“This is a remarkable discovery that, for the first time, publicly reveals that the RCMP uses spyware to infiltrate mobile devices, as well as the vast capabilities of their spyware,” he said.
The RCMP says the growing use of encrypted communications means police need new tools to keep up. But critics say the advent of the digital age means police have access to much more information than ever before. They say there needs to be a public discussion about limits on the use of malware and other intrusive tools.
The police service described the techniques used by its secret access and interception team in a document presented to the House of Commons last week. The RCMP provided the information in response to a question from a Conservative MP about government programs that collect data from Canadians.
The team, which exists to intercept communications that cannot be obtained using traditional wiretapping, uses “device investigation tools”. The RCMP defines them as computer programs “installed on a targeted computing device that enables the collection of electronic evidence” — spyware, in other words.
The RCMP can use spyware to collect a wide range of data, including text messages, emails, photos, videos, audio files, calendar entries and financial records. Police may also gather “audio recordings of private communications and other sounds within range of the targeted device” and “photographic images of people, places, and activities visible to the device’s built-in camera(s). targeted,” the document reads.
These tools are only used in serious criminal and national security investigations, depending on the force, and always require a judge’s authorization. The RCMP declined an interview request and did not respond to written questions prior to the publication of this article.
Parsons said experts have known or assumed for some time that police use these tools, but the RCMP has not confirmed this. “[This] is the clearest and simplest explanation of what they are capable of that I know of,” he said.
In the document, police say they must use spyware because traditional wiretapping is far less effective than it used to be.
“In less than a generation, many Canadians have migrated their day-to-day communications from a small number of large telecommunications service providers, all of which provided limited and centrally controlled services to customers, to countless organizations in Canada and elsewhere that offer a myriad of digital services to customers,” the document reads. “This decentralization, combined with the widespread use of end-to-end encrypted voice and text messaging services, makes it exponentially more difficult for the RCMP to conduct court-authorized electronic surveillance.
For example, the police can require mobile operators to forward a suspect’s text messages. But if the person uses an encrypted messaging service – Signal, for example – they may receive only gibberish, or nothing at all. The use of spyware allows police to intercept messages and other data before they are encrypted and sent, or after they have been received and decrypted, the agency explains.
This isn’t the first time the RCMP has had concerns about encryption. In 2016, the same year the CAIT program was launched, the police force donated CBC reporters and the Toronto Star an overview of 10 ongoing investigations he said were blocked by the use of encryption. The move came as the government presented four proposals to boost police capacity, including a law that would require suspects to unlock digital devices when requested by police with a warrant from a judge.
At the time, police said they wanted to launch a “public debate” about police powers and privacy. These four proposals did not pass, Parsons said. But none of them mentioned the use of malware to enable surveillance.
“We haven’t had a public debate about the adoption of these tools, when they are clearly used by at least the RCMP and potentially other police forces in Canada,” said Tamir Israel, attorney at law. University of Ottawa. Glushko Canadian Internet Policy and Public Interest Clinic. “It’s really, really concerning that this kind of intrusive tool is already in use, and we haven’t had that debate.”
Israel disputed the idea that the police are at a disadvantage because of the encryption. Thanks to our growing digital footprint, he said, law enforcement has seen a “massive increase” in their ability to monitor people. “That more than offset any potential decline in these new types of communication tools,” he said. “Overall they have a much stronger picture of what we do [and] who we do it with… than was the case historically.
Israel believes that Canada needs a legal framework that spells out what spyware can be used for law enforcement purposes and in what context.
Steven Penney, a law professor at the University of Alberta, said the use of this technology will eventually be challenged as defense attorneys will challenge these warrants. He suspects the courts will find that police can use these tools, but said parliament could choose to regulate their use. It’s a problem that’s “probably coming to the surface,” he said.
In the document, the RCMP says it did not consult with the federal privacy commissioner before launching the CAIT program in 2016. However, it says the police force began drafting an assessment of the factors in 2021 regarding CAIT’s activities, including the use of spyware, and plans to consult with the privacy watchdog as part of this process.
“RCMP CAIT tools and techniques are not used to conduct mass surveillance,” the document states. “The use of ODITs [spyware] is always targeted and time-limited.
A spokesperson for Privacy Commissioner Philippe Dufresne confirmed to POLITICO that his office had not been briefed on the CAIT program and said the office would follow up with the RCMP. Government institutions are required to notify the privacy commissioner of “initiatives that may impact the privacy of Canadians,” the spokesperson said in an email.
“The use of this type of technology raises important privacy considerations. We look forward to receiving a [privacy impact assessment] which describes when and how this technology will be used, and the measures the RCMP intends to take to ensure that its use remains compliant with Privacy Act.
Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance program, said she was also interested in knowing which companies provide these tools to Canadian police. “Many of these companies have a history of selling these intrusive and dangerous tools to authoritarian governments where they are ultimately used against human rights defenders, journalists and others,” she said in an email.
Last year, a collaborative inquiry called Project Pegasus revealed that spyware licensed by Israeli firm NSO Group to governments to track criminals was also being used to hack into smartphones belonging to journalists and human rights activists.
In February, the Washington Post reported that the FBI had tested the NSO Group’s spyware for possible use in criminal investigations, although the agency said it had not been used in any investigations.
Parsons said it’s concerning that government agencies benefit from vulnerabilities in software used by their own citizens, which they have an interest in not patching. “Rather than coming out and saying, ‘Hey, this is a problem, we should fix it,’ they’re saying, ‘Oh, this is great. We’re going to exploit it,'” he said.
“The RCMP could use this [vulnerability] for their activities, but so could a foreign government actor, as well as criminal actors or other parties with malicious intent.
“Amateur web enthusiast. Award-winning creator. Extreme music expert. Wannabe analyst. Organizer. Hipster-friendly tv scholar. Twitter guru.”