Canadians who use U.S.-based Internet services, or simply surf such popular websites as Facebook or Google, run the risk that their personal information is being caught up in a controversial American surveillance program.

In recent days, it has emerged that the U.S. National Security Agency (NSA) has been operating an Internet surveillance program called PRISM that gives it access to data from nine U.S. Internet companies, including Google and Facebook.

Another leaked program tracks "telephony metadata" related to millions of phone calls each day in the U.S. Both PRISM and the phone program apparently seek to collect information about online networks and connections between groups of users, as opposed to the content of actual emails or phone calls.

But Canadians who use U.S. services such as Facebook, Google or Gmail are also subject to the program, said Christopher Soghoian of the American Civil Liberties Union.

"I think Canadians really need to look at whether it's safe to be trusting foreign companies, in this case a U.S. company, with as much of their private data, given what the American government has been doing," Soghoian told CTV's Canada AM from Washington, D.C. on Monday.

"When you give your information, whether it's your personal emails or private photographs or social networking information, when you give that to a company not in your country you really give up control of that and you allow a foreign government to access that, in addition to your own."

Even Canadian emails sent through servers based in the U.S. would theoretically be subject to the program -- and most people will never even know their information was collected or monitored.

According to some estimates, 90 per cent of Canadian cyber traffic is routed through servers south of the border.

"The vast majority of our data and activities online is being routed through our neighbours to the south and so we are subject to all their regulations anyway, regardless of what the authorities in Canada might be doing," said Keith Murphy, a cyber-security expert.

In the past, U.S. authorities needed a warrant to search a home or hard drive. But since the Patriot Act was introduced after the Sept. 11, 2001 attacks in the U.S., the rules have changed so that companies can now monitor emails and social networks in search of suspicious connections and even terrorist networks, said David Hyde, a security and risk management specialist.

"What we've seen post-9/11 is a shift in the pendulum in terms of how authorities can access, without a warrant, this type of information," he said.

Hyde added that the rules concerning what the Canadian government can monitor are much stricter. Under the Anti-Terrorism Act of 2001, only the Communications Security Establishment Canada (CSEC) can actually eavesdrop or monitor online communications.

"But there are strict provisions in terms of when they're allowed to do that, how they must do that, who they must get permission from. So there's a lot of oversight built into that, but yes the potential is there that they could be monitoring Canadian communications," Hyde said.

On Monday, the Globe and Mail reported that Canada also has a secret metadata surveillance program that was renewed by Defence Minister Peter MacKay in 2011 after first being brought in by the former Liberal government in 2005.

The program had been on hiatus prior to 2011 over concerns it could lead to warrantless surveillance of Canadians, but was quietly reinstated after MacKay signed a ministerial directive on Nov. 21, 2011.

Both CSEC and the NSA have said that the programs can only look at the metadata surrounding communications, and not the communications themselves, which would be illegal without a warrant.