant.

So much of this is speculation, which makes me uncomfortable since if you go too far down this rabbit hole you start wearing headgear wrapped in tinfoil.  But of course, speculation is all we are left with when transparency is resisted. 

And so to summarize the speculation: someone in government, presumably in the Department of Justice, may have offered a legal opinion about the nature of "metadata" to the effect that this is not a private communication. The government may have built the structure of a foreign intelligence metadata collection project on the basis of this legal opinion and we don't know if there is a "ministerial authorization".  We can wonder whether there may also be a domestic metadata equivalent that also relies on a legal opinion minimizing the privacy implications of metadata and is therefore conducted without judicial warrant.  If these (contestable) legal opinions are wrong and the information collected is private communication in relation to which one has a reasonable expectation of privacy, the government is committing a crime and violating the Charter.  And to be clear, no "ministerial directive" issued under the National Defence Act can exonerate such a violation -- indeed, the directive becomes part of the violation.

And so this is more than a privacy issue.  It is also a rule of law issue.

But this is the point where we raise the "what do we do as a policy matter" issue.  As I have suggested before, privacy rights built on a reasonable expectation of privacy foundation are unsustainable in a world of mass data amalgamation, storage and automated searching.  This is a 20th century rearguard action fought in a 21st century theatre.

The discussion on metadata has been largely about "what the government can collect".  It is a debate worth having -- as I have noted, there are important rule of law issues potentially in play.  But data is too readily available and too fungible to think that limitations on collection -- including a judicial blessing obtained in advance of collection -- amount to a meaningful protection anymore.  That is a system that works when data needed to be collected directly, usually from a home that was the proverbial castle.

But the moat around the castle is breached, both because of the ubiquity of data and because of what (reportedly) are the government's efforts to limit the reach of older privacy doctrines to the new world of things like metadata.

New lines of defence are required, shifting the focus from a losing battle over "can the government collect the haystack".  The question is instead: what can it do with the haystack?  What can the government keep in its databases?  When can it amalgamate databases?  What search terms can it use to find the needle in the haystack?  When can it de-anonymize data pulled up by those search terms?

It is possible to develop internal protocols on all of these issues. That is not enough.  The logic of our constitutional protections dictates that these are matters to be decided by independent actors -- judicial officers in particular. 

And so the future of privacy is what I have called "Firewall" warrants -- where judges approve (or not) database retention, combination and search procedures.  The revelations this past week suggest the time has likely arrived to move on this front.