Chapter 3: Lawful Access Challenges
Special Report on the Lawful Access to Communications by Security and Intelligence Organizations
Mitigating the Challenges of New Technologies in the National Security Environment
73. According to CSIS and the RCMP, mitigating technological challenges requires activities that are resource intensive and present higher operational risk. Footnote 144 *** Footnote 145
74. Efforts to mitigate technological challenges include growing investments in *** intelligence collection capabilities and human source operations to collect information on warranted subjects of investigation. Footnote 146 Mitigation also includes more “high risk, high effort, and costly *** operations ***.” Footnote 147 *** Footnote 148
Computer Network Exploitation and the Use of On-Device Investigative Tools
75. One of the primary methods used by CSIS and the RCMP to bypass the challenge posed by encryption technologies in the period under review was computer network exploitation (CNE). Footnote 149 CNE refers to tools and techniques that exploit vulnerabilities in systems or software to surreptitiously obtain data that is stored on or transiting communications networks.*** Footnote 150 The RCMP uses the term “On-Device Investigative Tool (ODIT)” to describe its CNE tools. Footnote 151 An ODIT is “a computer program as defined in s. 342.1(2) of the Criminal Code that is installed on a targeted computing device that enables the collection of electronic evidence from the device.” Footnote 152 ***
*** It is however one of the most complex and expensive technical collection programs we maintain. Footnote 153
76. Where sufficient vulnerabilities can be identified, CNE enables *** the RCMP to collect information directly from a subject’s smartphone or computer and can allow investigators access to not only the subject’s cellular phone calls or texts, but *** the subject’s emails, encrypted messages, ***. Footnote 154 CNE can also allow investigators to turn on the microphone or camera of a subject’s phone. Footnote 155 The case study below describes an example of an investigation in which the RCMP successfully deployed ODITs in response to a national security threat.
Case study: RCMP Project Salento
***, the U.S. Federal Bureau of Investigation (FBI) provided the RCMP with intelligence about a Canadian (the subject) *** Footnote 156 *** Footnote 157. The RCMP investigated the subject throughout 2018 in a criminal investigation called Project Salento. Footnote 158 *** Footnote 159
*** the subject: *** Footnote 160 who was reportedly building a bomb with the intent of committing a terrorist act in Canada, targeting a New Year’s celebration on December 31st. *** Footnote 161
In response, the RCMP took numerous investigative steps, including the deployment of ODITs on the devices of the subject and ***. The ODITs revealed text messages and schematics for a pressure cooker bomb. Footnote 162
On January 24, 2019, the RCMP arrested *** in Kingston, Ontario. Footnote 163 *** was ultimately charged with four terrorism offences to which he pleaded guilty on July 28, 2020. Footnote 164
Evidence collected by the ODITs supported the charges laid. According to the RCMP, the successful use of ODITs in Project Salento can be attributed to several key factors. First, the RCMP had an existing capability to deploy an ODIT on the make and model of phone used by the subject and ***, which is not always the case. Footnote 265 ***
77. While both CSIS and RCMP use CNE tools in national security investigations, CSE plays a leading role in the management of CNE policy and implementation for the government. Specifically, CSE manages the exploitation of system and software vulnerabilities, also known as “equities,” through an Equities Management Framework. The Equities Management Framework provides “a standardized decision-making process in which CSE experts consider all available information to responsibly manage equities associated with an identified vulnerability in an information system or technology in a way that puts the security interests of Canada and Canadians first.” Footnote 166 CSIS and the RCMP are members of the Equities Review Board as part of the Equities Management Framework. *** Footnote 167
78. For both CSIS and the RCMP, seeking judicial authorization for the use of CNE can be complex depending on what the activity seeks to do. The RCMP requires several authorizations, including a wiretap if using an ODIT to intercept private communications, as well as a general warrant and a transmission data recorder warrant. Footnote 168 *** Footnote 169 *** Footnote 170 *** Footnote 171
79. CSIS states that there are several privacy safeguards contained within the warrants authorizing the installation and use of ODITs, as well as within its internal policies, *** Footnote 172 *** Footnote 173 *** Footnote 174
80. According to CSIS, in 2018 it began providing the Federal Court an explanation of how CSIS’ ODITs function and the various methods by which they are deployed with every warrant application so that all designated judges were “provided with consistent information about the ODIT-related powers that they would be authorizing.” Footnote 175
81. Warrants granted to the RCMP for the deployment of ODITs to intercept private communications also include privacy safeguards. The issuing judge may attach terms and conditions to a wiretap authorization, Footnote 176 such as limits on topics and categories that may be searched in the data extracted from the device, or requirements to destroy collected data that falls outside the authorized time period or cease examination of data that does not relate to a target. Footnote 177
82. *** the RCMP deploy CNE in three different ways, ***: Footnote 178
- Remote access CNE: ***
- Near access CNE: *** Footnote 179
- Close access CNE: ***: *** Footnote 180
83. CNE is not a panacea. CNE relies on exploiting vulnerabilities ***. In recent years the number of devices and apps has increased the cost and complexity of CNE as operators need to search more devices and apps for vulnerabilities. Footnote 181 *** Footnote 182 *** Footnote 183
*** Footnote 184
*** Footnote 185 *** Footnote 186 ***
*** Footnote 187
86. In 2022, the RCMP advised the Standing Committee on Access to Information, Privacy and Ethics (ETHI) that since 2017 it had used ODITs in 32 investigations, targeting 49 devices. Footnote 188 Since then, the RCMP made 8 attempts at deploying an ODIT in 2023, of which only two were successful. The RCMP did not deploy any ODITs in 2024. Footnote 189 The RCMP similarly advised that increased cybersecurity awareness in recent years has led to a significant decline in their overall ODIT success rate. Footnote 190 Table 3.2 summarizes the number of ODITs deployed by the RCMP since 2017.
| Year | Number of Targeted Devices | Successful Deployments |
|---|---|---|
| 2017 | 2 | 2 |
| 2018 | 3 | 3 |
| 2019 | 2 | 2 |
| 2020 | 15 | 8 |
| 2021 | 16 | 9 |
| 2022 | 11 | 7 |
| 2023 | 8 | 2 |
| 2024 | 0 | 0 |
For both CSIS and the RCMP, the Committee understands a successful ODIT deployment to be that an ODIT collected information from the targeted device and generated a report, *** Footnote 192
Challenges Associated with the Protection of Investigative Techniques
87. The RCMP states that it faces other acute challenges which make it increasingly difficult for investigators to use ODITs. As described in Chapter 2, during a prosecution, the Crown is obligated to disclose all relevant and material information, except that which is privileged, to the defence so that accused persons may make full answer and defence to any charges brought against them. Footnote 193 Under the Canada Evidence Act, the government can seek to prevent the disclosure of information relating to a sensitive law enforcement investigative tool or technique under section 37 and withhold access to information that is sensitive or injurious to Canada’s international relations, national defence or national security, including tools and techniques used by security and intelligence organizations, under section 38. According to the RCMP, although these provisions can be easily applied to certain traditional investigative tools and techniques, the complexity of going through this process with ODITs within acceptable timelines is challenging. Footnote 194
88. The RCMP states that it would like to rely on CSE through requests for assistance for ODIT deployment, due to the significant cost and resources required to use ODITs. Footnote 195 *** Footnote 196 If a particular tool or technical capability were made public in a court disclosure, it could affect other investigations underway. Footnote 197 The RCMP states that, consequently, CSE *** “increasingly unable, or unwilling to aid the RCMP out of concern that these tools are subject to disclosure in court.” Footnote 198 According to CSE, there is insufficient confidence that the Crown will be able to protect classified CNE capabilities in legal proceedings: “Using any of these capabilities as part of assistance to RCMP, with a not insignificant likelihood of them being exposed as part of legal proceedings, presents an unacceptable risk to CSE, to its operations and reputation, *** Footnote 199
89. The RCMP contends that this puts the RCMP in a position where they “must choose between ‘burning a tool’ ***, and staying the charges due to a lack of disclosure.” Footnote 200
90. *** Footnote 201 *** Footnote 202
91. According to the RCMP, concerns about disclosure have also forced Public Prosecution Service of Canada (PPSC) to stay charges, as the preparation to apply for protection under section 37 or 38 is so complex that the resulting delays are long enough to infringe on the accused’s right to be tried within a reasonable time. Footnote 203 *** Footnote 204
92. National security law expert and defence counsel, Anil Kapoor, advised the Committee that the prosecution of criminal cases did not always represent “the most effective way to manage national security threats,” due to their cost, the length of time involved, and the risk of the “disclosure of information which the agencies would wish to protect.” Footnote 205 However, he stated that, “when intelligence assets are at risk and the interest of the accused or constitutional imperatives may require disclosure, … that is the nature of criminal law proceedings and we shouldn’t be afraid of that or think that is somehow improper. It is entirely proper.” Footnote 206 According to Mr. Kapoor,
…current existing law provides a proper and well-balanced approach to the protection of information while protecting against the risk that innocent persons will be convicted. The problem, respectfully, is a cultural problem, and it is a concern that agencies may be too risk-averse, in taking decisions on how to manage a particular threat, and in particular, the use of criminal proceedings. Footnote 207
93. Mr. Kapoor suggests that agencies like CSIS and CSE may have an insufficient understanding of the extent to which the law can protect their sensitive information at trial. Footnote 208 Of note, in 2019 Mr. Kapoor authored a classified Operational Improvement Review, at the request of CSIS and the RCMP, which examined the Federal Court’s section 38 decisions from 2008 to 2018 relating to national security-related prosecutions. Footnote 209 The review found that the government had used section 38 to successfully protect sensitive information from disclosure in more than 85% of national security criminal cases, particularly information derived from international partners. Footnote 210 The review concluded that there was nothing about the section 38 process or test that necessarily led to the improper release of sensitive information. Footnote 211 The review, however, did not conduct a similar analysis on section 37.
Other Challenges Working with ODITs
94. *** Unlike the U.S., Canada does not have a clear policy that sets out guidance on what kinds of commercial ODITs may be approved for purchase and use by government investigative agencies. Footnote 212
95. Privacy advocates, as well as legal and cybersecurity experts, are highly critical of the use of CNE given the significant amount of private and personal information people have about themselves and others on their digital devices. In the context of Canada’s legal framework, they argue that CNE blurs the distinction between the prospective interception of communications and the retrospective retrieval of stored communications because the same tool may be used to accomplish both. They argue that current Criminal Code and CSIS Act provisions do not adequately address the degree of invasion of privacy that certain CNE capabilities pose, such as the ability to “access all of an individual’s stored data — whether it is stored on the device itself, or accessible via a cloud computing service to which the device is connected.” Footnote 213 They also state that the complex and convoluted warrant application processes undermine transparency and accountability. Footnote 214 The BCCLA called for “a more robust set of statutory factors” to guide ODIT use by security and law enforcement organizations and provide transparency to Canadians about when courts might grant such a warrant. It also suggested a requirement to notify those investigated with an ODIT after an investigation, similar to the requirement for Part VI intercepts, so they could seek a remedy from the courts for any impropriety on the part of the investigating agency. Footnote 215
96. The Citizen Lab warns against the risks posed by the absence of state regulation of commercially available ODITs, which allows the industry to operate without effective public or government oversight: “The existence of this unregulated market has provided a growing number of countries — including countries hostile to Canada or with a history of human rights abuses — access to highly intrusive surveillance technology.” Footnote 216 Advocates may also assume that Canadian security organizations are using commercially available ODITs, arguing that the “characteristic secrecy of the spyware industry and its use by the government represents a significant barrier to any meaningful accountability in Canada.” Footnote 217
97. Some likeminded democracies have taken steps to update laws and regulations to better reflect modern technology and transparently share surveillance capabilities with the public. In 2017, Germany amended its Code of Criminal Procedure to better reflect modern law enforcement, amending provisions authorizing the retrieval of encrypted communications stored on an online device; law enforcement’s access to information technology systems to gather stored data; and the use of CNE to remotely activate an electronic device’s microphone and camera as a mode of surveillance. Footnote 218 In 2016, the U.K. publicly released its Equipment Interference Code of Practice for U.K. law enforcement and security agencies on how to lawfully conduct CNE. The Code of Practice includes guidance on the need to demonstrate the necessity and proportionality of activities, establishes rules for the handling of information, and outlines safeguards for oversight, such as obtaining authorization from the Secretary of State and review by the Intelligence Service Commissioner. Footnote 219
98. CSIS states that it does not believe a dedicated ODIT warrant is required due to the Federal Court’s awareness that “ODITs carry a high level of intrusiveness and [the Federal Court] balances privacy interests by imposing conditions within the warrants authorizing ODIT installation and use.” Footnote 220 According to the RCMP, the current provisions of the Criminal Code are adequate and in keeping with RCMP needs, although it welcomed any added simplicity in obtaining judicial authorization for the deployment of an ODIT. Footnote 221 According to Public Safety, ODITs are an area it intends to analyze in greater detail. Footnote 222