“Widespread Use of Spyware by Federal Departments Raises Privacy Concerns in Canada”

Spyware normally associated with the intelligence world is being used by 13 federal departments and agencies. (Yosri Mimouna/Radio-Canada)

A recent disclosure has revealed that 13 federal departments and agencies in Canada are utilizing spyware tools, typically associated with intelligence operations, without conducting mandatory privacy impact assessments. This information, obtained under access to information legislation and shared with Radio-Canada, has raised serious concerns among experts and privacy advocates.

The spyware in question, procured from suppliers such as Cellebrite, Magnet Forensics, and Grayshift, is capable of retrieving and analyzing encrypted and password-protected data from various devices. This includes accessing text messages, contacts, photos, travel history, and even cloud-based data, internet search history, and social media activities.

Surprisingly, departments such as the Canadian Radio-television and Telecommunications Commission (CRTC) are among the users of this high-level surveillance technology. Evan Light, an associate professor of communications at York University and an expert in privacy and surveillance technology, expressed alarm over the broad use of such tools, calling it “worrisome and dangerous.”

According to a directive from the Treasury Board of Canada Secretariat (TBS), all federal institutions must conduct a privacy impact assessment (PIA) before engaging in activities that involve the collection or handling of personal information. However, Radio-Canada’s inquiries revealed that none of the departments using the spyware had conducted such assessments.

Federal privacy commissioner Philippe Dufresne appeared before a Parliamentary committee in August 2022 to speak about a study into RCMP investigative tools. ( Adrian Wyld/Canadian Press)

The Department of Fisheries and Oceans has indicated intentions to conduct a PIA, but the overall lack of compliance has highlighted a worrying normalization of surveillance practices. Some departments defended their use of spyware for internal investigations, such as employee fraud or harassment cases, asserting that data extraction was limited to government-issued devices and followed internal protocols for data protection.

Canada’s Privacy Commissioner Philippe Dufresne emphasized that judicial authorization does not negate the requirement for a PIA. He stressed the importance of assessing privacy impacts, especially with new, powerful, and potentially intrusive tools. Dufresne has also called for making PIAs a binding legal obligation under the Privacy Act.

This revelation has triggered a debate on the accountability of federal agencies in using spyware and respecting citizens’ privacy rights. Privacy is not just an abstract concept, but a fundamental right, as underscored by Light. The story raises critical questions about the balance between national security, law enforcement needs, and the protection of individual privacy rights in the digital age.