Regarding their use internally, I think that most of the representatives of agencies who have testified so far say, “We use them on our employees, and we get their consent.” It's difficult if not impossible for employees to give informed consent in these situations, because there's an imbalance of power, and there's an imbalance of knowledge. We've seen in sessions of the committee just how difficult it is to explain what these devices are capable of. Consider this: If you are a junior employee and your manager says, “We're going to use this device on your cellphone”, you have no real alternative other than to say yes. I think that use internally is quite fraught and imbalanced.
In terms of its use with warrants, I think there needs to be a step before you get to a warrant. If we are talking about “necessary and proportionate”, there are questions that we should ask. Is this technology valid to be used to begin with? This is where privacy impact assessments come in, which I personally think are useless to a degree.
They basically account for self-regulation right now. There's no process that agencies or ministries are obliged to go through that would forbid them from using any technology. We saw in Scott Jones' testimony on Tuesday that he will buy this for anybody in government who wants it. There's no standard, which is mind-blowing.