2 years ago
OTTAWA, Ont. — Canada’s national police force says it has used spyware to hack dozens of mobile devices in the past five years, but has confirmed it is not using controversial Pegasus software to spy on Canadians.
In a recent letter to the parliamentary ethics committee, Royal Canadian Mounted Police Commissioner Brenda Lucki said spyware has been used in 32 investigations since 2017. The police force has received warrants to hack 144 devices, Lucki wrote, but has targeted only 49.
The ethics committee kicked off a study of the RCMP’s use of spyware on Monday, prompted by POLITICO’s revelation in June that the RCMP had admitted to using spyware for covert surveillance. The police force has the ability to intercept text messages, emails, photos, videos and financial records, and to remotely turn on a device’s camera and microphone.
The RCMP is refusing to give the specific names of the spyware tools it uses, and several critics had raised concerns the police force could be using Pegasus software from controversial Israeli firm NSO Group.
Last year, a collaborative investigation revealed that Pegasus spyware licensed to governments for tracking criminals was also used to hack smartphones belonging to journalists and human rights activists.
In her letter, Lucki confirmed the police force “has never procured or used Pegasus or any other NSO product.”
But she would give no further details, citing the “potential that criminal elements would use this sensitive information in order to render the tools ineffective.”
The RCMP is also refusing to provide a list of the warrants it has obtained to use spyware, but it did provide a breakdown of the types of cases that have involved spyware since 2017. Many are related to terrorism, murder and trafficking. Cyber crimes and breach of trust also appear on the list.
The list reveals that spyware has been used with increasing frequency during the past five years. In 2017, the software was deployed in just two investigations, whereas it’s been used in nine investigations so far this year.
A sample warrant provided by the RCMP gives some sense of the limitations a judge might place on the use of spyware. For example, it says, no information will be collected at the office or residence of a lawyer, or in a bedroom or bathroom.
However, a separate technical description provided to the committee hints at the extent of the information that can be collected using spyware. Because the software works by storing information on the targeted device and then transferring it to police servers, the RCMP can’t strictly limit the data it receives.
“As such live monitoring to minimize the interception of privileged or third party private communications is not possible,” the document reads.
Testifying before the committee on Monday, Canada's privacy watchdog said the RCMP should be legally required to consult with his office about its use of potentially invasive technology, including spyware.
The police force has yet to provide the federal privacy commissioner’s office with an impact assessment regarding its use of spyware in surveillance, despite having used the technology for several years, privacy commissioner Philippe Dufresne told the committee.
Dufresne said he’s expecting a briefing from the RCMP at the end of August on its use of spyware to hack mobile devices.
But the yearslong delay puts his office in “reaction mode,” he said. He wants the Privacy Act to be updated to include a requirement that all government institutions prepare impact assessments before launching programs that could affect people’s privacy.
“Doing so would recognize privacy as a fundamental right, it would support the public interest and it would generate necessary trust in our institutions,” he said.
Dufresne told the committee his office was not aware of the RCMP’s spyware program until POLITICO reached out in June, and that he has still not received any more information from the police force.
“The impact of this type of information coming out in the public through media reports or questions can raise questions and can raise concerns,” he said, adding it would have been “far preferable” for the RCMP to submit a privacy impact assessment at the “front end,” before the program was launched.
The RCMP says it uses spyware only in the most serious investigations, such as those involving national security and organized crime, and that it always obtains warrants.
In documents tabled in the House of Commons in June, the RCMP said it started to draft a privacy impact assessment in 2021, and would be consulting the privacy commissioner as part of that process. Dufresne said he doesn’t know whether the police force will have completed the assessment ahead of the briefing later this month.
Public Safety Minister Marco Mendicino and RCMP officials will appear before the ethics committee later Monday afternoon.
The committee will submit a report to the House of Commons with recommendations by Sept. 19.
English (US)