RCMP use of spyware warrants update to Canada's privacy laws, MPs say
The federal ethics committee says Ottawa should make a list of banned spyware vendors and set export controls.
OTTAWA, Ont. — Canada should update its privacy laws in the wake of revelations that the country’s national police force uses spyware to hack mobile devices, a parliamentary committee says.
The House of Commons ethics committee is recommending the federal government require privacy assessments for the use of “high-risk technological tools” that collect personal data, according to a report tabled Wednesday.
The report, which received all-party support, also says Ottawa should make a list of banned spyware vendors and set “clear rules on export controls over surveillance technologies.” However, it does not recommend a moratorium on the use of spyware by police.
The committee study was launched after POLITICO revealed in June that the Royal Canadian Mounted Police had admitted to using spyware for covert surveillance. The RCMP has the ability to intercept text messages, emails, photos, videos and other information from cellphones and laptops, and to remotely turn on a device’s camera and microphone.
RCMP officials told the ethics committee that spyware — or on-device investigative tools, in their parlance — had been used in 32 investigations since 2017, targeting 49 devices. They also revealed the agency has been using similar technology as far back as 2002.
The RCMP had not alerted the federal privacy watchdog to its use of spyware, and Privacy Commissioner Philippe Dufresne told the committee he was not aware of the agency’s spyware program until POLITICO reached out in June.
The ethics committee’s first of nine recommendations would make it an “explicit obligation” under the Privacy Act for government institutions to conduct privacy impact assessments and submit them to the commissioner before using such “high-risk” tools.
The committee also recommended several other amendments to the Privacy Act, including one that would indicate that privacy is a “fundamental right.” Another would add “explicit transparency requirements” for government institutions, “except where confidentiality is necessary to protect the methods used by law enforcement authorities.”
The report also recommends the government review Part VI of the Criminal Code, which deals with warrants to intercept private communications. The RCMP says it only uses spyware in the most serious cases, including terrorism and drug trafficking investigations, and only with judicial authorization. But at least one of the committee’s witnesses questioned whether judges have all the training they need to deal with requests to use such invasive technology.
“The committee recognizes that there is a legislative gap regarding the use of new technological investigative tools,” the report concludes. “Neither Part VI of the Criminal Code nor the Privacy Act is currently adapted to the digital age.”
Most committee members also noted “the lack of cooperation shown by the RCMP in this study,” and said they were “not satisfied” with the agency’s responses. For one thing, the RCMP has not revealed what type of spyware it uses, though the police force has confirmed it does not use controversial Pegasus software from Israeli firm NSO Group.
But the ethics committee did not call for a moratorium on the use of spyware until the “legislative gap” has been filled, as several witnesses had recommended.
Christopher Parsons, senior research associate at the University of Toronto’s Citizen Lab, told POLITICO he found the committee’s recommendations “mealy-mouthed and disappointing.”
“The RCMP has a history of adopting novel technologies [and] using them secretly for extended periods of time,” he said. “Then this comes out, it’s already established practice, and the report we get from the committee is: ‘How do we manage what they’re doing?’”
Parsons said it’s not enough to require privacy impact assessments, which aren’t necessarily made public. Government agencies are also not legally bound to abide by the privacy commissioner’s recommendations. “They’re not a sufficient instrument in and of themselves,” he said.
Parsons also said the report did not grapple with the issue of whether the RCMP has a duty to alert Canadians to software vulnerabilities that the police force may want to exploit using spyware.
“The RCMP has deliberately short-circuited a public discussion process,” he said. “The committee has simply failed, as far as I’m concerned.”
However, Brenda McPhail, director of the privacy, technology and surveillance program at the Canadian Civil Liberties Association, said the committee landed on a “solid set” of recommendations.
In particular, she was pleased with a recommendation that the government set up an independent advisory body that would include members of the legal community, government, police, national security and civil society. The group would review new technologies used by law enforcement and come up with national standards for their use.
“The network of laws that are meant to protect people across Canada from inappropriate and deeply invasive [technologies]… have been shown during these hearings to really not be fit for purpose,” she said.