“This is a remarkable finding and publicly reveals for the first time that the RCMP uses spyware to infiltrate mobile devices, as well as the broad capabilities of their spyware,” he said.
The RCMP says the increasing use of encrypted communications means police need new tools to keep up. But critics say the arrival of the digital age means police have access to far more information than ever before. They say there should be a public discussion about the limits on the use of malware and other intrusive tools.
The police station outlined the techniques used by the secret access and interception team in a document presented in the House of Commons last week. The RCMP provided the information in response to a question from a Conservative MP about which government programs collect data from Canadians.
The team, which exists to intercept communications that cannot be obtained with traditional wiretaps, uses “on-device investigative tools.” The RCMP defines those as computer programs “installed on a targeted computing device that enables the collection of electronic evidence” – in other words, spyware.
The RCMP can use spyware to collect a wide variety of data, including text messages, email, photos, videos, audio files, calendar entries, and financial data. Police may also collect “audio recordings of private communications and other sounds within range of the target device” and “photographic images of people, places and activities that can be viewed by the camera(s) built into the target device”, the document said.
These tools are only used during serious criminal and national security investigations, police say, and always require a judge’s approval. The RCMP declined an interview request and did not answer written questions before this article was published.
Parsons said experts have known or believed for some time that police are using these tools, but the RCMP has not confirmed this. †[This] is the cleanest, most direct explanation of what they can do that I’m aware of,” he said.
In the document, the police say it must use spyware because traditional eavesdropping is much less effective than it used to be.
“In less than a generation, a large number of Canadians migrated their day-to-day communications from a small number of major telecommunications service providers, all of which provided limited and centrally controlled services to customers, to countless organizations in Canada and elsewhere that provide a large number of digital services to customers,” it said. the document. “That decentralization, combined with the widespread use of end-to-end encrypted voice and text-based messaging services, makes it exponentially more difficult for the RCMP to conduct court-authorized electronic surveillance.”
For example, the police can require mobile phone providers to forward a suspect’s text messages. But if the person uses an encrypted messenger service, e.g. Signal, he may only receive gibberish, or nothing at all. Using spyware, the police can intercept messages and other data before they are encrypted and sent, or after they are received and decrypted, the agency explains.
This isn’t the first time the RCMP has been concerned about encryption. In 2016, the same year the CAIT program was launched, the police gave: reporters from the CBC and the Toronto Star a look at 10 active studies it said they were thwarted by the use of encryption. The move came as the government put forward four proposals to improve police capabilities, including a law that would force suspects to unlock digital devices at the request of the police with a court order.
The police said at the time that they wanted to start a ‘public debate’ about police powers and privacy. Those four proposals were not passed, Parsons said. But none of them talked about using malware to enable surveillance.
“We have not had a public debate about the adoption of these tools, when they are clearly being used by at least the RCMP and possibly other law enforcement agencies in Canada,” said Tamir Israel, a staff attorney at the University of Ottawa’s Samuelson-Glushko Canadian Internet Policy & Communications Department. Public Interest Clinic. “It’s really, really worrying that this kind of intrusive tool is already in use, and we haven’t had that debate.”
Israel disputed the idea that the police are harmed by encryption. Thanks to our growing digital footprint, he said, law enforcement has seen a “massive increase” in their ability to control people. “That more than makes up for the potential outages from these new types of communication tools,” he said. “Overall, they have a much more robust view of what we do [and] who we’re doing it with… than has historically been the case.”
Israel believes that Canada needs a legal framework that defines which police surveillance spyware tools can be used and in what context.
Steven Penney, a law professor at the University of Alberta, said the use of this technology will eventually be challenged as lawyers challenge these warrants. He suspects courts will find out that the police can use these tools, but said Parliament could choose to regulate their use. It’s a problem that is “probably bubbling to the surface,” he said.
In the document, the RCMP says it did not consult the federal privacy commissioner before launching the CAIT program in 2016. However, it says that in 2021 the police will begin preparing a privacy impact assessment regarding CAIT activities, including the use of spyware, and plans to consult the privacy watchdog as part of that process.
“RCMP’s CAIT tools and techniques are not used to conduct mass surveillance,” the document reads. “Using ODITs [spyware] is always focused and limited in time.”
A spokesperson for Privacy Commissioner Philippe Dufresne confirmed to POLITICO that his office has not been notified of the CAIT program and said the office will follow up on the RCMP. Government agencies are required to notify the privacy commissioner of “initiatives that could impact the privacy of Canadians,” the spokesperson said in an email.
“The use of this type of technology raises important privacy concerns. We would like to receive a [privacy impact assessment] describing when and how this technology will be used, and the measures the RCMP plans to take to ensure that use remains in accordance with the privacy law.”
Brenda McPhail, director of the Canadian Civil Liberties Association’s privacy, technology and surveillance program, said she also wants to know which companies provide these tools to Canadian police. “Many such companies have a history of selling these intrusive and dangerous tools to authoritarian governments, where they are ultimately used against human rights defenders, journalists and others,” she said in an email.
Last year a joint investigation called the Pegasus project revealed that spyware licensed by Israeli company NSO Group to governments to track down criminals was also used to hack into smartphones of journalists and human rights activists.
In February, the Washington Post reported that the FBI had tested the NSO Group’s spyware for possible use in criminal investigations, although the agency said it had not been used in any of the investigations.
Parsons said it is worrying that government agencies are taking advantage of vulnerabilities in software used by their own citizens and have a reason not to fix them. “Instead of going out and saying, ‘Hey, this is a problem, we need to fix it,’ they say, ‘Oh, this is great. We’re going to take advantage of it,'” he said.
“The RCMP may be using this [vulnerability] for their activities, but that could also be an actor of the foreign government, as well as criminal actors or other parties with bad intentions.”