The Canadian government is backing a U.S. effort to restrict the use of powerful commercial spyware that is used to surveil activists, journalists and dissidents.
While the two governments maintain their own sophisticated spying programs, the Biden administration has recently signalled growing concern with private market surveillance tools that can steal data like text messages and other sensitive information from mobile phones.
That concern was framed in Biden’s executive order on Monday, which restricted the U.S. government’s use of commercial spyware that poses “significant counterintelligence or security risks” to the U.S. or where the software could be improperly used by foreign governments.
Now, Canada and nine other nations — including Five Eyes intelligence allies Australia, New Zealand and the U.K. — are joining the Biden administration’s push.
A joint statement published Thursday acknowledges that “powerful and invasive” spyware has been abused by both authoritarian regimes and democracies, and commits the countries to enact “robust guardrails” to prevent misuse of the tools by their own governments.
“The misuse of these tools presents significant and growing risks to our national security, including to the safety and security of our government personnel, information, and information systems,” the document stated.
The countries recognize a “need for strict domestic and international controls and use of such technology,” the statement said.
The move sends a “strong signal” to spyware vendors and their investors that “business as usual is over, and that the very lucrative U.S. federal government market is out of bounds” for firms engaging in human rights abuses, according to Ron Deibert, director of Citizen Lab.
“The joint statement shows that the U.S. is actively encouraging other governments to follow suit,” Deibert, whose organization has documented the growth of “mercenary” spyware for years, told Global News Wednesday evening.
“Is there more work to be done? Absolutely. But the bottom line is a dial was turned a few notches and a giant machine has been moved in ways that will make life difficult for firms, their investors and government clients that profit from and cause harm worldwide.”
It remains to be seen what steps the Canadian government will actually take — if any — to limit the use of commercial spyware by its own department and agencies. The Prime Minister’s Office acknowledged Global News’ request for comment Wednesday evening, but did not respond as of deadline.
It’s also largely unclear what surveillance tools have been and are continuing to be used by federal law enforcement and intelligence agencies, such as the RCMP, the Canadian Security Intelligence Service (CSIS), and the Communications Security Establishment (CSE).
The RCMP denied they were deploying controversial facial recognition software Clearview AI, for instance, before admitting they used the tool after the Toronto Star obtained the company’s Canadian client list.
Last year, RCMP Assistant Commissioner Mark Flynn told a House of Commons committee that the Mounties have been deploying cell phone spyware since at least 2002 — with little public or political awareness the national force was using such invasive tools.
According to the joint statement released by the White House, Canada will establish “robust guardrails” to prevent spyware misuse by government departments and agencies, prevent the export of software to those who would use it for “malicious cyber activity,” and boost information sharing with allies about the proliferation of spyware tools.
“Our efforts will allow us to work collectively for the first time as we develop and implement policies to discourage the misuse of commercial spyware and encourage … (uses) consistent with respect for universal human rights, the rule of law, and civil rights and civil liberties,” the statement concluded.
Despite spearheading the initiative, the U.S. government does not appear to be open to discussing how often its own departments and agencies have made use of the technology.
In a background briefing with reporters on Monday, a senior U.S. administration official said they could not get into “additional details” about how often commercial spyware has been used by the U.S. government and federal law enforcement. The official said they publicly announced they were pursuing a ban last year, however, in order to send a message to companies attempting to make “inroads” with federal agencies.
“This is partly us getting ahead of a challenge, foreseeing the fact that there (were) no standards — no concrete and consistent standards across the U.S. government — and also, as a result, allowing us to lead by example with other partners around the world,” said the official, who spoke on the condition they not be named.
Even with the ambiguity about what, precisely, Canada is committing to do, Deibert called it a “positive” that Ottawa signed on to the initiative.
“History shows that there have been several Canadian firms engaged in providing surveillance services to autocrats and despots without any proper oversight or public accountability,” Deibert said.
“Alongside the recent and very vague RCMP disclosures on spyware, these demonstrate a policy and regulatory vacuum in Canada.”
“Hopefully, signing on to this pledge will trigger more substantial initiatives following the U.S. lead.”
— with a file from the Associated Press.