Full Report
In June 2023, the Citizen Lab submitted recommendations on combatting mercenary spyware risks to NSICOP.
Analysis Summary
# Regulation/Compliance: Mercenary Spyware Regulatory Recommendations (Citizen Lab Submission to NSICOP)
## Overview
This submission outlines a proposed regulatory framework and set of recommendations directed at the Canadian government to mitigate the human rights and national security risks associated with the procurement and use of mercenary spyware (e.g., Pegasus, Cellebrite, Paragon). The submission argues that current oversight is insufficient for the high-risk nature of "zero-click" and forensic extraction technologies.
## Key Details
- **Issuing Authority:** Recommendations submitted by The Citizen Lab to the National Security and Intelligence Committee of Parliamentarians (NSICOP).
- **Effective Date:** N/A (Current status is a policy recommendation).
- **Jurisdiction:** Canada (Federal/National Security).
- **Status:** Proposed / Under Committee Review.
## Requirements
### Mandatory Requirements (Proposed)
1. **Human Rights Impact Assessments (HRIA):** Mandatory, transparent assessments prior to the procurement of any surveillance technology.
2. **Strict Judicial Authorization:** Requirement for high-threshold judicial warrants specifically tailored to the intrusive nature of spyware (beyond standard wiretap warrants).
3. **Public Reporting:** Mandatory annual disclosures by government agencies regarding the number of times spyware was used and the general types of investigations.
4. **Export Controls:** Implementation of rigorous "end-use" monitoring for any domestically produced surveillance tech sold abroad.
### Recommended Practices
1. **Vulnerability Disclosure:** Government agencies should prioritize disclosing software vulnerabilities to vendors rather than stockpiling them for use in spyware.
2. **Procurement Blacklisting:** Banning the procurement of technology from companies with documented histories of human rights abuses.
3. **Notification of Targets:** Requirement to notify individuals who were surveilled once an investigation has concluded and notification would not jeopardize ongoing safety.
## Affected Organizations
- **Industries:** Government agencies (RCMP, CSIS, CSE), Law Enforcement, and Private Intelligence/Defense contractors.
- **Organization Size:** All federal bodies involved in national security or digital forensics.
- **Geographic Scope:** Canadian federal jurisdiction and international forensic tool vendors operating within Canada.
## Compliance Timeline
- **June 2023:** Submission of recommendations to NSICOP.
- **September 2025:** NSICOP report and submissions officially published.
- **April 2026:** Citizen Lab public re-release of the "Going Dark" report recommendations.
- **Future:** Pending legislative action or updates to the *CSIS Act* or the *Criminal Code*.
## Implementation Guidance
### Assessment Phase
- **Gap Analysis:** Evaluate current technological extraction capabilities against existing judicial warrant authorities to identify "legal grey zones."
- **Vendor Audit:** Review current surveillance vendors (e.g., Cellebrite, Paragon) for history of misuse or involvement in "high-risk" jurisdictions.
### Implementation Phase
- **Policy Reform:** Codifying specific "Spyware Use" protocols within agency operational manuals.
- **Mechanism Design:** Establish an independent oversight body or empower NSICOP with greater "red-line" authority over targeted surveillance operations.
### Validation Phase
- **Audit Trails:** Ensure all spyware use generates immutable logs for independent review.
- **NSICOP Review:** External parliamentary review of agency compliance with new human rights mandates.
## Technical Requirements
- **Forensic Integrity:** Use of tools must be documented to ensure the integrity of seized digital evidence (referencing the Kenyan Boniface Mwangi case regarding Cellebrite use).
- **Zero-Click Mitigation:** Implementation of device hardening for government personnel potentially targeted by foreign mercenary spyware.
## Penalties & Enforcement
- **Fines:** Not specified in the recommendations; the submission focuses on administrative and legal sanctions.
- **Other Consequences:** Exclusion of evidence in court (fruit of the poisonous tree) if spyware was used without appropriate judicial oversight; reputational damage to the Canadian state.
- **Enforcement:** Proposed oversight via NSICOP and the National Security and Intelligence Review Agency (NSIRA).
## Related Standards
- **International Human Rights Law:** Alignment with the UN Guiding Principles on Business and Human Rights.
- **NIST Privacy Framework:** Alignment on data processing and privacy-by-design.
## Resources
- **Official Documentation:** hxxps://www.canada.ca/en/national-security-intelligence-committee-parliamentarians/services/press-release-sr-2025-09-15.html
- **Guidance Documents:** hxxps://citizenlab.ca/wp-content/uploads/2026/04/citizen_lab_going_dark_report_en-2.pdf
- **Tools:** The Citizen Lab's "Security Planner" for digital self-defense.
## Practical Recommendations
1. **Modernize Warrants:** Legal departments should prepare for "Spyware-specific" warrant templates that demand higher levels of specificity than traditional telecommunications intercepts.
2. **Review Forensic Custody:** Ensure that devices seized (e.g., during political protests) are handled via strict chain-of-custody protocols regarding forensic extraction.
3. **Adopt "Privacy-First" Hardware:** Discourage the use of consumer devices for high-risk political or security work without enhanced security layers.