Spyware being used by 13 federal departments, documents show

Spyware normally associated with the intelligence world is being used by 13 federal departments and agencies, according to contracts obtained under access to information legislation and shared with Radio-Canada.

Radio-Canada has also learned those departments' use of the spyware did not undergo a privacy impact assessment as required by federal government directive.

The tools in question can be used to recover and analyze data found on computers, tablets and mobile phones, including information that has been encrypted and password-protected.

This can include text messages, contacts, photos and travel history.

It's a bit ridiculous, but also dangerous.

– Evan Light, York University

Certain software can also be used to access a user's cloud-based data, reveal their internet search history, deleted content and social media activity.

Radio-Canada has learned other departments have obtained some of these tools in the past, but say they no longer use them.

Evan Light, associate professor of communications at York University's Glendon campus in Toronto and an expert in privacy and surveillance technology, said he's shocked by the widespread use of such spyware within the federal government.

"It's worrisome and dangerous," said Light, who filed the original access to information request to find out more about how police agencies in Canada are using the technology.

"I thought I would just find the usual suspects using these devices, like police, whether it's the RCMP or [Canada Border Services Agency]. But it's being used by a bunch of bizarre departments," he said.

According to the documents Light shared with Radio-Canada, Shared Services Canada purchased the equipment and software for the end users from suppliers Cellebrite, Magnet Forensics and Grayshift. (The latter two companies merged earlier this year).

The companies say they have developed strict controls to ensure that their technologies are used in accordance with the law, according to their websites.

After publication of this story, Cellebrite said in an email that its "technologies are not used to intercept communication or gather intelligence in real time. Rather, our tools are forensic in nature and are used to access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred. The person/suspect does know our technology is obtaining data through court/judicial permission through a search warrant or consent by the individual."

'Normalization' of surveillance

A directive from the Treasury Board of Canada Secretariat (TBS) requires that all federal institutions carry out what it calls a privacy impact assessment (PIA) prior to any activity that involves the collection or handling of personal information, with the goal of identifying privacy risks and ways of mitigating or eliminating them.

According to the directive, which took effect in 2002 and was revised in 2010, federal departments must then provide a copy of their PIA to the TBS and the Office of the Privacy Commissioner.

Radio-Canada asked each of the federal institutions using the spyware if they had first conducted privacy impact assessments. According to their written responses, none did. The Department of Fisheries and Oceans said it intends to do so.

The fact that these assessments were never done "shows that it's just become normalized, that it's not a big deal to get into somebody's cell phone," said Light. "There's been a normalization of this really extreme capability of surveillance."

Some departments said a PIA wasn't necessary because they had already obtained judicial authorizations such as search warrants, which impose strict conditions on the seizure of electronic devices.

Others said they only use the material on government-owned devices — for example, in cases involving employees suspected of harassment.

Use of spyware with judicial authorization:

Search and seizure

According to Canada's Privacy Commissioner Philippe Dufresne, however, a judicial authorization does not remove the requirement for a PIA.

"When these tools are new, very powerful and potentially intrusive, even in a system where there are judicial controls, it is important to assess the impacts on privacy," Dufresne told a parliamentary committee looking into the use of spyware by the RCMP last year.

A PIA will indicate whether a department can get the information it's after through less intrusive means, Dufresne explained.

We might come to the conclusion that a tool is intrusive but necessary, he explained. But these questions must be addressed, he said.

Light calls the use of spyware by such organizations as the Canadian Radio-television and Telecommunications Commission (CRTC), a regulatory agency, "overkill."

"The CRTC is bringing a nuclear weapon to a spam fight," he said. "It's a bit ridiculous, but also dangerous."

Some of the departments say they use the tools to conduct internal investigations when employees are suspected of fraud or workplace harassment, for example. They say data is only extracted from government-issued devices in accordance with internal protocols that govern the collection and storage of personal information to ensure its protection.

But the TBS confirmed to Radio-Canada that its directive on PIAs also applies to such cases, adding the government "takes seriously the privacy rights of Canadians, including its employees."

Use of spyware for internal investigations:

The Canada Revenue Agency said it uses the tools "to analyze data related to alleged tax offences," while the Transportation Safety Board of Canada said it uses them "to collect and analyze data related to an incident." The agencies provided few other details.

Asked if they also conducted PIAs, the departments referred Radio-Canada to Shared Services Canada, the signatory of the contracts with suppliers. Shared Services confirmed it did not carry out such assessments.

WATCH | An associate professor's analysis:

Privacy 'not an abstract concept'

Treasury Board President Anita Anand declined Radio-Canada's request for an interview.

According to her office, each federal institution is responsible for enforcing privacy laws and policies, but her office did not say what happens when these institutions fail to fulfil those obligations.

Privacy protection should be a key element "before adopting high-risk technological tools to collect personal information," the privacy commissioner wrote in an email to Radio-Canada.

Dufresne also reiterated that he wishes the federal government made PIAs "a binding legal obligation" under the Privacy Act.

Light said he's disappointed no one in the federal government seems accountable for the use of spyware that could have a "dramatic" impact on people's lives.

"We have a right to privacy. It's not an abstract concept," he said.