NEB plan to monitor social media en masse 'really alarms me,' says security researcher
'The line between what's public and private on social media is not very clear,' says Citizen Lab director
The National Energy Board's plan to hire a security firm to monitor "vast amounts" of social media chatter may seem like the simple aggregation of publicly available data but actually raises a host of privacy concerns, says a prominent digital security and human rights researcher.
Ron Deibert, director of the Citizen Lab at the University of Toronto's Munk School of Global Affairs, has written an open letter asking the Calgary-based NEB to clarify exactly why it wants to accrue all this data and how it plans to use and share the information.
In a recently posted request for information, the NEB — which is responsible for regulating pipelines and other energy infrastructure in Canada — says it is only looking to monitor publicly available data in accordance with existing privacy laws in order to identify potential risks or threats.
But Deibert says many Canadians don't realize just how much of their information could be considered public and the extent to which their online activity can be tracked.
"Many of these companies have technologies and tools that enable them to gather up a lot of information that they would consider to be public information but is much deeper and far more revealing than what is posted publicly on a Facebook page," he said.
Social media platforms are constantly changing, he added, and it's not always clear what defines public versus private data.
"We're going through this really revolutionary change in how we communicate in a very short period of time. And the line between what's public and private on social media is not very clear, and I think it's certainly not been defined legally."
NEB wants 'demo session' in July
Past hearings into the now-discontinued Energy East pipeline were also the subject of public outbursts and what the NEB described as "violent disruption" in Quebec.
The federal regulator is now seeking information from companies qualified to provide "real-time capability to algorithmically process vast amounts of traditional media, open source and public social media data."
It is asking prospective providers to offer a "short demo session" of their security threat monitoring services in early July.
The goal is to obtain information from "potential third-party service providers about tools that could assist the NEB in meeting its obligation to identify and manage security risks," said Karen Ryhorchuk, a communications officer with the federal regulator, in an email.
The request for information says the threat-monitoring services are required under a broader federal directive on security management that was issued in 2009.
According to that directive, however, the protocols were supposed to have been implemented by 2012, and Deibert wonders why the NEB is now suddenly in such a hurry to solicit demonstrations from security firms.
The request for information was issued on June 19 and closes on Friday, he noted, providing just a 10-day window for responses.
In his letter, Deibert says that "raises concerns that NEB planning in relation to this new mass monitoring capability is already at an advanced stage, and has perhaps already encompassed substantive discussions with potential or likely vendors."
But Ryhorchuk said "there are no particular vendors in mind."
Potential for abuse
Deibert said when government agencies collect massive amounts of data, it can sometimes start out with the best of intentions but end up going awry when the information is used for other purposes — or by other people, if it falls into the wrong hands.
"We at the Citizen Lab have done extensive research on the abuse of commercial surveillance technologies worldwide," he said.
Mass state monitoring of social media can, at the least, have a "chilling effect" on legitimate political discussion, he added.
In his letter, Deibert asks the NEB who will own any data that is collected and with whom it will be shared. He also asks how the regulator intends to "differentiate between 'threats' and activities that constitute an exercise of Charter-protected freedom of belief, opinion, expression, association, or assembly."
"We're going through, really, a tectonic shift in how we communicate and the data we emit as we go about our daily lives, and, meanwhile, there is a wholesale change going on in the security architecture of this country," Deibert said.
"So, to see a regulatory agency put out this bid for a contractor really alarms me. I think it's something that definitely should require some close scrutiny."
Ryhorchuk said the request-for-information process "is not a commitment to issue a subsequent request for bids."
She also said the NEB has received Deibert's letter and "will provide a response in due course."