The contract, obtained under the Access to Information Act and shared with Radio-Canada, says spyware typically associated with intelligence agencies is used by 13 federal departments.
Radio-Canada also found that the use of spyware by these departments was not subject to privacy impact assessments as required by federal directives.
The tools in question can be used to recover and analyze data located on computers, tablets, and mobile phones, including encrypted and password-protected information.
This includes text messages, contacts, photos, travel history, and more.
It’s a little silly, but also dangerous.– Evan Wright, York University
Certain software can also be used to access your cloud-based data and reveal your internet search history, deleted content, and social media activity.
Radio-Canada has learned that other departments have obtained some of these tools in the past, but are no longer using them.
Evan Wright, an associate professor of communications and an expert in privacy and surveillance technology at York University’s Glendon campus in Toronto, said he was shocked by the widespread use of such spyware within the federal government. Stated.
“It’s alarming and it’s dangerous,” said Wright, who filed the initial access-to-information request to learn more about how Canadian police agencies are using the technology.
“I thought whether it was the RCMP or the police, they were just going to use these devices to find the usual suspects. [Canada Border Services Agency]. But it is used by many strange departments,” he said.
According to documents Light shared with Radio-Canada, Shared Services Canada purchased end-user equipment and software from suppliers Cellebrite, Magnet Forensics and Grayshift. (The latter two of his companies merged earlier this year).
According to their websites, the companies say they have strict controls in place to ensure their technology is used in accordance with the law.
“Normalization” of surveillance
A directive from the Treasury Board of Canada (TBS) requires all federal agencies to conduct so-called Privacy Impact Assessments (PIA) prior to any activity that involves the collection or handling of personal information, with the aim of identifying privacy risks. ) is required to be carried out. and how to reduce or eliminate them.
According to the directive, which came into force in 2002 and was revised in 2010, federal departments must provide a copy of the PIA to the TBS and the Privacy Commissioner.
Radio-Canada asked each federal agency that uses spyware whether it first conducted a privacy impact assessment. According to their written responses, none did so. The Department of Fisheries and Oceans said it intended to do so.
The fact that such an evaluation was never done “shows that it’s just become the norm and that breaking into someone’s phone is no big deal,” Wright said. “This really extreme surveillance capability is becoming the norm.”
Some departments argued that a PIA was not needed because they already had judicial authorizations, such as search warrants, that imposed strict conditions on seizing electronic devices.
Others said they only use the material on government-owned devices, such as in cases involving employees suspected of harassment.
Judicially authorized use of spyware:
search and seizure
However, according to Canada’s Privacy Commissioner Philippe Dufresne, judicial approval does not lift the PIA requirement.
“When these tools are new and very powerful and have the potential to penetrate, even in systems that have judicial regulation,” Dufresne told a parliamentary committee considering the RCMP’s use of spyware last year. It is also important to assess the privacy implications.” .
Dufresne explained that the PIA indicates whether the department can obtain the desired information in a less intrusive way.
You might conclude that the tool is a nuisance but necessary, he explained. But these questions need to be addressed, he says.
Wright argues that the use of spyware by regulators such as the Canadian Radio-television and Telecommunications Commission (CRTC) is “overreach.”
“The CRTC is bringing nuclear weapons to the fight against spam,” he said. “It’s a little silly, but it’s also dangerous.”
Some departments say they use the tool to conduct internal investigations, for example when employees are suspected of misconduct or workplace harassment. They say data is extracted only from government-issued devices in accordance with internal protocols governing the collection and storage of personal information to ensure the protection of personal information.
However, TBS confirmed to Radio-Canada that the PIA directive applies in such cases, adding that the government “takes seriously the privacy rights of Canadians, including our employees.”
Use of spyware for internal investigations:
The Canada Revenue Agency says it uses these tools to “analyze data related to suspected tax violations,” and the Transportation Safety Board of Canada uses them to “collect and analyze data related to incidents.” Said to be using the tool. The agency provided few other details.
When asked if they had also conducted a PIA, the departments referred Radio-Canada to Shared Services Canada, a signatory to the supplier agreement. Shared Services acknowledged that it does not conduct such evaluations.
View | The associate professor analyzes this as follows.
Privacy is “not an abstract concept”
Finance Board President Anita Anand declined Radio-Canada’s request for an interview.
Her office said federal agencies are responsible for enforcing privacy laws and policies, but did not say what would happen if those agencies fail to meet those obligations.
In an email to Radio-Canada, the privacy commissioner said privacy protections should be a key factor “before deploying risky technological tools to collect personal information.”
Dufresne also reiterated that he wants the federal government to make PIA a “binding legal obligation” under the Privacy Act.
Wright said he was disappointed that no one in the federal government was held accountable for the use of spyware, which can have a “drastic” impact on people’s lives.
“We have a right to privacy. It’s not an abstract concept,” he said.