Security experts have been suspicious of the Canadian Police’s surveillance techniques for years, but their questions have always been met with stony silence. During a parliamentary session in late June 2022, the Royal Canadian Mounted Police (RCMP) admitted to using spyware technology on citizens.
The Civil Liberties Association (CCLA) claims it found the revelation buried in a report presented to the House of Commons. A Conservative lawmaker asked how the federal government collects data on its citizens. In response, the RCMP submitted a report outlining its investigative techniques, which includes spyware used to infiltrate devices to collect information.
The report also showed the RCMP used the software to remotely turn on people’s cameras and microphones to record them in real-time. This gross violation of people’s privacy has sparked debate about the Canadian government’s ability to regulate software and protect its citizens’ digital privacy.
Cybersecurity experts have started calling on Canadian leaders to take a more rigid stance against invasive software and data collection.
Canadian Police Spied on People During ‘Special Operations’
In its report, the RCMP mentions a “Covert Access and Intercept Team”, or CAIT program, that it put together in 2016 to secretly infiltrate the mobile devices of Canadians. The report doesn’t provide a full outline of how, when, or why it has deployed this team to spy on citizens. It mentions the malware was used to infect people’s devices at least 10 times during investigations between 2018 and 2020.
This software gave the police access to emails, text messages, photos, videos, audio recordings, financial records, and calendar entries. The RCMP tried to justify these measures, which it calls “on-device investigative tools”, as necessary because people increasingly use encrypted communication like WhatsApp and Signal.
The RCMP says the special investigative team is used to gather information when traditional methods, like wiretaps, aren’t viable. The report states the software is “installed on a targeted computing device that enables the collection of electronic evidence.” It can also be used to get “audio recordings of private communications and other sounds within range of the targeted device.”
While that explanation is phrased to sound reassuring, the truth is this type of software is no different from malware/spyware employed by cybercriminals. It also doesn’t bode well that the police have tried to keep this information under wraps for years.
Secrets and Spyware: A Page out of the Authoritarian Playbook
Despite having access to more information about their citizens than ever before, governments around the world are getting more desperate. As is evidenced by how many government agencies — including the FBI — bought the incredibly dangerous Pegasus spyware from the NSO Group. Spyware that was used by authoritarian governments to snoop on journalists and activists.
The RCMP’s report doesn’t mention where it got the spyware tools it uses, which cybersecurity experts also find worrying. While the police tried to assure lawmakers that it only uses the spyware for serious criminal and national security concerns, it doesn’t have an official oversight body for these covert operations. The report also reveals the RCMP didn’t consult the federal privacy commissioner before using the software.
More worryingly, no one can verify whether the Canadian police’s unnamed spyware is secure and if whoever developed it can’t abuse the technology or the information it gathers. This technology can just as easily be exploited by third parties. Government agencies are benefiting from the vulnerability, so they have no incentive to correct it.
Israel also said Canada needs to adopt a legal framework that declares what software authorities can use and in what context they’re able to use it. Without this, Canadian police can continue using (possibly unsecure) software to spy on citizens with zero oversight, allowing plenty of space for abuse.
It wouldn’t be the first time employees in positions of power abused their access to citizens’ data. It’s not the Canadian police’s first run-in with privacy violation either, as Vancouver police admitted to using stingrays in covert operations.
Canadians Need to Take Data Privacy Seriously
While the Canadian police refrained from explaining how they infect citizens’ devices with spyware, we can make a few guesses. The most likely scenario is that the police spread the spyware through spear phishing. That’s similar to phishing, but targets specific people using a text message or email tailored to them. The police could also have spread it through infected apps on app stores.
These are also methods cybercriminals use to infect people’s devices to spy on them and steal their data. Canadian citizens are prime targets for this type of legal invasion as the country doesn’t have rigorous legislation to deal with these cases. Instead, Canadian lawmakers seem to be more concerned with regulating streaming services.
Citizens can help change the narrative by writing to their local representatives and making their voices heard in public debate. Canadians can also take their personal privacy seriously by applying basic cyber hygiene and by using tools that protect their digital privacy.
CyberGhost offers a secure 256-bit AES VPN that supports major devices, and comes with a security suite for Windows and a password manager. We also regularly post security tips and cyber news that can help you stay on top of your privacy needs.