Canada police’s spyware admission raises alarm

An admission from Canada’s national police force that it routinely uses powerful spyware to surveil citizens has prompted concern from experts, who warn the country is “asleep at the wheel” when it comes to regulating and reining in use of the technology.

During a parliamentary session in late June, the Royal Canadian Mounted Police submitted a document outlining how a special investigative team covertly infiltrates the mobile devices of Canadians. The tools, which have been used on at least 10 investigations between 2018 and 2020, give the police access to text messages, email, photos, videos, audio files, calendar entries and financial records. The software can also remotely turn on the camera and microphone of a suspect’s phone or laptop.

The RCMP, which has long evaded questions over whether it uses spyware to track Canadians, provided the information about its “on-device investigative tools” in response to a question from a Conservative lawmaker about how the federal government collects data on its citizens.

Ron Deibert, a political science professor at the university of Toronto and head of Citizen Lab, said the spyware, which gives police an “extraordinary window into every aspect of someone’s personal life” is akin to “nuclear-level technology” – but has little government oversight.

“There’s a culture of secrecy that pervades the intelligence and law enforcement community in this country,” he said

Deibert, one the world’s leading experts on the surveillance techniques used by authoritarian regimes, said he and others have long suspected police and government agencies in Canada were using the technology. But absent from the disclosure was any indication of who the government is purchasing the software from.

“That’s my biggest unanswered question,” he said. “Because we know there are some companies that are horrible when it comes to due diligence and routinely sell to governments that use it for grotesque human rights violations.”

Last year, a collaborative investigation between the Guardian and other major international outlets, called the Pegasus Project, revealed that spyware licensed by the Israeli firm NSO Group had been used to hack smartphones belonging to journalists, lawyers and human rights activists.

In 2021 the commerce department in the United States announced it had placed mercenary spyware companies like NSO on the country’s Entity List, effectively blacklisting them for their “malicious cyber activities” amid growing concern from US officials that the software posed a grave risk to national security.

In contrast, Canadian authorities have shown little appetite to take similar action, said Deibert, who has briefed senior Canadian officials within successive governments.

“Developing export controls and putting more transparency and accountability around procurement practice is a no-brainer,” he said.

The RCMP says it only uses the tools when less intrusive means have failed. In the document, the police force claims it needs to use spyware because new technologies, like end-to-end encryption, make it “exponentially more difficult for the RCMP to conduct court-authorized electronic surveillance”.

But privacy advocates disagree.

“The creation of the metaphor of ‘police investigations going dark’ because of advances in technology is the public relations coup of the 21st century,” said Brenda McPhail, director of the privacy technology and surveillance program for the Canadian Civil Liberties Association. “The case has not been made to the public for the use of this powerful spyware, particularly given the profoundly dangerous uses of this technology around the world.”

McPhail points to previous instances in which the RCMP has been evasive and misleading about the technology it uses for surveillance, including a recent controversy over mobile device identifiers, known as IMSI catchers or stingrays. In September 2017, Canada’s privacy commissioner found the police agency had broken the law six times when it used the technology.

“The policy has been, we’re going to do what we can and in secret. If it comes out, then we’ll see what we can do to mitigate the harm,” said McPhail.

In the parliamentary document, the RCMP says it didn’t consult the federal privacy commissioner before using the technology – but said it nonetheless needs the approval of a judge when monitoring Canadians.

The latest revelations about police surveillance power once again highlight the need for a debate over the “crisis of accountability” in law enforcement, said McPhail.

“We need to be having a conversation about what kinds of surveillance technologies – invasive tools being used without any evidence of due process or due consideration of the rights and freedoms of people – are acceptable in a democracy and under what conditions. And we need to determine what sort of safeguards there need to be as well.”

Plans to modernize the Privacy Act in the coming months give lawmakers a window of opportunity to adopt the right legislative framework to ensure police have access to tools they need for investigative work, said McPhail, and not broad powers “shrouded by secrecy” and without public accountability.

“The devices we hold in our hands are generally designed to extract as much personal information from us as they possibly can,” said Deibert. But a documented history of police abusing surveillance tools in the country meant that the recent admissions of the use of mercenary spyware should be enough to trigger an investigation into whether there is proper oversight to prevent abuse, he added.

“Private companies and banks presumably know a lot about your preferences, but only the government can take away your freedom and put you in jail. Only the government can end your life in some jurisdictions,” he said. “That’s why there should be a higher threshold for public accountability and transparency when these tools are used by state agencies.”