A Study on the use of Technological Tools to Extract Information by Federal Institutions on Government-issued Devices

Issue

This note provides information on the tools capable of extracting data from Government of Canada (GC) devices that Shared Services Canada (SSC) uses in administrative investigations or to process some Access to Information and Privacy (ATIP) requests. ‌

Key messages

• SSC takes the protection of privacy for employees and all Canadians very seriously, while also ensuring the security of GC networks
• SSC only uses digital forensic tools on government-issued devices, not on employee-owned personal devices
• SSC uses digital forensic tools on devices and data in specific scenarios:
  • During an internal administrative investigation, when there is a credible allegation of employee wrongdoing
  • To gather evidence at the request of law enforcement to support a lawful investigation (e.g., court orders, warrants, subpoenas)
  • For the purposes of retrieving information for some ATIP requests
• Administrative investigations happen only when there is a credible allegation of employee wrongdoing or to ensure the security of government networks upon which Canadians depend
• Impacted employees are always made aware of the conduct of these investigations and procedural fairness is ensured
• Under no circumstance does SSC extend the use of digital forensic tools outside an administrative investigative mandate or beyond the processing of an ATIP request

If pressed on

If pressed on Administrative investigations

• All administrative investigations are conducted under the authority of SSC's Chief Security Officer (CSO), aligned with the department's standard operating procedures
• Examples of an allegation that would result in an administrative investigation include:
  • Suspected inappropriate website browsing
  • A malicious software installed on a device
  • A suspected false claim of overtime
• When needed in the course of an investigation, the CSO asks SSC's Forensics Team to collect and confirm evidence. This also ensures impartiality in data collection
• In those cases, digital forensic tools are used in a controlled environment to extract data. Electronic devices are brought to a physically segregated secret‑level lab where the tools are used for analysis. Devices are stored in a forensic vault, only accessible to a few employees of the Forensics Team
• Information in this lab is not accessible from the Internet and data extracted is not shared with the vendors of these tools under any circumstances
• Throughout the processes, the employee that is the subject of the investigation is informed of each step, and procedural fairness is top of mind

If pressed on the tools used

• The forensic tools used to support investigations include:
  • Magnet Axiom
  • EnCase
  • FTK Imager
  • Intella
  • Microsoft e-Discovery
• The tools used to support ATIP requests include:
  • Microsoft e-Discovery
  • Harvester Portable
  • Intella
• All of these tools are not deployed remotely or used on the network with the exception of Microsoft e-Discovery. This means that to extract data, the physical device is needed

If pressed on the capabilities of the tools

• Magnet Axiom (forensic investigations)
  • Performs forensics on computers, laptops, and cellular devices
  • Processes and extracts data such as email, chat, documents and Internet history
  • Processes and extracts deleted images
  • Processes and extracts Windows logs, application logs and security event logs
  • Filters and sorts data
  • Generates investigative reports
• EnCase (forensic investigations)
  • Performs forensics on laptops only
  • Same processes and data extractions as Magnet Axiom
  • Can be used to validate the results acquired from Magnet Axiom
• FTK Imager (forensic investigations)
  • Performs forensic acquisitions on tablets only
  • This is different from computers, laptops and phones, as tablet hard drives cannot be removed
  • The extracted data is imported to Magnet Axiom to perform forensics
• Intella (forensic investigations and ATIP requests)
  • Performs keyword searches on email and M365 cloud accounts (OneDrive, SharePoint, chats, meetings)
  • Filters and sorts data
  • Generates investigative reports
• Microsoft e-Discovery (forensic investigations and ATIP requests)
  • Extracts data stored in M365
  • Imports data to Intella to perform the keyword searches
• Harvester Portable (ATIP requests)
  • Performs keyword searches on data sets (e.g., in Oracle databases, Office documents)
  • Converts email from an EML to an MSG format, so ATIP can process them and provide the information to the requester

Issue

Media reported that the Government of Canada (GC) has been using tools capable of extracting data from government-issued devices (computers and mobile devices). Shared Services Canada (SSC) was named as purchasing and using the software on behalf of client departments across the GC. The software mentioned was Cellebrite and Magnet Axiom. SSC used Cellebrite tools until 2018 and is using Magnet Axiom. In addition to the software identified by the media, SSC also uses EnCase, FTK Imager, Microsoft e-Discovery, Harvester Portable and Intella.‌

Key messages

• The GC has been purchasing digital forensic tools for many years
• When SSC was created, the purchase of these tools was centralized at SSC to leverage the GC's buying power and to consolidate the number of smaller contracts that were prevalent across government
• As the IT service provider for the GC, SSC has put in place contracts to acquire these tools
• Aligned with its mandate as a common IT provider, SSC allows other departments and agencies to use SSC contracts to procure the tools in support of their operations
• The GC has also implemented a comprehensive supply chain integrity (SCI) process to ensure that only equipment, software, or services that have been subject to a security risk assessment are purchased
• The digital forensic tools undergo a rigorous process to ensure that they cannot be used to compromise the security of the GC's systems or information
• SCI verifications have been performed for each of the tools currently in use. These tools are deemed safe from cyber security threats

If pressed on

If pressed on the SCI review function

• The SCI function was implemented in 2012
• Prior to the creation of SSC, departments and agencies purchased digital forensic tools that were not subject to this review
• SSC relies on the Communications Security Establishment of Canada as the government centre of excellence for the SCI review function

Issue

This note provides information on the roles and responsibilities of involved parties in an administrative investigation.‌

Key messages

• Shared Services Canada (SSC), under the authority of SSC's Chief Security Officer, conducts administrative investigations when there is a credible allegation of employee wrongdoing
• When SSC conducts administrative investigations, the department is guided by both Treasury Board and SSC policies and guidance
• Key players involved in an administrative investigation include:
  • the Deputy Head
  • the Chief Security Officer (CSO)
  • the Deputy Chief Security Officer (DCSO)
  • Special Investigations Unit (SIU) investigators
  • Forensic and Administrative Investigations Team (FAIT) investigators
  • Labour Relations officials
  • the Centre for Labour and Employment Law, housed within the Treasury Board Secretariat
  • Access to Information and Privacy (ATIP) officials
  • affected employees

If pressed on specific roles

If pressed on The Deputy Head

• ensures security events are assessed, investigated, documented, acted on and reported to the appropriate authority and to affected stakeholders

If pressed on the CSO

• oversees administrative investigations and ensures they are conducted in a timely manner, in accordance with the principles of procedural fairness
• ensures any individuals, against whom allegations have been made, are advised that they will be the subject of an administrative investigation

If pressed on The DCSO

• actions the administrative investigation
• reviews the investigation report and findings and, if the allegations are founded, determines what administrative measures, if any, are warranted
• secures personnel, physical assets and information

If pressed on SIU investigators

• conduct thorough and impartial administrative investigations in a manner that protects evidence, respects the rights of individuals, does not hinder potential civil or criminal proceedings and is in accordance with the principles of procedural fairness
• inform all individuals involved in the investigation of their rights and obligations

If pressed on FAIT investigators

• retrieve data upon request from devices and provide it to the CSO

If pressed on Labour Relations (Director General, Human Resources and Workplace)

• advises the CSO (or delegated authority) on the scope of labour relations responsibilities
• provides advice on courses of action to ensure that labour relations obligations are considered
• provides recommendations on disciplinary actions to be taken, when applicable

If pressed on Centre for Labour and Employment Law

• provides legal advice during the administrative investigation on the legal implications, procedural fairness, protection of evidence and, in consultation with Labour Relations, appropriate measures to be applied when required
• provides advice on any security administrative action

If pressed on ATIP officials

• respond to privacy breaches and provide guidance and advice on the Access to Information Act and the Privacy Act
• collaborate during an investigation as it relates to ATIP legislative and policy requirements
• review the investigation report, when appropriate, and advise on the disclosure of information pertaining to the administrative investigation

If pressed on Affected employees

• during an administrative investigation, accurately and truthfully provide the information and documents for the investigation, in accordance with the required format and established timeframes

Issue

This note provides information on the standard operating procedures during an investigation by the Chief Security Officer (CSO) and Shared Services Canada's (SSC) Forensics and Administrative Investigation Team (Forensics Team).‌

Key messages

• When the departmental CSO receives an allegation of employee wrongdoing, the CSO may decide to launch an investigation if the allegation is credible
• These investigations are conducted under the authority of section 7 (Responsibilities and Powers) of the Financial Administration Act and in line with the Policy on Government Security
• The CSO follows a strict investigative mandate to ensure fairness, privacy and security
• A number of reporting phases occur during an investigation:
  1. The draft investigative report
  2. The individual's right to respond
  3. The conclusion of the investigation, including whether the allegations were founded or unfounded
• When needed in the course of an investigation, the CSO asks SSC's Forensics Team to collect and confirm evidence. This also ensures impartiality in data collection

If pressed on

If pressed on CSO procedures

• In an administrative investigation, the CSO approves a mandate detailing the allegations and the scope of the investigation
• The CSO notifies, in writing, the employee(s) under investigation. The notification letter is sent either by mail, email or delivered by hand
• The CSO first investigates the allegation by collecting evidence through their own security data systems
• In the course of the investigation, the CSO may determine that they require additional evidence to confirm all the facts. In that case, they request the services of the Forensics Team
• After interviews and a review of all relevant information, a draft investigation report is developed
• The draft report is shared with the person being investigated and on a need‑to‑know basis with CSO personnel conducting the investigation. It is also shared, if required, with Labour Relations personnel
• If the information must be disclosed to others in the department, it undergoes necessary review by the Access to Information and Privacy (ATIP) office
• Once the allegations have been fully investigated, the investigation is closed and records are retained for a period of 10 years, in accordance with relevant regulations, after which they are securely destroyed

If pressed on Reporting phases

Individual's right to respond

• The individual who is the subject of the investigation has the right to review the information
• They are given a minimum of 10 business days to provide comments in a written response
• They may invite their union representative or legal counsel

Unfounded allegations‌

• In the case of an unfounded allegation, the individual is informed in writing of the findings in a timely manner and may be provided with an ATIP-reviewed copy of the final investigation report

Founded allegations‌

• In cases where the allegations are founded, the senior authority leading the investigation will consult with management and Labour Relations to determine the most appropriate course of action

If pressed on Forensics procedures

• When further information is required from the Forensics Team, the CSO works with them to specify the request. The Forensics Team is not made aware of the allegations and the details of the investigation itself are not shared
• All communications between the CSO and the Forensic Team are through encrypted email and on a need‑to‑know basis
• The Forensics Team follows due diligence to ensure the protection of evidence and employee rights in retrieving the required data from devices and providing it to the CSO
• The Forensics Team performs its work in a physically segregated secret-level lab accessible only to them
• During the investigation, retrieved data and devices are stored in tamper-proof evidence bags in the forensics evidence vault
• The Forensics Team does not keep any devices or data; everything is provided to the CSO in an encrypted file and/or in an evidence bag

Issue

This note provides information on Government of Canada (GC) policies and regulations that guide Shared Services Canada (SSC) in conducting administrative investigations.‌

Key messages

• SSC, under the authority of its Chief Security Officer (CSO), is guided by GC policies and regulations when conducting an administrative investigation
• This direction comes from both the Treasury Board policies and SSC's own mandated guidelines

If pressed on

If pressed on Treasury Board policies

• The Policy on Government Security directs that SSC is responsible for the security of GC data and systems and for planning and operating efficient IT security infrastructure services
• The Directive on Security Management guides the role of the CSO in leading the department's security function
• The Treasury Board Secretariat (TBS) Handbook on Administrative Investigations for Security Functional Specialists details the Departmental Security Officer's (DSO) responsibilities under the Policy on Government Security
• Section 4.4.3 of the Policy on Service and Digital stipulates that the deputy head of SSC is responsible for the following:
  • Managing tools to support the monitoring of departmental electronic networks and devices
  • Providing reports as required about the use of Government of Canada electronic networks and devices to assist deputy heads in the identification and investigation of issues and in the implementation of corrective action in the event of unacceptable use
• Section 4.5 (Monitoring Networks and Reporting) of the Guideline on Acceptable Network and Devices Use provides guidance on network monitoring tools to identify and investigate suspected cases of unacceptable use:
  • Having the appropriate tools and processes in place to identify and investigate suspected cases of unacceptable use can support the accountability of deputy heads to address Policy non-compliance in an effective and organized manner
  • Data from network monitoring tools supply some of the evidence needed to recognize and confirm incidents of unacceptable use. The Policy requires that regular monthly, and as required, reports be provided based on this data to assist departments in the identification, investigation, and implementation of corrective action pertaining to unacceptable use. Where network services are supplied by Shared Services Canada, the responsibility for providing these reports lies with the deputy head of Shared Services Canada. For those departments not served by Shared Services Canada, the responsibility to meet this requirement resides with the individual department

If pressed on SSC's policies and guidelines

• The Policy on Departmental Security guides the role of the CSO to provide leadership, coordination and oversight for departmental security management activities
• SSC's Directive for Administrative Investigations defines the CSO's roles and responsibilities to respond to and conduct administrative investigations
• The Guideline for Administrative Investigations provides guidance when conducting administrative investigations
• SSC's Organizational Code provides guidance on ethical behaviour and decision-making

Issue

Concerns with the protection of privacy and personal information have been raised in connection with the use of digital forensics tools. Media reports suggest the Government of Canada (GC) has "ignored" the requirement to conduct privacy impact assessments (PIAs).‌

Key messages

• Shared Services Canada (SSC) takes the protection of employees and all Canadians' privacy very seriously
• SSC already has well-established standard operating procedures to protect privacy when using digital forensic tools
• There was no privacy breach in administrative investigations
• Notwithstanding this, SSC has started to work on a privacy impact assessment (PIA) on the activities related to SSC's use of tools to extract data from government-issued devices
• SSC's Access to Information and Privacy (ATIP) team and its Forensics Team are reviewing the process and procedures involved for the administrative investigations to determine if any improvements could be necessary to better safeguard personal information in the future
• SSC will assess the forensics operation as a whole, rather than just the tools which make up just one part of the overall PIA evaluation
• SSC will take the necessary steps to continue to protect the privacy of employees

If pressed on

If pressed on the use of tools to extract information in the context of ATIP

• Forensic tools are used for operational purposes to leverage automation. These tools are used to process ATIP requests faster and more efficiently
• For example, when receiving ATIP requests that require finding a massive amount of information or information in accounts of employees on long-term leave, the Forensics Team will use digital forensic tools to pull the information related to the request
• Records are only retrieved from SSC IT infrastructure
• The Forensics Team provides the information to the ATIP team based on very specific search terms and solely to respond to the ATIP request
• Once the information is retrieved, 2 reviews are completed:
  • 1 by the creator of the information to ensure the records pertain to the ATIP request
  • 1 by the ATIP team to ensure records released are in compliance with the Access to Information Act and the Privacy Act; for example, to protect personal information
• Once that work is completed, the information is released to the ATIP requester
• The benefits are two-fold: it allows the release of the information to the ATIP requester in a more accurate and timely manner, and it is a better use of resources within SSC

If pressed on the initiation of a PIA

• The Treasury Board Secretariat's (TBS) Directive on Privacy Impact Assessment provides direction on the use of PIAs for the GC
• A PIA is a policy process for identifying, assessing and mitigating privacy risks. All GC organizations are required to develop and maintain PIAs for all new or modified programs and activities that involve the use of personal information for an administrative purpose
• A PIA should be initiated in the following circumstances:
  • When personal information is used for a decision-making process that directly affects the individual
  • When substantial modifications to existing programs or activities are made involving personal information for an administrative purpose
  • When contracting out or transferring a program or activity to another level of government or the private sector results in substantial modifications to the program or activities

Issue

Based on the Treasury Board Secretariat (TBS) Directive on Payments, Shared Services Canada (SSC) is required to pay invoices within 30 days, otherwise interest is to be paid to the vendor. This issue was raised through Order Paper Question (OPQ) 2077 (December 7, 2023 – Mr. Scheer (Regina-Qu'Appelle)), which asked:

With regard to the late-payment charges incurred by the government related to any type of telecommunications or cable services (telephone, cellular, data, cable, etc.), since June 1, 2020, in total and broken down by year, including 2023 to date, and by department, agency, Crown corporation, or other government entity: what is the total amount of late-payment charges and interest charges incurred for services provided by (i) Rogers, (ii) Bell, (iii) Telus, (iv) other telecommunications providers, broken down by provider?

Key messages

• SSC is committed to paying invoices on time and efficient financial management practices have been put in place in order to minimize paying interest to vendors
• Since June 2020, SSC has paid invoices on time at an average rate of 97.8%
• Since June 2020, SSC has paid an amount of $49,433 in interest to various vendors (including telecommunication companies) on a total amount of invoices of $8.5 billion. This represents 0.0006% of the value of invoices.
  • In 2023-24, SSC paid $7,744 in interest
  • In 2022-23, SSC paid $18,212 in interest
  • In 2021-22, SSC paid $5,296 in interest
  • In 2020-21, SSC paid $18,181 in interest
• SSC is continuously improving its payment processes, including the consolidation of accounts, automation and the monthly monitoring of performance, with corrective measures undertaken to ensure interest paid is kept at a minimum
• SSC has an escalation process in place for all invoices over $100,000 to ensure these are paid on time. Targeted follow-ups are conducted and invoices nearing their due dates are escalated up to the comptroller
• Additionally, biweekly reports of all outstanding invoices are sent to the branches for their review and action. Monthly reports of interest paid are also created, and branches identified as being under 95% paid on time are contacted to discuss and implement corrective measures