Canada to Study Federal Departments' Use of Tools to Extract Personal Data

A recent report published by Radio-Canada has shown that several federal departments and agencies in Canada have been using tools that can extract personal information from devices such as phones, computers, or tablets, without conducting a Privacy Impact Assessment (PIA) beforehand, although this is a requirement under Canada’s directives, such as that issued by the Treasure Board of Canada Secretariat. 

The tools in question can recover and analyze data from various devices, even encrypted and password-protected information, such as text messages, contacts, photos, and travel history. An expert in privacy and surveillance technology at York University, Evan Light, called this “a bit ridiculous, but also dangerous” as this type of software can access cloud-based data, reveal internet search history, deleted content, and social media activity. The documents shared with Radio-Canada indicated that the equipment and software were acquired from suppliers Cellebrite, Magnet Forensics, and Grayshift, the first of whom has already clarified that its technologies are forensic and used in accordance with legal due process or appropriate consent after an event has occurred. Despite this, a concern has arisen from the absence of privacy impact assessments from the federal departments related to the normalization of extreme surveillance capabilities.

When asked about this, several of the 13 federal departments and agencies said either that they were intending to conduct PIAs following the publication of the report, or that they had not conducted privacy impact assessments because they had obtained judicial authorizations, such as search warrants. However, privacy commissioner Philippe Dufresne has emphasized that judicial authorization does not exempt the need for a privacy impact assessment, especially for new and powerful tools. Some departments have argued that they only use the tools on government-owned devices, citing internal protocols for protection, such as cases of suspected harassment.

The lack of privacy impact assessments in these cases has prompted calls for accountability and a closer examination of the tools' impact on privacy rights, which is why a parliamentary committee, responding to a motion by Bloc Québécois, has agreed to investigate the matter. The motion was adopted on December 6, 2023, with unanimous support from members of the standing committee on access to information, privacy, and ethics. 

Hearings are planned for January 2024, involving, among others, Treasury Board President Anita Anand, leaders of the 13 federal institutions using these tools, the Privacy Commissioner, or representatives of civil servant unions.