You hit “send” in Ottawa. The email pops into your Winnipeg girlfriend’s inbox.
That’s all nice and intra-Canadian and, hopefully, therefore protected by Canada’s data privacy laws, right?
Wrong. Welcome to the world of boomerang routing, where Canadian traffic is often routed through the US.
Once it heads south, that internet traffic can be subject to who knows what kind of inspection, filtering, NSA snooping, and/or an altogether foreign set of privacy laws.
A University of Toronto-led transparency project has published a report criticising how Canadian ISPs needlessly route traffic through the US in this manner.
In the report, the university’s Andrew Clement and Jonathan Obar provide an interactive map and rate 20 Canadian ISPs according to a number of transparency criteria.
The ratings are based on 10 data privacy transparency factors as gleaned by careful examination of each ISP’s website.
The researchers looked only at public statements, they said, on the assumption that the carriers would actually want to make it easy for customers to find this stuff:
This is what the report rated the ISPs on:
- A public commitment to compliance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA).
- A public commitment to inform users about all third-party data requests.
- Transparency about frequency of third-party data requests and disclosures.
- Transparency about conditions for third-party data disclosures.
- An explicitly inclusive definition of “personal information”.
- The normal retention period for personal information.
- Transparency about where personal information is stored.
- Transparency about where personal information is routed.
- Publicly visible steps to avoid US routing of Canadian data.
- Open advocacy for user privacy rights (such as in court and/or legislatively).
The ISPs didn’t do well. They averaged about 1.5 stars out of 10.
Although the US seems to be number 1 at snooping, on the plus side, its ISPs, to greater or lesser extent, are increasingly letting customers know how frequently law enforcement shakes them down for data and how they respond.
None of the carriers providing internet services directly to Canadians has yet followed the lead of companies such as AT&T, Verizon, Google, Facebook or Twitter in this respect, the report says.
As far as boomeranging traffic through the US goes, the report found that fewer than half – 8 out of 20 – of the carriers’ privacy policies refer to the location and jurisdiction for the information they store.
Only one of the ISPs – Hurricane – gives an indication of where it routes customer data, and none make explicit that they may route data via the US, where it’s subject to NSA surveillance, the authors note, leaving it up to individuals to dig out the information via specific enquiries.
Of course, even if Canadian traffic stayed within the country’s borders, it wouldn’t stop Canadian snoops from prying it open.
But, the authors point out, at least Canadians have some control over their own surveillance outfit, as opposed to the powerlessness they have to change anything the US decides it wants to do:
Canadian entities conducting surveillance within Canada are subject to Canadian law and its Constitution. Should Canadians determine that the Canadian surveillance apparatus is to change, that would possibly affect the level of surveillance on intra-Canadian traffic. The same cannot be said about traffic that passes through the US and other foreign countries as Canadians cannot easily force change in the laws and surveillance practices of foreign countries.
Among the report’s recommendations is that ISPs that handle Canadian traffic should make public the measures they adopt to keep Canadians’ data and domestic traffic within Canadian legal jurisdiction.
Or, at least, the report says, ISPs should protect data from foreign jurisdiction – most particularly that of the US – by adopting measures such as:
- storing data within Canada,
- exchanging traffic only with carriers providing data protection comparable to that expected under Canadian law,
- exchanging traffic at public internet exchange points in Canada,
- encrypting traffic when unavoidably subject to foreign jurisdiction, with the keys kept with the individual subscriber or within Canadian legal jurisdiction.
It just seems like a no-brainer that a country would, if at all possible, keep its traffic out of the hands of the US’s surveillance state and its data-protection laws.
But it isn’t necessarily a choice made by privacy-loving, surveillance-shunning citizens.
The choice has to do with technical, economic and policy issues, and it’s often made by private corporations.
Will that change in this post-Snowden era? Will the power balance be shifted?Follow @NakedSecurity