Senior Canadian Defence Department IT officials have been rebuked by an MP for not doing a privacy impact assessment on software that can extract personal data from military members’ government-issued computing devices.
Parliament’s privacy and ethics committee has been looking into a news report that 13 federal departments — including defence — have access to data extraction software, but haven’t completed privacy impact assessments (PIAs) as required by government policy.
According to the Office of the Privacy Commissioner, a PIA is a risk management tool that helps ensure the privacy impacts of technologies handling personal information are either addressed or minimized before a problem occurs.
On Tuesday, officials from five of the departments appeared before the committee, with some saying they were in varying stages now of doing PIAs on their applications.
Department of National Defence (DND) IT officials said they have an unnamed application and that it has been used.
Asked by MP Larry Brock if DND completed a PIA assessment before using it, the officials weren’t in alignment.
“I’m not sure, to be honest,” replied Sophie Martel, DND’s acting chief information officer.
“We did not,” said Brig-Gen. Dave Yarker, director general for the defence department’s Cyber Command and control information systems operations.
“Why do you think you don’t have to do it?” Brock demanded.
“Your members are Canadian citizens … Your failure to do a PIA is a failure to safeguard and protect the privacy of your members.”
The hearing was sparked by a Radio-Canada report late last year that “spyware normally associated with the intelligence world is being used by 13 federal departments and agencies,” including products from Cellebrite and Magnet Forensics.
None of the departments did a software privacy impact statement, the news story said. That was partly confirmed in testimony last week from federal privacy commissioner Philippe Dufresne. He found three departments had submitted PIAs on the software, but eight had only started the work, or were considering doing a new assessment or updating an existing one. One department believes a PIA isn’t required, while another said it bought the software but hasn’t used it, so hasn’t done a PIA.
That department would appear to be Natural Resources, whose staff testified Tuesday that if its tool has to be used, a PIA would immediately be filled out.
Witnesses — and some MPs — strove to make it clear there’s a difference between spyware — applications inserted surreptitiously on a mobile device to monitor communications — and forensic tools like Cellebrite or Magnet Forensics that are used to pull data from devices a department may have seized.
“We’re not surveilling Canadians,” Martel said. “We’re here to support Canadians. We’re here to keep them safe. We’re monitoring (DND) networks. We’re not monitoring people.”
“We would not be called upon to surveil Canadians,” added Yarker. “It’s not within our mandate.”
RCMP Deputy Commissioner Bryan Larkin confirmed the Mounties do use digital extraction tools including Cellebrite and Magnet Forensics. “These tools are not used for surveillance or mass surveillance,” he said.
PIAs for RCMP applications will be done by the middle of the year, he added.
The committee also heard Tuesday from officials from the Correctional Service of Canada and the Canadian Border Services Agency (CBSA).
Aaron McCrorie, vice-president of the border agency’s intelligence and enforcement unit, said data extraction tools are used to unlock mobile devices seized from people trying to enter Canada, under court orders.
France Gratton, assistant commissioner for correctional operations and programs at Corrections Canada, said the data extraction tool is used only on mobile devices seized from prisoners, which they aren’t allowed to have.
Officials from other departments are scheduled to testify Thursday. However, MPs appeared to be convinced there is no outbreak of spyware being used against Canadians by government departments. Instead, they seemed to agree upcoming hearings should focus on asking officials of Treasury Board why its policy that PIAs have to be done for all applications used by federal departments isn’t being followed, and asking unions representing federal employees if they have concerns about possible electronic surveillance in the workplace.
According to the federal privacy commissioner, a PIA should include:
a description of the planned program or activity and its objectives;
an assessment of the program’s privacy compliance as well as its potential impacts on individuals’ privacy;
the measures planned to minimize impacts and to comply with the Privacy Act (the privacy legislation federal departments and agencies must follow), applicable Treasury Board policies, directives, and guidelines, as well as best practices.