from the oh,-Canada-smdh dept
The Royal Canadian Mounted Police (RCMP) — Canada’s federal Dudley Do-Whatevers — is again belatedly admitting it has access to powerful surveillance tech its supposed oversight seems unaware the RCMP possessed.
This is par for the RCMP course. The agency tends to admit it has surveillance tech only after extended deployment periods. And, like its American counterpart (the FBI), it would rather undercut its own directives (make arrests, engage in prosecutions) than allow criminal defendants to examine the (often cutting edge) evidence used against them. This includes allowing known organized crime figures to walk away from criminal charges — something that seems incredibly counterproductive. This practice of dropping criminal prosecutions extends to cases where it just seems a bit too inconvenient to obtain a warrant.
These disclosures by the RCMP — often in response to oversight inquiries — tend to come months or years after the fact. And that is the case here, as reported by Maura Forrest for Politico. Time passes, the RCMP deploys new surveillance tech, and very eventually the public learns about it.
In a “remarkable” disclosure, Canada’s national police force has described for the first time how it uses spyware to infiltrate mobile devices and collect data, including by remotely turning on the camera and microphone of a suspect’s phone or laptop.
The Royal Canadian Mounted Police says it only uses such tools in the most serious cases, when less intrusive techniques are unsuccessful. But until now, the force has not been open about its ability to employ malware to hack phones and other devices, despite using the tools for several years. Between 2018 and 2020, the RCMP said it deployed this technology in 10 investigations.
“For the first time…” something that follows four years of deployment, only three of which are detailed in this “disclosure.” Sure, the fact that it has been limited to only ten cases in the three years suggests cautious use of powerful phone spyware, but the fact that this has never been discussed in court makes it clear defendants aren’t being told how they’ve been tracked down or rung up. And it strongly suggests the RCMP is engaged in parallel construction to launder the source of its evidence to prevent open discussion in court and limit the number of cases it would rather toss than engage in honest representations of its evidence-gathering methods.
The disclosure is further limited by the RCMP’s refusal to discuss which vendors it’s buying exploits from. There are only a handful of companies selling exploits that can compromise nearly any phone and every single one of those is currently in deep shit. Some are just facing unending negative news cycles. Some are facing sanctions. A few are facing both.
No law enforcement agency would be in any hurry to publicly announce it’s gotten in bed with shady malware merchants. But the only thing that comes from unnecessary opacity is less trust from the public and increased suspicion the government is doing things with the public’s money that the public would not approve of.
What the RCMP is using sounds suspiciously like Israeli malware manufacturer NSO Group’s flagship product: Pegasus. In most cases, it’s a zero-click exploit that cracks phones completely open and allows lawn enforcement offices (or batshit ex-husbands) to be a silent partner in all communications, including phone calls.
The team, which exists to intercept communication that can’t be obtained using traditional wiretaps, uses “on-device investigative tools.” The RCMP defines those as computer programs “installed on a targeted computing device that enables the collection of electronic evidence” — spyware, in other words.
The RCMP can use spyware to collect a broad range of data, including text messages, email, photos, videos, audio files, calendar entries and financial records. The police can also gather “audio recordings of private communications and other sounds within range of the targeted device” and “photographic images of persons, places and activities viewable by the camera(s) built into the targeted device,” the document says.
The RCMP offers several reasons for using malware over normal intercept methods. First off, regular wiretaps are no longer as effective as they used to be. Communications are rarely handled through landlines or regular cell tower-supported calls. Interception alternatives are necessary.
The RCMP also blames device and messaging encryption, which makes interception impossible. That’s an extremely narrow and short-sighted view of the problem facing law enforcement, but it’s a common complaint from federal agencies. (Not so much from local law enforcement, which suggests the problem is being overstated at the federal level to push for encryption bans/backdoor legislation.)
The RCMP also stresses that this is completely lawful, and approved by Canadian judges. And, while it’s true judges may have signed off on wiretap applications, it’s highly unlikely they were informed of the malware’s capabilities, which go far beyond intercepting communications. The sort of “on-device investigative tools” the RCMP appears to be using are also capable of activating mics and cameras, as well as providing officers and investigators with access to the entire contents of the target device — something that goes far beyond simply intercepting relevant communications.
And the RCMP appears to know what’s its doing isn’t exactly whatever the Canadian slang equivalent of “kosher” is. It began deploying this malware from its Covert Access and Intercept Team (CAIT) in 2018. It did not consult the federal privacy commissioner before forming this team in 2016 and, three years after CAIT’s first malware deployment, it is only now getting around to drafting the mandated privacy impact assessment that’s supposed to be handed over prior to engaging in new privacy-threatening activities.
For now, all we have is a vague admission the RCMP is deploying powerful malware provided by third party vendors. And we have the implicit admission the RCMP cares more about advancing its aims in ten cases that following the law, informing its oversight of its activities, or being honest with judges about the capabilities of its interception exploits. Hopefully, more details will arrive sooner than later.