Study of device investigation tools used by the RCMP issue sheets

OPC Involvement in the Royal Canadian Mounted Police Covert Access and Intercept Team Program

Key Messages

  • The OPC learned about the Covert Access and Intercept Team (CAIT) Program from a media request received on June 27, 2022.
  • Despite Treasury Board of Canada Secretariat (TBS) requirements that Privacy Impact Assessments (PIA) be completed prior to program implementation and despite regular meetings my office has with the Royal Canadian Mounted Police (RCMP), the OPC has neither received a PIA on the tool, nor been consulted on it by the RCMP. Given that, we are unable to identify risks or concerns with the program.
    • At our request, the RCMP will provide us with a one-day demonstration on the use of On-Device Investigative Tools (ODIT) later this month.
  • The OPC has not received a complaint or initiated an investigation at this time. Should information come to light suggesting a potential contravention of the Privacy Act, the OPC could launch an investigation based on the identified risks to Canadians.
  • CAIT is not the only RCMP program we have learned about through the media. For instance, in 2020 we learned about RCMP’s use of Clearview AI’s facial recognition technology.

Background

  • Section 6.3.1 of the Treasury Board of Canada Secretariat (TBS) Directive on Privacy Impact Assessment requires institutions to develop PIAs for new or substantially modified programs where personal information is used as part of a decision-making process that directly affects the individual.
  • Based on our understanding of ODITs, we would expect an institution to consult with our office and submit a PIA in advance of the program, allowing us sufficient time to review and provide recommendations.
  • Should we learn anything concerning about ODITs during the demonstration, we will provide thorough advice on how to mitigate these risks.

Prepared by: Government Advisory Directorate

In consultation with: Compliance Sector

Relevant Investigative Findings

Key Messages

  • In 2017 we found the RCMP’s collection of phone location data by cell site simulators compliant overall with the Privacy Act, except in six cases where there were neither warrants nor exigent circumstances. In those cases, we found the RCMP contravened section 4 [collection] of the Privacy Act.
  • We encouraged the RCMP to increase openness and accountability about technologies it uses and their capabilities.
  • When we investigated the RCMP’s use of Clearview AI in 2020-2021, we found systemic gaps in its policies and systems to track, assess and control novel technologies. The RCMP contravened section 4 of the Privacy Act by collecting information from Clearview AI that it itself had collected in contravention of laws to which it was subject.
  • RCMP also initially told the OPC it was not using Clearview AI, and only confirmed it was after it became public.

Background

  • Over the past year, we engaged with the RCMP in respect of its implementation of the eight recommendations from our investigation of its use of Clearview AI, including launching a National Technology Onboarding Program (NTOP). We are currently reviewing its final report, submitted last month, on the matter.
    • The RCMP has made progress, but we are concerned that NTOP may not be sufficiently authorized and resourced to effectively change practices across a large, decentralized organization.
  • The OPC is currently investigating a complaint about RCMP’s Project Wide Awake (open-source intelligence gathering). It does not involve on-device investigation tools. Given the investigation is ongoing, we can provide no further information.
  • The RCMP is consistently in the list of the top 10 federal institutions against which we receive complaints; over the last five fiscal years, the OPC has received a total of 1468 complaints. Half (655) relate to situations where the time limit to respond to a personal information request has been exceeded.

Prepared by: Compliance Sector

NuEnergy.ai

Key Messages

  • My office learned from a media article in November 2021 that the RCMP was potentially working with NuEnergy.ai, a Canadian AI management firm, to develop an AI framework. In December 2021, we asked the RCMP for more information about this work.
    • We have been told a briefing is being coordinated, but have not received further details to date.
  • I note that although NuEnergy.ai appears on the list of authorized providers in the Government of Canada’s AI Source List (developed by Public Services and Procurement Canada (PSPC)), my Office cannot speak to their privacy posture as we were not consulted on their inclusion.
  • We welcome consultations on initiatives that impact privacy, especially those which involve the use of novel technology.

Background

  • In a letter written to ETHI on June 22, 2022, NuEnergy.ai described their work with the RCMP, including a reference to “an OPC investigation” which we believe refers to the RCMP Clearview AI investigation.
  • The RCMP recently provided a final report to our office in the context of our monitoring of the RCMP’s implementation of our recommendations in that investigation. We are still analyzing the RCMP’s submissions, and have no comments at this time.
  • The OPC’s business advisory team, which consults with the private sector on their privacy initiatives, has not had any direct dealings with NuEnergy.ai.

Prepared by: Government Advisory Directorate

In consultation with: Business Advisory Directorate and Compliance Sector (Compliance Intake and Resolution Directorate)


The Royal Canadian Mounted Police’s Response to the OPC’s investigation of its use of Clearview AI Facial Recognition Technology

Key Messages

  • The OPC has previously investigated the RCMP’s adoption of novel technology, including Clearview AI facial recognition technology (2020-2021).
    • In that investigation we found contraventions of section 4 of the Privacy Act.
  • My office became aware of NuEnergy.ai (which allegedly provides AI products to the RCMP) in November 2021 as a result of a media article. We have requested further information from the RCMP and have been told a briefing is being coordinated, but have not received further details to date.
  • My officials are continuing their analysis of materials recently submitted by the RCMP. As such, I have no further information to provide at this time.
  • We welcome consultations on initiatives that impact privacy, especially those which involve the use of novel technology.

Background

  • The RCMP is addressing eight recommendations from our investigation of its use of Clearview AI, including launching a National Technology Onboarding Program.
    • It has made progress, but I am concerned that NTOP is not sufficiently resourced to effectively change practices across a large, decentralized organization.
    • The scope of the recommendations from our investigation included any new technology involving the collection or use of personal information. Given we are reviewing the RCMP’s implementation of the recommendations, I cannot comment on its use of any such technology, including any related training.
  • The OPC’s business advisory team, which consults with the private sector on their privacy initiatives, has not had any direct dealings with NuEnergy.ai.
  • My office was not consulted on the list of authorized providers in the Government of Canada’s AI Source List (developed by PSPC), on which NuEnergy.ai appears.

Prepared by: Compliance, Intake and Resolution Directorate

In consultation with: Government Advisory Directorate and Business Advisory Directorate


Consultation Process and Privacy Impact Assessment Expectations

Key Messages

  • As required by the TBS Policy on Privacy Protection, the OPC expects institutions to notify our office of any planned initiatives that could impact the privacy of Canadians, and that PIAs are completed prior to launch of the initiative.
  • At a minimum, the PIA should include the elements of the Core PIA as required by the TBS Directive on Privacy Impact Assessment and:
    • Address the legal authority to conduct the activity;
    • Demonstrate that the initiative is necessary to meet a specific need, that its impacts are proportional to its purported benefits, that the program is likely to be effective in meeting its goals, and that it is minimally invasive given its objectives.
  • The Privacy Act does not give the OPC the power to endorse or approve PIAs, nor are we empowered to require institutions to conduct them.

Background

  • Section 4.2.2 of the TBS Policy on Privacy Protection requires heads of government institutions or their delegates to notify the Privacy Commissioner of any planned initiatives (legislation, regulations, policies, programs) that may have an impact on the privacy of Canadians.
    • This notification is to take place at a sufficiently early stage to permit the OPC to review and discuss the issues involved.
  • Consulting with the OPC in the early stages of program development allows institutions to obtain advice about how to embed privacy into the design and implementation of the program, resulting in more privacy-protective programs.
  • Expectations: OPC’s Guide to the Privacy Impact Assessment Process details the steps for institutions to take for any PIA, in particular highlighting the importance of assessing necessity and proportionality for high-risk programs.

Prepared by: Government Advisory Directorate


Breaches

Key Messages

  • Treasury Board policy requires federal institutions to report material privacy breaches to my office and to TBS – it is not a legal obligation.
  • The OPC has long been advocating for the inclusion of a safeguards provision and privacy breach reporting requirements in the Privacy Act.
  • In the last five fiscal years, the RCMP has submitted 46 material privacy breach reports to my Office, higher than most other security institutions. This raises concerns with its safeguarding practices, particularly given the sensitivity of the personal data it holds.
  • An organization’s ability to protect the personal information it collects should be commensurate with the sensitivity of that information.

Background

  • Material breaches are defined as those that involve sensitive personal information; could reasonably be expected to cause serious injury or harm to an individual; and/or involve a large number of individuals.
  • This paragraph contains information that has not been made public. Of the 46 material privacy breaches reported by the RCMP in the last five fiscal years, 35 involved unauthorized disclosures. This fiscal year, the RCMP has submitted four material privacy breach reports: [Redacted]. As a result, the OPC launched a commissioner-initiated complaint investigation. As this is an ongoing investigation, no further information can be provided at this time.
Breach Reporting by Institutions with Similar Mandates: FY 17/18 to 21/22

  Institution             Material privacy breach reports
  RCMP                    46
  Correctional Services   147
  CBSA                    7
  DND                     6
  CSIS                    2
  NSIRA                   1

Prepared by: Compliance – Compliance, Intake and Resolution Directorate


Privacy Act Obligations

Key Messages

  • To be compliant with its obligations under section 4 of the Privacy Act, the RCMP must ensure that it is only deploying its investigatory tools in direct furtherance of an operating program or activity, and in a manner that respects the general rule of law.
  • The use of sophisticated collection technology by government institutions would be better governed if the Privacy Act were to explicitly require institutions to consider the principles of necessity and proportionality prior to their deployment.
  • Given that ODITs have the potential to collect vast amounts of personal information, the RCMP should only be deploying this tool when it has a valid Part VI, Criminal Code wiretap warrant in place.

Background

  • Necessity and Proportionality: Although not a legal requirement based on the current law, the OPC has long advocated that the collection of personal information by government institutions be governed by a necessity and proportionality standard, a position which was taken up by ETHI itself in 2016.
  • Privacy Act Modernization: Justice Canada’s November 2020 discussion paper on modernizing the Privacy Act goes some way towards codifying the principles of necessity and proportionality by introducing a “reasonably required” threshold, but as outlined in the OPC’s public submissions, more work needs to be done.
  • Warrant Should be Based on Collection Potential: The ODIT’s capabilities include the potential to intercept private communications. Even if the RCMP were to insist that it were only going to use the ODIT to collect data stored on a device, the RCMP should seek to obtain a judicial authorization that properly considers the tool’s potential to interfere with a reasonable expectation of privacy.

Prepared by: Legal Services Directorate


Current Privacy Impact Assessment Requirements

Key Messages

  • The obligation for federal departments to develop PIAs is currently a policy requirement under section 6.3.1 of the Treasury Board of Canada Secretariat (TBS) Directive on Privacy Impact Assessment.
  • The stated objective of the Directive is to ensure that privacy implications are identified, assessed and resolved before a new or substantially modified program or activity involving personal information is implemented.
  • The Directive requires federal departments to submit the final, approved versions of PIAs to the OPC and TBS, along with any further documentation we might ask for.
  • Federal departments are responsible for deciding whether and how to undertake PIAs. We are aware of many instances where programs are launched before PIAs are completed (e.g. the RCMP CAIT program).
  • The OPC has recommended a legislative requirement for PIAs to be undertaken as part of Privacy Act reform.

Background

  • The TBS Directive requires at minimum the completion of a core PIA identifying levels and categories of privacy risk, personal information elements and data flows, ensuring compliance with sections 4 to 8 of the Privacy Act, and documenting the conclusions and recommendations drawn from the privacy analysis.
  • While the Directive requires that the PIA be provided to the OPC and TBS, it does not give timelines for this step. The OPC has no power to compel institutions to complete a PIA, nor do we have powers to sanction non-compliance.
  • TBS is responsible for monitoring compliance with the Directive. The OPC has the power to review compliance with sections 4 to 8 of the Privacy Act, and could audit and report to Parliament on departmental PIA processes.

Prepared by: Government Advisory Directorate


Privacy Act Reform

Key Messages

  • In November 2020, Justice Canada released a discussion paper on modernizing the Privacy Act which included several positive proposals, such as:
    • adding a purpose clause to the Privacy Act to provide guidance on protecting individuals’ human dignity, personal autonomy, and self-determination;
    • improved oversight and broader remedies, such as order-making and expanded rights of recourse to Federal Court;
    • a broader definition of “personal information”;
    • explicit requirements to protect information; and,
    • mandatory breach reporting.
  • The OPC made many recommendations to improve regulation in the digital context, including use of artificial intelligence, a strengthened collection threshold, a refined definition for publicly available personal information, and expanding proposed order-making powers for the OPC.

Background

  • Artificial Intelligence: We recommend inclusion of a definition of automated decision-making, a right to meaningful explanation and human intervention, a standard for the level of explanation required, and obligations for traceability.
  • Collection Threshold: A “reasonably required” standard is workable if the aim is to add clarity to the law while yielding results similar to the longstanding principles of necessity and proportionality. We proposed key modifications to improve requirements around specified purposes and proportionality.
  • Framework for “Publicly Available” Personal Information: We recommended the proposed definition explicitly state that publicly available personal information does not include information in respect of which an individual has a reasonable expectation of privacy.

Prepared by: Policy, Research and Parliamentary Affairs Directorate


Role of the Office of the Privacy Commissioner of Canada

Key Messages

  • The Government Advisory Directorate (GA) provides non-binding advice to federal public sector institutions on specific programs and activities involving personal information by reviewing PIA reports and engaging in advisory consultations.
  • The Compliance Sector investigates public complaints of potential contraventions of the Privacy Act.
    • The Commissioner can also self-initiate an investigation on any privacy matter where he is satisfied there are reasonable grounds, and can review an institution’s compliance with the personal information collection, use or disclosure practices in the Act.

Background

  • The TBS Directive on PIA requires PIAs be undertaken for programs or activities that use personal information as part of a decision-making process that directly affects the individual. Departments must send completed PIAs to the OPC, but we do not have the power to approve or endorse them.
  • The OPC (GA) triages and reviews PIAs on the basis of risk, such as the use of sensitive or large amounts of personal information, if the program impacts vulnerable populations or uses novel technology.
  • GA also offers advisory services to help departments identify and mitigate risk. Although there is no obligation for departments to use our services, we have found considerable benefits for those which choose to do so.
  • Subsection 29(3) and Section 37 of the Privacy Act empower the OPC to carry out self-initiated investigations where warranted.
  • In determining whether to conduct a self-initiated investigation, we consider the level of risk to the privacy of Canadians and the most effective strategy to address that risk. Risk is determined based on the impact on Canadians, the impact on affected individuals, the actions of the institution in question, and whether the matter involves novel issues warranting clarity.

Prepared by: Government Advisory Directorate

In consultation with: Compliance Sector


Statutory Authorities for the Royal Canadian Mounted Police’s Use of Investigative Tools

Key Messages

  • The RCMP may collect personal information in furtherance of its statutory and common law mandate to preserve the peace, prevent crime, apprehend criminals and offenders, and execute all warrants.
  • These statutory and common law authorities do not specifically speak to safeguarding any of the personal information collected by the RCMP, and are particularly insufficient when it comes to the collection of private communications.
  • Requiring the RCMP to obtain a valid Part VI, Criminal Code wiretap warrant to authorize collection by way of an ODIT goes a long way towards addressing privacy concerns because of the safeguards that this judicial authorization regime provides.

Background

  • RCMP Act and Regulations: The RCMP has historically taken the position, and the OPC has accepted, that the use of investigatory tools to collect personal information is authorized both by statute (section 18 of the Royal Canadian Mounted Police Act and paragraph 14(1)(a) of the Royal Canadian Mounted Police Regulations), and its common law police powers.
  • Wiretap Warrants Protect Privacy: People have the highest expectation of privacy when it comes to their communications. The Part VI warrant regime is designed so that a neutral judicial arbiter must decide whether an individual’s right to be left alone should give way to the state’s interest in this most sensitive type of personal information absent exigent circumstances.
  • Notice Requirements Mean Transparency: Part VI of the Criminal Code requires that persons who were the object of interception be notified of this. This is a critical transparency tool, and would enable individuals to avail themselves of the provisions of the Privacy Act to ensure that the RCMP abided by its obligations under that Act in terms of its collection, retention, use or disclosure of their personal information.

Prepared by: Legal Services Directorate


Encryption and Lawful Access

Key Messages

  • Encryption is crucial for securing Canadians’ communications, protecting Canadians’ privacy, and enabling trust in online commerce and digital government services.
  • In response to police concerns about access to data, some countries have weakened or banned certain forms of encryption. By contrast, Canada’s approach aims to both protect consumers’ privacy and maintain network security.
  • We believe – and have recommended previously – that provisions to circumvent device encryption should be exceptional (not systemic), and, in the context of policing, judicial oversight is vital.

Background

  • International Resolution on Government Access: In October 2021, the OPC co-led the development of a Global Privacy Assembly Resolution on Government Access to Data, Privacy, and the Rule of Law: Principles for Governmental Access to Personal Data held by the Private Sector for National Security and Public Safety Purposes, which was adopted by all member Data Protection Authorities.
    • The Resolution proposes principles on government access to data, which include: requiring clear legislative authority for access, assessing necessity and proportionality, ensuring transparency and accountability, supporting rights of data subjects, implementing independent oversight (e.g., judicial authorization) and review (e.g., auditing), limiting use, and providing effective redress.
  • OPC submission on securing telecommunications in Canada: in January 2019, the OPC provided input to the Government’s Review of the state of federal laws on broadcasting and telecommunications, one element of which focussed upon privacy and security.
    • We indicated existing rules and standards for lawful access were already extensive and effective. We did, however, recommend government improve its public reporting on data requested from service providers.

Prepared by: Policy, Research and Parliamentary Affairs


Spyware

Key Messages

  • Given the highly intrusive nature of spyware like Pegasus, the OPC would have expected the RCMP to have engaged with our Office prior to deployment, likely in the context of a PIA.
  • Until the RCMP engages with the OPC on this matter, we are not able to assess the privacy risks of RCMP’s “ODITs”.
  • Spyware which accesses any and all information on a mobile device, controlling microphones and cameras, with little or no interaction by the phone’s users, raises very serious privacy risks.
  • Given these very real risks, a case could be made for specific guidelines in legislation, above and beyond judicial authorization, to promote transparency over the procurement and subsequent use of surveillance technology by government agencies.

Background

  • Regulatory changes could address requirements to assess and mitigate risks prior to implementation. Those changes could include: identifying risks to the security and integrity of the target system/data, requiring audit trails, setting timelines for the destruction of data, and publishing information on approved and rejected applications to authorize hacking, as well as the offences specified in the applications and the method, extent and duration of authorized hacking measures.
  • Pegasus: this spyware can access any information on a phone, including messages sent or received or the geolocation of the phone; it can record calls, turn on the camera without notice and activate the microphone. The latest version can infect a phone without any interaction from the phone’s owner.
  • In 2021, The Guardian and a consortium of journalists with Amnesty International analyzed a leak of 50,000 phone numbers targeted by clients of NSO Group and were able to demonstrate that Pegasus was used to conduct surveillance on civilian targets. The Citizen Lab has been reporting on this since at least 2016.
  • UN human rights experts called for a global moratorium on the sale and transfer of surveillance technology until robust regulations are in place that guarantee its use complies with international human rights standards.
  • We are not aware of any Canadian government organization using Pegasus. In 2018, Citizen Lab reported that the phone of a Canadian permanent resident and Saudi dissident was infected with NSO’s Pegasus spyware by a Saudi operator.

Prepared by: Policy, Research and Parliamentary Affairs Directorate

In consultation with: Technology Analysis Directorate
