Information & Ethics Committee on Feb. 15th, 2024

Good morning, ladies and gentlemen.

My name is Evan Light, and I am an associate professor at York University's Glendon College.

I am an associate professor of communications.

I will give my opening remarks in English, but I welcome comments or questions in French, as well.

I am, as one of you mentioned on Tuesday, the source of the documents from which Radio-Canada has been doing the reporting since November 2023 on the use of tools capable of extracting personal data from mobile devices and computers.

The speed with which you've taken up the challenge of investigating the widespread use of mobile forensic devices throughout the federal government is, for me, quite impressive and demonstrates a deep respect for the fundamental human right to privacy. Privacy is not an abstract thing. It is a fundamental human right that is tied to other human rights. In Canada, it's been a human right since 1977. We're talking about something that's quite fundamental.

For me, that means it's a right that should not be violated unless we have a very good, well-documented reason to do so. I think the testimony that's been given to you by agencies so far hasn't necessarily shown that their use is what we could call “necessary and proportionate”, which is a term that has come up at various times during your recent meetings.

From 1977 forward, successive governments have failed to protect our fundamental right to privacy. This committee, at this moment, has a really great opportunity—not just an opportunity but an obligation—to step up and examine how government protects the fundamental right to privacy.

I've forwarded numerous documents to the committee. Some have been translated and some have not, so you don't have everything I'll be talking to you about today. I want to talk about these issues and get into some of the testimony from the agencies you've spoken with so far.

I first encountered these devices in 2020 when doing research for a course. A group in the United States documented their use throughout over 2,000 police forces in the United States. There's been further documentation by the Carnegie Endowment in the United States, documenting the use of these tools by various regimes throughout the world and how they're tightly integrated with spyware.

As a quick note on terminology, I don't see MFDs—mobile forensic devices—as being spyware. It's come up numerous times at this committee. However, they have essentially the same capabilities. They're sold by the same suppliers and they're used by the same entities. I don't think we need to get hung up on terminology. I think it's important that they are equally invasive and equally unregulated in their use—if not more widespread and more unregulated in their use.

My concern is not that these devices exist, but that their use is completely unregulated. Various agencies that have testified to you have said that they don't really know how they use them. They don't keep numbers. CBSA said they use them all the time, but they can't tell us how many times they use them. Shared Services Canada testified on Tuesday that they don't have any actual policies or procedures on how they use them. Scott Jones decides, as an individual, when their use is warranted.

As noted by witnesses to this committee, the devices are relevant. They've been renewed many times. I believe Mr. Mainville, from the Competition Bureau, mentioned on Tuesday that they've been using these devices since 1996, which was an amazing revelation to me. It shows that these things have been used regularly by government for decades. They have been and continue to be unregulated and without any oversight.

Throughout the committee meetings related to this study, members of the committee and witnesses have used the phrase “necessary and proportionate”, or portions of it. I think this phrase is really key to understanding the use of mobile forensic devices or any sort of surveillance technology by government. It's actually tied to a document that came out in 2014, which was developed by 16 civil society organizations around the world. It's been endorsed by about 600 organizations and around 300,000 individuals. It's called “Necessary and Proportionate: International Principles on the Application of Human Rights Law to Communications Surveillance”.

There are legal frameworks to work on. There are standards for understanding how to do surveillance while respecting human rights, which is something that I think Canada can learn from and maybe should.

I'll be quick. I'm almost at my five minutes. I'll finish with a quick note on some of the recent testimony.

Shared Services Canada and various other organizations have said they only use mobile forensic devices in isolated labs, which gives the impression that they're really cut off from the world. Based on the capabilities of the devices they own, this is patently false. In the contracts that I forwarded to this committee, various entities, including CBSA, CRA, ECCC, the RCMP and TSB all have what's called UFED Cloud, which is a software package from Cellebrite that essentially lets someone access any cloud applications that are on somebody's phone. It's advertised as a way to get around warrants.

In addition, as my last comment, various agencies have ruggedized versions of these devices. “Ruggedized” means they're able to go into the field and be dropped and thrown around. They would not be buying ruggedized devices if they were to be used only in isolated clinical labs.

I welcome any questions.

Regarding their use internally, I think that most of the representatives of agencies who have testified so far say, “We use them on our employees, and we get their consent.” It's difficult if not impossible for employees to give informed consent in these situations, because there's an imbalance of power, and there's an imbalance of knowledge. We've seen in sessions of the committee just how difficult it is to explain what these devices are capable of. Consider this: If you are a junior employee and your manager says, “We're going to use this device on your cellphone”, you have no real alternative other than to say yes. I think that use internally is quite fraught and imbalanced.

In terms of its use with warrants, I think there needs to be a step before you get to a warrant. If we are talking about “necessary and proportionate”, there are questions that we should ask. Is this technology valid to be used to begin with? This is where privacy impact assessments come in, which I personally think are useless to a degree.

They basically account for self-regulation right now. There's no process that agencies or ministries are obliged to go through that would forbid them from using any technology. We saw in Scott Jones' testimony on Tuesday that he will buy this for anybody in government who wants it. There's no standard, which is mind-blowing.

Personally, I don't think it would be enough.

The Office of the Privacy Commissioner should be properly resourced and empowered with judicial authority and with proper financial resources to be a proactive regulator. In the whole process of procurement, the Privacy Commissioner should be the one to decide whether or not technology should be used and in what use cases. I think that agencies themselves are in a conflict of interest, really, when it comes to making their own decisions around whether things should be used or not. There should be an objective arbiter, which would be the OPC.

Absolutely. I think the privacy impact assessment is a useful tool for getting individuals and agencies to think about these ideas. I don't think it's a useful regulatory tool.

I have no evidence that would point one way or the other. I haven't done that research. I've done some.

Procurement is difficult to do research on. We work on contracts that are out there on the public record. I think that a lot of spyware companies sell their wares through third parties, so it's actually difficult research to do within government.

However, in the data that I've had, I haven't seen anything one way or another, so I cannot—

No, I don't.

Exactly.

You need to have the device initially. There are hardware components to mobile forensic devices that enable creating an image from a phone. Imagine that you're pulled over at the border and that you're asked for your phone. It can take maybe five minutes to make a copy of somebody's phone. Then you have an image, just like a CD image, that can be put on a USB drive and that can be shared between agencies. Data becomes a portable thing.

That's correct.

That's correct.

As well, I'm going on the basis of just the capabilities of these technologies and what they are advertised for. For instance, if you look into the Cellebrite marketing materials, you will see that they advertise their cloud capabilities as ways to work around warrants. In the past, you would need to get a warrant to use anybody's cloud account, to access their banking through their phone, to access their Google Maps or GPS history, etc. With regard to the cloud functionality that I mentioned these five agencies have, they advertise it as a way to work around warrants. You no longer need a warrant. You just need a phone or an image of the phone.

No, I don't.