Evidence of meeting #33 for Access to Information, Privacy and Ethics in the 44th Parliament, 1st Session. (The original version is on Parliament’s site, as are the minutes.) The winning word was rcmp.

A video is available from Parliament.

On the agenda

MPs speaking

Also speaking

Ronald J. Deibert  Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual
Brenda McPhail  Director, Privacy, Technology and Surveillance Program, Canadian Civil Liberties Association
Michel Juneau-Katsuya  Expert and Researcher on National Security and Intelligence, As an Individual

3:35 p.m.

Some hon. members

Oh, oh!

3:35 p.m.

Conservative

The Chair Conservative Pat Kelly

I believe it, but the time is—

3:35 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you, Mr. Chair.

I was actually talking to Mr. Deibert about trust.

This brings me back to my main point. Do the RCMP's actions serve to maintain trust or, on the contrary, arouse doubt?

3:35 p.m.

Expert and Researcher on National Security and Intelligence, As an Individual

Michel Juneau-Katsuya

Is that question for me, Mr. Villemure?

3:35 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Yes, let's start with you.

3:35 p.m.

Expert and Researcher on National Security and Intelligence, As an Individual

Michel Juneau-Katsuya

I think the RCMP's actions are in fact really important in order to gain and keep the public's trust. The accountability and consultation mechanisms as well as the legal safeguards in place are needed to keep and strengthen that trust.

I would say lessons have been learned from the various situations that happened previously. The answers the committee heard yesterday, in particular, the thoughts Mr. Dufresne and others shared, will go a long way toward helping the committee make the right recommendations.

3:35 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you.

Mr. Deibert, for the benefit of the general public, who may not fully understand all the ins and outs, can you explain what spyware is capable of?

3:35 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

We have been studying many different types of spyware, and the most advanced ones allow persistent access to a target's device, which, in turn, allows them to do anything on that device, and more than a user can do without the user knowing. Some of the latest versions of this spyware employ what's known as zero-click versions, meaning that there's no need to trick a target into clicking on a link of a fake message. A user, a government client of spyware, can simply issue a command to take over any device in the world that's vulnerable to this type of exploit.

Once inside a device, you can intercept and listen to any phone call. You can read emails and text messages—even those that are encrypted. You could silently turn on the camera and microphone; you can review all of the contacts; you can alter files on the device; you can access a person's cloud account; and you can track their location. It is extraordinarily powerful surveillance technology.

Keep in mind that we live in a different time than even 20 years ago, when a wiretap was something you put on a landline, or you'd place a bug or a GPS tracker in a suspect's car. This gives you all of that and more, because these devices are designed by their manufacturers to be as invasive as possible. They're designed, as well as the apps contained in them, to track every aspect of our lives, so this is a gold mine of information that is available to clients of spyware.

3:40 p.m.

Bloc

René Villemure Bloc Trois-Rivières, QC

Thank you, Mr. Deibert.

Yesterday, we heard about warrants and the fact that a judge had to approve and authorize the use of these investigative tools, under part VI of the Criminal Code. It's a good oversight mechanism, it would seem.

I'm not sure whether you agree with me that a situation can be lawful and unethical at the same time. As has been pointed out, the legislation is some 20 years old, and technology moves at a breakneck pace.

Even with legal safeguards in place, can the use of these investigative tools become unethical?

3:40 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Thank you, Mr. Chairman.

I think the disclosure that there were warrants is certainly reassuring. I'm glad it's not the opposite case; however, I think that we need to put judicial oversight in the context of a number of different factors related to this environment—this topic that we're describing.

First of all, I think there is a problem with transparency and public accountability within our law enforcement agencies. In fact, there's a pattern, as my colleague Ms. McPhail said, of not disclosing ahead of time certain investigative techniques that require a public consultation. Again and again, these are coming out through media revelations or in a kind of backhanded way, and that's not the way to approach this topic.

Secondly, there's a—

3:40 p.m.

Conservative

The Chair Conservative Pat Kelly

We're out of time for an answer. Maybe you can sum up in a few seconds, and then I'm going to have to go to Mr. Green.

3:40 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

There are public safety issues with this very technology. There are equities involved because it involves exploiting flaws in software that make all of us insecure, rather than disclosing them to the vendors.

3:40 p.m.

Conservative

The Chair Conservative Pat Kelly

Thank you.

Mr. Green, for up to six minutes.

3:40 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

I would love to continue along that line, because I think it's important for the benefit of this committee that we get a better sense of just what this sector looks like.

I know, Professor Deibert, you talked about its being rogue, mercenary companies. Can you perhaps expand on this, from your research, and what this sector looks like, who's acting in it, where the subject matter expertise is coming from and why we should be concerned about that?

3:40 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Very little is known about this industry; it operates in the shadows by definition. It's similar to the trade in weapons technology or private intelligence. These firms, generally speaking, don't like to publicly disclose what they're doing or who their clients are, which makes public accountability and transparency very difficult. We at the Citizen Lab, along with several other organizations, have spent well over 10, close to 15, years investigating this industry using a variety of technical methods and forensic methods.

What we've found is that there's almost no international regulation around this industry; they're selling to any government client. Most of the governments, unfortunately, in the world are authoritarian or illiberal, and naturally, they're using this technology not in the ways we're hoping for it to be used here. They're using it to go after political opposition, civil society, journalists, activists and others. They're making millions of dollars doing so, and they obfuscate their corporate infrastructure from investigators like us.

This is a very serious global human rights and national security issue. All you need to do is look at the reactions at the most senior levels of the United States government. The Biden White House, the Department of Justice, the Department of State and the U.S. Department of Commerce have all come out and said effectively exactly what I'm saying to you right now. We are really asleep at the wheel on the threats raised by the global mercenary spyware industry, and we need to urgently correct that.

3:45 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

I know there's been local reporting, and we've heard it today, in testimony from the government side referencing a former prime minister, Stephen Harper, being involved. I think there are reports of a former ambassador to Israel also being involved, or at least reported as being involved. Can you speak to the relationship between those within governments who've had perhaps some of the highest levels of security clearance then acting as—and I think you framed it quite rightly—a “mercenary” sector? Can you talk about the dangers of people who have access to top clearances then retiring into this sector, both from elected and civil agencies, but also from some of our highest law enforcement agencies as well?

3:45 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

This is a very serious concern, because there is a very well-documented revolving door, with people who work for intelligence services then going off and making money, some of them very honourably, unfortunately, and some of them not. I think it's shameful that a former prime minister would be involved in selling surveillance technologies, brokering Canadian firms' sales to Gulf clients who have a well-documented history of human rights abuses, which is why I said in my recommendations that we need to impose a lifetime ban on those who have worked for intelligence and law enforcement from ever working for mercenary spyware firms.

We also need to have clear rules in this country on export controls over surveillance technologies. Citizen Lab has documented the export of censorship and surveillance technologies made by firms based in Canada that have helped facilitate, frankly, violations of human rights abroad that would be unacceptable in this country. I'm shocked to say that there really are zero licensing or export controls in this country for the export or sale of spyware and surveillance technology of the type that we're talking about here. That needs to change.

3:45 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Just to be clear so that we can have you on the record, sir, is that a recommendation you're providing this committee so that we would recommend, as a committee, that these things be implemented, or is that just a comment?

3:45 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Yes, 100%, it was in my testimony as a specific recommendation. We desperately need guidance to Canadian businesses, clear ground rules on to whom they can sell their technology so that we don't end up having Canadian firms supplying surveillance technology like they have to regimes abroad such as the United Arab Emirates, Russia, Turkey and elsewhere around the world to help facilitate practices that would be clearly a violation of the charter in this country.

3:45 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

There's still the concern that our government could do indirectly what it's not allowed to do directly by then taking advantage, perhaps, of information that might be unlawfully obtained by foreign actors. They could be friendly foreign actors; you can look at the use of Pegasus in places like Mexico. Pegasus is just a brand. It's the technology that's out there that's pervasive.

3:45 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

That's correct.

3:45 p.m.

NDP

Matthew Green NDP Hamilton Centre, ON

Could you comment, perhaps, on the possibility of having, in the hands of government, information that might be politically sensitive? We've seen this technology used against the media and against partisan opposition. Is that something you'd care to expand on and comment on here?

3:45 p.m.

Professor of Political Science, and Director, Citizen Lab, Munk School of Global Affairs and Public Policy, University of Toronto, As an Individual

Ronald J. Deibert

Mr. Chairman, I would say that many of the manufacturers of spyware have close relationships, for geostrategic reasons, to the governments in the countries where they're located. I don't have any confidence that information that is collected by those spyware companies on behalf of government clients doesn't end up being passed on to specific individuals connected to their home government jurisdictions, which is why it's also a security risk.

We need to have better due diligence around procurement. With due respect to one of my fellow panellists here, I don't see any operational security reason that we cannot disclose from whom we're purchasing this technology. Disclosing that, frankly, has no bearing or tips off no one. It's good practice. It's mature, and a mature approach to a 21st century problem.

3:45 p.m.

Conservative

The Chair Conservative Pat Kelly

Thank you.

With that, we will go to Mr. Williams for up to five minutes.

3:45 p.m.

Conservative

Ryan Williams Conservative Bay of Quinte, ON

Thank you very much, Mr. Chair.

I'm going to stick to the professor as well.

Mr. Deibert, thank you for being here today.

In respect to the RCMP's use of this Pegasus-like cellphone hacking, this committee heard yesterday that these tools have been used since 2017, and not a single consultation has taken place with the Privacy Commissioner. They had to hear about it in the news. You understand well, as you've demonstrated, the implications this technology can have. Do you find the RCMP's decision to keep this information from Canadians acceptable?