Chapter 5: Assessment — Technology
Special Report on the Lawful Access to Communications by Security and Intelligence Organizations
Technology
168. The Committee did not see any clear, empirical data to substantiate claims by Canada’s security and intelligence organizations that they face serious lawful access challenges because of rapidly evolving technology. CSIS and the RCMP do not systematically track how often they encounter various technological challenges in their national security investigations, for example, instances in which communications content could not be accessed because of encryption. As a result, they do not know in quantifiable terms the degree of impact and overall significance of these challenges. Consequently, the Committee had no data to analyze to identify trends over time. This is an important omission because as these organizations advise the government and attempt to convince Canadians — particularly those concerned about the potential erosion of their privacy — that new legislation and resources are required to keep pace with evolving technology, they are only able to offer anecdotes and not concrete figures.
169. Senior officials from Public Safety, CSIS, and the RCMP repeatedly stated that in situations where CSIS or the RCMP ran into situations in which communications content was unavailable, they found other ways to get the information required. All organizations confirmed that, where known, available and precise enough, metadata was also useful in their investigations. This would appear to confirm that CSIS and RCMP are not “going dark,” rather that they experiencing what the Citizen Lab describes as “investigative friction.” Footnote 373
170. However, the Committee heard compelling and detailed testimony about how the rapid pace of technological change has increased the complexity, operational risk and cost of national security investigations. More digital devices, more communications applications or apps, and more operating systems mean that investigators need to develop more methods of access, with an impact on both time and resources. CNE is costly and not always effective (this is discussed further below). Other mitigation efforts to *** get access to encrypted communications content *** are now complicated ***. (The Committee notes that none of security and intelligence organizations cited concerns about artificial intelligence from a lawful access perspective, beyond surmising that increased use of artificial intelligence could assist with forensic debriefing efforts.)
171. In summary, notwithstanding CSIS and the RCMP’s failure to systematically track data about technological challenges encountered over the time period of the review, the Committee nonetheless believes there is sufficient information to confirm their claims that they face significant challenges in their ability to access relevant and timely digital evidence and intelligence.
F1
Canada’s security and intelligence organizations do not systematically track how often they encounter technological challenges in their national security investigations and whether they are successful in mitigating these challenges.
F2
The RCMP and CSIS face significant challenges in accessing communications content, for which metadata is not necessarily a substitute.
R1
Under the leadership of the Minister of Public Safety, the government develop and implement a comprehensive strategy to address Canada’s lawful access challenges, drawing from the Committee’s review and findings. Such a strategy should:
- Affirm key principles, such as legitimacy, necessity, and proportionality;
- Identify, track, and report on key lawful access challenges and associated risks;
- Include communications, stakeholder engagement and transparency commitments; and
- Consider challenges that may arise due to emerging technology, e.g., artificial intelligence.
172. The ubiquitous use of encryption presents an important dilemma. In reviewing the government’s policy response to encryption, despite the mounting challenges for national security investigations, the Committee believes that the government’s decision in 2020 not to proceed with new consultations on encryption was reasonable, as the views of key stakeholders were indeed unlikely to have changed since Public Safety-led consultations on national security in 2016. The Committee notes that almost no concerted policy work on encryption has occurred since then. Government departments and agencies do appear to have arrived at a common, internal working position: encryption is essential in a society that is digital by default and any effort to degrade its integrity is incompatible with cybersecurity. Importantly, the Committee did not hear any government official call for legislation to compel the creation of exceptional access or “backdoors” to get around encryption.
173. The government’s public statements to date, however, leave room for confusion. Canada’s signing of the 2019 Five Country Ministerial communique on encryption and the U.K.-led 2020 “International Statement: End-to-end Encryption and Public Safety” allows for an interpretation that the government is still considering such legislation. Indeed, the fact that NSTAG published a report as recently as the summer of 2024 expressing concern that this was the government’s position when it is clear to the Committee that it is not, suggests this remains important to clarify publicly in light of public concerns about cybersecurity and privacy.
174. In the Committee’s view, in articulating Canada’s position on encryption, the government will need to clearly explain that *** access encrypted communications content is more than just investigative friction. The Committee heard that CNE is not a panacea, and access to associated metadata is not the same as being able to access communications content in real time. As such, the Committee believes new laws, tools and resources for the security and intelligence community are required to mitigate this risk, but ones that leave encryption intact.
175. The Committee also observed that privacy and cybersecurity advocates and national security practitioners appear to be talking past one another in debates about encryption and exceptional access for law enforcement and intelligence organizations. As stakeholders debate policy initiatives or legislation, it will be critical for both sides to ensure a common understanding of key concepts. For the government, the Committee suggests that a robust, transparent communications strategy, which explains technical concepts in detail, is fundamental.
F3
There was consensus across appearances that legislation to compel the creation of exceptional access or “backdoors” to encryption platforms was neither required nor desired.
F4
Canada’s public position on lawful access to encrypted communication is unclear. National security practitioners, cybersecurity experts and privacy advocates do not have a common understanding of the problem.
R2
The government publicly clarify its position on exceptional access to communications information protected by encryption.
176. The Committee learned that the use of encryption and anonymizing technologies is also affecting how the RCMP and CSIS can obtain building block information required at the early stage of an investigation, ***. In this regard, the Committee heard that the Supreme Court’s 2014 decision in Spencer requiring judicial authorization to seek BSI has created delays and significant increased effort on the part of security agencies to investigate a potential national security threat. DoJ efforts to address this issue have failed for years to progress. In addition, the Committee understands that the absence of a data retention regime has had significant implications given the length of some complex investigations.
F5
The government’s failure to develop and implement a solution to the Supreme Court’s decision in Spencer is impeding CSIS and the RCMP's ability to respond to national security threats.
F6
Without a general legal requirement on CSP’s to retain metadata for a specified period of time, there is a risk that data sought pursuant to a warrant will be unavailable.
R3
The government table legislation creating new authorities in the Canadian Security Intelligence Service Act and the Criminal Code to enable the production of basic subscriber information, and the government consider legislation with respect to data retention.
177. Security and intelligence practitioners, privacy advocates, and cybersecurity experts alike point to CNE, including the deployment of ODITs, as one of the *** solutions to obtaining communications content in the face of ubiquitous encryption. The Committee learned that these tools are expensive and often unreliable, as targets have become increasingly cybersecurity savvy and as companies work to identify and address the vulnerabilities in operating systems and encryption platforms ***.
178. The use of CNE also raises important questions about the protection of investigative techniques. The Committee learned that because of the complexity of CNE, ***. The Committee heard that the RCMP faces particular challenges in using ODITs in support of investigations because Canadian intelligence *** do not have confidence in Canada’s legal system to adequately protect them from disclosure during court proceedings.
179. ***. ***, as well as legal experts, argue instead that provisions under the Canada Evidence Act have been shown to protect such information in legal proceedings and suggest that the problem may not be one with Canada’s legal framework, but with institutional risk aversion. The Committee also heard that in responding to threats to national security, criminal proceedings may not be the most effective means, and that disruption without prosecution may be more viable when sensitive techniques are at issue.
180. As advances in both the change and complexity of technology continue, the Committee surmises that Canada’s security and intelligence organizations ***. While CSIS and CSE appear to be secure because there is little risk of disclosure, the Committee is concerned that the RCMP will be limited in its ability *** technical solutions. While the Committee agrees that there may be some instances in which disruption is the most prudent response to a national security threat, the Committee has no information to suggest that Canadians want a legal system in which law enforcement regularly relies on disruption and not prosecution to address a national security threat.
181. The Committee notes that this particular challenge is a perennial feature in the larger, longrunning debate in Canada about the intelligence and evidence dilemma. The Committee is concerned that, like the encryption debate, this issue too has reached a stalemate. The Committee recognizes that there is no simple solution to the challenge of using intelligence, or sensitive tools and techniques, in a criminal proceeding; it also notes the efforts by CSIS and the RCMP to improve cooperation and collaboration through the 2019 Operational Improvement Review. However, regardless of whether the problem is legislative or driven by institutional risk aversion, the Committee believes that the lack of urgency the government has afforded to addressing the intelligence and evidence problem at a strategic policy level is having unintended consequences for the rule of law in Canada as it relates to responding to national security threats.
F7
The government’s inability to make progress on the intelligence and evidence dilemma, particularly with respect to the protection of investigative techniques, has contributed to a situation in which the RCMP is forced to choose either to not use sensitive tools and techniques during an investigation because of the potential disclosure issues, or risk not being able to rely on evidence obtained through their use at trial or having a prosecution stayed because of a court order to disclose.
R4
Further to the Committee’s 2024 recommendation in its Special Report on Foreign Interference in Canada’s Democratic Processes and Institutions that the government address intelligence and evidence challenges, the government develop and implement a solution to address concerns about the protection of investigative tools, which may include revisions to the relevant provisions of the Canada Evidence Act.
182. In addition to addressing the pressing need to improve the protection of investigative techniques, the Committee believes there is more policy work to do on the use of ODITs. The Committee was satisfied to hear that both CSIS and the RCMP ensure privacy safeguards are included in warrants authorizing the installation and use of these highly invasive tools. However, the Committee notes the lack of policy guidance on the procurement of commercial ODITs for use by law enforcement and intelligence agencies, beyond the general requirement to complete a Privacy Impact Assessment. The Committee believes that a policy is also required to address concerns about transparency in ODIT use, including with respect to the complex warrant application process.
F8
The government lacks formal policies to address the procurement, regulation and use of commercial On-Device Investigative Tools, and ensure transparency in reporting with respect to their use by law enforcement and CSIS.
R5
The government develop policies and guidelines on the procurement, use and reporting requirements for commercial On-Device Investigative Tools.