Tools capable of extracting personal data from phones or computers are being used by 13 federal departments and agencies, according to contracts obtained under access to information legislation and shared with Radio-Canada.
Radio-Canada has also learned those departments’ use of the tools did not undergo a privacy impact assessment as required by federal government directive.
The tools in question can be used to recover and analyze data found on computers, tablets and mobile phones, including information that has been encrypted and password-protected.
This can include text messages, contacts, photos, and travel history.
It’s a bit ridiculous, but also dangerous.
–Evan Light, York University
Certain software can also be used to access a user’s cloud-based data, reveal their internet search history, deleted content, and social media activity.
Radio-Canada has learned other departments have obtained some of these tools in the past, but say they no longer use them.
Evan Light, associate professor of communications at York University’s Glendon campus in Toronto and an expert in privacy and surveillance technology, said he’s shocked by the widespread use of such software within the federal government.
“It’s worrisome and dangerous,” said Light, who filed the original access to information request to find out more about how police agencies in Canada are using the technology.
“I thought I would just find the usual suspects using these devices, like police, whether it’s the RCMP or [Canada Border Services Agency]. But it’s being used by a bunch of bizarre departments,” he said.
According to the documents Light shared with Radio-Canada, Shared Services Canada purchased the equipment and software for the end users from suppliers Cellebrite, Magnet Forensics and Grayshift. (The latter two companies merged earlier this year).
The companies say they have developed strict controls to ensure that their technologies are used in accordance with the law, according to their websites.
After publication of this story, Cellebrite said in an email that its “technologies are not used to intercept communication or gather intelligence in real time. Rather, our tools are forensic in nature and are used to access private data only in accordance with legal due process or with appropriate consent to aid investigations legally after an event has occurred. The person/suspect does know our technology is obtaining data through court/judicial permission through a search warrant or consent by the individual.”
Read the full article here.