Public Safety Minister Marco Mendicino and senior RCMP officers are defending the nation’s police force’s long-standing and previously undisclosed use of spyware — capable of remotely accessing cell phone and computer microphones, cameras and other data — as part of dozens of major investigations.
During hours of testimony at the House of Commons Access to Information, Privacy and Ethics Committee, a series of remarkable revelations were made Monday about the RCMP’s use of “device investigative tools,” or ODITs.
Specifically, it was revealed that the number of years and the number of investigations in which these techniques were used exceeded what had previously been reported to Parliament, and that the RCMP had not yet consulted with the Privacy Commissioner of Canada on the use of spyware to essentially hack electronic devices.
“ODITs are extremely rarely used[ly] and in limited cases. Their use is always targeted, always limited in time, and never to carry out unwarranted and/or mass surveillance. These tools are not used covertly … and the evidence collected, including how it was collected, is subject to disclosure and judicial review,” Brian Larkin, the RCMP’s deputy commissioner for specialized police services, told MPs, insisting that the RCMP’s use of spyware is entirely within the scope of the Act.
“The amount and type of data collected is determined on a case-by-case basis and in accordance with strict terms and conditions,” Larkin said, explaining how police “surreptitiously” install a computer program on suspects’ devices.
The commission launched the inquiry to determine which tools the RCMP uses, and the terms and conditions for using that software, after documents tabled in the House of Commons in June shed new light on the installation of spyware by police to conduct surveillance and collects data from digital devices.
“Police must sometimes use advanced technological capabilities to address investigative barriers, such as those caused by encryption,” reads part of the RCMP’s submission to the House of Commons. The agency also said at the time that those “on the device are investigating [sic] tools” were used 10 times between 2018-2022 and that “in each case judicial authorization was obtained” before the tools were deployed.
In subsequent disclosure to the commission, RCMP Commissioner Brenda Luckey confirmed that national police had indeed used this device technology in 32 investigations to target 49 devices since 2017.
Luckey also provided a list of the types of investigations the RCMP has used the technology for, according to Liberal MP and committee member Lisa Hepfner, who read her response at Monday’s hearing, citing terrorism, kidnapping, drug trafficking and murder as examples. .
The information developed further Monday afternoon when a senior RCMP officer suggested to MPs that the RCMP had in fact been using technology with similar capabilities for two decades.
“I don’t know where all the technology that’s used here comes from, but I can say that I have a long history of this and back in the days of 2002 to 2015. We used all Canadian technology,” said RCMP Assistant Commissioner Mark Flynn.
“We have never used this tool without prior court authorization. However, having said that, if a situation arises that requires it, there are provisions that allow us in certain specified individuals to use this type of tool to intercept communications in emergency situations, but I am not aware of any situation where this is done,” Flynn said.
“And the simple practicality of implementing this type of tool and technique would take it beyond the time period in which such a permit would be valid.”
THE SOFTWARE IS NOT PEGASUS: MENDICINO
Appearing just before senior RCMP officials, Mendicino said he is confident the RCMP’s use of software to conduct surveillance and collect data as part of investigations is limited by law and only allowed in the “most serious crimes.”
“There are strict requirements in the Criminal Code that require accountability, including what facts the RCMP will rely on before court authorization for this type of technique. There are other safeguards to ensure that only certain agents bring these applications to court,” he said during a hearing as part of a special summer study on the subject.
Mendicino said the types of spyware tools being considered by the committee are considered “investigative necessities,” used only as a last resort. He said that in seeking court approval to use these tools, the RCMP must “strike the balance of ensuring that the country has the tools that are necessary to protect the security and safety of all Canadians, while at the same time upholding the rights to the Charter people.”
While it declined to offer many details about what specific software was being used, citing “the need to preserve the ability to effectively use investigative tools on the device,” the government confirmed it was not Pegasus.
Controversial spyware developed by Israeli firm NSO Group has sparked international concern after it was discovered that it was being used by governments in several countries to hack phones and spy on politicians, journalists, businessmen and human rights activists.
“I want to make clear to committee members that Pegasus technology is not used by the RCMP,” the public safety minister said, suggesting the federal government has banned the use of that specific software.
Mendicino also said Monday that the tools were not used during the time period in which the Emergency Law was enacted in response to the Freedom Convoy protests and blockades earlier this year.
“WE ARE IN REACTIVE MODE”: COMMISSIONER
Prior to Mendicino’s testimony, Canada’s Privacy Commissioner testified before the committee, attempting to make his case that the late disclosure of the use of these tools is a clear example of why Canada’s Privacy Act needs updating.
“The Privacy Act does not require the RCMP or any government institution to do privacy impact assessments … to my knowledge, but the Treasury Board requires it in its policies. I hope this will be included as a binding legal obligation in a modernized version of the Privacy Act,” Commissioner Philippe Dufresne told the committee on Monday.
The Office of the Privacy Commissioner of Canada has been advocating for years to update Canadian privacy laws in several respects.
On Monday, the commissioner tried to make the case that this case is representative of why it should become a legal obligation for government departments and agencies like the RCMP to submit a pre-emptive privacy assessment of all new tools.
He tried to make the case that this would allow the commissioner to provide meaningful input while keeping privacy concerns in mind before they go live.
In that case, the commissioner said the RCMP did start a privacy impact assessment on the spyware in 2021, years after it was first put into use.
“We see situations like this where it’s done very late, after the tools have been in use for a while. So we are not in a position where we can address or prevent, we are in reactive mode. advice and recommendation, I hope this becomes a legal obligation in the Privacy Act because then hopefully there will be more timely compliance with this requirement,” Dufresne said.
“This is not a matter of choosing between the public interest and the privacy of Canadians, but these checks and assessments should be done before the fact and should not be something we discover in a media article or a committee meeting, for example.” So those preliminary checks have to be done and my office has to be consulted when necessary,” he said, suggesting that it would also go a long way toward increasing Canadians’ trust in intuition, knowing that the privacy implications of any new technology are evaluated at the outset.
Mendicino said Monday that the federal government was “committed” to working with the Office of the Privacy Commissioner on the file, saying it was “unfortunate” that the top federal privacy watchdog wasn’t involved from the start, but that it would not committed to pursuing new privacy requirements for the RCMP under the Act.
RCMP HAVE NOT YET SHARED INFORMATION
Parliament’s privacy watchdog said it first learned of the spying program in June after documents brought into the House at the request of a conservative lawmaker were first reported by Politico.
At that time, his office contacted the RCMP seeking more information. The RCMP has yet to provide any, but has indicated it is looking to provide the commissioner with a briefing and demonstration later this month.
Dufresne said his office will review the information received from that meeting to “ensure that any privacy-infringing programs or activities are legally permitted, necessary to meet a specific need, and that the privacy intrusion caused by the program or activity, is proportionate to the public interest at stake.”
If the commissioner finds that the RCMP’s use of these spying tools has privacy flaws, his office will provide the RCMP with recommendations for change.
“We expect them to make the necessary changes,” he told the committee.
After learning of the lack of information sharing with the privacy commissioner, Conservative MP and committee member Damien Curek said it was “disappointing” and “not a good precedent”.
Kurek said it reminded him of the behavior of other federal agencies the committee has previously investigated through their work on mobility data and facial recognition software.
PRIVACY EXPERTS TO TESTIFY
A second full day of hearings is scheduled…
Add Comment