Given the large proportion of international Internet communications routed through the United States³ where foreigners’ data receives scant legal protection, a major focus of controversy is the NSA’s mass (near total) Internet traffic interception capability.⁴ Besides the extraordinary technical prowess the United States is able to deploy in the service of its perceived surveillance and security needs, it also enjoys a strategic advantage in that a disproportionate share of international data communications passes through it. This is an advantage the NSA is well aware of, as noted in a presentation deck for the top-secret PRISM program: “Much the world’s communications flow through the U.S. …Your target’s communications could easily be flowing into and through the U.S.” See Figure 1.⁵

This chapter examines the phenomenon of Canada-to-US-to-Canada boomerang traffic, focusing specifically on the privacy and related risks associated with NSA surveillance as well as the policy implications and remedial responses. As public understanding of how the Internet operates is generally inadequate for discussing the policy dimensions of Internet backbone surveillance, we begin with a brief overview of the technical aspects of Internet routing and then show how surveillance capabilities can be built into relatively few “choke points” yet capture the great bulk of Internet traffic. In contradistinction to the common metaphor of the Internet as a spaceless, featureless “cloud,” we demonstrate that, with interception points in under twenty major cities, the NSA is capable of intercepting a large proportion of US Internet traffic. We turn then to Canadian Internet routing patterns, showing that boomerang routing is commonplace, that such routing exposes Canadians’ data to NSA surveillance, and that Internet users across Canada conducting a wide range of everyday communications are subject to it. Even communications between public institutions across the street from each other can be routinely exposed to NSA interception. Both to collect data about these Internet routing patterns and reveal its physical, geographic characteristics, we draw on a research-based Internet analysis and visualization tool known as IXmaps, developed to map Internet exchange points and the traffic routed through them. The software tool found at IXmaps.ca⁹ aggregates crowd-sourced Internet users’ “traceroutes” and shows them where their personal traffic is likely to have been intercepted by the NSA.

The next section considers the policy implications of Canadian boomerang traffic, especially from the point of view of its privacy risks. We also consider the economic inefficiencies and point to the broader issue of the impairment of Canada’s network sovereignty. The final major section offers possible remedies for the various negative aspects of boomerang routing. To reduce boomerang traffic, we propose several ways for keeping domestic data within Canadian networks and legal jurisdiction. Building public Internet exchange points in Canada would contribute to keeping domestic traffic inside national boundaries while promoting more efficient routing. To mitigate the privacy and democratic governance risks in particular, we advance ideas for greater transparency and accountability on the part of telecommunications carriers and government agencies. While recognizing the need to address the risks from mass surveillance by Canadian state agencies as well as to develop stronger international regimes for protecting privacy, freedom of expression, and civil liberties online, we close by calling for a greater assertion of Canadian network sovereignty within the norms of a free and democratic society.

It is commonplace to refer to the Internet as a “cloud,” as a seemingly boundaryless ethereal space in which physical location of wires and equipment is largely irrelevant. While this metaphor may be helpful in marketing Internet services, it does not well serve understanding how the Internet actually works, especially in matters of public policy around state surveillance. In fact, Internet traffic switching is mainly done by massive banks of routers crammed into large anonymous buildings located in the downtown core of major cities. These switching centres are linked by bundles of fibre optic cables each capable of transmitting tens of billions of bits per second¹² Mainly large telecommunication companies own these cables and routers, and the policies they adopt for who can connect to their networks and on what terms fundamentally determines how the Internet operates. And gaining access to the routers and cables to intercept the data packets streaming through them for surveillance purposes typically requires obtaining the cooperation of these often giant telecommunications enterprises.