RCMP has been using spyware tools for years and in more cases than previously reported, MPs told
Public Safety Minister Marco Mendicino and senior RCMP officers are defending the national police force's years-long and previously undisclosed use of spyware—capable of remotely accessing cell phone and computer microphones, cameras and other data—as part of dozens of major investigations.
Over the course of hours of witness testimony at the House of Commons Access to Information, Privacy and Ethics Committee, a series of notable disclosures were made on Monday about the RCMP's use of "on-device investigation tools" or ODITs.
Specifically, it was revealed that the amount of years and number of investigations in which these techniques have been deployed expanded beyond what had previously been reported to Parliament, and that to date the RCMP has not consulted with Canada's privacy commissioner about its use of spyware to essentially hack into electronic devices.
"ODITs are used extremely rare[ly] and in limited cases. Their use is always targeted, it's always time limited, and it's never to conduct unwarranted and, or mass surveillance. These tools are not used in secret… and the evidence collected, including how it was collected, is subject to disclosure and court scrutiny," RCMP Deputy Commissioner for Specialized Policing Services Bryan Larkin told MPs, insisting that the RCMP's use of spyware is entirely within the law.
"The amount and type of data collected is determined on a case-by-case basis and in accordance with strict terms and conditions," Larkin said, explaining how the police force "covertly" installs a computer program on suspects' devices.
The committee struck up the study to determine which tools the RCMP uses, as well as the terms and conditions of using this software, after documents tabled in the House of Commons in June shed new light on the police force's installation of spyware to conduct surveillance and collect data from digital devices.
"Police sometimes need to use advanced technology-based capabilities to address investigative barriers such as those caused by encryption," read part of the RCMP's submission to the House of Commons. The agency also said at the time that these "on-device investigate [sic] tools" were used 10 times between 2018-2022, and that "in every case, a judicial authorization was obtained" before the tools were deployed.
In a subsequent disclosure to the committee, RCMP Commissioner Brenda Lucki confirmed that the national police force has actually used this on-device technology in 32 investigations to target 49 devices since 2017.
Lucki also provided a list of the types of investigations the RCMP has used this technology for, according to Liberal MP and committee member Lisa Hepfner who read out her response during Monday's hearing, naming terrorism, kidnapping, drug trafficking, and murder as examples.
The information evolved further Monday afternoon, when a senior RCMP officer suggested to MPs that the RCMP has actually used technology with similar capabilities for two decades.
“I'm not aware of where all the technology comes from that's utilized here, but I can say I have a long standing history in this and back in the days from 2002 to 2015. It was all Canadian technology that we were utilizing,” said RCMP Assistant Commissioner Mark Flynn.
"We have never utilized this tool without prior judicial authorization. However, having said that, if a situation were to arise that required it, there are provisions that allow us in certain designated individuals to utilize this type of tool for the interception of communications in emergency situations, but I am not aware of any situation where that has been done," Flynn said.
"And, the mere practicality of deploying this type of tool and technique would take it beyond the time period under which such an authorization would be valid."
SOFTWARE IS NOT PEGASUS: MENDICINO
Appearing just prior to the senior RCMP officials, Mendicino said that he's confident that the RCMP's use of software to conduct surveillance and collect data as part of its investigations has been limited by the law to only be permitted in "the most serious offences."
"There are stringent requirements in the Criminal Code that require accountability, including what facts the RCMP will be relying on prior to judicial authorization of this sort of technique. There are other safeguards that ensure that only designated agents put those applications to the court," he said during a hearing as part of its special summer study on the subject.
Mendicino said the kind of spyware tools under scrutiny by the committee are considered an "investigative necessity," only pursued as a last resort. He said in seeking court approval to use these tools, the RCMP has to "strike the balance of ensuring that the state has the tools that it is necessary to protect the security and safety of all Canadians, while at the same time upholding people's Charter rights."
While declining to offer many details about specifically what software is being used, citing "the necessity to safeguard the ability to effectively use on-device investigative tools," the government confirmed that it is not Pegasus.
The controversial spyware software developed by Israeli firm NSO Group has raised alarm bells internationally, after it was discovered to be used by governments in several countries to hack phones and spy on politicians, journalists, businesspeople and human rights activists.
"I want to be clear with the members of the committee that the Pegasus technology is not used by the RCMP," said the public safety minister, suggesting the federal government has forbid the use of this specific software.
Mendicino also said Monday that the tools were not used during the period of time in which the Emergencies Act was enacted in response to the "Freedom Convoy" protests and blockades earlier this year.
'WE'RE IN A REACTIVE MODE': COMMISSIONER
Prior to Mendicino's testimony, Canada's privacy commissioner testified before the committee, seeking to make his case that the belated disclosure of using these tools is a clear example of why Canada's Privacy Act needs updating.
"The Privacy Act does not require the RCMP or any government institution to prepare privacy impact assessments… for my consideration, but the Treasury Board requires this in its policies. I hope to see this included as a binding legal obligation in a modernized version of the Privacy Act," Commissioner Phillippe Dufresne told the committee on Monday.
The Office of the Privacy Commissioner of Canada has for years been advocating for Canada's privacy laws to be updated in several respects.
On Monday, the commissioner said it should become a legal obligation for government departments and agencies such as the RCMP to present a pre-emptive privacy assessment of any new tools, suggesting doing so would allow the commissioner to provide meaningful input, while being mindful of confidentiality concerns, before they are put into use.
In this instance, the commissioner said that the RCMP did begin a privacy impact assessment about the spyware in 2021, years after it was first put into use.
"We see situations like this one, where this is done very late, after the tools have been used for some time. So we're not in a position where we can address or prevent, we're in a reactive mode. And our advice and recommendation, my hope is that this be made a legal obligation in the Privacy Act, because then there would be hopefully, a more timely compliance with this requirement," Dufresne said.
"It's not about choosing one between public interest and privacy of Canadians, but these checks and evaluations should be done before the fact and it should not be something that we find out in an article in the media or in a committee meeting for instance. So these preliminary checks should be done and my office should be consulted when necessary," he said, suggesting doing so would also go a long way in increasing Canadians' trust in intuitions, knowing any new technology's privacy implications were assessed at the outset.
Mendicino said Monday that the federal government is "committed" to working with the privacy commissioner's office on this file, saying that it was "unfortunate" that the lead federal privacy authority was not involved from the outset, but wouldn't commit to pursuing new privacy requirements for the RCMP under the law.
RCMP YET TO SHARE INFO
Parliament's privacy watchdog said that he first learned about this spyware program in June after the documents tabled in the House at the request of a Conservative MP were first reported on by Politico.
At that time, his office contacted the RCMP seeking more information. The RCMP has yet to provide any, but has indicated it is aiming to provide the commissioner with a briefing and demonstration later this month.
Dufresne said his office will review the information gained from that meeting to "ensure that any privacy invasive programs or activities are legally authorized, necessary to meet a specific need, and that the intrusion on privacy caused by the program or activity is proportionate to the public interest at stake."
If the commissioner finds the RCMP's use of these spyware tools has privacy shortcomings, his office will provide the RCMP with recommendations for change.
"We would expect them to make the necessary changes," he told the committee.
Upon learning of the lack of sharing information with the privacy commissioner, Conservative MP and committee member Damien Kurek said it was "disappointing" and "not a good precedent."
Kurek said it reminded him of behaviours by other federal agencies that the committee has previously examined through their work on mobility data and facial recognition software.
PRIVACY EXPERTS TO TESTIFY
A second full day of hearings are scheduled for Tuesday, where the committee will hear from expert witnesses including former privacy commissioner Daniel Therrien, as well as representatives from the Privacy and Access Council of Canada and the Canadian Civil Liberties Association.
The study was proposed by Bloc Quebecois MP and committee vice-chair Rene Villemure, and was backed by other committee members, though there was some reluctance from Liberal MPs.
In making his case to the committee to begin this study, Villemure echoed concerns expressed by privacy and civil liberties groups when the use of these intrusive tools by police in Canada were revealed.
As part of its work, the committee has called for the RCMP to provide a list of warrants obtained, and also sought information related to the potential wiretapping of MPs, their parliamentary assistants, or any other Parliament of Canada employee.
This request has been met with resistance from the RCMP and the committee is exploring its options to compel further information in an appropriate setting, while looking to ensure any documents provided to the committee that can be made public be published on the committee's website.
“We’re having some trust issues,” said NDP MP and committee member Matthew Green to the panel of RCMP officers testifying on Monday.
“We had members of your service refuse to provide basic information in this committee, which in my opinion, is in contradiction to your duty of candor,” said Green.
The committee is aiming to finalize its study and submit a report to the House of Commons—with potential recommendations for changes to the law or oversight mechanisms— by the start of the fall sitting, on Sept. 19.