There is a false dichotomy that is set up in security debates; it is either privacy or security. It is a zero-sum game. With Bill C-11 proposing sweeping changes to Canada’s private sector privacy laws, it is time for a mature, strategic, and informed discussion. We have to move beyond simple conceptions because the cost of failing to get these changes right will be exceedingly high.
The problem with simple narratives is that the underlying policy challenge is complicated. Privacy is a fundamental human right. It goes to the core of our being. Privacy reinforces security, and national security reinforces privacy.
The crux of this comes down to data. The generation of data. The manipulation of data. The combination of data. The algorithmic assessment of data. The use of the insights generated from data.
The ability to protect the privacy of Canadian citizens now comes down to the governance of data.
On the one hand we will willingly cede vast troves of information about every aspect of our lives to private, often foreign, companies. There are cameras in our doors. There are sensors in our fridges. There are microphones in our living rooms and there are sensors on our wrists. This is okay though because we read and understand the terms of a 100-page legal agreement before use, right?
On the security side of the ledger, there are discussions about end-to-end encryption and lawful intercept. Lawful intercept is a short form for when a judge has issued a warrant to intercept communications based on “reasonable and probable grounds” (which means that a crime probably has been committed). But, if the data is encrypted, only intelligence services can break it (maybe). This allows for a protected avenue of communication amongst human rights activists, disaffected youths, the LGBTQ+ community and all others who do not want their conversations monitored, but also opens up a lane for criminals and their illegal activities.
Enter the rule of law and judges—judicial decisions made free from political interference. Based on a law passed by a democratically elected leadership, this is the cornerstone of democracy. This is what those framing the Charter of Rights believed in, too. No one is above, or more importantly in these times, below the law. We are the same. I don’t want you to see my private messages, and I should not see yours. Unless exceptional times call for exceptional measures.
Criminals are bad. They do bad things. They rape. They kill. They sell horrific drugs to good people and turn them into shadows. They traffic people across borders, and hurt children over video chat. We need to stop that. The best way is often through digital evidence. But, if it is end-to-end encrypted, good luck.
If Canadians were informed and concerned about data privacy (hint: this might be the wrong way of doing it), this might pose an issue.
How can you at one time allow a foreign company to learn, assess, and commercialize everything about you, then at the same time worry about lawful intercept?
Yes, lawful intercept is a court-sanctioned order permitting law enforcement to listen, to record, to capture your conversations, messages, emails, and texts. It is a truly exceptional level of interference with personal privacy, but judges permit this based on sworn evidence.
Contrast this with the commercial invasion of privacy though. What are the terms that you agree to? Here is what they can do: Everything. Sell you. Manipulate you. Rank you against others. Disagree? Check the terms and conditions that you agreed to.
This is not a trade-off. If we are serious about both privacy and security, we need to make sure that “lawful” access means something—it should be about catching bad actors. It should be about judges making that call. And, we should trust them. But, for this to work, judicial independence and rule of law cannot be buzz words. Data is the most important thing we have. We need to protect it, harness it safely, and prevent it from being weaponized against us. In order to do this, we need a national conversation that goes beyond a discursive narrative of either privacy or security to creating a framework that reinforces both.