I must admit to being rather neglectful of this sad little blog of late. Nothing but summaries of tweets for quite some time, along with a long, long list of half-written (and unpublished) posts. In any event, in case anyone actually visits this blog anymore, here’s a piece I wrote for The Lawyers Weekly, which they have kindly permitted me to reproduce here. You can, of course, also read the article on The Lawyers Weekly site.
My thanks to Richard Skinulis, Focus Editor, for taking my vague ramblings and making them eminently more readable. Of course, responsibility for the substance of the piece (and of course any errors or omissions) remains solely with me.
The TL;DR version: Snowden’s revelations shouldn’t have a material impact on companies choosing US vs. Canadian data service providers (IMHO).
Here’s the article:
In the aftermath of Edward Snowden’s revelations regarding the extensive (if not pervasive) scope of the U.S. National Security Agency’s data-gathering activities, questions have again been raised regarding the implications, if any, those activities have on the selection of service providers that handle or process data, particularly those based in the U.S. This article attempts to answer some of those questions.
For example: If you use a U.S.-based service provider that physically stores data in the U.S., can it be accessed by American authorities? The answer is yes; the U.S. Stored Communications Act authorizes the U.S. government to gather information through warrants issued by federal courts, which generally have jurisdiction within the territorial limits of the U.S. The Foreign Intelligence Surveillance Act also permits electronic surveillance within the U.S. with a court order (and in some cases without) to gather foreign intelligence information.
Similarly, if you use a U.S.-based service provider who keeps your data in Canada, can it be accessed by U.S. authorities? Yes again. A recent decision from the U.S. District Court for the Southern District of New York confirmed that the scope of a warrant under the Stored Communications Act covers information within the possession, custody or control of the person upon whom it is served, regardless of the physical location of that information. Consequently, information stored in Canada by a U.S. company, and quite likely, by an affiliate that is controlled by that U.S. company, would be covered by such a warrant.
But what if you use a Canadian-only service provider who keeps your data in Canada; can it be accessed by U.S. authorities? Although it seems to be a widely held belief that data physically stored in Canada is less susceptible to surveillance, that belief is not entirely correct. Surveillance activities by U.S. authorities directed to foreign intelligence-gathering activities outside U.S. borders and which are not directed at U.S. persons are not subject to Fourth Amendment protection or similar protections afforded by the U.S. Electronic Communications Protection Act. Thus, to the extent U.S. authorities are able to access such data without the co-operation of the company holding such data, they may do so without a warrant.
Where security or other measures have been implemented that are sufficiently robust to prevent such access, U.S. authorities may still be able to access such data by enlisting the assistance of Canadian authorities through treaty arrangements such as the mutual legal assistance treaty between the U.S. and Canada, or the so-called “Five Eyes” treaty between the U.S., Canada, the U.K., Australia and New Zealand. Canadian government authorities could then undertake to execute warrants within Canada to obtain the desired data for use by U.S. authorities. Some of the more recent revelations from Snowden clearly indicate close co-operation between the NSA and its Canadian counterpart, the Communications Security Establishment Canada, including surveillance activities requested by the NSA.
Even if you keep your data in Canada on in-house facilities, nothing really changes, except that to the extent a warrant is issued, it would be issued against you rather than your service provider.
And what about the Canadian authorities? While many concerns have been raised regarding the scope of U.S. surveillance activities, comparatively less attention has been given to the fact that Canadian law gives Canadian authorities many of the same powers — and sometimes, with even less oversight than in the U.S. These powers include the ability to obtain secret warrants (pursuant to the Canadian Security Intelligence Service Act) and surveillance activities with no judicial oversight (pursuant to the National Defence Act). Information recently released by the Canadian Wireless Telecommunications Association, in response to a request from the Privacy Commissioner of Canada, indicated that its members (comprised of telephone and internet service providers) received an average of 1.2 million requests annually for information from Canadian authorities up to 2011, suggesting that Canadian authorities are fairly active in their surveillance activities.
The intent of this article is not to assert that government surveillance is inevitable, unavoidable and that all hope is lost, but rather to suggest that it may perhaps be somewhat naïve to believe that either avoiding U.S. service providers, or keeping data physically stored in Canada, will necessarily result in it being more secure or less likely to be subjected to collection or surveillance, whether conducted by U.S., Canadian or foreign governmental authorities — or, for that matter, anyone else. Instead, what it does suggest is that companies should take reasonable measures to safeguard their data regardless of whether it’s located in Canada, the U.S., or elsewhere.