Question Period Note: Tools Capable of Extracting Data from GC Devices

Back to search

About

Reference number:
PSPC-2023-QP-00068
Date received:
Dec 13, 2023
Organization:
Public Services and Procurement Canada
Name of Minister:
Duclos, Jean-Yves (Hon.)
Title of Minister:
Minister of Public Services and Procurement

Issue/Question:

  • Media and MPs have raised concerns regarding the use of tools capable of extracting data from mobile devices and other assets within the Government of Canada (GC). While the media narrative makes reference to “spyware”, that is not an accurate description of these tools used by Shared Services Canada (SSC)

Suggested Response:

  • Shared Services Canada (SSC) takes very seriously the protection of the privacy of employees and all Canadians, while at the same time ensuring the security of GC networks

    • SSC uses digital forensics tools only on government issued devices and in very specific circumstances
    • Digital forensics tools are used in two specific scenarios:
    • When there is a credible allegation of employee wrongdoing

    • To gather evidence at the request of law enforcement to support of lawful investigations (e.g., court orders, warrants, subpoenas)

    • All administrative investigations are conducted under the authority of SSCs Chief Security Officer (CSO), aligned with the department’s standard operating procedures.

    • Under no circumstances does SSC extend the use of digital forensics tools outside an investigative mandate.

If pressed on use of these tools:

  • Digital forensics tools are not deployed remotely or used in any monitoring capacity
  • In the past two years, these tools have only been used six times at SSC, in the course of mandated administrative investigations under the purview of the CSO.
  • Examples of an allegation that would result in a review include:
  • Suspected inappropriate website browsing
  • A malicious software installed on a device

  • A suspected false claim of overtime

  • These tools are solely used for review when wrongdoing is suspected or to ensure the security of government networks for the benefits of Canadians.

If pressed on contracting:

  • As the IT service provider for the Government of Canada (GC), SSC contracts can be used not only by SSC directly, but also by the departments that SSC supports.
  • The contractual agreement for these device monitoring products may also be used by other departments of the GC.

If pressed on privacy impact assessment:

  • SSC takes the protection of Canadians’ personal information very seriously.
  • SSC’s uses digital investigative tools to conduct research within the guidelines of the investigative review mandate approved by the Chief Security Officer as per very strict standard operating procedures.
  • SSC only uses digital forensics tools on government-issued devices, not on employee-owned personal devices.
  • Privacy Impact Assessment are not completed for the use of software but instead for the administration of programs.
  • Officials are assessing all privacy issues involved and they will take the necessary steps to continue to protect the privacy of employees

Background:

Media began reporting on the use of “spyware” by thirteen government departments during the week of November 29, suggesting that government agencies are “ignoring” the federal mandate to conduct a privacy impact assessment (PIA). Since the media reporting began, the Standing Committee on Information, Privacy and Ethics has agreed to conduct a study of the use of these tools, beginning on January 29. SSC has been named as one of the witnesses to be called to the committee for this study.

Additional Information:

  • Departments use digital forensics tools for administrative investigations. These investigations are conducted under the authority of Financial Administration Act< section 7, and in line with the Policy on Government Security and under the authority of SSCs Chief Security Officer (CSO)
    • SSC uses digital forensics tools to investigate credible allegations of wrongdoing by GC employees in the course of an official administrative investigation
    • At the outset of an investigation, the CSO engages SSCs forensics team to collect and confirm evidence and to ensure impartiality in data collection
    • Digital forensics tools are used in controlled environments. Electronic devices are brought to a physically segregated secret-level area where the tools are used for analysis. Devices are stored in a forensics vault, only accessible to a few employees of the forensics team
    • Throughout the processes, the employee that is the subject of the investigation is informed of each step, and procedural fairness is top of mind