Canada’s privacy commissioner says the belated disclosure that RCMP has been using spyware for years capable of accessing microphones, cameras and other cell phone and computer data as part of major investigations is a clear example of why the Act Canadian privacy policy needs to be updated.
“The Privacy Act does not require the RCMP or any government institution to prepare privacy impact assessments… for my consideration, but the Treasury Board requires it in its policies. I look forward to seeing this included as a binding legal obligation in a modernized version of the Privacy Act,” Commissioner Phillippe Dufresne told the House of Commons Ethics, Privacy and Access to Information Committee on Monday.
The commissioner made the suggestion during the first of a series of special summer hearings scheduled to examine the use of software by national police forces to conduct surveillance and collect data as part of their investigations.
The committee launched the study to determine what “device investigation tools” the RCMP uses, as well as the terms and conditions of use of this software, after papers filed in the House of Commons in June shed new light on the installation of spyware by the police. to conduct surveillance and collect data from digital devices.
In the documents, the RCMP says the tools used by the Technical Investigative Services Covert Access and Intercept Team are used “primarily” to “covertly and remotely” access text messages and other private communications of suspected criminals. important national security and criminal investigations that could not be gathered through wiretapping or “other less intrusive investigative techniques.”
“Police sometimes need to use advanced technology-based capabilities to address investigative barriers such as those caused by encryption,” part of the RCMP submission to the House of Commons read. The agency also said that these “investigations in the device [sic] tools” were used 10 times between 2018 and 2022, and that “in all cases judicial authorization was obtained” before deploying the tools.
However, in a post-committee disclosure, read during the hearing by Liberal MP and committee member Lisa Hepfner, RCMP Commissioner Brenda Lucki informed the committee that the national police have used this technology in the device in 32 investigations to target 49 devices, since 2017.
RCMP STILL SHARES INFORMATION WITH THE COMMISSIONER
Parliament’s privacy watchdog said it first became aware of this spyware program in June, after papers submitted to the House at the request of a Conservative MP were first reported in the press.
At that time, his office contacted the RCMP seeking more information. The RCMP has not yet provided any, but has indicated that it aims to provide the commissioner with a briefing and demonstration later this month.
Dufresne said his office will review information obtained from that meeting to “ensure that any program or activity that invades privacy is legally authorized, is necessary to meet a specific need, and that the intrusion on privacy caused by the program or activity be proportional to the public. interests at stake”.
If the commissioner finds that the RCMP’s use of these spyware tools has privacy deficiencies, his office will provide the RCMP with recommendations for change.
“We would expect them to make the necessary changes,” he told the committee.
Learning of the failure to share information with the privacy commissioner, Conservative MP and committee member Damien Kurek said it was “disappointing” and “not a good precedent”.
Kurek said it reminded him of the behaviors of other federal agencies that the committee previously examined through its work on mobility data and facial recognition software.
‘WE ARE IN REACTIVE MODE’: DUFRESNE
Canada’s Office of the Privacy Commissioner has been advocating for years to update Canada’s privacy laws in various ways.
On Monday, the commissioner tried to argue that this instance is representative of why it should become a legal obligation for government departments and agencies, such as the RCMP, to submit a precautionary privacy assessment of any new tools.
He tried to argue that it would allow the commissioner to provide meaningful information, taking into account confidentiality concerns, before it is put to use.
In this case, the commissioner said RCMP began a privacy impact assessment on the spyware in 2021, years after it was first put into use.
“We see situations like this, where this is done very late, after the tools have been used for some time. So we’re not in a position where we can address or prevent, we’re in a reactive mode. And our advice and recommendation, my hope is that this becomes a legal obligation in the Privacy Act, because then there would be, hopefully, a more timely enforcement of this requirement,” Dufresne said.
“This is not about choosing between the public interest and the privacy of Canadians, but these checks and evaluations should be done before the fact and should not be something we find out about in a media article or at a committee meeting, for example. . So these preliminary checks should be made and my office should be consulted when necessary,” he said, suggesting that doing so would also go a long way toward increasing Canadians’ confidence in insights, knowing that the privacy implications of any new technology is evaluated from the start.
MINISTER, RCMP OFFICERS TO TESTIFY
On Monday afternoon, parliamentarians will hear testimony from Public Security Minister Marco Mendicino, as well as several senior RCMP officers, including a sergeant from the Technical Investigation Services team who the RCMP says uses the software.
RCMP officers are expected to face more questions about when and why spyware is specifically deployed, after Hepfner indicated during the morning hearing that Commissioner Lucki had also provided a list of the types of investigations for that the RCMP has used this technology, naming terrorism, kidnapping, trafficking and murder as examples.
A second full day of hearings is scheduled for Tuesday, where the committee will hear from expert witnesses, including former privacy commissioner Daniel Therrien, as well as representatives from the Privacy and Access Council of Canada and the Canadian Civil Liberties Association.
The study was proposed by the Bloc Quebecois deputy and the committee’s deputy chairman, Rene Villemure, and was supported by other members of the committee, although there was some reluctance from Liberal MPs.
In presenting his case to the committee to begin this study, Villemure echoed the concerns expressed by privacy and civil liberties groups when the use of these intrusive tools by police in Canada was revealed.
He said that while concerns were raised in the Commons when the RCMP first made the disclosure, questions remain such as the threshold for using these invasive tools, which vendors are being used, and what the authorization process is.
As part of its work, the committee has asked the RCMP to provide a list of court orders obtained, if any, from the use of this software, and is also seeking information related to possible wiretapping of MPs, their parliamentary assistants or any other employee of the Parliament of Canada.
Conservative members of the committee are pressing to see the documents provided to date, posted on the committee’s website.
The committee aims to finish its study and present a report to the House of Commons, with possible recommendations for changes to the law or oversight mechanisms, by the start of the fall session on September 19.
More to come…