Canada’s former privacy commissioner says he was “surprised” to learn the RCMP had for years used “intrusive” spyware technology to monitor suspects’ encrypted devices.
And Daniel Therrien, who served as privacy commissioner from 2014 to 2022, confirmed that his office was not told about the secretive RCMP program, which hacked into 49 individual devices since 2017 while pursuing targets suspected of serious crimes like terrorism and murder.
“I was surprised by the tool itself and how intrusive it was, it is, and that it was used for so long,” Therrien told the House of Commons Ethics committee Tuesday.
“Certainly there have been many discussions over the years … on the ‘lawful access’ issue. And both in my term as commissioner and when I was at the Department of Justice, I was following and part of these discussions. But the use of this particular tool to go around encryption? Yes, it was a surprise.”
The RCMP revealed to Parliament in June that it used what it called “on-device investigative tools” or ODITs — spyware that gives the force a range of surveillance techniques such as remotely listening in on device microphones or activating cameras, along with collecting data like text messages or emails. The force said this type of electronic monitoring happened 10 times between 2017 and 2018.
In a letter to the committee released Monday, RCMP Commissioner Brenda Lucki revised that number up to 32 cases between 2017 and 2022, with 49 individual devices monitored.
Lucki said the force only used the investigative technique in the most serious cases, and “only if approved by a judge who explicitly authorizes the use of ODITs on a specific suspect’s device.” Of the 32 instances detailed by the RCMP to the committee, eight of them involved terrorism, six related to trafficking and five were murder investigations.
But civil society groups and privacy advocates argue that Canada should not be engaging in the “mercenary spyware” market that has targeted activists, political dissidents, political figures and journalists across the world.
Ron Deibert, the director of The Citizen Lab at the University of Toronto and an expert in surveillance technology, said comparing this type of spyware to traditional wiretaps is like comparing nuclear weapons to traditional armaments.
“For example, NSO Group’s Pegasus spyware provides unfettered access to a target’s entire pattern of life. The spyware’s capabilities include access to all the targeted phone’s contents, including encrypted apps (e.g. passwords, contact lists, calendar events, text messages, etc.), the ability to download files, the ability to listen to phone calls, track location, and remotely turn on/off the camera and microphone,” Deibert said in a written submission to the committee.
While the RCMP have denied they use Pegasus — only the most infamous and well-known version of spyware on the market — their ODIT program includes many of the same capabilities. The RCMP has declined to say what company or companies they purchase their spyware from.
“In order for their activities to be legitimate and lawful, law enforcement agencies in Canada need to explain what investigative techniques they are using and under what authority,” Deibert wrote.
“The secretive adoption and use of invasive surveillance technology erodes public confidence in law enforcement and more generally threatens democracy and rule of law. Despite the nuclear-level capabilities of such spyware, it is remarkable that there has been zero public debate in Canada prior to the RCMP’s … use of this type of technology.”
Therrien, who before being appointed privacy commissioner in 2014 worked on national security and law enforcement at the Department of Justice, has been a key player in the “lawful access” debate in Canada.
That debate centred on encryption. Millions of Canadians use encrypted communications every day — to protect their emails and text messages from hackers, to ensure their online financial transactions are safe, and to better secure their web traffic.
Police and intelligence agencies have long argued that encryption also allows criminals to hide their plans and activities — essentially scrambling their communications and making it more difficult to collect evidence.
But Mark Flynn, the RCMP assistant commissioner responsible for national security and protective policing, told the ethics committee that the RCMP has had tools since at least 2002 to circumvent encryption.
Therrien said he was surprised that, through years of debate about “lawful access” issues, he wasn’t aware that the RCMP had the capability to access suspects’ encrypted communications.
“Part of my surprise was there has been an ongoing debate, a public debate, in the context of lawful access about this specific issue: to what extent can the police use means to overcome challenges of encryption,” Therrien said.
“And it never came about in public debate that ODITs were used (to do that). So I’m not saying that it is unacceptable for ODITs to be used, but it was surprising that in the context of many, many debates in the public about the challenges of encryption that, when I was privacy commissioner, that I was not told that a tool was used to overcome encryption.”