Members of the Royal Canadian Mounted Police (RCMP) have been using malware in their investigations since 2018 that can secretly turn phones and laptops into full-fledged spying devices, with the news, and some, but not all details about the program only just emerging now.
Traditionally unwilling to “share” what types of surveillance technology it uses unless it has to, mostly pressed during inquiries, this time once again the public is becoming aware of the facts a full four years after the software was first deployed.
The spyware has the capabilities that include remotely switching on camera and microphone in phones and laptops, and the RCMP has admitted, Politico reports, to using this in ten “most serious” cases from 2018 until 2020 – and those were both criminal, and national security-related – but has not disclosed the numbers for last year.
The federal Canadian police also claims that the spyware is not used for mass surveillance.
The process of getting to this point has been anything but transparent: first, the Covert Access and Intercept Team (CAIT), that carries out this program, was set up in 2016 circumventing the country’s federal privacy commissioner. Then, in 2018, CAIT started using the malware, and it took years to consider coming up with privacy impact assessment.
But according to Canada’s rules, what the RCMP should have done is draft these documents before launching the spying scheme in the first place, considering obvious implications regarding privacy violations.
The RCMP has not said who supplies the malware, but describes it as an “on-device investigative tool” installed on a suspect’s phone or computer in order to “collect electronic evidence.” This, they say, is necessary when regular wiretapping and information intercepting methods are not useful enough.
One of the reasons stated is that communications have mostly moved to electronic devices, which increasingly circumvent traffic conducted via cell towers, too.
And then there’s the issue of encrypted apps and devices that prevents third parties from accessing data exchanged between users – the technology that ensures a secure and private internet as a whole, but that has now become an enduring target of governments and law enforcement who use various explanations and excuses as they try to push for a dangerous practice that would put the internet at risk – the deployment of encryption backdoors.
But critics say that people are leaving enough data to be subjected to spying thanks to their huge “digital footprint,” and that it is not necessary to essentially “break the internet” to get more information – since more than ever before in history is already available to law enforcement.
In the meanwhile, the solution the RCMP has come up with, and which they say has been signed off by Canada’s courts, is to hack entire devices and gain access to all data on them before it gets encrypted. That’s a far cry from intercepting communications specifically of interest in an investigation. At the same time, one concern has to do with how well informed the judges who approve the use of the spyware are about its capabilities.
The “on-device tool” not only activates cameras and microphones – with the goal of recording audio and taking photos within the range of the hacked device – but also accesses and collects texts, video and audio files, emails, photos, calendar, and financial records.
The RMPC has withheld information about which vendor and which type of malware this is; observers speculate that it might be Israeli-made Pegasus that has been in the news a lot for all the wrong reasons.
But given the nature of their business, all of the third-party vendors that could be involved are murky operations that accountable law enforcement in democracies would be expected to steer clear of.
Reports refer to this partial disclosure now made by the RMPC as “remarkable.” What’s also remarkable is the lengths to which the force has gone in order to make sure the use of the spyware would remain under the radar.
Citizen Lab’s Christopher Parsons is quoted by Politico as saying that they have in fact done “everything possible to keep it incredibly quiet.” There has been no public debate, either.
“It’s really, really concerning that this type of intrusive tool is already in use, and we haven’t had that debate,” said Tamir Israel from the Samuelson-Glushko Canadian Internet Policy & Public Interest Clinic.