Longtime watchdog says RCMP's use of spyware came as a surprise

OTTAWA, Ont. — Canada’s former privacy watchdog says he was “surprised” to learn the national police force has been using spyware to conduct covert surveillance for years, given the intrusiveness of the technology.

Daniel Therrien said he was never informed about the RCMP’s use of spyware, despite spending eight years as the federal privacy commissioner, from 2014 until earlier this year.

“It was surprising that in the context of many, many debates in the public about the challenges of encryption, that when I was privacy commissioner, I was not told that a tool was used to overcome encryption,” Therrien told the House of Commons ethics committee Tuesday.

The House committee launched a study this week of the RCMP’s use of spyware, prompted by POLITICO’s revelation in June that the police force had admitted to using spyware to hack mobile devices. The RCMP has the ability to intercept text messages, emails, photos, videos, financial records and other information from cellphones and laptops, and to remotely turn on a device’s camera and microphone.

Documents submitted to the committee by the RCMP say the force has used spyware to infiltrate 49 devices as part of 32 investigations since 2017. The investigations involved serious crimes, including terrorism, murder and drug trafficking.

On Monday, however, an RCMP official told the committee the police force has used similar technology as far back as 2002. Mark Flynn, the RCMP’s assistant commissioner for national security and protective policing, suggested the use of intrusive technology for surveillance has evolved gradually, as encrypted communication became more widespread, making traditional wiretaps less useful.

Therrien said he accepts that encryption is a challenge for law enforcement, and there could be compelling reasons to use spyware in certain investigations. But he disagreed with the RCMP’s characterization of spyware as simply another necessary tool.

“There is no question that this particular tool is extremely intrusive. It’s more intrusive than traditional wiretap tools,” he said. “It sits on the digital device of the individual and … the police has access to everything on that phone.”

The RCMP has previously spoken publicly about the challenges of encryption. In 2016, the police force gave two media outlets an inside look at 10 active investigations it said were being stymied by encryption. But at the time, the RCMP did not say anything about already having tools at its disposal to overcome encryption.

The police force says spyware is only used in the most serious cases, often involving national security and organized crime, and only with judicial authorization.

Therrien said he has no reason to doubt the force’s claims. “I don’t think the RCMP is a rogue institution,” he said. “I do not start from the premise that the RCMP wishes to disrespect these terms and conditions.”

Still, he agreed with the recommendation from current privacy commissioner Philippe Dufresne, who appeared Monday before the committee, that government institutions should be legally required to submit privacy impact assessments to his office prior to launching new programs that could affect people’s privacy. “If you want more transparency, make it a legal requirement,” he said.

In documents tabled in the House of Commons in June, the RCMP said it had only begun to draft a privacy impact assessment in 2021, despite spyware having already been in use for years. On Monday, Dufresne confirmed he had yet to receive any information from the police force about the spyware program, though he’s expecting a briefing later this month.

Therrien also echoed a warning offered to MPs yesterday by Flynn, who said foreign agents were likely targeting them using spyware. “There are a number of countries around the world that are not democratic, do not care much for the rule of law, and it is entirely possible … that other states do intercept the communications of foreign nationals, including Canadians, for their own purposes,” he told the committee. “According to the RCMP, it’s a fact.”

Though Therrien conceded the RCMP may have valid reasons to use spyware in certain cases, he said there should be laws governing the sale, import and export of such technology. He also suggested its use should be banned outside of law enforcement. “I cannot really see any compelling reason why someone in the private sector should be able to use this technology,” he said.

On Monday, the RCMP confirmed it does not use controversial Pegasus spyware from Israeli firm NSO Group. But the force has refused to say who supplies the technology it uses.

Testifying before the committee later on Tuesday, Ronald Deibert, director of the University of Toronto’s Citizen Lab, said the government should be transparent about its spyware vendors. “There’s no operational security reason why we shouldn’t do that,” he said.

Deibert said spyware is “nuclear-level technology” and represents “a gold mine of information that is available to clients.”

The RCMP has a “pattern” of adopting new technologies and disclosing them after the fact, Deibert said. “That’s not how you build trust in law enforcement in a country. And we are better than that.”

Brenda McPhail, director of the privacy, technology and surveillance program at the Canadian Civil Liberties Association, said there should be a moratorium on the use of spyware by law enforcement, pending a public discussion about whether and how such tools should be used.

She also raised concerns that law enforcement exploits vulnerabilities in software “rather than help get them fixed.”

Both Deibert and McPhail said there need to be strict export controls for the Canadian surveillance industry. The industry currently “operates in the shadows,” Deibert said. “We are really asleep at the wheel.”