Evidence of meeting #104 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was use.
A recording is available from Parliament.
Bloc
René Villemure Bloc Trois-Rivières, QC
Personally, if I'm using a government-issued device, my expectation of privacy is lower than if I'm using my own personal device, but that doesn't mean I have zero expectation of privacy.
Bloc
René Villemure Bloc Trois-Rivières, QC
All right.
You talked about the illegal use of cloud accounts by Cellebrite and others. Can you tell us more about that?
Associate Professor, As an Individual
Yes, absolutely, but I'm going to switch to English for the sake of efficiency.
Cellebrite and other companies, for instance—Magnet Forensics does this as well—have the ability to extract what are called “tokens”. When you have apps on a phone that connect to the cloud, you have tokens that essentially log you in. They serve as your unique identity to connect to a cloud service.
In fact, Cellebrite just updated its UFED Cloud, which is being used by at least five or six agencies, so that it can access Lyft and Uber logs. It can access DJI drone flight logs. It can access banking. It can access your Google history, your GPS history.
In the past, you would have needed a warrant for each individual action to access each individual connection to a corporation, and maybe those corporations would have been served with warrants and would have had to provide the information. Instead, now, with a device or an image of a device, this information can be accessed without a warrant.
Bloc
René Villemure Bloc Trois-Rivières, QC
I see.
All the witnesses said they got the message and would conduct privacy impact assessments.
Do you think it was negligence on their part, or an oversight? Why didn't they do the privacy impact assessments, in your opinion? I am not trying to criticize anyone. I am just trying to understand what happened. They all said they didn't do an assessment but would going forward. That tells me they recognize it's the right thing to do.
Associate Professor, As an Individual
Had it been just one agency, it would not be as serious. However, it happened everywhere, and that's the problem. The problem is systemic, not just an oversight. Disregarding privacy as a fundamental right is becoming somewhat normalized.
Bloc
René Villemure Bloc Trois-Rivières, QC
Perhaps that's the culture of public organizations.
You identified 13 departments and agencies. Have you identified other public organizations since then? Are there more?
Associate Professor, As an Individual
One of the contracts I mentioned a few minutes ago was with Teel Technologies. Recently, I saw that Shared Services Canada had changed its procurement practice. Now, instead of buying the technology directly from suppliers like Cellebrite, it goes through Teel Technologies, a company in Victoria, British Columbia. The current contract runs until the summer of 2024.
The Copyright Board of Canada is also one of the organizations—
Associate Professor, As an Individual
There are more than 13 departments and agencies. I was rather worried when I heard Mr. Jones say on Tuesday that he could purchase the technology for anywhere and anyone. If you're in government, you can place the order and buy it.
Conservative
The Chair Conservative John Brassard
Thank you, Mr. Villemure and Mr. Light.
Mr. Green, you have six minutes. Go ahead, please.
NDP
Matthew Green NDP Hamilton Centre, ON
Thank you so much.
I've taken a note from my good friend René's use of his iPad for timing, so hopefully I'll get it on, although certainly not with the same expediency as my friend Mr. Housefather in the way he was able to deliver questions.
We're well into this. One of the things that typically happen with expert testimony is that they are given time to situate themselves within their subject matter expertise. In your opening remarks, you didn't have an opportunity to do that. I want to give you that opportunity now. I understand, from your profile, that you publish widely on issues of privacy, surveillance and communications. Perhaps, as an opportunity to provide context to that, you can share what expertise you're here with today.
Associate Professor, As an Individual
Yes, happily.
I'm an associate professor of communications at York University's Glendon College. My background is actually in radio spectrum policy, which brought me into surveillance. A lot of the radio waves we use are also used for surveillance. I host an archive of the Edward Snowden documents. For about a decade now, I have been heavily involved in research on surveillance and privacy issues.
NDP
Matthew Green NDP Hamilton Centre, ON
Would it be your contention that you're here as somebody who advocates for open and transparent government?
Associate Professor, As an Individual
Absolutely.
I also have an IT background. Before becoming an academic, I worked in IT for about 10 years. Ultimately, I ended my career in IT as chief network technician of McGill's Faculty of Law, so I have an understanding from, I guess, the back-end perspective—
NDP
Matthew Green NDP Hamilton Centre, ON
One thing that strikes me is that, as legislators here, we're often tasked with trying to propound on technologies and subject matter that we don't have expertise in. I acknowledge that I don't have expertise in the things that you just stated you have expertise in.
While it is true that there are good public servants who, to the best of their ability, are making judgments day to day about the privacy and proportionality of the tools they're using, is it safe to say that the technology you're referencing here would likely go beyond the scope of an average person in government and probably even around this table?
NDP
Matthew Green NDP Hamilton Centre, ON
It was your contention earlier that one of the red flags—I'll call it a red flag; you didn't say that—in reviewing the companies from which the devices have been procured was that they were actually marketing ways to surreptitiously use backdoor devices to do things that they couldn't otherwise do directly through a warrant. Is that your assertion?