RCMP's spyware tools are 'extremely intrusive,' privacy experts say
OTTAWA -- Expressing concerns over the RCMP's yearslong use of spyware in major investigations, privacy and civil liberties experts say the previously undisclosed tools are "extremely intrusive" and they are calling for stronger oversight and regulation of spyware Canada-wide.
The experts also criticized the RCMP's belated disclosure of its use of these tools, with the Canadian Civil Liberties Association (CCLA) saying it is part of "a pattern pointing to a crisis of accountability."
Canada's former privacy commissioner Daniel Therrien said that while he believes the RCMP when they say its use of spyware is lawful and warranted, there is "no doubt" the covert collection by police of personal and other information from Canadians' devices "is an extremely intrusive practice."
"What's at play is the balancing of privacy and other public interests," Therrien said Tuesday during his testimony before the House of Commons Access to Information, Privacy and Ethics Committee as part of its study into the RCMP's use of "on-device investigation tools," or ODITs.
"There is no question that this particular tool is extremely intrusive, more intrusive than traditional wiretap tools. It does not just record communications on the phone between person A and B. It sits on the phone, on the digital device of the individual,” he said.
Given this, Therrien said there "needs to be an extremely compelling public interest to justify the state being able to have that kind of information and use these tools."
The committee struck up the special summer study to further explore the RCMP's use of these tools, after documents tabled in the House of Commons in June shed new light on the police force's covert installation of spyware capable of remotely accessing cell phone and computer microphones, cameras, as well as other information on suspects' devices.
"The revelations about ODITs are just the latest in a series of similar media-led reveals regarding invasive techniques… This isn't a one off problem," the CCLA's director of privacy technology and surveillance program Brenda McPhail told MPs.
"Operational secrecy is a legitimate need in specific investigations. Secrecy around policies that apply to categories of dangerous surveillance technologies is not legitimate in a democracy. We must not allow law enforcement bodies to conflate one with the other to avoid accountability," McPhail said.
SPYWARE USE 'SPREADING FAST': CITIZENLAB
Throughout the study, attempts have been made by MPs to clarify the RCMP's use of these tools are limited and not "mass surveillance," though in testimony on Tuesday afternoon, experts sounded alarm bells about the potential widespread accessibility of spyware software.
"The mercenary spyware industry is very poorly regulated and proliferating quickly. The industry lacks public accountability and transparency. It thrives in the shadows of the clandestine world and is spreading fast without proper controls," director of the University of Toronto's Citizen Lab Ronald Deibert told MPs.
Deibert said the spyware industry is a threat to civil society, human rights and democracy as a whole.
Therefore, he said Canada should take the threat seriously by imposing more oversight and export controls, and be more transparent about the use of spyware to ensure it is not being abused -- as its capabilities far exceed traditional wiretaps.
"There's a pattern of law enforcement in this country using investigative techniques and surveillance technologies, and disclosing them after the fact. That's not the way you build public trust in law enforcement... We are better than that," he said.
While the courts do have a judicial oversight role, Therrien is suggesting there could also be an additional layer of privacy-focused oversight from a body, such as the Office of the Privacy Commissioner of Canada.
"I don't think the RCMP is a rogue institution. And currently, they say, and I accept that they use ODITs only with judicial authorization… That said it might well be a good idea to have auditing processes," Therrien said.
FORMER COMMISSIONER 'SURPRISED'
To date, the RCMP has not consulted with Canada's privacy commissioner about the spyware use conducted by the Technical Investigation Services' Covert Access and Intercept Team. Privacy Commissioner Phillippe Dufresne says there are plans for a briefing scheduled later this month.
Therrien, who was Canada's privacy commissioner between 2014 and 2022, told MPs on Tuesday -- like his successor -- he also learned about the spyware use at the same time as the rest of the country.
The former privacy watchdog said he was "surprised by the tool itself, and how intrusive it is, and that it was used for so long."
"It is the inclusiveness of the tool that surprised me, not the fact that the state would use technology in the context of investigations," Therrien said.
Therrien added he was also surprised that given the years of public debate over lawful access and the issue of encryption, the RCMP did not inform him – in his capacity as the privacy commissioner -- of their ability to use spyware tools.
Privacy and Access Council of Canada President Sharon Polsky told MPs on Tuesday she agrees it is problematic the RCMP has not collaborated with the privacy commissioner, despite there being no legal requirement to do so.
"It's only after they get caught with their hands in the cookie jar. I think they're doing themselves a disservice, they and every law enforcement agency across the country, a disservice when they are not forthcoming," she said in response to a question from Conservative MP and committee member Damien Kurek on Tuesday.
"It also puts them on the defensive rather than coming forward and saying, ‘We need to use this type of tool' … Help educate the public as to why you need this particular type of tool. Don't wait to be put on the hot seat," Polksy said.
CALLS FOR RCMP TO DISCLOSE PROVIDER
Tuesday's hearings follow hours of testimony on Monday from Public Safety Minister Marco Mendicino, senior RCMP officers, and Canada's privacy commissioner.
During those hearings, it was revealed the RCMP has been using spyware for years longer and in more major criminal investigations than what was previously reported to Parliament.
The minister and top officers sought to emphasize to MPs how these tools to bypass encryption are used extremely rarely, in a targeted fashion that upholds the Charter, in a limited number of types of investigations such as terrorism and organized crime, and only ever with judicial authorization issued after demonstrating a high threshold of probable cause.
According to RCMP Commissioner Brenda Lucki, the RCMP has used ODITs in 32 investigations to target 49 devices since 2017. However, RCMP Assistant Commissioner Mark Flynn indicated to committee members on Monday the RCMP has actually been using technology with similar capabilities dating back to the early 2000s.
As part of its work, the committee has called for the RCMP to provide a list of warrants obtained as well as other related information about the use of spyware, however, this request has been met with resistance from the RCMP. This has prompted the committee to explore its options to compel further information in an appropriate setting such as an in-camera meeting or through redacted documents.
On Tuesday, Therrien told MPs from his years of experience pushing for updates to Canada's Privacy Act that, "to come to the conclusion that we need legislative change, we would first need to know how the current provisions have been applied, and to prove if there's to be any concern."
Further, the RCMP has refused offer any details about what specific software is being used, citing "the necessity to safeguard the ability to effectively use on-device investigative tools." While the government confirmed on Monday it is not the controversial software developed by Israeli firm NSO Group called Pegasus, MPs have questioned why the name of the vendor or vendors the RCMP uses are being withheld.
"It's hard to imagine how the name of a vendor would undermine national security," said Liberal MP Nathaniel Erskine-Smith during the first of Tuesday's two meetings.
"There is absolutely no reason why that should not be disclosed, and plenty of good reasons that it should," Deibert said.
While some committee members have expressed a desire to extend their probe, no further public meetings to hear from witnesses have been scheduled as part of this study. When the committee initially agreed to take on this special summer study, the aim was to finalize the report—with potential recommendations for changes to Canada's privacy laws or oversight mechanisms, as has been suggested by some witnesses— in advance of the start of the fall sitting, on Sept. 19.