Information & Ethics Committee on Feb. 8th, 2024

Hello and good morning, Mr. Chair and committee members.

My name is Brent Napier. I am the acting director general of the conservation and protection directorate at Fisheries and Oceans Canada. I am joined today by my colleague Sam Ryan, director general of DFO IT operations.

Before I begin, I would like to acknowledge that I am grateful to be joining you here on the traditional, unceded territory of the Anishinabe Algonquin people.

Mr. Ryan and I appreciate the opportunity to appear before this committee on behalf of Fisheries and Oceans Canada and provide you with information on the conservation and protection program and our national digital forensics service, which fall under my responsibility, and the cybersecurity digital forensic investigator service, which is under Mr. Ryan's responsibility.

It is the enforcement program of Fisheries and Oceans Canada. The Department’s mandate is to sustainably manage fisheries and aquaculture. The proper management of fisheries and marine and aquatic resources requires a robust compliance verification program.

C and P has over 550 fishery officers in locations across Canada. Our officers work with the general public, harvesters, indigenous communities and industry to conserve and protect Canada's marine and aquatic resources. Fishery officers verify compliance with fisheries-related statutes, such as the Fisheries Act and the Species at Risk Act, and take enforcement actions, including undertaking investigations and recommending prosecution for offences.

Historically, the harvesting and reporting of fisheries resources was all done using paper forms, such as logbooks and charts. As technology has advanced, harvesters have adopted new technology, such as chart plotters, electronic logs and electronic communication devices into their harvesting operations. To remain an effective enforcement organization, C and P has adapted its capacity, tools and use of technology. This includes the implementation of new units to support complex investigations, including those involving complex digital files, components and data. Digital forensics examiners are now part of the C and P team. They use new digital technologies, technological solutions and approaches to support digital enforcement investigations.

C and P's digital forensics team is centrally managed in Ontario and supports fishery officers across the country through regional labs. The digital forensics team is made up of seven experienced, highly trained and highly skilled digital forensics examiners. The training and technical solutions used by the C and P digital forensics team is in line with Canadian municipal, provincial and federal law enforcement standards. Before deploying any technical solution or retrieving any digital data, C and P's fishery officers and investigators seek a judicial authorization or warrant.

The IT operations' cybersecurity digital forensic investigator team uses digital forensics tools to support the department's mandate to promote and maintain compliance with legislation and regulations as well as internal administrative investigations into violations of Government of Canada policies, such as fraud or harassment in the workplace, and for supporting such cybersecurity activities as investigating cybersecurity incidents.

In the context of an administrative investigation, it is important to note that judicial authorization is not required. It is conducted with the full awareness and co-operation of the involved individual. The nature of the allegations and the subsequent investigation are defined within the investigation's terms of reference, which are shared with the involved individual.

In closing, the Government of Canada, including Fisheries and Oceans Canada, is committed to working with other federal departments and agencies, provincial and territorial governments, indigenous peoples and other partners to fulfill its commitment to protect, enhance and restore the biodiversity and health of Canada's marine and freshwater environments through an integrated ecosystem approach that supports the sustainable use of marine and aquatic resources.

Thank you for your attention. I will be happy to answer any questions you may have.

Good morning, members of the committee. It is a pleasure to be here with you today.

My name is Donald Walker, and I am the chief enforcement officer at Environment and Climate Change Canada. I'm joined by my colleague Hannah Rogers, who is the director general of environmental enforcement.

We are pleased to be here to explain our mandate and provide you with an overview of our operations. I will also talk about our use of digital forensics software.

Environment and Climate Change Canada administers several environmental statutes and their associated regulations. These include the Canadian Environmental Protection Act, the pollution prevention provisions of the Fisheries Act, and the Greenhouse Gas Pollution Pricing Act, among others. We also enforce wildlife laws, such as the Wild Animal and Plant Protection and Regulation of International and Interprovincial Trade Act, the Migratory Birds Convention Act and the Species at Risk Act.

The Environment and Climate Change Canada enforcement branch was formed in 2005 with a mandate to conduct inspections to verify compliance with these laws and their associated regulations, investigate possible violations and take action to compel compliance when violations are identified.

With nearly 500 employees across Canada, the Environment and Climate Change Canada enforcement branch is comprised of uniformed enforcement officers who have the powers and protections of peace officers when enforcing the laws under which they are designated. These officers conduct thousands of inspections per year to verify compliance.

If enforcement officers find sufficient evidence of an alleged violation under the environment and wildlife protection acts for which they are responsible, they will take appropriate action in accordance with our compliance and enforcement policy. These actions are designed to restore compliance and may include issuing warnings, directions, compliance orders, tickets and administrative monetary penalties. When the environmental harm or the factual circumstances warrant it, officers conduct investigations and collect evidence to support the laying of charges.

To this end, Environment and Climate Change Canada's enforcement branch works closely with colleagues at the Department of Justice Canada and the Public Prosecution Service of Canada to build prosecutable cases.

Since the creation of the enforcement branch, the nature of the non-compliance we uncover has changed and the evidentiary requirements to establish non-compliance in court have grown more complex.

While the majority of our regulated sectors are compliant, we also respond to non-compliance by organizations and individuals who sometimes go to great lengths to conceal or hide the negligence that led to serious environmental damage or biodiversity loss. This has only increased as the courts have issued more serious penalties.

In response to this changing reality, enforcement received a mandate in 2020 to modernize its operations. This included the implementation of a risk-based approach for setting its inspection priorities to ensure that its resources are targeted where the potential for environmental damage or impact on wildlife is greatest. It also included investments in new information technology infrastructure, data analytics capacity and digital forensics software, in large part to ensure that we could meet modern information management expectations as well as provide evidence to meet the standard of the courts.

Our digital forensics lab is staffed by a small number of specialized analysts. These employees are highly trained professionals, who are trained first as enforcement officers and then as digital forensics experts. This training ensures that they understand the limits of their authorities and the specific mandate of the digital forensics unit.

The digital forensics software we use can only be employed under warrant, and only within the context of enforcing Environment and Climate Change Canada legislation. Digital data that can be imaged or acquired are extracted on site during the execution of a court order. Devices from which data cannot be extracted on site are collected and brought to the national laboratory. Digital evidence that is collected typically consists of information that can be stored on smart phones, laptops, cloud-based storage systems, servers and flash drives.

Digital forensics analysts are the only people within Environment and Climate Change Canada who use such tools. Our department must continue to evolve and innovate to remain effective, but these new tools require that we continue to pay close attention to how we manage information, particularly as it relates to privacy.

Environment and Climate Change Canada takes privacy very seriously and to this end enforced a comprehensive review of its information management procedures, including for the use of digital forensics software. We are completing new privacy impact assessments, with those that focus on our operational activities being prioritized. We communicated our intentions to the Privacy Commissioner in June 2022.

This review, which started in 2023, will include specific tools like digital forensics software. The operational components are our priority. The privacy impact assessment that covers forensics software will be completed in the upcoming fiscal year.

Thank you for your attention. I will be happy to answer questions from the committee.

Thank you very much for your question.

We do not have surveillance equipment. I think you asked about surveillance gear. We do not have surveillance equipment. The actual software that we have is used as part of our administrative investigations, and it's used with the full understanding of the employees involved. It follows a very rigorous process where we go through a terms of reference that is shared with the individuals, and they're fully aware about what is within and not within the scope.

Again, it's not surveillance, because we actually have to have the equipment. Whether it's a laptop in question or a government-issued phone in question, they have to be within our forensics unit.

I believe the software in question is one of our forensic tools. Again, like all software, it goes through many different iterations of the tool. I think that tool has been sold for many years, potentially more than 10 or 15 years. I believe it started to be used when it wasn't possible to actually copy your contact details from your flip phone. I believe that's how this software came into being.

Again, it's more than, I think, 15 or 20 years that these forensic tools have been in place, and I believe the PIA came into force in 2010 approximately.

Again, a PIA, as I understand it, is part of the overall process or program that's being evaluated. When we're looking at it, again from my perspective, it is administrative investigations, so that process or that program has been in place for many decades. The tool that we're talking about—

Again, the PIA is not software-specific. It is for the program. The tool is one part of the program.

I, personally, was not a part of those communications. I know within our department the ATIP office was in communication, I believe, both with the Privacy Commissioner and with Treasury Board. That is the mechanism by which the communication happens within our department, the central agency and the Privacy Commissioner.

We have acquired the same software about which we are speaking today.

It is not intended for ongoing surveillance of Canadians. We do not, in Environment and Climate Change Canada, use the software for employee devices.

I will turn shortly to my colleague, Ms. Rogers, to talk a little bit about the protections we have in place.

At the time that the digital forensics unit was established in 2013, this was viewed as a natural evolution of the search warrant process, where we seek court orders to acquire specific information.

Certainly, we would not expect that the enforcement branch of Environment and Climate Change Canada would not access information unless it had been printed for the purposes of pursuing non-compliance under environmental or wildlife protection legislation.

I would ask Ms. Rogers to speak briefly about the protections in place.

Like my colleague, I cannot say definitively whether the department received specific information from the Treasury Board, but Environment and Climate Change Canada already had a privacy impact assessment development process under way at the time of the reporting on this last year.

My understanding, and I will turn to my colleague for confirmation, is that it was in 2013 as part of the creation of the digital forensics—at the time computer forensics—program in the enforcement branch of the ECCC.

From an Environment and Climate Change Canada perspective—and I will turn to my colleague again to provide further details—the importance is to make sure that we have the rigours in place to ensure the proportionality of the tools we're using and that we have appropriate measures in place to protect the information.

Ms. Rogers.

Yes, I'd add that we have a number of safeguards in place. The information that is gathered using these tools is only accessed by highly trained officers in very few numbers.

We take the privacy of all Canadians very seriously.

As Mr. Walker mentioned, we have a PIA under way at the moment and we will continue to complete that work. We expect the PIA that relates to our operational activities to be completed in this next coming year.

At the time of the development of the program, it was viewed as a natural extension, and there was not an intent to collect personal information.

As Ms. Rogers mentioned, we have a specialized team that works on the computer forensics itself, which is separated entirely from the investigators on the file, so there is a wall in between the two pieces of information. The digital forensics experts are trained to seek out the exact information that is being sought under the court order and to disregard any personal information that is being collected.

At the time, and this would precede both of us, the understanding was that, because this was not intended to collect or store personal information, it might not have been required. We have since, out of an abundance of caution and starting in 2022, determined that with the modernization of our activities in the Environment and Climate Change Canada enforcement branch, there is value in conducting privacy impact assessments across the range of our activities.

We are not surveilling Canadians at large. There are occasions, as with any operational law enforcement organization, when we will monitor certain sites where we expect non-compliance to occur. For instance, in the case of the Migratory Birds Convention Act and the regulations that are associated with this, if someone has laid bait in a hunting zone within the 14 days prior to a hunting season's beginning, it's important for our officers, when a physical presence may serve as a deterrent, to observe more discreetly in order to determine who is engaged in non-compliant activity.

Perhaps I can start. It's to manage risk, to inform operations in process and to, of course, protect privacy above all.

Much like my colleagues from ECCC, these are legacy programs that predate many of our current rules and policies. They were seen as an extension of what we had conducted in the past. In fact, these tools are more surgical in the sense that they can direct us to the files we're looking for instead of having to comb through paper files, where you would basically be privy to information you wouldn't otherwise need.

We absolutely are in the fishery but not with these tools.

Fishery and Ocean fishery officers, some 550 of them, are on the water and conducting surveillance of the activities that are occurring there through more traditional means of patrols and inspections, but these tools are not part of that tool box for them.

We absolutely are not.

For us, it's all in relation to verifying compliance under warrant. For us, when moving from inspection to investigation, we use these tools to collect evidence and follow the evidentiary process. We use judicial authority with a warrant, where the warrant provides strict guidance and direction on the types of information we have access to and that governs our process and the use of these tools.

They absolutely are, because they have been served the warrant.

We benefit from having three labs that are especially designed to encase evidence, so they're air-gapped and secure. All information, including information that might be collected in the evidentiary collection process and private information that might not directly be relevant, is housed in this area as well. It's not in the cloud. It's not on the network, and it's well protected. There is limited access to these facilities with 24-hour surveillance, and only the examiners use it with fishery officer guidance.

We take privacy very seriously. I'll explain the problem we encountered.

When the program was introduced, we believed the existing measures were adequate to counter any privacy concerns stemming from our work. However, in view of the changing overall pattern of our work, we decided that the time had come for a complete review of these measures, with additional precautions to ensure that there was a proper framework for them and that they would include a privacy impact assessment.

You may be right. I can't remember exactly how we responded in connection with this story.

It was probably the third time in two years that the media had asked us questions like that, and information about obtaining this type of software is publicly accessible on the Internet. In each instance, I don't think we attempted to hide the fact that we were using tools like these in fulfilment of our mandate. On the other hand, I can't recall whether or not we had told the journalists that we were about to undertake an assessment.

By the story?

No. We sometimes field questions from the media about the use of various tools, including the software we've been discussing today. As I mentioned, that was the second time we received a request of that kind in 2023. I believe the first came from the Journal de Montréal.

Definitely. Not only that, but I will refrain from using the term "surveillance", because that's not at all what we're doing with this software. It's used to collect data from electronic devices. It's like opening a drawer while executing a search warrant. We only do it when there's a warrant.

It depends on the subject. My colleague's expertise might be helpful to you.

By all means.

When we look at the data, we're only looking for information we would like to find in connection with the investigation process. So if we look at what is…

For example, we apply the laws that relate to environmental protection and wildlife. For example, if a mining company has committed an infraction under the Fisheries Act, we will be looking for any evidence they have that shows they knew they were conducting such an event that might cause a spill, or for what kind of technical information they have that might be relevant to the investigation.

I definitely believe so. We can't obtain the information without these tools. For example, if we have a computer…

None that we could use if we want to continue the investigation.

We had paper. There were no electronic devices.

Our understanding of the program is that, when it was first inaugurated in 2013, the view at the time was that the protections in place to avoid the collection of personal information and simply focus on the evidence of non-compliance under a court order would not, under the decision tree, necessitate a privacy impact assessment. However, in 2020, as we were going through a modernization exercise with respect to implementing a risk-based approach to our enforcement activities and a periodic review of our directives, we felt that it was prudent to engage in new privacy impact assessments to cover not just a specific tool but also the activities we undertake so that it takes into account the context in which different tools are used.

To echo much of what was said, the other part for us is that there's reasonable belief that an offence has been created. It's not simply during an inspection or just to comb the area. We have a situation where we have reason to believe that an offence has been created. Now we're into the investigation stage of it, where we bring in a judicial authority. It's very clear at that stage. We have to present our case and we have a judge who says, yes, this is the type of information we're allowed to take and what is reasonable. At that stage, we execute.

In terms of your question on a PIA, again, the mechanics on evidence collection have not changed; the tools have. For our purposes, we're not focused on the tool. We're focused on the process. I think it is warranted at this stage to review those processes to ensure that we are protecting privacy. We feel that there are safeguards, significant safeguards, in place, but we have, ourselves, voluntarily agreed to go ahead with the PIA process. We have, ourselves, engaged with the Privacy Commissioner in December. We are executing that process as well, but on the process and not the tools.

The tools will change over time. They come out with new versions and new tools, and all of these tools are not the same. Some are designed to allow access to cellphones and technology. Others search deleted items and allow us to recover those files. There's a series of different tools for each of the different jobs, but again, they're strictly defined by a court order, or a warrant, in terms of what we're able to take.

Again, it's evidence. It's not the privacy part. Where there is private information, that is set aside, protected and destroyed once the investigation has concluded.

I'm not certain that we would see it as our place to comment on the Privacy Act itself. As an enforcement organization, we are responsible for taking the laws and regulations as they are written and making sure that we are acting accordingly.

I think what we have found is similar to what the Privacy Commissioner said during his testimony, that it is a resource-intensive activity to undertake a privacy impact assessment. We're prepared to put the appropriate resources against it. From our perspective, it's a matter of making sure we have the right expertise in place to help us identify places where putting a better written assessment around our procedures that are in place or refining our procedures is valuable for us to ensure that we have the confidence of the public in how we're using information.

I believe the mechanisms in place within the government, within the act, within the law and within the policy are appropriate. I think departments can use those. A PIA is an identified tool to assess risk and to support and inform process change as necessary. We heard from other members about the proportionality of it. It allows us to assess that as well.

In the case of Fisheries and Oceans, it's about managing a public resource, allowing access to a certain group to be able to use the sustainable resource and ensuring that it's being done appropriately on behalf of Canadians. These tools are put into place to ensure and verify compliance for that very important reason.

We keep a wall between what our forensic investigators find within the use of these tools and the actual investigation that is being completed, so they do not share anything that is not relevant or should not be included in the warrant with the actual investigators. That is one rule.

Also, we destroy any private information that we might discover when we are going through any equipment that we find. We follow international standards for that. As well, our officers are highly trained on exactly how to deal with private information when they do come across it.

Regarding people processing tools, we have safe storage. We have individuals who are trained. We restrict access and have a process and policy, and we make sure that information is safeguarded.

It's treated as evidence. It's coupled to the same process, which is a very strict process, to allow us to take it to court in a successful way.

Not at Environment and Climate Change Canada.

These tools have never been used at Environment and Climate Change Canada without a court order.

It is the same at DFO.

I'm sorry.... Maybe I'll have my colleague comment on an outside the enforcement use of the tool, because there might....

Again, for administrative investigations...and we're not talking about doing something without the knowledge of the employees. Within an administrative investigation that comes through the chief security officer, we have the terms of reference and then the actual employee is fully aware and part of that process, so if there is an investigation they may provide their laptop and their phone with their passwords as well.

Again, it is not used to break into the phone if that's the heart of the question, and no, we do not break into someone's phone. It is done with the understanding and the aid of the employees involved.

It is not currently possible for this tool to be used for administrative investigations at Environment and Climate Change Canada. It is not attached to the network, and it is used exclusively within the enforcement branch.

I think you've heard that many of these tools are long-standing, so 2013 was when DFO first started to use them. At that time there was a different environment. There were rigorous measures taken to secure and ensure that privacy was respected.

Certainly, I think the Treasury Board directive associated with privacy impact assessments appears to have been viewed, at the time, as not applicable to this particular work because it was not intended to collect, store or treat personal information. As a result of a more comprehensive review undertaken in 2022, the decision was undertaken to complete privacy impact assessments across areas of our work.

Yes. We established the computer forensics unit in 2013.

It was a different prime minister in 2013.

It was in 2013 as well.

It was Stephen Harper.

No, and I can pass it to my colleague for greater detail.

Unlike spyware, the tools that we use are for the extraction of existing data under a specific court order and with the owner's knowledge. It is not clandestine. It is not ongoing. There is no software installed on the device, and it is not conducted remotely. There's no ongoing component, which would be required for it to be spyware.

It's exactly the same answer, yes.

That is correct, except that in Environment and Climate Change Canada's case it is not a voluntary submission.

Every time you log into the network we have an acceptable use policy. Every time you reboot your computer you access via a virtual private network—a VPN—the acceptable use policy. You accept it. It details what you can and cannot do. Again, these are not Department of Fisheries and Oceans policies. These are Government of Canada policies, so we are applying all of those policies.

Fishery officers do monitoring, control and surveillance of the fishery, so there are Canadians active in the fishery—

That's exactly right; I was not clear.

That is correct, sir. I would suggest that there are some modern technologies such as an aircraft, but yes, it's definitely not these tools.

Again, we would not be using these tools to conduct surveillance activities. We may conduct surveillance activities like in the example I used, which was disrespect for the migratory birds regulations in terms of hunting. Generally speaking, compliant hunters would report that to us, and we may watch the site to determine who is engaged in activities.

That's correct.

That's correct.

I would argue that it is not, in fact, the case. I think we do everything to protect privacy, and that's why we get a judicial authority to go. We make a case, and we present the case to a judge who examines the evidence that we have before us and then provides us strict parameters in terms of what we can and cannot collect, all for the purpose of presenting, beyond a reasonable doubt, a case to a judge.

I wouldn't want to speak for either of the two. Certainly they could have their own opinions, but I think the legal system is well constructed in the sense of protecting Canadians and that information. In fact, the evidentiary chain of custody, etc., is probably the most strict; therefore, any information that might accompany evidence would be treated in a similar manner.

Not at all. In fact, we're happy to hear any advice or recommendation from the commissioner and evaluate our own processes to ensure that we're respecting privacy within our processes.

While it is true that we have conducted a large number of investigations, only 45 of these in the past 11 years have used the computer forensics tools we're discussing.

It's always a pleasure, sir.

I couldn't give you an exact number, but I know that over the last number of years it's been about 50 cases per year.

That's for the tools. There's a process-level PIA and then there are the tools themselves. There's a differentiation.

We have PIAs for the larger program, but we haven't adapted it—

It is correct that we have not had a privacy impact assessment for the use of this tool.

It's court-ordered consent, or it could be a witness who provides some form of electronic device. Even in those cases, we still seek a court order to access them.

Based on our procurement from the manufacturer, it requires consent or a court order. We would only operate under a court order. Once we have moved from an inspection into an investigation, we would not necessarily ask the regulatee to provide information that would be self-incriminating voluntarily.

I will pass it to my colleague shortly.

At the time we procured it in 2013, the circumstances were that many of our regulatees had moved from paper storage of documents into electronic storage of documents. That meant that, in order to retrieve the information we might get out of a filing cabinet in previous times, we actually needed to gain access to electronic devices to develop the evidence necessary to pursue the investigation.

It's very similar. When committing an offence with technology, that technology then becomes subject to these tools. It becomes evidence. It collects evidence. It's not unlike a filing cabinet. This is the new filing cabinet. In order to access that filing cabinet, which could have a lock on it, even in old times, we need these tools. That's how we use them.

Like our colleagues from ECCC, it will be this coming fiscal year. We've already made some headway in that direction.

We expect to have the privacy impact assessment associated with this technology completed by the end of the coming fiscal year.

Good afternoon and thank you for inviting us to appear before your committee.

Before I begin my remarks, I would like to acknowledge that we are gathered on the traditional, unceded territory of the Algonquin Anishinabe people.

My name is Steven Harroun. I am the chief compliance and enforcement officer at the CRTC.

I am joined today by the CRTC's general counsel, Anthony McIntyre.

The CRTC is an independent, quasi-judicial tribunal that operates at arm’s length from the government. We hold public hearings on telecommunications and broadcasting matters, and we make decisions based on the public record.

In addition, the CRTC plays a part in a larger federal government effort to protect Canadians from spam, malware, phishing and other electronic threats. The CRTC is one of three agencies, along with the Competition Bureau and the Office of the Privacy Commissioner, that work to promote and enforce compliance with Canada's anti-spam legislation, or CASL, as we call it.

The CRTC has a small team of less than 20 people that carries out this important mandate. CASL authorizes our investigators to request warrants from the courts to examine computers and other electronic devices when necessary. As part of those authorized activities, CRTC staff can use digital forensic tools during investigations. How we use these tools is very limited in scope and is done in keeping with the law. In the very limited circumstances in which we have used these tools, we have obtained judicial authorization through the courts in the form of a warrant.

Since 2022, the CRTC has only used these tools in two CASL investigations. In these cases, a warrant was obtained and the CRTC was successful in uncovering evidence related to potential CASL violations.

We take the use of digital forensics tools very seriously. We follow strict legislative and judicial parameters when using these tools.

Thank you for allowing us time to explain our limited use of these tools to help protect Canadians from harmful electronic threats.

We look forward to your questions.

Thank you, Chair.

Thank you to the Standing Committee on Access to Information, Privacy and Ethics for having us here today. My name is Eric Ferron, and I am the director general of criminal investigations at the Canada Revenue Agency, the CRA. I am accompanied by my colleague, Anne Marie Laurin, acting director general of the access to information and privacy directorate, and deputy chief privacy officer.

Within the scope of my responsibilities, the criminal investigations program investigates significant cases of tax evasion, tax fraud and other serious violations of tax laws and, where appropriate, refers cases to the Public Prosecution Service of Canada, the PPSC, for possible criminal prosecution.

Ms. Laurin's responsibilities include providing strategic direction, expert advice and leadership on all access to information and privacy matters in support of the CRA's programs, services and priorities.

I would like to start by stating that the CRA does not use spyware tools to monitor its employees or Canadians. The criminal investigations program does use the technological tools that are the topic of today's discussion.

CRA criminal investigators and computer forensics analysts are public officers as defined by section 2 of the Criminal Code. As public officers, CRA investigators can obtain evidence during the conduct of a criminal investigation by way of search warrants, preservation orders and production orders pursuant to section 487 of the Criminal Code. This is in addition to the search powers provided by the acts administered by the CRA.

Warrants issued by the court grant authority to CRA investigators to search and seize personal information or data that could otherwise be protected by section 8 of the Canadian Charter of Rights and Freedoms. In granting a search warrant, the issuing justice or judge must balance the rights of the CRA to gather evidence as part of a criminal investigation with the rights of individuals. Under section 487 of the Criminal Code, search warrants are sought when there are reasonable grounds to believe that an offence has been or is suspected of having been committed.

The evolution of technology has expanded the use of search warrants beyond traditional physical locations. Subsections 487(2.1) and 487(2.2) of the Criminal Code speak to search warrants of computers and electronic data, allowing the CRA investigators to search the electronic devices they have seized for data. It is during the execution of these judicial authorizations that the CRA may use technological tools to extract data from electronic devices.

A privacy impact assessment for the criminal investigations program has been in place since 2016, and the CRA was in the process of finalizing updates to it in late 2023. The update to the assessment has now been finalized, and in line with best practices the program intends to continue reviewing its PIA on a regular basis to ensure it is up to date and reflects current operations.

Mr. Chair, this concludes my opening remarks. Ms. Laurin and I would be pleased to answer any questions that committee members may have.

No, we do not procure surveillance gear. We have digital forensic tools, which we use to enforce CASL.

They do.

When CASL came into force in 2014, the CRTC conducted three PIAs, as it was a brand new program. One of those PIAs specifically references section 19, which is search warrants and the use of digital forensic tools. We've had a PIA since 2014.

That's correct.

Criminal investigations has tools that we're discussing here today. They're not surveillance tools. They are digital forensics tools that we use as part of our criminal investigations.

We've had a PIA for the criminal investigations program as a whole since 2016. The tools that we have were purchased right before that.

The discussions with the Privacy Commissioner happened with my colleague here, so I'll let her address that question.

Thank you for the question.

Both the OPC and Treasury Board sent follow-up questions regarding that. We indicated that we use the forensic tools for the purposes of criminal investigations. We did have a PIA in place. In fact, the Privacy Commissioner acknowledged receipt of that PIA and had no recommendations on it at the time.

We did not receive a direction from the Treasury Board. We advised Treasury Board that we had a PIA, as per my previous answer.

PIAs are submitted to both Treasury Board and the OPC, so they have an opportunity to provide feedback to us on those things.

We bought it in 2014.

It was 2012.

Since 2014.

That's correct.

That would be correct.

That is correct, yes.

That is correct.

Yes, and it's only once we have a judicial order.

Every time we obtain a device and/or use this tool, we have a search warrant that specifies the use of these tools.

Since 2022 we've used it twice. Overall, we've used it a handful of times in 10 years.

It has a very limited scope in a very limited type of investigation.

It is only used for CASL investigations and for a very specific type of CASL investigation. There is limited use of that tool. Even within my own team, there are only four or five technical experts who even know how to use it.

At the Canada Revenue Agency, we only use that tool for criminal matters when we have judicial authorization. Such authorization also allows us, once we have seized a device, to use the tool to gain access to its contents and withdraw information. That's the only use we make of the tool.

I would suggest “yes”.

Absolutely. We have a strong corporate team at the CRTC that looks at all the directives across government, be it the Treasury Board, the Privacy Commissioner or others. If it impacts my program and the work that we do, then I am directly involved in ensuring that we meet all those requirements.

We have a privacy management framework in the agency. We have a chief privacy officer as part of that privacy management framework. The pillar is privacy by design.

We monitor the completion of things like privacy assessments. In fact, we have key performance indicators that measure that. Quarterly updates are provided to senior management on the completion of privacy assessments.

Yes, and it's also with the Office of the Privacy Commissioner.

Our privacy management framework takes all dimensions of privacy into account and monitors all portions of that from a policy perspective as well as a practice perspective.

Yes. Privacy is an obligation of all parts of the agency. Senior management is regularly engaged in those obligations and understands those roles and responsibilities.

It's the same thing. The CRTC is in compliance with all federal government requirements.

Even more to your point about a minister, we are a quasi-judicial independent tribunal. We're even one step further removed.

I can try.

We have indeed had the PIA process in place since 2016. The assessment is for the program as a whole, and not the tools. When we were asked about it, we may not have been as accurate as we might have been with our answer. That may have caused some confusion.

So we have, since 2016, had a PIA in place for the program under which the tools in question are used.

My understanding is that the PIA is for the program. That's why we did what we did. In our assessment, we say that our experts use some tools when electronic devices are seized in order to extract information.

So there really is a PIA and it's been there since 2016.

That's right.

Thank you very much for the question.

I think we're in the same position as our colleagues.

A big question the reporter asked, I believe, was very specific. It was, “Do you have a PIA for this specific tool?” The response was “no.”

As I indicated, we do have a PIA for the program, which is typically how PIAs work. It's for the entire program where those digital forensics tools are identified. It's not by name. For example, if it became a different name, if it became “Cellebrex” or “Cellebrite 2.0”, then that PIA would no longer be valid. It's for the tools overall.

I would suggest that the program PIA covers it all, because it is very specific about the use of digital forensic tools and evidence gathering, etc.

It would be extremely challenging. For example, we use the digital forensic tools to gather information. For example, we all carry computers in our pockets. At the end of the day, these are now minicomputers. It's not like a laptop computer, where you can remove the hard drive, analyze that hard drive and put it back in. The only way into this phone and to know what's in this phone is to, literally, through this port—which is how Cellebrite works—connect to the phone. It makes a digital copy, a forensic evidentiary valid copy of that phone, and then Cellebrite allows us to analyze it and to preserve it for investigation purposes, for Federal Court purposes, etc.

As the regulator, we implement any legislation put forth by parliamentarians. If there were suggestions, be it through the Privacy Commissioner or others, that there should be changes to specific aspects, the CRTC would undertake to meet all those obligations.

Absolutely, I'll undertake that.

I don't have any suggestions right now. We follow the rules as written. As I said at the outset, many of them are in the Criminal Code. We stick to these rules to ensure that when we use the tool…

I don't have anything specific for you at the moment.

The criminal investigations program is responsible for investigating significant cases of tax evasion. That requires us to gather evidence, and our investigators will use the tools that they have at their disposal to gather this evidence. This can include interviews of suspects and of witnesses, but it can also include the use of judicial authorizations. This can be used for production orders or search warrants.

When we do search warrants, we can come across some electronic devices. We'll need to extract the data from these devices, these computers or cellphones, and it's with these tools we're talking about here today that we can do so. It allows us to get access in a very surgical way and not go through the whole phone by ourselves. The tools allow us to find what we're looking for. This will be used as evidence, ultimately, that we would present to the courts.

The authority we have is in the Criminal Code. That is what allows us to use the tool, to seize these electronic devices in order to use the tools to extract the data.

For the criminal investigations program at the CRA, the difference is that, when we have a judicial authorization that allows us to do a search, and if we come across an electronic device and we seize this device, we would then be able to extract the data from it. We have to have the tool connected to the electronic device—a phone or a computer—so the process is very limited that way. In other words, we can't be surveilling the Canadian population as a whole. These tools are made to be used with the actual phone, the actual computer or the electronic device that we have seized as part of a search.

I'll explain. There are several provisions under CASL, the anti-spam legislation that we have. Some of those provisions relate to the CRTC's ability to investigate the installation of software without consent, which includes viruses, malware, botnets and those types of activities—the more nefarious activities, if you will. When we're involved in an investigation related to those types of activities, we are often required to seek a search warrant to go collect devices to use this digital forensic tool to....

It comes down to the basics of evidence: We identify, analyze and preserve the evidence, and that's how we use this tool, in those very limited circumstances, on those very specific CASL cases.

For the CRTC, we do not have a reporting requirement. Because our scope and our use is so limited, as I said, it's less than a handful of times in 10 years. It is very specific.

We don't have any reporting requirements on the use of the tools. We do report various statistical data when it comes to criminal investigations, but not in terms of specific use of that tool.

I'm sorry, but I don't have the specific information you're looking for. We don't have the specific number of times we've used the tool to extract data from computers or cellphones we would have seized. It's something we can look into and provide that information.

Yes, we'll do our best to gather that information.

We'll do our best. We've had this tool for several years now. I don't know how far back we can go in terms of providing fulsome numbers, but we'll do our best.

The criminal investigations program does not have the mandate to investigate CERB offences. We do have the mandate to investigate other COVID benefits, and—

I believe it would be the ESDC or law enforcement.

The criminal investigations program, if we are investigating an offence of one of these pieces of legislation, we could use the tool to gather information if we've seized an electronic device during a search, but we would not use the tool to do an internal investigation of the actions of people within the agency.

No, not for the CRA.

No. You need judicial authorization to do your search, and that's when you would seize an electronic device. You have to have judicial authorization.

When we have a judicial authorization, that allows us to do a search and then we seize an electronic device. This would then be stored in a stand-alone computer, in an area that only our computer forensic analysts have access to. It's not connected to the Internet. It's not connected to the network of the CRA. These stand-alone computers are in a secure area that allows for maximum protection.

We have, in criminal investigations, approximately 700 employees. Approximately half of them are part of the investigative groups, but the computer forensic analysts are a very small subgroup of specialized people who can do this type of work. I don't have the exact number, but that's something we can provide to the committee.

It's only the people who are involved in the investigation. It's on a need-to-know basis, so it's not even all the investigators who would have access. It's only the people who are involved in the file, and actually, the investigators get access to only the information that is relevant. The CFAs—our computer forensic analysts—will sift through the electronic devices and take out what is relevant for the investigation, and that's what the investigators will look at.

Our criminal investigations, the investigators and the computer forensic analysts, have secret clearance, and the information that we have is stored in special areas that only our computer forensic analysts have access to on stand-alone computers. The security on these computers has been assessed to be adequate to protect the information, and the risks appear to be low.

Yes, but not me personally. Maybe, ultimately, if there were some wrongdoing—

The criminal investigations unit has some processes in place to limit who has access. Outside of criminal investigations, nobody has access to our files.

The tools we're discussing here today actually help us to ensure that we are thorough but at the same time very precise in what we get out of these computers, telephones or any electronic devices. It allows us to be more surgical, to seek out only what is relevant to the investigation.

When we have our judicial orders, there are terms of references in the actual order that explain what we can get access to, so those are other ways of limiting what we would get our hands on.

No. This tool does not work remotely. We actually have to connect to the device.

Absolutely. Through our search warrant it identifies what we're looking for and how we will obtain that information using these types of digital forensic tools. That search warrant is explained to the individual when we're executing the search warrant, so they are well aware of what's going to happen. They willingly, or at least by court order, offer us up that device. Even more importantly, often they're required to give us the password. If we don't have the password to that device, we cannot use this tool.

If it is deemed that the Privacy Act should be amended for whatever reason, we will comply with those amendments.

I agree with my colleague.

I don't have any comments on this for the committee today.

I have no suggestions.