from the fisheries-just-out-there-hacking-phones dept
Looks like everybody who’s anybody has got a set of hacking tools in Canada. Well, at least in terms of the federal government. Documents obtained by the CBC shed some light on the prevalence of phone-cracking tech within the government. And what that light shows isn’t all that flattering.
Tools capable of extracting personal data from phones or computers are being used by 13 federal departments and agencies, according to contracts obtained under access to information legislation and shared with Radio-Canada.
Radio-Canada has also learned those departments’ use of the tools did not undergo a privacy impact assessment as required by federal government directive.
Well, that’s pretty much how it goes here in the US, too. Tech is obtained and deployed. Years later — if ever — privacy impact assessments are delivered. Act first. Get into compliance later. And don’t even worry about apologizing. Sure, governments are supposed to serve the public’s interest. But if those interests don’t align with the government’s interests, well… tough shit, I guess.
It’s not surprising law enforcement and national security agencies have access to these tools. What’s a bit more surprising is how many regulatory agencies have (or have had) possession of device-cracking tech. The full list of agencies with these tools is bound to provoke some questions that won’t be all that easy to answer.
Fisheries and Oceans Canada
Environment and Climate Change Canada
Canadian Radio-Television and Telecommunications Commission
Canada Revenue Agency
Shared Services Canada
Competition Bureau Canada
Global Affairs Canada
Transportation Safety Board of Canada
Natural Resources Canada
Correctional Service Canada
Royal Canadian Mounted Police
Here are some details on just one of the oddities on this list. Shared Services Canada is the government’s IT wing, providing infrastructure and support for the federal government. This government agency acquired a whole suite of device crackers to crack devices.
According to the documents Light shared with Radio-Canada, Shared Services Canada purchased the equipment and software for the end users from suppliers Cellebrite, Magnet Forensics and Grayshift. (The latter two companies merged earlier this year).
No explanation was given as to why this entity should need this tech. The only explanation given for any of this was this defensive, nonsensical statement from Cellebrite, in which it defended itself from accusations no one was making.
After publication of this story, Cellebrite said in an email that its “technologies are not used to intercept communication or gather intelligence in real time. Rather, our tools are forensic in nature and are used to access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred. The person/suspect does know our technology is obtaining data through court/judicial permission through a search warrant or consent by the individual.”
Um. OK. No one was accusing Cellebrite of engaging in illegal (or even legal) interception of communications or real-time surveillance. That the company chose to lead with that almost suggests that it does provide these services to other governments or government entities, just not the ones being discussed here. (It probably doesn’t. So far, Cellebrite has only been shown to provide phone-cracking devices that require those doing the cracking to have possession of the device being cracked. But still, it’s a weird thing to say when no one’s accusing you of doing those things.)
As for the mandatory privacy impact assessments that have yet to be created, only one agency (Fisheries and Oceans) said it planned to whip one up. The rest of the agencies that bothered to respond to this query suggested no privacy impact assessment was necessary because any deployment of the tech was backed by a court order or warrant. That’s an obviously wrong assumption, but that’s the excuse being given.
As for the legal justifications that supposedly allow these entities to skip publishing PIAs, they’re almost as ridiculous as the excuses offered for ducking their own legal obligations to the general public. Fisheries and Oceans listed “Fisheries Act” as its sole justification for deploying device-cracking tech. The Radio-Television and Telecommunications Commission claimed “Canada’s Anti-Spam Legislation” allowed it to break into devices and computers. The Environment and Climate Change agency was just as vague, citing “enforcement of different laws and regulations.”
The more plausible explanation for the possession of these devices by agencies that aren’t actually in the law enforcement/national security business is this: they’re being used to perform internal investigations.
Some of the departments say they use the tools to conduct internal investigations when employees are suspected of fraud or workplace harassment, for example. They say data is only extracted from government-issued devices in accordance with internal protocols that govern the collection and storage of personal information to ensure its protection.
And the statements provided by the Transportation Safety Board strongly suggest forensic devices are being used to search devices recovered from traffic accidents, most likely to determine whether or not they were due to distracted driving.
All in all, a pretty eye-opening set of revelations. Agencies one would never suspect had any need for these powerful tools not only have them, but are using them for reasons that are mostly left unexplained. The lack of privacy impact assessments isn’t surprising, though. It’s just disappointing. Obligations to the public are always put on the back burner, especially when agencies possess little-known tech with capabilities that have yet to be fully exposed. They want every chance to exploit these before their oversight catches on and/or public records requesters figure out what questions to ask and who to ask.