Tools capable of extracting personal data from phones being used by 13 federal departments, documents show

Tools capable of extracting personal data from phones or computers arebeing used by 13 federal departments and agencies, according to contracts obtained under access to information legislation and shared with Radio-Canada.

Radio-Canada has also learnedthose departments' use of the toolsdid not undergo a privacy impact assessment as required byfederal government directive.

The tools in question can be usedto recover and analyze data found on computers, tablets and mobile phones,including information that has been encrypted and password-protected.

This can includetext messages, contacts, photos and travel history.

It's a bit ridiculous, but also dangerous.- Evan Light, York University

Certain software can also be used to access a user'scloud-based data, reveal their internet search history,deleted contentand social media activity.

Radio-Canada has learned other departments have obtained some of these tools in the past, but say they no longer use them.

Evan Light, associate professor ofcommunications at York University's Glendon campus in Toronto and an expert in privacy and surveillance technology, said he's shocked by the widespread use of such software within the federal government.

"It's worrisome and dangerous,"saidLight, who filed the original access to information request to find out more about how police agencies in Canada are using the technology.

"I thought I would just find the usual suspects using these devices, like police, whether it's the RCMP or [Canada Border Services Agency].But it's being used by a bunch of bizarre departments," he said.

According to the documents Light shared with Radio-Canada, Shared Services Canada purchased the equipment and software for the end users from suppliersCellebrite, Magnet Forensics and Grayshift. (The latter two companies merged earlier this year).

The companies say they have developed strict controls to ensure that their technologies are used in accordance with the law, according to their websites.

After publication of thisstory, Cellebritesaid in an email that its "technologies are not used to intercept communication or gather intelligence in real time. Rather, our tools are forensic in nature and are used to access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred. The person/suspect does know our technology is obtaining data through court/judicial permission through a search warrant or consent by the individual."

'Normalization' of surveillance

A directive from the Treasury Board of Canada Secretariat (TBS) requires that all federal institutions carry out what it calls a privacy impact assessment (PIA)prior to any new activity that involves the collection or handling of personal information, with the goal of identifyingprivacy risks and ways of mitigating or eliminating them.

According to the directive, which took effect in 2002 and was revised in 2010, federal departments must then provide a copy of their PIA to the TBS and the Office of the Privacy Commissioner.

Radio-Canadaasked each of the federal institutions using the softwareif they had first conducted privacy impact assessments. According to their written responses, none did. The Department of Fisheries and Oceans said it intends to do so.

The fact that these assessments were never done "shows that it's just become normalized, that it's not a big deal to get intosomebody's cell phone,"said Light. "There's been a normalization of this really extreme capability of surveillance."

Some departments said a PIA wasn't necessarybecause they had already obtained judicial authorizationssuch as search warrants, which imposestrict conditions onthe seizure of electronic devices.

Others said they only use the material on government-owned devices for example, in cases involving employeessuspected ofharassment.

Use with judicial authorization:

Search and seizure

According to Canada's Privacy CommissionerPhilippe Dufresne, however, a judicial authorization does not remove the requirement for a PIA.

"When these tools are new, very powerful and potentially intrusive, even in a system where there are judicial controls, it is important to assess the impacts on privacy," Dufresne tolda parliamentary committee looking into the use of the on-device investigative toolsby the RCMP last year.

A PIA will indicate whether a department can get the information it's after through less intrusive means, Dufresne explained.

We might come to the conclusion that a tool is intrusive but necessary, he explained. But these questions must be addressed, he said.

Light calls the use of these toolsby such organizations as theCanadian Radio-television and Telecommunications Commission (CRTC), a regulatory agency,"overkill."

"The CRTC is bringing a nuclear weapon to a spam fight," he said. "It's a bit ridiculous, but also dangerous."

Some of the departments say they use the tools to conductinternal investigationswhen employees are suspected of fraudor workplace harassment, for example.They say data is only extracted from government-issued devices in accordance with internal protocols that govern the collection and storage of personal information to ensure its protection.

But the TBS confirmed to Radio-Canadathat its directive on PIAs also applies to such cases, adding the government "takes seriously the privacy rights of Canadians, including its employees."

Use for internal investigations:

After this story was published,the Transportation Safety Board reached out to Radio-Canada on Nov. 30and said the"TSB has statutory powers pursuant to Section 19 of the Canadian Transportation Accident Investigation and Safety Board Act to collect information for its investigations."

The Canada Revenue Agency said it uses the tools"to analyze data related to alleged tax offences," whilethe Transportation Safety Board of Canada said it uses them "to collect and analyze data related to an incident." The agencies provided few other details.

Asked if they also conducted PIAs, both institutionsreferred Radio-Canada to Shared Services Canada,the signatory of the contracts with suppliers. Shared Services confirmed it did not carry out such assessments.

WATCH | An associate professor's analysis:

Use of tools capable of extracting personal data from phones by several federal departments 'worrying,' says privacy expert

10 months ago

Duration 0:38

Evan Light, associate professor of communications at York University's Glendon campus, said he's shocked by the widespread use of tools capable of extracting personal data from phones being used in 13 departments and agencies within the federal government. Radio-Canada has learned those departments' use of the tools did not undergo a privacy impact assessment required by the federal government.

Privacy 'not an abstract concept'

Treasury Board President Anita Ananddeclined Radio-Canada's request for an interview.

According to her office, each federal institution is responsible for enforcing privacy laws and policies, but her office did not say what happens when these institutions fail to fulfilthose obligations.

Privacy protection should be a key element "before adopting high-risk technological tools to collect personal information,"the privacy commissioner wrote in an email to Radio-Canada.

Dufresne also reiterated that he wishes the federal government made PIAs"a binding legal obligation"under the Privacy Act.

Light said he's disappointed no onein the federal government seems accountable for the use of these toolsthat could have a "dramatic"impact on people's lives.

"We have a right to privacy. It's not an abstract concept,"he said.