OTTAWA, Ont. — In a “remarkable” disclosure, Canada’s national police force has described for the first time how it uses spyware to infiltrate mobile devices and collect data, including by remotely turning on the camera and microphone of a suspect’s phone or laptop.
The Royal Canadian Mounted Police says it only uses such tools in the most serious cases, when less intrusive techniques are unsuccessful. But until now, the force has not been open about its ability to employ malware to hack phones and other devices, despite using the tools for several years. Between 2018 and 2020, the RCMP said it deployed this technology in 10 investigations.
“This is a kind of capability that they have done everything possible to keep incredibly quiet,” said Christopher Parsons, senior research associate at the University of Toronto’s Citizen Lab.
“This is a remarkable finding and, for the first time, publicly reveals that the RCMP is using spyware to infiltrate mobile devices, as well as the broad capabilities of their spyware,” he said.
The RCMP says the increasing use of encrypted communication means police need new tools to keep up. But critics say the advent of the digital era means police have access to vastly more information than ever before. They say there needs to be a public discussion about what limits to place on the use of malware and other intrusive tools.
The police agency outlined the techniques used by its Covert Access and Intercept Team in a document introduced in the House of Commons last week. The RCMP provided the information in response to a question from a Conservative MP about what government programs gather data from Canadians.
The team, which exists to intercept communication that can’t be obtained using traditional wiretaps, uses “on-device investigative tools.” The RCMP defines those as computer programs “installed on a targeted computing device that enables the collection of electronic evidence” — spyware, in other words.
The RCMP can use spyware to collect a broad range of data, including text messages, email, photos, videos, audio files, calendar entries and financial records. The police can also gather “audio recordings of private communications and other sounds within range of the targeted device” and “photographic images of persons, places and activities viewable by the camera(s) built into the targeted device,” the document says.
These tools are only used during serious criminal and national security investigations, the force says, and always require authorization from a judge. The RCMP declined an interview request and did not provide answers to written questions before this article was published.
Parsons said experts have known or assumed for some time that police are using these tools, but the RCMP has not confirmed it. “[This] is the cleanest, most straightforward explanation of what they're capable of doing that I'm aware of,” he said.
In the document, the police force says it needs to use spyware because traditional wiretaps are much less effective than they once were.
“In less than a generation, a high number of Canadians migrated their daily communications from a small number of large telecommunication service providers, all of which provided limited and centrally controlled services to customers, to countless organizations in Canada and elsewhere that provide a myriad of digital services to customers,” the document reads. “That decentralization, combined with the widespread use of end-to-end encrypted voice and text-based messaging services, make it exponentially more difficult for the RCMP to conduct court-authorized electronic surveillance.”
For example, police can require cellphone providers to turn over a suspect’s text messages. But if the person is using an encrypted messenger service — Signal, for instance — they might receive only gibberish, or nothing at all. Using spyware enables police to intercept messages and other data before they’re encrypted and sent, or after they’re received and decrypted, the agency explains.
This isn’t the first time the RCMP has raised concerns about encryption. In 2016, the same year the CAIT program was launched, the police force gave reporters from the CBC and the Toronto Star an inside look at 10 active investigations it said were being stymied by the use of encryption. The move came as the government was pitching four proposals to enhance police capabilities, including a law that would compel suspects to unlock digital devices at the request of police with a judge’s warrant.
At the time, police said they wanted to start a “public debate” about police powers and privacy. Those four proposals have not been adopted, Parsons said. But none of them touched on the use of malware to enable surveillance.
“We haven't had a public debate over the adoption of these tools, while they're clearly being used by at least the RCMP and potentially other policing forces in Canada,” said Tamir Israel, staff lawyer at the University of Ottawa’s Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic. “It's really, really concerning that this type of intrusive tool is already in use, and we haven't had that debate.”
Israel disputed the idea that police are at a disadvantage due to encryption. Thanks to our growing digital footprints, he said, law enforcement has seen a “massive increase” in their ability to monitor people. “That's more than counterbalanced any potential drop-off there has been over these new types of communication tools,” he said. “Overall, they have a much more robust picture of what we're doing [and] who we're doing it with … than was the case historically.”
Israel believes Canada needs a legal framework that sets out which spyware tools can be used for policing and in what context.
Steven Penney, a law professor at the University of Alberta, said the use of this technology will eventually be litigated, as defense lawyers challenge these warrants. He suspects that courts will find police can employ these tools, but said Parliament may choose to regulate their use. It’s an issue that’s “probably bubbling to the surface,” he said.
In the document, the RCMP says it didn’t consult the federal privacy commissioner before launching the CAIT program in 2016. However, it says the police force began drafting a privacy impact assessment in 2021 regarding CAIT activities, including the use of spyware, and plans to consult the privacy watchdog as part of that process.
“RCMP’s CAIT tools and techniques are not used to conduct mass surveillance,” the document reads. “The use of ODITs [spyware] is always targeted and time-limited.”
A spokesperson for privacy commissioner Philippe Dufresne confirmed to POLITICO that his office has not been notified about the CAIT program, and said the office will be following up with the RCMP. Government institutions are required to notify the privacy commissioner of “initiatives that may have an impact on the privacy of Canadians,” the spokesperson said in an email.
“The use of this type of technology raises important privacy considerations. We look forward to receiving a [privacy impact assessment] that describes when and how this technology will be used, and the measures the RCMP plans to take to ensure its use remains in compliance with the Privacy Act.”
Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance program, said she also wants to know which companies are providing these tools to Canadian police. “Many such companies have histories of selling these intrusive and dangerous tools to authoritarian governments where they are ultimately used against human rights defenders, journalists, and others,” she said in an email.
Last year, a collaborative investigation called the Pegasus Project revealed that spyware licensed by Israeli firm NSO Group to governments for tracking criminals was also used to hack smartphones belonging to journalists and human rights activists.
In February, the Washington Post reported that the FBI had tested the NSO Group’s spyware for possible use in criminal investigations, though the agency said it had not been used in any investigation.
Parsons said it’s concerning that government agencies are benefiting from vulnerabilities in software used by their own citizens, which they have an incentive not to correct. “Rather than going out and saying, ‘Hey, this is a problem, we should fix it,’ they say, ‘Oh, this is great. We're going to exploit it,’” he said.
“The RCMP might be using this [vulnerability] for their activities, but so might be a foreign government actor, so might be criminal actors, or other parties who have malicious intent.”