Information & Ethics Committee on Aug. 8th, 2022

Do you mean judicial authorizations, or requests to use ODITs internally?

The number of part VI authorizations denied is tracked in the annual federal wiretap surveillance report, so those numbers would be there. Do you want the other number as well?

Anecdotally, with regard to the number of investigators who request ODITs versus the number of investigations on which ODITs are deployed, I would say that one in 10 investigations that seek or are interested in using ODITs would actually make it through our process and have ODITs deployed. Because our process is quite rigorous and it's a very challenging practice to implement these tools, very few of the investigators who request them actually end up being able to use them.

The short answer is yes, there are protocols in place. The sample warrants you received, which is the sample part VI authorization, include specific terms and conditions related to solicitor-client privileges, and whether it be ODIT-collected information or information via a traditional telephone call, those terms and conditions must be followed.

I guess, again, that it goes back to the evolution of the technology, because in my history in the lawful access debate for 20 years now, the use of this type of technology and the challenges presented to the RCMP and policing in general from encryption have been a topic of discussion that involved the Privacy Commissioner, criminal law policy at DOJ and the human rights law section for many, many years.

Going back to a more recent time frame and the June date, I don't recall the exact order here, but I do know that technical operations did invite the Privacy Commissioner's office to the presentation that's occurring in August.

As well, you'll note some public articles that had been published by people such as Sergeant Dave Cobey here that are meant to bring more public visibility into what we are doing. We are pulling back the veil. We are trying to do that in a way that's professional, that respects both the law around the protection of tools and techniques—

Going back to the point I raised earlier, it is a debate that we have, and sometimes it involves a discussion with the government advisory group and with the Privacy Commissioner's office as well, but we do take a look at what we are doing.

As I said, whether we're intercepting an analog communication or an encrypted communication, the privacy is in the content, not in the method of delivery. As we moved through time, we were looking at whether we were invading people's privacy any more. When it gets to a point where we believe there are concerns.... I've personally been involved in meetings where we've received advice that no PIA is required because we are not hitting the triggers. As an organization, we are changing our position on those, and I would say that, even in one particular case, we are moving ahead with the privacy impact assessment even though all of the advice that we have had is that one is not required.

We are trying to lean forward. We are moving forward. You have three people at this table today who believe strongly in erring on the side of revealing the details and allowing people to properly assess whether or not there is an additional invasion of privacy or whether or not we are simply doing things using a new method, but still substantially invading privacy at the same level as we previously had when authorized by judicial authority.

To answer your question, there are more than two warrants. Predominantly, the omnibus order that we seek requires, in addition to a part VI, which is the interception of private communication warrant, a general warrant that is required for the deployment and use of the ODIT, the technology in the background. There's a transmission data recorder warrant that is required to collect the transmission data that we would collect to operate those, and then, if the ODIT is being used to collect information related to the location of the device, we also seek a tracking warrant. All of those warrants are included predominantly in the authorizations we seek.

Occasionally, we would seek only a general warrant if the objective were to only remotely search a device for historical information, but most of the time, we're using these tools for investigations that are ongoing and seeking prospective communications, private communications. So all of those warrants I listed, including a sealing order and an assistance order, are sought at the same time.

I'll add one element. I believe judges absolutely do understand privacy. That is their primary responsibility in weighing the needs of police to utilize such techniques.

Going back, in one of the previous questions the Delisle case was raised. If you look at the Delisle case, you will see in the news coverage that the RCMP, as part of our disclosure package, did present some of the material that was collected using the ODIT. This included screenshots of some of the communications between the accused in that case and what are believed to be the foreign actors he was engaged with.

When we speak about the technology, we hear “spyware”; we hear “malware”. I'll be frank. I don't believe it is either one of those. We are using tools and techniques that are designed to enable us to perform the duties that are expected to be performed by us in gathering evidence about criminal behaviour. You can see from the stats provided solely for 2017 onward that this involves serious cases with serious criminality.

Is there an openness to discuss the use of invasive...? I think the translation may have missed a fine point there.

I would say there's absolutely an interest in publicly discussing the use of invasive technologies. We're here. We're happy to have that discussion. Again, you'll see the news articles that cover it, so I won't waste your time.

I've been involved in this type of technology since 2002. I moved into a different position in 2015, and now I've been in my position in national security and protective policing since December, a year and a half ago.