The RCMP has deployed spyware to access the encrypted communications of targets as far back as 2002, a senior Mountie said Monday afternoon.
Mark Flynn, the RCMP’s assistant commissioner responsible for National Security and Protective Policing, told MPs that between 2002 and 2015, the Mounties deployed “Canadian-made technology” in order to covertly access electronic information.
“As encryption started to be used by targets that we had judicial authorization to intercept, and we were unable to hear the audio, hear the phone calls or see the messages they were sending, that is when we developed the tool and technique to make it possible to intercept those communications,” Flynn said.
“We have evolved in the use of the tools as individuals evolved in the way they communicate.”
Law enforcement has long complained about encrypted communications that allow suspects to “go dark,” and have the federal government to address the issue. But Flynn’s testimony suggests that the national police force has used methods to circumvent encryption for two decades.
Flynn made the comments to the House of Commons Ethics Committee, which is scrutinizing the national police force’s use of controversial cellphone spyware tools going back to 2017. He added a warning for MPs sitting around the committee table.
“From my position in national security, (MPs) must be concerned, you should be aware that foreign states … that are not (Canada’s) partners would absolutely be utilizing these types of tools and techniques,” Flynn said.
In June, the RCMP revealed it had used “on-device investigation tools” or ODITs – spyware that allows cops to access text messages, a device’s microphone and camera, as well as other sensitive data – in 10 instances between 2017 and 2018.
But in documents filed with the committee Monday, RCMP Commissioner Brenda Lucki admitted the number was higher – 32 investigations since 2017 that have targeted 49 individual devices.
“ODITs are used in extremely limited cases – only used for serious criminal offences and only if approved by a judge who explicitly authorizes the use of ODITs on a specific suspect’s device,” Lucki wrote.
“Their use is always targeted, time-limited, and never to conduct unwarranted or mass surveillance.”
Lucki’s letter does not explain the discrepancy between the information provided to Parliament in June and the revised numbers shared with the committee, which is scrutinizing the Mounties’ use of “device investigation tools.”
ODITs give RCMP investigators the ability to obtain “covert and remote” access to target cellphones or other electronic devices. Once covertly installed, these tools allow the RCMP to collect data such as text messages, audio recordings, photos, calendars, financial records – and even sounds picked up by the device’s microphones or images observed by cellphone cameras.
On Monday, federal Privacy Commissioner Philippe Dufresne told the committee that the RCMP had not consulted his office about the use of the invasive technology – and that he only found out about it through media reports.
“Given this new technology, are the safeguards sufficient? Or do we have recommendations to make it safer from a privacy standpoint? These tools may well be needed, but do they have an impact from a privacy standpoint that is greater than what is warranted? … This is the central question,” Dufresne said.
Dufresne declined repeatedly to pronounce on that question until the RCMP briefs his office later this month.
But he said the Mounties had only conducted a “privacy impact assessment” – a routine report into new technology or investigative techniques’ potential to infringe Canadians’ privacy – in 2021, four years after the RCMP had been deploying the spyware.
Testifying before the committee Monday afternoon, Public Safety Minister Marco Mendicino said it was unfortunate that Parliament’s privacy watchdog had to find out about the program through the media.
But NDP MP Matthew Green suggested that was a pattern in the RCMP’s use of invasive technology – like cell-site simulators that capture mobile phone data, the use of facial recognition software like Clearview AI, and now invasive cellphone spyware.
“We always have to be prepared to up our game on transparency,” Mendicino said.
“There is the annual report on the use of electronic surveillance. I think we should look at that as one of a series of tools so that we can shine a light on how we use these investigative techniques to protect Canadians.”
The use of these kinds of surveillance tools has been heavily criticized by civil society groups, press freedom organizations and by politicians. The Citizen Lab at the University of Toronto has been particularly diligent in documenting the spyware’s use by authoritarian regimes and other bad actors in recent years to target journalists, activists and political figures.
Citizen Lab director Ron Deibert, a world-leading expert on surveillance technology, said Canada is sending a bad signal by allowing its national police force to quietly deploy invasive spyware.
“The Canadian government purports to protect human rights and stand for rule of law and democracy around the world. The non-public adoption of spyware (and other surveillance technology) runs directly contrary to those principles,” Deibert wrote in a submission to the committee reviewed by Global News.
“In adopting this technology, we are essentially telling authoritarian states – as well as our allies – that we do not care about these principles.”
Citizen Lab has been tracking the use of Pegasus, a type of cellphone spyware developed by Israel-based technology company NSO Group. Both RCMP and Mendicino have said they do not use the Pegasus product.
Asked if Canada would ban Pegasus spyware, Mendicino responded simply: “Yes.”
In comments to Global News, Deibert said there is “absolutely no reason” why the vendors the RCMP is purchasing spyware from should not be made public.
“While it is encouraging to hear Minister Mendicino disclose the Canadian government intends to ‘ban’ Pegasus, it’s important to remember that NSO Group is only one vendor in a wild west marketplace,” Deibert said.
“Our research at Citizen Lab has profiled numerous vendors that have contributed to insecurities and harms worldwide. Rather than a band-aid solution, Canada should be adopting a comprehensive approach to regulating the mercenary surveillance industry.”