Committee study launched after the revelation of POLITICO in June that the Royal Canadian Mounted Police admitted to using spyware for covert surveillance. The RCMP has the ability to intercept text messages, emails, photos, videos and other information from cell phones and laptops, and remotely turn on a device’s camera and microphone .
RCMP officials told the ethics committee that spyware — or device investigation tools, in their parlance — had been used in 32 investigations since 2017, targeting 49 devices. They also revealed that the agency has been using similar technology since 2002.
The RCMP had not alerted the federal privacy watchdog to its use of spyware, and Privacy Commissioner Philippe Dufresne told the committee he was unaware of the agency’s spyware program until POLITICO contacted him in June.
The first of the ethics committee’s nine recommendations would make government institutions an “explicit obligation” under the Privacy Act to conduct privacy impact assessments and submit them to the commissioner before use these “high risk” tools.
The committee also recommended several other changes to the Privacy Act, including one that would state that privacy is a “fundamental right.” Another would add “explicit transparency requirements” for government institutions, “except where confidentiality is necessary to protect the methods used by law enforcement authorities.”
The report also recommends that the government review Part VI of the Criminal Code, which deals with warrants for the interception of private communications. The RCMP says it only uses spyware in the most serious cases, including terrorism and drug trafficking investigations, and only with judicial authorization. But at least one of the committee’s witnesses questioned whether judges had all the training necessary to deal with requests to use such invasive technology.
“The committee recognizes that there is a legislative void regarding the use of new technological investigative tools,” the report concludes. “Neither Part VI of the Criminal Code nor the Privacy Act is currently fit for the digital age.
Most committee members also noted “the lack of cooperation shown by the RCMP in this study” and said they were “dissatisfied” with the agency’s responses. For one thing, the RCMP hasn’t revealed what type of spyware it uses, although police have confirmed that they don’t use the controversial Pegasus software from Israeli company NSO Group.
But the Ethics Committee only called for a moratorium on the use of spyware once the “legislative vacuum” was filled, as recommended by several witnesses.
Christopher Parsons, a senior research associate at the University of Toronto’s Citizen Lab, told POLITICO he found the committee’s recommendations “flourish and disappointing.”
“The RCMP is used to adopting new technologies [and] secretly using them for long periods of time,” he said. “Then it comes out, it’s already established practice, and the report we get from the committee is, ‘How do we handle what they’re doing? “”
Parsons said it is not enough to require privacy impact assessments, which are not necessarily made public. Government agencies are also not legally bound to comply with the Privacy Commissioner’s recommendations. “They are not a sufficient instrument on their own,” he said.
Parsons also said the report did not address whether the RCMP had a duty to alert Canadians to software vulnerabilities that police might want to exploit using spyware.
“The RCMP deliberately short-circuited a public discussion process,” he said. “The committee just failed, as far as I’m concerned.”
However, Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance program, said the committee had come up with a “strong set” of recommendations.
In particular, she welcomed a recommendation calling on the government to establish an independent advisory body that would include members of the legal community, government, police, national security and civil society. The group would examine new technologies used by law enforcement and propose national standards for their use.
“The web of laws that aim to protect people across Canada from inappropriate and deeply intrusive attacks [technologies]… It was shown in those hearings that they were really not fit for purpose,” she said.