Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.)

A video is available from Parliament.

Also speaking

Ronald J. Deibert  Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual
Brenda McPhail  Director, Privacy, Technology and Surveillance Program, Canadian Civil Liberties Association
Michel Juneau-Katsuya  Expert and Researcher on National Security and Intelligence, As an Individual

3:05 p.m.

The Chair Conservative Pat Kelly

I call this meeting to order.

I'd like to welcome everyone to the 33rd meeting of the Standing Committee on Access to Information, Privacy and Ethics. Pursuant to Standing Order 108(3)(h) and the motion adopted by the committee on Tuesday, July 26, 2022, the committee is meeting to study device investigation tools used by the Royal Canadian Mounted Police.

Today's meeting is taking place in a hybrid format, pursuant to the House order of Thursday, June 23, 2022.

Today we have three witnesses on this panel. We're pleased to have Ronald Deibert, professor of political science and director of the Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto. We have Brenda McPhail, director of the privacy, technology and surveillance program at the Canadian Civil Liberties Association. We are also expecting Michel Juneau-Katsuya, researcher on national security and intelligence. My understanding is that we are in the midst of navigating some technical issues with this witness, so we will proceed with opening statements from the other two. We certainly hope to have our third witness here in time for him to deliver his opening statement.

With that, I will ask for Professor Deibert to begin.

You have the floor for up to five minutes.

3:05 p.m.

Ronald J. Deibert Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Thank you, Mr. Chairman.

I am Ron Deibert, professor of political science and the founder and director of the Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy.

Since 2001, the Citizen Lab has researched information security issues, and one of the principal areas of our research has been the mercenary spyware industry, in which private actors sell hacking services to governments. We are widely recognized as one of the world's leading authorities on this topic.

My staff and I have testified or provided briefings numerous times to the U.S. White House, the Department of State, Congress, the European Parliament and other governments on this topic. I'm very pleased to be speaking about it for the first time before a Canadian House of Commons committee.

Today, I want to highlight several themes that arise from this research.

First, the mercenary spyware industry is very poorly regulated and is proliferating quickly. The industry lacks public accountability and transparency. It thrives in the shadows of the clandestine world and is spreading fast without proper controls.

Second, we have documented extensive harms and abuses in just about every jurisdiction in which spyware is deployed. Governments routinely use spyware to hack civil society, political opposition, journalists, lawyers, activists, family members and other innocent victims—both domestically and abroad—including victims living here in Canada.

Third, the mercenary spyware industry is not only a threat to civil society and human rights; it is also a threat to national security. We've observed heads of state and senior government officials who have had their phones hacked with spyware. Not long ago, we notified U.K. authorities about a device we observed being hacked at 10 Downing Street, the residence of the Prime Minister. In short, our 10-plus years of research show that the spyware industry is one of the most serious threats to civil society, human rights and democracy today.

The recent revelation about the RCMP using spyware raises serious concerns.

First, spyware is not like a traditional wiretap; it is more like a wiretap on steroids. Advanced spyware is to surveillance as nuclear technology is to weapons; it represents a quantum leap forward in sophistication and power. The latest versions provide silent and unfettered access to a target's entire pattern of life. Despite these nuclear-level capabilities, it is remarkable that there has been zero public debate in Canada prior to the RCMP's recent revelation.

Second, the threshold for use, oversight, transparency and public accountability must be much higher than for a traditional wiretap. This is especially critical because the RCMP and other security agencies in Canada have a well-documented history of abuses and discriminatory practices.

Third, we need transparency with respect to where Canadian agencies are procuring this technology. Yesterday, the Minister of Public Safety would not acknowledge to this committee from which vendor or vendors the Canadian government purchased spyware. There is absolutely no reason why that should not be disclosed, and there are plenty of good reasons that it should. Our procurement should be transparent and include rules for vendors so that we do not purchase from—and help enrich—firms that sell to governments abroad that threaten Canada's values and security.

Fourth, there are serious public safety concerns around the very existence of this technology. Mercenary spyware is founded on the discovery of software flaws that the software vendors themselves are unaware of or have not patched. The very use of this technology fuels a market that exploits collective insecurity on all of our devices. Canada's overall process, such as it is, to weigh the equities around these trade-offs is poor and opaque.

Fifth, the RCMP's quiet revelation sets a very bad example for the rest of the world. The Canadian government purports to protect human rights and stand for rule of law and democracy around the world. In adopting this technology without public debate and proper limits, we're essentially signalling to the world that we do not really care about these principles.

I will close my remarks with seven specific recommendations.

First, hold public hearings on the threats of the mercenary spyware industry, especially since Canadians have been victims.

Second, if Canadian agencies are going to use spyware, public consultation should be held, and the government should develop a legal framework that is compliant with the charter and international human rights law.

Third, Canada should develop strong export controls for the Canadian surveillance industry. Currently, there are none.

Fourth, Canada should penalize spyware firms that are known to facilitate human rights abuses abroad modelled after those in the United States.

Fifth, Canada should issue clear and forceful statements at the highest levels, for example, from the Prime Minister, Minister of Public Safety and Minister of Foreign Affairs, that we take this threat seriously.

Sixth—

3:10 p.m.

The Chair Conservative Pat Kelly

You're significantly over time. Go quickly, please, on the last two.

3:10 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Sixth, Canada should impose a lifetime ban on those who have worked in our security agencies from ever working with mercenary spyware firms.

Last, Canada should make public which firms they are contracting with and develop procurement guidelines for Canadian agencies so they never contract with firms that are connected to human rights abuses abroad.

Thank you, Mr. Chairman. My apologies for going over.

3:10 p.m.

The Chair Conservative Pat Kelly

That's all right.

Next I will ask Ms. McPhail to begin with her opening statements.

3:10 p.m.

Brenda McPhail Director, Privacy, Technology and Surveillance Program, Canadian Civil Liberties Association

Thank you for inviting the Canadian Civil Liberties Association to appear before you today. I'm grateful to the committee for commencing this study of the RCMP's use of on-device investigative technology, because it's an issue of national concern that is also a symptom of a larger problem of inadequate oversight and accountability when police acquire and use advanced surveillance technology.

The revelations about ODIT are just the latest in a series of similar media-led reveals regarding invasive techniques, from social media monitoring to cell site simulators to the illegal Clearview AI facial recognition. This isn't a one-off problem; it's a pattern pointing to a crisis of accountability.

Operational secrecy is a legitimate need in specific investigations. Secrecy around policies that apply to categories of dangerous surveillance technologies is not legitimate in a democracy. We must not allow law enforcement bodies to conflate one with the other to avoid accountability.

Why are these technologies dangerous from a civil society perspective? This committee is aware of the basic risks to privacy rights, so I'll focus on three other reasons.

First, our government agencies are encouraging an industry known for prioritizing profits over human rights and feeding the worst impulses of authoritarian governments. I work with a network of global civil liberties organizations where many of my colleagues see Canada as a role model on issues of law enforcement and due process. This kind of revelation diminishes our international reputation, not just at the level of governments but also on the ground.

Second, using these tools encourages law enforcement, as Professor Deibert noted, to exploit vulnerabilities in the technologies we all depend on, rather than to help get them fixed. We've known for some time that the CSE has duelling accountabilities in relation to their active cyber mandate and their responsibility to protect our cyber infrastructure. Now we know that the RCMP has a similar conflict. This is making us all a bit less safe daily in the name of public safety.

Finally, there's a question of due process. Your witnesses yesterday noted that an agreement detailing the ways the technology has to be protected is a condition of its use. What impact does that agreement have on court disclosures? Are cases ever not taken forward because to do so would reveal details of the technology? In other words, how does operational secrecy compromise the pursuit of justice?

Those are some of the problems. What are the potential solutions?

First of all, I do believe we need a moratorium. This study is just the beginning of an important public conversation we need to have in Canada. If it's true that this technology is a last-resort option, there can't be that much of a risk to public safety to pause its use briefly—certainly not when weighed against the privacy and due process rights at stake as well as the social and diplomatic impacts of the Canadian government condoning the sale and use of spyware.

Then we need to get back to basics, and the basic question isn't “How do we make sure the RCMP or any other body uses these tools lawfully?” Rather, it must be, “Is the use of such tools necessary, proportionate and in keeping with Canadian values?”

It probably won't surprise you that I think it is not. I think we should include, like Europe and the United States have done, the potential for a ban on state purchase of this kind of spyware technology in those conversations we need to have, but if it is democratically debated and determined that it is fit for a narrow purpose, the second question we then need to turn to is how to make the concept of lawful use more meaningful by updating our laws to appropriately govern the decisions to purchase and use these technologies, and to provide transparency and accountability sufficient to engender public trust.

For those laws to be good enough, we need stringent and effectively enforced import and export controls and limits. We need a system where decisions about using controversial potentially rights-infringing technologies can no longer happen behind the scenes. For that, we need not just mandatory privacy impact assessments but should also consider the creation of a truly independent advisory body working with appropriate transparency specifically to evaluate and set national standards for the procurement and use of surveillance technologies, as they have done in New York State.

We would also need public reporting obligations on the use of ODITs. The “Annual Report on the Use of Electronic Surveillance”, which has been repeatedly mentioned as an accountability measure, is insufficient. The tools used for this surveillance matter. That's why we're having this conversation. Yet that report simply gives statistics for any audio or visual surveillance. This leads to a final point.

Only one warrant application of the 331 in that report was refused between 2016 and 2020. That suggests that we need a public interest amicus present at those applications to provide a counterpoint to police positions. There are more problems and more solutions, but my five minutes is up, so I look forward to your questions.

3:15 p.m.

The Chair Conservative Pat Kelly

Thank you.

Although I can't see him on the screen, let me ask, do we have witness Michel Juneau-Katsuya?

No? Are we in touch with him, though?

We're in contact with him. Okay.

Well, we may not get an opening statement from witness Juneau-Katsuya.

We will have to begin our questions.

Mr. Bezan, I would ask you to lead us off.

3:15 p.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Thank you, Mr. Chair.

I want to thank our witnesses for joining us today and for their expertise on this.

To both Professor Deibert and Ms. McPhail, have your organizations studied in depth which vendors are potentially being used here in Canada—those who sell spyware?

3:15 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Which one should go first?

3:15 p.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

It's your choice.

You have your mike on, Professor. Why don't you lead off?

3:15 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Sure.

We have extensively documented spyware vendors around the world. Unfortunately, we lack transparency on the answer to this question here in Canada. There is no public information available to any of us as to which vendors the government is procuring from. As I mentioned in my comments, this is very problematic.

As you heard yesterday, when asked pointedly about this question, the Minister of Public Safety declined to answer. I don't think that's a legitimate answer.

3:15 p.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Ms. McPhail...?

3:15 p.m.

Director, Privacy, Technology and Surveillance Program, Canadian Civil Liberties Association

Brenda McPhail

We have not done that research.

3:15 p.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Okay.

Ms. McPhail, you mentioned in your opening comments the concern that maybe the RCMP hasn't proceeded in the prosecution of certain criminal cases or national security threats because they would have to disclose that they used ODIT. Do you have any proof of that, that they would rather not prosecute to protect the technology?

3:15 p.m.

Director, Privacy, Technology and Surveillance Program, Canadian Civil Liberties Association

Brenda McPhail

There was a case in the past called Project Clemenza, where it was revealed that a number of prosecutions were dropped rather than reveal the fact that a key to access encrypted communications had been obtained by law enforcement. That's the only example I know of, but the mention of a specific agreement, which your witnesses yesterday described as constraining the use of the tools and what could be said about them in public, does give rise to concern about appropriate disclosures in court.

3:15 p.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Do you believe the failure of the RCMP to go forward with that prosecution was because they didn't have a proper warrant that they used to collect that information on those individuals, or that they did so under other mechanisms, such as national security?

3:15 p.m.

Director, Privacy, Technology and Surveillance Program, Canadian Civil Liberties Association

Brenda McPhail

Anecdotally, I'm led to understand that it was done to protect the use of the tool, not because correct warrants weren't acquired.

3:15 p.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Okay.

You know, often when I've travelled abroad, I've been briefed by the Department of Foreign Affairs officials or Department of National Defence officials about the potential of having my cellphone hacked, and that the camera and microphone could be turned on at any time. Do you believe we need to take extra precautions here in Canada as parliamentarians, as people who work on the Hill, in that our government-issued phones could potentially be hacked by not just foreign actors but others domestically as well?

I'll give that to both Ms. McPhail and Professor Deibert.

3:15 p.m.

Director, Privacy, Technology and Surveillance Program, Canadian Civil Liberties Association

Brenda McPhail

I do think it's a concern, but I also think Professor Deibert is best prepared to answer this question.

3:15 p.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Go ahead, Professor.

3:15 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Yes, I think it's a major concern. The fact of the matter is that you have devices that are highly invasive and tend to be poorly secured overall, given the nature of the digital ecosystem that we live in, next to an industry that, as I've described, spends millions of dollars to identify software flaws without disclosing them to the vendors in order to provide this hacking as a service. We've also documented numerous cases of government officials and even heads of state having their devices hacked with the most advanced spyware. As I mentioned in my opening remarks, we observed a hacked device at 10 Downing Street, the residence of the Prime Minister, and reported that to the U.K. authorities.

Really, no one is immune from the most advanced types of spyware. There are no international regulations. It's proliferating widely to governments around the world.

3:20 p.m.

James Bezan Conservative Selkirk—Interlake—Eastman, MB

Professor, from the research you've done, do you believe that, although it would be unethical, employers, including the Government of Canada, would be able to get the clearance to use spyware as a way to monitor employees and people of interest who have government-issued or company-issued devices? Would there be a loophole where they could get around having to apply for warrants because it would be property owned by the employer?

3:20 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Well, that's an interesting question. I know that there are all sorts of rules. Usually disclosures are made when anyone uses a device within an institution, public or otherwise. If it weren't disclosed, I would certainly say that it would be highly unethical and possibly illegal.

I think Ms. McPhail would be better positioned to answer that question on legal grounds.

3:20 p.m.

The Chair Conservative Pat Kelly

You do have a few seconds, Ms. McPhail, if you'd care to answer.

3:20 p.m.

Director, Privacy, Technology and Surveillance Program, Canadian Civil Liberties Association

Brenda McPhail

I think a number of different interacting legal instruments would be relevant in that situation. They'd have to be examined carefully to really determine what kind of loopholes there might be.