Thank you, Mr. Chairman.
I am Ron Deibert, professor of political science and the founder and director of the Citizen Lab at the University of Toronto's Munk School of Global Affairs and Public Policy.
Since 2001, the Citizen Lab has researched information security issues, and one of the principal areas of our research has been the mercenary spyware industry, in which private actors sell hacking services to governments. We are widely recognized as one of the world's leading authorities on this topic.
My staff and I have testified or provided briefings numerous times to the U.S. White House, the Department of State, Congress, the European Parliament and other governments on this topic. I'm very pleased to be speaking about it for the first time before a Canadian House of Commons committee.
Today, I want to highlight several themes that arise from this research.
First, the mercenary spyware industry is very poorly regulated and is proliferating quickly. The industry lacks public accountability and transparency. It thrives in the shadows of the clandestine world and is spreading fast without proper controls.
Second, we have documented extensive harms and abuses in just about every jurisdiction in which spyware is deployed. Governments routinely use spyware to hack civil society, political opposition, journalists, lawyers, activists, family members and other innocent victims—both domestically and abroad—including victims living here in Canada.
Third, the mercenary spyware industry is not only a threat to civil society and human rights; it is also a threat to national security. We've observed heads of state and senior government officials who have had their phones hacked with spyware. Not long ago, we notified U.K. authorities about a device we observed being hacked at 10 Downing Street, the residence of the Prime Minister. In short, our 10-plus years of research show that the spyware industry is one of the most serious threats to civil society, human rights and democracy today.
The recent revelation about the RCMP using spyware raises serious concerns.
First, spyware is not like a traditional wiretap; it is more like a wiretap on steroids. Advanced spyware is to surveillance as nuclear technology is to weapons; it represents a quantum leap forward in sophistication and power. The latest versions provide silent and unfettered access to a target's entire pattern of life. Despite these nuclear-level capabilities, it is remarkable that there has been zero public debate in Canada prior to the RCMP's recent revelation.
Second, the threshold for use, oversight, transparency and public accountability must be much higher than for a traditional wiretap. This is especially critical because the RCMP and other security agencies in Canada have a well-documented history of abuses and discriminatory practices.
Third, we need transparency with respect to where Canadian agencies are procuring this technology. Yesterday, the Minister of Public Safety would not acknowledge to this committee from which vendor or vendors the Canadian government purchased spyware. There is absolutely no reason why that should not be disclosed, and there are plenty of good reasons that it should. Our procurement should be transparent and include rules for vendors so that we do not purchase from—and help enrich—firms that sell to governments abroad that threaten Canada's values and security.
Fourth, there are serious public safety concerns around the very existence of this technology. Mercenary spyware is founded on the discovery of software flaws that the software vendors themselves are unaware of or have not patched. The very use of this technology fuels a market that exploits collective insecurity on all of our devices. Canada's overall process, such as it is, to weigh the equities around these trade-offs is poor and opaque.
Fifth, the RCMP's quiet revelation sets a very bad example for the rest of the world. The Canadian government purports to protect human rights and stand for rule of law and democracy around the world. In adopting this technology without public debate and proper limits, we're essentially signalling to the world that we do not really care about these principles.
I will close my remarks with seven specific recommendations.
First, hold public hearings on the threats of the mercenary spyware industry, especially since Canadians have been victims.
Second, if Canadian agencies are going to use spyware, public consultation should be held, and the government should develop a legal framework that is compliant with the charter and international human rights law.
Third, Canada should develop strong export controls for the Canadian surveillance industry. Currently, there are none.
Fourth, Canada should penalize spyware firms that are known to facilitate human rights abuses abroad modelled after those in the United States.
Fifth, Canada should issue clear and forceful statements at the highest levels, for example, from the Prime Minister, Minister of Public Safety and Minister of Foreign Affairs, that we take this threat seriously.