Skip to main content

Ron Deibert, founder of the University of Toronto's Citizen Lab, appeared at a parliamentary committee hearing looking at the RCMP's use of spyware on Aug. 9.J.P. MOCZULSKI/The Globe and Mail

A top security researcher is criticizing the federal government for refusing to disclose the entity that is providing the RCMP with the tools to secretly capture data from cellphones.

Ron Deibert, the founder and director of the University of Toronto’s Citizen Lab, a leading research group on information security issues, warned a parliamentary committee Tuesday that the global industry behind such technology is very poorly regulated and complicit in human-rights abuses around the world.

He said Canada’s procurement of spyware technology must be transparent and have rules for vendors, so that the federal government does not enrich firms that also sell to foreign governments that use spyware to target journalists, political opposition groups, activists and other innocent parties.

“Our procurement is a lever on the industry,” Mr. Deibert said. “If we’re going to spend millions of dollars buying this technology – it’s very expensive, by the way – we can impose conditions on the firms, and say, ‘You know what, we’re not going to buy from firms that have been widely associated with gross human-rights violations,’ unless they comply with certain standards.”

The House standing committee on access to information, privacy and ethics heard from the researcher during a two-day study on the RCMP’s controversial use of on-device investigative tools, or ODITs, which was revealed in June. While the hearings answered some questions, they also opened a Pandora’s box of questions about digital surveillance in Canada.

Using ODITs, the RCMP can covertly gain access to text messages, e-mails, photos and videos stored on a cellphone or other electronic device, as well as collect audio recordings from within range of the device and capture images using a built-in camera, according to the agency’s response to an order-paper question in the House of Commons. The RCMP has said in its testimony and its order-paper response that the tools are not used for “mass surveillance,” but are targeted and time-limited and require judicial authorization.

The RCMP has used ODITs in 32 investigations since 2017, during which 49 devices were targeted, according to a letter sent to the committee from RCMP Commissioner Brenda Lucki.

In testimony on Monday, RCMP officials and Public Safety Minister Marco Mendicino side-stepped a number of key questions over the tools’ use, citing “operational integrity.” While the officials would not confirm where the technology is sourced, they noted the RCMP is not using Pegasus – a highly controversial hacking software developed and licensed by the Israeli company NSO Group.

Liberal MP Nathaniel Erskine-Smith, who was sitting in for a committee member, called this refusal to identify the technology’s provider “concerning,” noting how Pegasus, as an example, has been used to undermine human rights around the world, including by targeting journalists and others. “Shouldn’t we know who the vendor is so we can conduct some level of due diligence?” he said.

Parliamentary committee to begin study of RCMP’s use of cellphone spyware

Mr. Deibert also told the committee that he found the refusal to identify the vendor problematic.

“When asked pointedly about this question, the Minister of Public Safety declined to answer and I don’t think that’s a legitimate answer,” he said.

The researcher said these surveillance tools are vastly different from a traditional wiretap, and should require higher standards for use. “Advanced spyware is to surveillance [what] nuclear technology is to weapons – it represents a quantum leap forward in sophistication and power,” he said.

Mr. Deibert made seven recommendations to the committee, including that Canada penalize spyware firms that are known to have facilitated human-rights abuses abroad and develop procurement guidelines to avoid ever contracting with such firms.

In her remarks, Brenda McPhail, director of the privacy, technology and surveillance program at the Canadian Civil Liberties Association, said Canada should consider creating a list of banned spyware vendors, stating the U.S. has already done so.

“[It] would provide some public assurance that our tax dollars are not going to support these dangerous and mercenary companies,” she said.

She also called for the creation of an independent advisory body to create national standards for the procurement and use of surveillance technologies.

The three witnesses who spoke on Tuesday afternoon – Mr. Deibert, Ms. McPhail, and national security and intelligence expert Michel Juneau-Katsuya – agreed that Part 6 of the Criminal Code, which deals with law-enforcement surveillance, is due for a review to keep up with changing technology. The section hasn’t seen a major amendment for more than 20 years, Ms. McPhail said.

Earlier in the day, Daniel Therrien, the former federal privacy commissioner, said he was “surprised” by the tool being used by the RCMP – and how intrusive it is. He did not, however, criticize the RCMP for its use of ODITs.

“I’m not saying that it is unacceptable for ODITs to be used, but it was surprising that in the context of many, many debates in the public about challenges of encryption that – when I was privacy commissioner – I was not told that a tool was used to overcome encryption,” Mr. Therrien said.

Mr. Therrien emphasized that safeguards are in place around the use of the tools, citing laws that require judicial authorization prior to their use, but when asked directly, he acknowledged the tools have the potential to violate Canadians’ Charter rights.

During the hearings, concerns were also raised about the use of invasive surveillance outside the context of law enforcement, with Mr. Juneau-Katsuya noting, “Private companies are using this kind of technology far greater and far more than law enforcement.”

For subscribers only: Get exclusive political news and analysis by signing up for the Politics Briefing.