The Auditor-General of Canada has accused the federal telecommunications regulator of lax enforcement and of refusing to pass along data to police that it collects about suspected criminals.
In a 35-page report released Tuesday, Karen Hogan said a “risk averse” culture, combined with organizational infighting that caused “delays and missed opportunities,” means the Canadian Radio-Television and Telecommunications Commission has failed in its mission to address serious cyberthreats.
The watchdog’s allegations led Opposition MPs at the House of Commons public accounts committee to question the CRTC’s investigative mandates and to accuse it of breaking the law.
In her report, Ms. Hogan noted the CRTC failed to relay to police a 2021 tip it received involving an individual allegedly seeking to sell child pornography. The report also said that, during a different probe, started by the CRTC in 2019, the regulator falsely told Quebec detectives it had destroyed data on seized cellphones that police were also seeking to access for their own criminal probe.
But the larger critiques in the Auditor-General’s report are that “thousands of cybercrime reports were not acted on by the CRTC” and that “the CRTC does little to protect Canadians from online threats.”
Cybercrime is a growing threat to all Canadians that is now said to be costing victims hundreds of millions of dollars each year.
In response to the allegations, the CRTC issued a statement saying it is trying to improve its investigations but it has no lawful authority to partner with police.
“There are clear legal and privacy constraints to disclosing information from civil regulatory bodies to criminal law enforcement agencies,” CRTC spokesperson Leigh Cameron said.
While the report focused on the failings of several federal police and intelligence agencies, it noted that the CRTC also plays a key, if obscure, role in the cybercrime fight that stands apart from its duties as an airwaves regulator.
The CRTC’s electronic-commerce enforcement division was created a decade ago to fight spammers and hackers under federal anti-spam legislation. According to the Auditor-General’s report, the regulator’s Spam Reporting Centre received more than 335,000 tips from Canadians in 2022. But the CRTC’s enforcement unit instigates only a couple of follow-up investigations into cybercrime-linked incidents each year.
One of them was the 2019 investigation in which the CRTC and the Granby Police Service in Quebec were investigating the same suspects for different offences. The CRTC seized the suspects’ devices and then handed over some data from them after police obtained a production order from a judge.
But then the municipal police force told the air-waves regulator its investigators intended to get a search warrant to allow police to take custody of the devices themselves for police searches. Investigators with the CRTC told the police, falsely, that they had destroyed the data before they actually did so.
“In an expedited fashion they did accelerate cleaning the devices or deleting the contents of the devices and returning them,” Ms. Hogan said when she appeared before the Commons public accounts committee Tuesday.
The Auditor-General’s report says the CRTC did this with the consent of a suspect and wrongly relayed to police the data was destroyed before this actually had happened.
“What we observed was that this was false information. The cellphones had not yet been wiped,” she said at the committee.
Conservative MP Frank Caputo asked Ms. Hogan to supply the committee with the names of CRTC investigators involved in these decisions. And Bloc MP Nathalie Sinclair-Desgagné likened the scenario to obstruction of justice.
“Could you talk a bit about possible criminal conduct on behalf of the CRTC?,” Ms. Sinclair-Desgagné asked of Ms. Hogan.
Ms. Cameron said in her statement to The Globe that the regulatory body’s actions were rooted in law. The statement did not explain why it would expedite the deletion of data on seized devices that police wanted to obtain.
Ms. Cameron would only say that the regulator “will continue its work to improve its procedures and will implement the Auditor-General’s recommendations.”
The Auditor-General’s report also faults the CRTC for failing to pass along to police a 2021 a tip it got about a spam text message sent from someone who said they were seeking to sell illicit child-sexual imagery.
The regulator refused to relay this information to authorities. Officials with Ms. Hogan’s office called police themselves. That happened as the watchdog completed its review in April, three years after the message was sent.
Editor’s note: A previous version of this article incorrectly stated that the Auditor-General's report faulted the CRTC's investigative unit for failing to pass along a tip to police. The report attributed fault to the CRTC, not directly to its investigative unit. This version has been updated. (June 6) This article was further updated upon clarification from the OAG that the phrase "offer to purchase", as published in its report, was intended to refer to a tip about an individual offering to sell (rather than buy) child pornography.