 Awesome. So I have a very non-technical kickoff for your conference. Thank you so much to the organizers for inviting me here to give this talk. I've given it to a few different sorts of audiences, lawyers, people who study the history of technology, so it's got a bit of a mix of everything. Honestly, if you find like some parts are dragging a little bit, just kind of say, that's cool, because I can work with that. I mean the abstract of the talk is supposed to do, basically tell three stories. First is how North American privacy law emerged. Second is how the history of the internet's development and other technologies have sort of overshadowed those privacy protections that we have. And then the third is really about the future. What are we as citizens, as consumers, as designers, as what are we supposed to do about it? So where do I start? I guess it would be impossible to start without acknowledging over the last two years privacy has kind of taken it on the chin. Since June of 2013, and the stories about surveillance started to appear in the global media. I mean, in all of the global media. I think the technical community, the legal community, government itself has been struggling with the idea of how you instill trust in consumers and citizens when all the evidence to the contrary, it appears that the security, the privacy, the anonymity protections that we expected around the architecture of the internet appeared to be thwarted or systemically broken. Paranoia could probably be redefined in the dictionary at this point as just right all along. And so there are all sorts of actors. Congress in the States, the entire Silicon Valley tech community. Now revisiting some basic fundamental questions about how encryption ought to work, how government ought to be able to compel keys, whether obfuscation and anonymizing technologies ought to be outlawed or regulated in a serious way. And so for, I think, folks who have studied how privacy protections have developed in the technical community, this is very, it's very 1994 all over again. It's like the crypto wars starting pretty much right back where they started. So I'll talk a bit about that as well. Okay, but that's enough preface. But before I even get to that, we have to talk about why privacy at all? Like why do people continue to value privacy in really an online environment that is not at its base designed with privacy in mind? It's designed with connectivity in mind. It's designed with redundancy in mind. But privacy was not out of the gate the way online infrastructure and networks emerged. But so really, I mean, who does care? And I'm sure that you've all heard versions of this before. It's quite common in the security in the technical community to run into folks who kind of dismiss privacy concerns. They usually have their own objectives or agenda. But they say, you know, in a, you know, people nowadays, they put everything online. Everybody has Facebook on their phone. You know, what really can these folks expect? They go into downloading these applications, using these applications, adopting the technologies. And they really ought to know better. They really ought to know that in the exchange that you make as a consumer, as a citizen, when you sign up for X and, you know, insert whatever app you want there, you are making a deal with that company, with that organization. Your privacy is one of the things that you are putting away. My favorite one that I often hear is back in the day, not so very long ago, you know, when everybody lived in small towns, no one had any privacy. Everybody knew everyone's business, you know. And that kind of casts privacy as sort of a contemporary hang-up, which I always tend to answer with Cicero. You get 2,000 years of jurisprudence and law based around the idea of privacy protection. This is from the 44 BC. Cicero is writing a book called The Offices of State for a nephew who is considering work in the Roman Imperial Public Service. And he's counseling his nephew to think about why we have government at all and what we want government to be, and one of the things that he says to his nephew is that we essentially have government to do two things. The first is the propagation of public goods, like roads, like aqueducts, like protection of markets, protection of legal rights. But the more important protection, the more important function of government, in Cicero's view, is the protection of private life. Because the state needs to not only have the power and the wherewithal to execute its sort of custodial responsibilities, its protective responsibilities, but it also needs to be strong enough to restrain itself when using those powers. And so that's a perennial question that we come back to again and again and again. Just keep it in mind next time someone tells you that this whole privacy thing is like new or a contemporary hang-up or it was invented when Facebook came along. Because, again, it pops up in the Magna Carta, it pops up in the Bill of Rights in the United States, it pops up in our own charter of rights and freedoms, all struggling with the idea of how do you constrain and ensure citizens trust in government? What legal bounds do you put on it? And really, if you were to reduce privacy to a definition, it is a metric of trust in government and trust in the organizations that you deal with. And I think, again, as developers and security folks, it is important to keep those questions in mind. But flash forward now, that's enough ancient history. Does anybody know who that guy is? Because this is really the father of privacy in North America. Americans and Canadians really have the dude on the left to thank for privacy protections. Anybody know who he is? Who? Deep throat. Perfect. Awesome. Somebody actually knew. You don't always get... He's not a face that everybody knows anymore. So back in 1970s, in a... Don't you think he kind of looks like Snowden age 20 years or 30 years? Back in the 1970s, Mark Felt was the FBI's chief counterintelligence director. So he hunted Soviet spies for a living. He knew lots about surveillance because that is what he signed off on all day long. And he was a career public servant. He was a loyal FBI man. But after he heard about some directives that were coming out of the White House in the midst of the turmoil around the Vietnam War, it became clear to him that the surveillance powers that he was responsible for overseeing were being turned less towards the purposes of counterintelligence and counterespionage and was basically morphing into a domestic spying program. And so when he saw that it was pretty clear that at the most senior levels of government there were folks who were interested in targeting political opponents, folk singers, academics, civil rights advocates. He did some soul searching and he said to himself, the United States is in a war with a totalitarian enemy and yet we are using the very tools of totalitarianism against our own political opponents. Gosh, I really don't know if I'm comfortable with that. And he called the two guys on the left, sorry, on the right, and basically blew the whistle on the whole thing. And that was the way it was done back then. This led, of course, to the Watergate hearings. It led ultimately to the impeachment and resignation of the President. It led to the passage of the U.S. Privacy Act. And it led to the Church Commission, which was the first time that the American public got a real glimpse into how both the CIA and the NSA actually worked. Now if all of this sounds kind of vaguely familiar, don't let anyone tell you that history doesn't repeat because this is sort of the process that we are going through now and as I'm fond of reminding folks, between the time that Deep Throat called the Washington Post and these sorts of proceedings and the establishment of the FISA Court in the U.S., which was another outcome of this whole imbroglio, it was six or seven years. And we're really just in year two of the sort of the fallout of what Snowden has disclosed. So I tend to remind people who are a little impatient about the rate at which things change that we're in for four or five years more of this sort of discussion and debate at the political level. I mean, if history is any guide. Now Canada didn't get out of any of this scot-free either. We had our own sort of version of Watergate right here, started in Montreal, basically in a nutshell. The RCMP, similar to what was going on in the States around the FBI, were dealing with radicalization again, not very different than today. Although the radicals at that time were the New Left, which they branded as including both nationalist union organizations and the Quebec sovereignty movement. This came to a head in the mid-70s when there appeared to be a linkage between some groups in the US, specifically the Black Panthers and the FLQ here in Quebec. And there was a meeting that was going to take place and again mirroring the sort of discussion that we have had in Canada around C-51. The RCMP was charged with the sort of pre-emptive disruption of this meeting and they stole some dynamite in downtown Montreal from a construction site and blew up a barn where the event, the meeting place, was supposed to happen. Is this like everybody know this already? No, no good. Okay, some people do. I see some people like, yes, of course, this is exactly what happened. But a lot of people don't know this. And what happened next, of course, given that the politicians, the ruling party of the day was largely based out of Quebec and was yet at the same time left completely out of the loop of this particular counterintelligence operation, the government of the day immediately launched an inquiry because they were very concerned that the RCMP and their roundup of files on the new left had in fact, and they did in fact target many people who were now senior politicians and cabinet ministers, and in fact the prime minister at that time. The end game of the McDonald commission was finding some of the things that I just talked about along with a legal interception of mail, break-ins, data theft, you name it. The ultimate outcome was the split of Canada's intelligence function from the old RCMP security branch into what is now the Canadian Security Intelligence Service. That was in 1984. It came along with, or around the same time as the Passage to the Privacy Act, which created the organization that I work for. It also created the Access to Information Act, the Information Commissioner's Office. Of course, the Charter was also passed around the same time. And so, going back to the whole issue of Cicero, here in the United States and in Canada, you had at the most political level, privacy and trust in government became the political issues of the day. And then the title of our talk this morning is supposed to be Privacy and Surveillance and then Oversight. Well, the government of the day tried to exert some accountability and some oversight. And the solution, as it will always be, and we'll come back to this, was imperfect. But it was all of these measures go into enforcing accountability and enforcing some oversight. That's why these laws were passed. Okay, so that's the history lesson over. How are we doing for time? That's like 10, 15 minutes. The next part of the talk goes into the fact that whether or not all of those things happened exactly as I just kind of laid out, because it's kind of a strong reading of history. It's good that they did, because putting aside the legal stuff, putting aside the counterintelligence stuff, putting aside the political debate around the control of intelligence services, another thing was, of course, happening, which was, of course, the internet. Of course, the internet looked pretty funky at the time. So there, on the left-hand slide, you have the internet. In 1969, it is a two-node network between UCLA and Stanford. It is, again, not built with privacy in mind, not really built with security in mind. They did it on a $100,000 grant from the $50,000 grant at the time, and they were particularly a link ladder, was trying to establish, I kid you not, a node network of communication that would survive a Soviet missile attack. That was the basic underlying premise of why the internet was supposed to be distributed. It was supposed to be nodal, and if the Soviets attacked and wiped out Chicago or wiped out Washington, you needed a network distributed enough, based on packet switching, in order to root around the big craters in the ground. And they got an enormous amount of money. And so by eight years later, as you can see, the nodes on the network have grown pretty exponentially. And most of the leading computer science, not what was it, computer science at the time, but most of the electrical engineering hotspots in North America are at that point connected, and you can see Stanford and all of the other folks who were originally in on the ground, but also in there, of course, is Pentagon, Fort Meade, University of Texas, et cetera, et cetera. And this really kick-started the sort of mass distribution not only of the treatment of information and the movement of information, but it also kick-started a massive concern within government about what this was going to lead to and how in God's name were you going to protect personal information. So again, in the late 1970s, both in the U.S. and Canada, got these big multi-year studies of computers and privacy, and how do you get ready for these big data information banks. Until you get to the point today, where this is, of course, a data map of one particular corporate system that is now the largest repository of personal information, certainly personal imagery on the planet, which is its Facebook's data map of their daily interactions between members. So you've essentially digitized, in many ways, personal information. You've digitized identification. You've even did, to some degree, commercialized and digitized the notion of identity itself. Used to be that government was the primary custodian of basic records around identity. It was the government that issued your driver's license. It was the government that issued your birth certificate, et cetera. Well, a little piece of cardboard in your wallet in no way compares to the scale of information, obviously, that an organization, I won't pick on them. I'll pick on them. Facebook or Google would have, on any individual citizen, once they are fully enrolled and using the network for a while. Silicon Valley companies like Facebook and Google in a whole different universe of responsibility, in some ways, in comparison to what the sorts of identity credentials that the traditional sort of government issues. And then, of course, there were a host of other technical problems that emerged with the system, of course, the issue of cybersecurity, hence bringing you to this very conference today. It continues to be a persistent concern both of government and companies and for very good reasons. There were also privacy concerns as a whole host of other technologies emerged. You had the development of high-resolution CCTV, so this is like a corner in downtown London, the UK being one of the countries most, or one of the planet's most dense nations to deploy, both CCTV and optical imagery, and the optical imagery, of course, gets better and better every year. We have now some pretty awesome infrared and scanning technology that can be mounted on just about any platform, including platforms that are unmanned and able to stay aloft for a very long time. All that I'm saying with these slides is that the rate of technological development did not quite manage, or as far outstripped, I should say, the whole issue of how you protect privacy in the legal realm. So privacy laws, data protection laws around the world are always trying to react to new technologies, and there's always a pretty persistent lag. Even in the United States, which is the center of development, I'll just use this one technology as an example, which is the center of development for unmanned aerial vehicles, and obviously be used for a whole host of surveillance capabilities that raise privacy issues. Even in the U.S., you have, at the federal level, continuing debate around how to regulate this new technology, and instead individual states in the U.S. have actually begun to pass drone laws. In some cases, I don't know if you've heard about this, there are some states where they're banned outright and they will actually give you a reward for shooting one down. I think that's Montana. Folks in Montana obviously take their privacy quite seriously. So now we're going to look at some data. Okay, so that's enough of the ancient history and sort of the technical aspect of the question. I think it would be useful, again, the purpose of the talk is to talk about surveillance specifically. And this, I'm going to go back in history one more time because it's important to know that the data I'm about to show you was put in place following a debate, again in 1969, around the role of ministerial and high-level government control when security authorities deploy specific surveillance powers. And so this was a conservative MP, stood up in the house and asked the government if the security and intelligence community in Canada did not at this point in 1969 represent a government within a government. So when you have elected officials asking the prime minister of a country questions like that, you're at the point where you're taking the whole issue of accountability and oversight quite seriously and we'll get into how the government reacted. But one of the ways that the members of parliament at that time reacted, they didn't leave it to the government at that point. They said, you know what? If you are doing surveillance, we have decided that we as parliamentarians need to know and we don't just need to know that you're doing it, we need to know why you're doing it and we don't just want to know why you're doing it, we want to know how you're doing it. And so Canada actually has unbeknownst to many folks about 40 years worth of public data on precisely this question and so I will try to walk you through some of the basic highlights now. So the first highlight is that, again this 40 years of data, that surveillance warrants issued by the federal court of Canada are actually at an all-time low, which strikes a lot of privacy people as either nonsensical, given what I have just said about the new technologies that are available, or that somehow the reporting scheme is seriously broken. So in 2013, the last year for which we have the records, there were 123 federal court orders issued for electronic surveillance. It's folks like the RCMP or Canada Border Services who would be applying for these warrants. And again, most people look at this slide and they're like, you know, what the hell happened? Like where did all of the surveillance exactly go? Because I think people have a gut feeling that there's something wrong with this data. But there's not. When you consider that the parliamentarians back in the 60s also required that if you were under surveillance and the police came finally to arrest you on the basis of what they learned in the surveillance is that they actually have to notify you. So in 2013, last year that we have for data, is 685 individuals were notified. Now I'll flick back and forth between the two slides here and see if you can come to your own conclusion. If there was 123 warrants issued and there were 685 people notified that year, it means. More than one individual is listed on warrants now. This is not something that the original scheme contemplated but if you want to know why the numbers have been dropping down so much is it is now typical on a single warrant to list 50, 100 individuals who may be associates of your primary investigative target or of course if it's criminal gang, if it's organized crime, if it is a radicalized group, you list crime, officer conducting surveillance and then all of the folks who you would like to put under surveillance. So you also get some sense of and I will, these slides I'm going to give to the organizers in case you can't read the fine details but you also get some sense of why or what crimes the authorities that are conducting the surveillance are interested in. The sort of swampy green color is the narcotics control act. So despite the fact that whenever new lawful access or surveillance powers are proposed by government and the rationale is always counter-terrorism or organized crime, the number one with a bullet criminal case that they are looking to investigate is almost always drug crime. So selling drugs, importing drugs, possessing drugs and that has always, as you can see from the data, has almost always been the case. Criminal code infractions where the terrorism stuff would fall is the blue band at the very bottom of the data. And only very recently, as you can see, has the priority of folks seeking surveillance warrants shifted to those sorts of crimes as opposed to basic drug crime and there are a number of reasons for that. Specifically, research in the U.S. has shown that the reason that this takes place is that traditionally when you do a drug investigation you also seize a lot of cash. So the cash that you seize ends up paying for the surveillance that you... sort of like a self-licking ice cream cone, really. So this is where the different offenses are spelled out. We also, again, thanks to the foresight of the parliamentarians, we know where surveillance is targeted. So back in the day when the reporting regime was first established, private residences were almost always the target. Over time you got more and more commercial residences. The light green is where vehicles start to become the premise that is under surveillance. And then finally you've got the growth of the other category, which is on top. And other is now the predominant place where surveillance is actually taking place. So what does... Of course raises the question, what goes into other? Initially, other was the bugging, the covert bugging of prison cells. You wanted a confession, you didn't know exactly if you had proof. You rounded a guy up, you threw him in a cell. You put him in there with someone he trusted or some sort of sympathetic ear. A guy is actually an informer. And you tape what the conversation is and you maybe find out if the guy that you've arrested has coughed up. That actually didn't stand chart or challenge and so it's now kind of illegal to do that. It's entrapment. But other places that you might put surveillance would be the interview room. And then finally the other category includes objects. And objects back then, or initially would have been things like a park bench or a public pay phone. But now of course objects are computers and objects are smartphones. And so that is where the majority of targeting for surveillance now is goes. And then you also get some discussion of how, or sort of the method of surveillance. And which is, I mean, again, it's kind of mind blowing in a way that the MPs would, or the lawmakers would put all of this in place because this is the very sort of trade craft that police and security agencies are really, really interested in protecting. But here, plain as day, you can see that microphones, so covert bugging is kind of out of fashion now. Covert video surveillance, not so interesting. Again, the other category picks up. This is generally, it is generally considered to be either a computer register or a suite of other sort of more experimental bugging devices, like using lasers and stuff. But by and far telecommunications services, telecommunications interception is, of course, makes up the majority of the surveillance. Now again, when most people look at the statistics, they wonder, okay, well maybe the reason is that the responsibility for surveillance has been handed off. But that doesn't really work as a theory either because CISIS, so all of that data that I just showed you, that's all federal law enforcement, CBSA, RCMP, folks like that. Well, CISIS also reports the number of warrants that it gets. And while CISIS authorizations are slightly higher than the overall other reporting, it's not enough to make up the whole story. And so there is a real question about how you enforce accountability and oversight with questions like this. Now, who has heard of the lawful access issue? Because I'm going to race through this part. We've just kind of got through this. It's the sort of 20-year debate that occurred in Canada around the idea that given the changes in technologies, we need to find a new way to regulate the way that surveillance is done. So, I mean, basically as backstory, in the 1980s what happened is you had all of this obvious, you had an uptick in computer crime, specifically after sort of the Soviet Union began to fall apart and was not really an economically viable place for folks with a lot of computing talent to do their thing. And so computer crime got to be a very serious international issue. The FBI and the US were asked to find a solution to this problem, find a way to get international police organizations to be a little more proactive and able to do investigations in a more efficient manner. And going back to parallels with the debate that's happening now, and then one of the FBI's serious solutions was something called the clipper chip. The clipper chip was going to be a specific piece of hardware that would go into any telecommunications device in any computer that would essentially allow authorized federal agents access to those communications or transactions if they had sought approval from court and gotten it. So that's literally baking the surveillance solution right into the hardware itself. And that was a full on publicly discussed option in the early 1990s. The other was regulating encryption like a weapons grade technology to the point where just having, at one point in the early 90s, having PGP on your computer and crossing a border out of the United States was in theory, I never actually tried to prosecute this, I don't think, but in theory it was a crime just to take PGP across the border out of the US. So that was, and it's funny, because now, just this week, most of the US's lead cryptographers and online service companies, like two days ago, wrote to President Obama and said, we are a little nervous about the fact that the FBI is now raising all of these arguments again. I thought that we had settled this 20 years ago that we weren't going to ban encryption, so we were not going to hand keys over to the government. They're talking about sort of a key escrow scheme where the government will have a master key, individuals will have their own personally generated keys, but the master key will sort of thwart the end to end encryption. They're very nervous. They're like, do we really have to have this debate again? And so all of these questions are new once again. Now it took Canada almost 20 years to do this reinvention of lawful access, and it was a term that was coined around surveillance law. I think it was actually supposed to be palatable rather than say, let's overhaul Canada's surveillance regime. You say, well, we're just trying to provide lawful access. We're the government, and we need to be able to access particular points of data in particular time, and I will not go into detail here. But this took 20 years, and if you ever come to Ottawa, you will meet some people who were around for this whole discussion. And whenever you get seven government departments and a piece of controversial legislation, it's going to take time. But this took 20 years of consultation where the bills were redrawn, redrafted. It bounced between Solicitor General of Canada, Justice Canada, Industry Canada, Public Safety Canada. They tabled their first version of the bill back in 2004. It was called the Modernization of Investigative Techniques Act. This was previous government. Then the government fell, there was an election, a new version of the bill passed. This is all in the wake of 9-11, and it's also, as other countries, like the UK and the US, are revising their laws. In 2007, you got the first New York Times story run about war-on-less wiretapping in the United States. It's pretty Snowden, but I think it was based on an AT&T engineer named Mark Klein, who basically went public with the story that the NSA had constructed a room in the back of a major internet exchange point in San Francisco, and was using narrow, deep packet technology to basically splice the data and send a lot of it off. People thought it was crazy at the time, the whole Snowden stuff makes it less crazy. Here in Canada, we then got this debate around, does anybody remember the whole Victaves Anonymous kind of blow up? This is where our public safety minister tried to table a piece of lawful access legislation and brought basically most of the privacy community, most of the legal community, and everyone else down on his head by saying in the house that you were either with us or you're with the child pornographers, you either want a surveillance bill or you don't, and that was the basic rationale. The government walked away from that piece of legislation, obviously, and then finally, and again bringing us up to the present, we had a bill C-13 tabled very tragically in the wake of Retea Persons' suicide in owing to cyberbullying, and so the emphasis moved from child pornography to a bill that would enable swift investigation of cyberbullying incidents. Without going into the fact that you can actually use the surveillance, of course, for any crime at all, and that is the bill that in fact passed in the Senate in December and came into force two months ago on March 10th. So what are actually in the powers, and this is where I'm going to start to wrap up because I think I'm probably getting close to time, how they would actually work in a real investigation, and this is probably the part that bears most on the reality that you work with. Now, again, I know you cannot read this, but the slides will be given to you. What the lawful access bill that came into force two months ago enables is for any police officer or public officer, and that definition is important because a public officer is defined as any government official who enforces any law, not just criminal law, tax law, any law. The new lawful access legislation will allow those officers to issue what are called general data preservation demands. So they self-authorize these. In other words, they sit down, they write out a form, I officer so-and-so have reason to suspect that this person, this IP address, this MAC address, this number locator is a hub of whatever crime they happen to be investigating. I would like you, Firm, to give that to the company to hold the data for 21 days. And in that 21 days, so the company that's been served the order now has to sit on that data and put it in a little box or hive it off. And for 21 days, the clock starts to tick, that officer then has to go to a court to get a warrant to seize the data. So the officer doesn't get to see it, but he does get to freeze it. So if you are a company that has, say, a retention policy that automatically eliminates SMS tax, you don't anymore. Because the moment you get one of these, you have to freeze the data. You don't have a choice, fines for non-compliance run to $500,000 and two years jail time. Also, the officers can get what is called a general data preservation order. So the first one was a demand, the second one is an order. There, the timeframe is increased to three months. So you will now be required to preserve data that maybe you would have gotten rid of normally from your web logs, whatever. You have to sit on that for three months. That requires a court order, but it only requires a court order at a grounds of suspicion, not belief. And that's very important because suspicion can be established in a page by a good lawyer, whereas reasonable grounds to believe requires much more substantiation before court. The other things are other powers that went into force two months ago include a communication trace production order, which will allow, and this would be in place for 60 days. So it allows the authority in question to collect 60 days worth of MAC address data or IP data or SMS data or email headers in order to do basic communications mapping, network analysis, traffic analysis, what have you. And that is also at grounds to suspect. Then you get transmission data production orders, location tracking production orders. All at lower threshold you get financial production orders at the lower threshold, tracking warrants for transactions and things. So that's where an ATM card is used, where any kind of like e-payment scheme is used. You can use that to actually map out an individual movement. You get transmission data recorder warrants. So that is basically for the installation of either spyware or an actual device like a packet sniffer or a DPI box. And then finally at the very bottom you get the general production order which gets you content. So all of that other stuff above that is considered non-content. It's all considered metadata. It's all considered you have a very low expectation of privacy around that. It's when you want to see the actual text of emails that a government or body would be required to get into a general production order. I'm going to speed ahead here because I am now taxing your patience I can tell. But the other thing to keep in mind and it was asked to me was how the lawful access legislation that I just described and those powers are going to work with a bill that is in fact not law yet but has been quite recently debated which is the new anti-terrorism law. And it's interesting. Like I said all of those new lawful access powers are now on the books. Those have already gone into effect. I could be the subject of those forms of surveillance at this exact moment. What remains to be decided is how that information will be shared once it is actually in the hands of government. So say for example CISIS has a warrant to use one of those powers mentioned or RCMP is a better example. RCMP is conducting a specific investigation. They conduct a warrant. They do some geo-tracking. They do some network analysis using those tools. They gather the data but their investigation craps out. They don't have enough to prosecute. Previously that data basically has to go away. And so much as they basically would put it in their archive. But what the government has done with their new legislation is allow for more sharing. And this goes into where individual government departments will be able to move data around. So say their investigation RCMP craps out. Well there are 16 other organizations that are in the business of law enforcement and intelligence at the federal level. So it could in theory put or push that data at CISIS, CSE, FINTRAC, National Defense, Canadian Forces. The new law will allow basically data that is collected and goes nowhere for one organization to be punted to any of those folks in the blue list. The Department of Transport, the Public Health Agency of Canada, the Canadian Nuclear Safety Commission. And that data from those surveillance operations can be punted over for those reasons in the pink. Terrorism, counterterrorism is one of those reasons. That's why the bill is called the anti-terrorism bill. But among the other reasons that are listed that haven't really been debated very much are detecting or countering interference with systems. Detecting or countering interference with operations, border security or police technologies. Disrupting actions that may attempt to replace the government of Canada. Countering sabotage, subversion, sedition or foreign manipulation. Halting proliferation of nuclear chemical radiological weapons. Monitoring or halting manipulation of any computer system attached to a health service, food, financial product, water. Information, communications, technology, energy or government program. It's a fairly long list and obviously they couldn't get all that in the title of the bill. So what you're going to see along with the lawful access powers is a lot more sharing of the fruits of these investigations within government. And I think that that's going to be a story around where our oversight mechanisms in Canada again have to change. Because right now our system for accountability around public security and intelligence looks a bit like this. Very, very complicated, very, very siloed, a lot of players involved. So you nominally have parliament at the top, you have cabinet below and then you have individual ministers responsible for individual operations. But going back to the 70s and the whole blow up around the RCMP's activities, it became very clear that at that time anyway that the minister wasn't fully aware of the depth of the investigations. And I think that there's, we've had three federal public inquiries into intelligence mishaps in Canada in the past few years. We've had the Arar, we had the Air India Bombing Commission of Inquiry. And all of these have pointed to problems in enforcing accountability. There's also the issue of what you want your elected officials to do because of course you can't, or it's not in the Canadian tradition to security clear elected officials for classified information. And yet how are parliamentarians nominally going to exercise any real oversight as they are paid to do of operations like that if they don't have the clearances? So there's a real question about what we as citizens are sending folks to Ottawa to do in the realm of ensuring national security. There's also the question of openness. This is the secret room that I mentioned that the AT&T techie was not secret obviously because it's right there in front of you. There's the issue of openness and this cuts both ways. Companies are expected under international data protection law to be pretty open and transparent about what they're doing with company data. But if there is only one individual in any given company who knows about the surveillance measures in place, and very often that is the case. Because the person who gets the warrant also gets the gag order, which means that he goes to jail if he tells anyone about it. So very often a company served with a surveillance warrant can with very good faith go public and say we have no idea what the heck this surveillance stuff is about. We've never gotten one of those because the guy who is saying that is the communications guy who didn't get the warrant. And he can say that knowing that it's okay, I didn't get a warrant. It doesn't mean that the company isn't subject to some sort of legal order. And so this is playing out in the US right now as the whole Patriot Act reauthorization question is coming to a fore. On June 1st, the provisions in the Patriot Act that allowed the NSA to do the bulk collection are going to sunset. And so there is a real question about what companies are going to be expected to do. One of the things that we in Canada wanted companies to do was be more transparent about when they hand data over. And while Google was first out of the gate on this issue, more and more companies in Canada have gotten involved. TechSabby, Rogers, TALUS, MTS, Allstream have all started to issue transparency reports. So you can Google these. These are online. So for example, here's Rogers. I'll just pick on them. Rogers in 2013 received 90,000 customer name and address checks from government. They received 74,000 court orders. They received 2,000 government requirement letters. They received 9,000 emergency requests from police. They received 40 international mutual legal assistance treaty requests. So a grand total of about 174,000 government requests. Some of them surveillance. Some of them more just identification. But that gives you an indication of the sort of the scale of activity. TALUS is in roughly the same ballpark. Bell Canada hasn't issued one of these reports yet. And Bell Canada obviously being the biggie in the space of owning the actual infrastructure in a lot of parts of Canada. It's going to be interesting once or if they actually do. But these are now sort of the rigor and they come out every year. And I guess the final thing that is important to consider in all of this is the role of the courts. Because the courts seem to be going one way. The government seems to be going on this idea that tools like Tor that things like PGP should effectively signal you as someone of suspicion. If you look at some of the NSA documents just using encryption will get you targeted. Just having some of these tools will sort of signal you out among the mass of 100,000 other people who don't use these tools. So that's from the security side. Well the courts are going the other way. The courts, there was a recent Supreme Court of Canada decision around the issue of when governments do and do not need a warrant in order to get telecom data. The court underlined the fact that a warrant really is required and that when folks use the internet if they choose to do so and use obfuscation tools they have a right to do that. And they have a right to interact just like you have a right to vote anonymously. You have a right to be online and browse and research anonymously. That's the Supreme Court of Canada. So the government has had itself to do a fair bit of rethinking around that issue. There's also the question of efficacy. This is the Canadian's federal intelligence budget. Who gets to ask the questions about how money is spent, where it's spent, is it well spent? CSE has been in the news quite a bit over the past couple of years in connection with the NSA stuff. But their budget is dwarfed, not dwarfed, but it is seriously overshadowed by the intelligence budget of National Defense and CESIS. National Defense is the blue, CESIS is the red. Much fewer news stories about those organizations in terms of how program is, program spending. And of course there's the question of how are we going to build, and this is really your question, how are we going to build privacy protections into new technologies that are used to do sort of data mapping like this and network analysis. It's increasingly coming down to those technical protections, which is maybe the subject of the next two, three, four days for you. Thank you very much. You've been incredibly patient. I hope you learned something. Thanks a lot.