Canadian Privacy Commissioner raises concerns about new technologies including spyware by the Royal Canadian Mounted Police

August 27, 2022

The Standing Committee on Access to Information, Privacy and Ethics has been examining investigation tools used by the Royal Canadian Mounted Police (“RCMP”), including spyware. Not surprisingly, the Commissioner is playing catch-up, as the RCMP has not consulted or liaised with the Commissioner notwithstanding the clear privacy issues and potential for misuse. It is a classic case of police and other agencies grabbing a new tool and only then having to deal with the real policy issues of when and how to use it, usually after some publicity about its use. Such an investigation is long overdue in Australia at the Federal and State level, as police forces embrace privacy-intrusive technology and act in ways inconsistent with respecting privacy.

The history of the enquiry is well described in “Privacy committee to study RCMP use of spyware tools”:

The House of Commons Access to Information, Privacy and Ethics Committee voted Tuesday to begin a special summer study to examine the RCMP’s use of spyware, calling on the national police force to be more transparent about the software it uses to conduct surveillance or collect data as part of its investigations.

MPs on the committee have decided to hold a series of meetings starting in August that will focus on determining which “device investigation tools” the RCMP uses, as well as the terms and conditions of using this software.

The committee has called for the RCMP to provide a list of warrants obtained, if any, for the use of this software, and are also seeking information related to the potential wiretapping of MPs, their parliamentary assistants, or any other Parliament of Canada employee.

As part of the study, MPs will be calling for any RCMP officers who have made decisions around the use of surveillance tools; Public Safety Minister Marco Mendicino; and the current and former federal privacy commissioners to testify, with the option to invite additional witnesses as desired.

Concerns over the RCMP’s use of spyware tools were sparked after documents tabled in the House of Commons in June shed new light on the police force’s use of spyware to conduct surveillance and collect data, including through accessing microphones and cameras of phones belonging to suspects of major criminal and national security investigations.

In the documents, the RCMP says the tools used by the Technical Investigation Services Covert Access and Intercept Team are used “primarily” to “covertly and remotely” access text messages and other private communications that couldn’t be collected using wiretaps or “other less intrusive investigative techniques.”

“Police sometimes need to use advanced technology-based capabilities to address investigative barriers such as those caused by encryption,” read part of the RCMP’s submission to the House of Commons. The agency also said that these “on-device investigate [sic] tools” were used 10 times between 2018-2022, and that “in every case, a judicial authorization was obtained” before the tools were deployed.

Bloc Quebecois MP and committee vice-chair Rene Villemure proposed the motion, telling his colleagues during a meeting on Tuesday to discuss taking up the study, that while concerns were raised in the Commons when the disclosure was first made by the national police force, questions remain.

“This document should be clarified. And the questions I would put have to do with this document. There are no accusations, we’re looking into things,” he said in French.

On the heels of the RCMP confirming it uses these tools, the Canadian Civil Liberties Association (CCLA) expressed concern about police in Canada using spyware against Canadians in targeted investigations.

“What we don’t know is vast. What kinds of investigations are deemed serious enough to use such invasive tools? What tools are being used, and who supplies them? Is it one of the many vendors of spyware known for selling such tools to authoritarian states who use it to target human rights defenders and journalists? What are the internal decision and authorization processes undertaken to authorize this nuclear option for surveillance of Canadians?” asked Brenda McPhail, the CCLA’s director of privacy technology and surveillance program in a statement calling for an open discussion on the use of these tools.

The proposal for this study was met with resistance from the Liberal members of the committee, who expressed hesitations over whether the panel of MPs was best placed to take on this work, attempting unsuccessfully to amend the motion to limit its scope.

“I agree with my colleagues, it’s important to hold our institutions to account but it’s also important at the same time to ensure that there is trust in public institutions that’s maintained at the same time,” said Liberal MP and committee vice-chair Iqra Khalid during Tuesday’s meeting. She suggested the subject matter may be better placed with the top-secret National Security Intelligence Committee of Parliamentarians (NSICOP).

“I understand that members would like to have that conversation in a more public forum, which obviously restricts the ability of us to ask those classified questions which we may not get answers to, or to receive those classified documents which we may not receive, because of the sensitive nature of this,” said Khalid.

Conservative MP and committee member James Bezan said he disagreed, and that the issue was something the committee should be delving into.

“I think that we want to be very cautious on how we deal with it, including on issues of national security. But, we don’t want the RCMP to use the guise of national security or public safety as a way to pull the veil over this information, and hide it from parliamentarians,” Bezan said.

The committee is aiming to finalize its study and submit a report to the House of Commons by the start of the fall sitting, on Sept. 19.

The Privacy Commissioner appeared during the hearing on 8 August 2022 stating:

Good morning Mr. Chair, Members of the Committee,

I am pleased to be here today to assist the Committee in its study of the device investigation tools used by the RCMP. I am accompanied by my colleague Gregory Smolynec, Deputy Commissioner, Policy and Promotion Branch.

This study follows media reports and a response to a Question on the Order Paper confirming that the RCMP was using technical tools to obtain data covertly and remotely from targeted devices, subject to judicial authorization. The response and media reports also indicated that the RCMP had not consulted my Office prior to using these tools.

As you know, as the Privacy Commissioner of Canada, I am responsible for the protection and promotion of the privacy rights of Canadians in the public and private sectors. My Office does so by investigating complaints, providing advice to government departments and private sector organizations, reporting publicly on compliance with privacy laws, and promoting public awareness of privacy issues.

When I appeared before you in June to discuss my proposed appointment as Privacy Commissioner, I indicated that I would have as my vision the following three elements:

    1. Privacy as a fundamental right;
    2. Privacy in support of the public interest; and
    3. Privacy as an accelerator of Canadians’ trust in their institutions and in their participation as digital citizens.

Applying these elements to the Committee’s study generally, I would say this.

Privacy as a fundamental right means that all institutions, including the RCMP, should have privacy as a key consideration when designing and deciding to use any technology that could have adverse impacts on the privacy of Canadians.

Privacy in support of the public interest means that by considering privacy impacts at the front end and by consulting with my office, organizations can prevent privacy harms at the outset and indeed improve the tools that will be used to further the public interest, whether it be the prevention of crime, the protection of national security, or the advancement of Canada’s competitiveness. Privacy and the public interest go hand in hand, they build on and strengthen each other and Canadians and their institutions should not have to choose between one or the other.

Privacy as an accelerator of Canadians’ trust in their institutions and in their participation as digital citizens means that when organizations such as the RCMP consider privacy impacts at the front end and are seen to be doing so, this generates trust and reassures Canadians about the necessity of the tools and the measures put in place to mitigate privacy impacts and ensure proportionality between the measures and the objectives.

In terms of specific background to your study, I would start by saying that the Privacy Act does not require the RCMP or any government institution to prepare privacy impact assessments (or “PIAs”) for my consideration, but the Treasury Board requires it in its policies. I hope to see this included as a binding legal obligation in a modernized version of the Privacy Act.

As you know, the RCMP recently indicated that it had put in place a program to use On-Device Investigative Tools (ODITs) and other methods to obtain data covertly and remotely from targeted devices. The RCMP confirmed that these tools could collect private communications such as texts and emails sent or received from the device, documents and media files stored on the device as well as sounds within range of the device and images viewable by the cameras built into the device. The RCMP has also stated that the use of these tools is subject to judicial authorization.

My Office was not informed of or consulted on this program prior to its implementation or since. After learning about this through the media in late June, we contacted the RCMP for more information and the RCMP has since scheduled a demonstration for my officials in late August. In its response to the Question on the Order Paper, the RCMP indicated that it began drafting a PIA in relation to these tools in 2021, but we have not yet seen it.

Once we receive the PIA, we will review it to ensure that it includes a meaningful assessment of the program’s privacy compliance and measures to mitigate privacy risks. We will also review it to ensure that any privacy-invasive programs or activities are legally authorized, necessary to meet a specific need, and that the intrusion on privacy caused by the program or activity is proportionate to the public interests at stake. This would require the RCMP to consider whether there is a less privacy intrusive way of achieving the same objective.

If we find shortcomings in terms of privacy protections, we will provide the RCMP with our recommendations, and we would expect them to make the necessary changes.

In conclusion, I would reiterate my hope that the timely preparation of PIAs be made a legal requirement in a modernized version of the Privacy Act. Doing so would recognize privacy as a fundamental right, it would support the public interest and it would generate necessary trust in our institutions, such as the RCMP, that are doing vital and important work for all Canadians.

I would now be happy to answer your questions.

On 24 August 2022, the Commissioner issued a letter to the Standing Committee on Access to Information, Privacy, and Ethics on its study of the Royal Canadian Mounted Police’s use of spyware, elaborating on two issues:

  • the OPC’s capacity to assess new and emerging technologies, and
  • the OPC’s recommendations for legislative change with respect to the provision of Privacy Impact Assessments (‘PIAs’).

The letter provides:

I am writing further to my appearance before the Standing Committee on Access to Information, Privacy and Ethics on August 8, 2022, in order to provide the Committee with some additional information, as requested.

I was asked to elaborate on two issues:

    1. my Office’s capacity to assess new and emerging technologies, and
    2. my recommendations for legislative change with respect to the provision of Privacy Impact Assessments.

With respect to the first issue, in response to the growing intersections of privacy and technology, in 2011 my Office established an in-house Technology Analysis Directorate, specifically dedicated to the analysis of technology, with a mandate to:

    • Identify and analyze technological trends and developments in electronic platforms and digital media;
    • Conduct research to assess the impact of technology on the protection of personal information in the digital world; and
    • Provide strategic analysis and guidance on complex, varied and sensitive technological issues involving government and commercial systems that store personal information.

The Directorate is staffed by highly skilled information technology research analysts with capabilities and expertise in different areas of technology, including reverse engineering and digital forensics, malware analysis, artificial intelligence and machine learning, dark web research and monitoring, among others.

To further support its work, the Directorate is also equipped with an on-site technology analysis lab with advanced IT infrastructure and state-of-the-art tools, which is housed within a secure room and provides secure computing facilities separate from my Office’s corporate network, to enable us to conduct hands-on testing and analysis of malware, hardware components, mobile applications, Internet of Things devices and digital forensic analysis of new and emerging technologies. The Directorate would be pleased to provide members of the Committee with a tour of the lab to demonstrate its capabilities.

On the question of legislative change, I would recommend that the obligation for government institutions to conduct timely privacy impact assessments and submit them to my office be codified in the Privacy Act with clear and binding statutory provisions to that effect. In this way, not only would government institutions benefit from our privacy expertise, but Canadians would be reassured that privacy risks are being appropriately identified and adequately mitigated. I would further recommend a modernized Privacy Act require that my Office be informed of programs or activities that have an impact on privacy prior to roll-out, so that we could proactively engage with institutions where we identify potential privacy risks.

I would also bring to the Committee’s attention the consultation paper prepared by the Department of Justice in November 2020, and my Office’s comments and recommendations with respect to this consultation. Lastly, and as you know, this Committee conducted a study on the modernization of the Privacy Act and made important recommendations, one of which dealt with the mandatory preparation of Privacy Impact Assessments.

I hope that this information is of assistance to the Committee and I look forward to reviewing the Committee’s report. Please do not hesitate to contact me should you have any questions or require further information.
