RCMP Use of Malware for Investigations Surprises Privacy Commissioner. Strongly Worded Letter to Follow

Canada’s RCMP has yet another scandal on their hands. Their use of malware for investigations has been uncovered.

The Royal Canadian Mounted Police (RCMP) has taken quite a number of hits to their reputation in the last while. Whether it is the successive carding scandals where members of the black community were targeted, sexual harassment/assault from members within the ranks, the treatment of members of the First Nations community (and Métis for that matter), or accidentally releasing stock photos instead of photos of the actual suspects in an ongoing search, the force’s reputation has suffered as of late.

Of course, the successive scandals didn’t completely avoid our area of news coverage – technology and digital rights. Last year, we covered the story of the RCMP using the controversial technology offered by Clearview AI. The scandal actually initially broke into the news back in 2020 when reports surfaced that the RCMP was using the technology. By June of 2021, Canada’s privacy commissioner ruled that the RCMP violated Canadian privacy laws when they used the technology – a technology the RCMP swears up and down that they no longer use now.

Now, we are learning that Clearview AI isn’t the only technology that the RCMP dabbled in. It turns out the RCMP have also used spyware to break into people’s computers, turn on webcams, and surveil targets. The news apparently broke last month when Politico reported the disclosure:

OTTAWA, Ont. — In a “remarkable” disclosure, Canada’s national police force has described for the first time how it uses spyware to infiltrate mobile devices and collect data, including by remotely turning on the camera and microphone of a suspect’s phone or laptop.

The Royal Canadian Mounted Police says it only uses such tools in the most serious cases, when less intrusive techniques are unsuccessful. But until now, the force has not been open about its ability to employ malware to hack phones and other devices, despite using the tools for several years. Between 2018 and 2020, the RCMP said it deployed this technology in 10 investigations.

“This is a kind of capability that they have done everything possible to keep incredibly quiet,” said Christopher Parsons, senior research associate at the University of Toronto’s Citizen Lab.

“This is a remarkable finding and, for the first time, publicly reveals that the RCMP is using spyware to infiltrate mobile devices, as well as the broad capabilities of their spyware,” he said.

The RCMP says the increasing use of encrypted communication means police need new tools to keep up. But critics say the advent of the digital era means police have access to vastly more information than ever before. They say there needs to be a public discussion about what limits to place on the use of malware and other intrusive tools.

There are a number of troubling aspects to this story. For one, you kind of get the impression that the RCMP just arbitrarily decided to start using the technology without actually looking into its legality. Thanks to the Clearview AI scandal, this is the second time we have seen the RCMP take the “it’s better to ask forgiveness later than ask permission now” approach to investigative techniques. If anything, this is no longer a one-off instance, but a trend. For another, the RCMP actively chose to keep these techniques quiet. It’s like they knew that the public would not look favourably on this and knew that if they kept this under wraps for as long as possible, they would have seemingly free rein to use this.

Additionally, the RCMP used the excuse that it’s all thanks to encryption that they need to use malware. Quite frankly, this is a bad excuse. You can’t just make the observation of “gee the public uses encryption” and immediately leap to “we need to use malware to counteract this”. There are plenty of options on the table including the standard investigative techniques that police have been using since before technology was such a huge thing. It is by no means a straight line.

What’s more is that there are a number of questions that this raises. First of all, what legal guidelines are there that say that such an investigative technique is necessary? There has to be a good list of options available in an investigation that should be exhausted before being this intrusive. As far as we know, there is not. What laws specifically cover this? Have we, as a country, had a debate over what is acceptable when it comes to malware or not? To my knowledge, that hasn’t happened.

Another serious question this raises is whether this malware was produced in-house or whether its production was paid for with Canadian taxpayer dollars. If it was in-house, then what are the safeguards to ensure that such content isn’t misused? What’s stopping a member of the RCMP from leaking it to an unauthorized third party or using it for purposes that go beyond police work?

If this malware was bought from a private vendor, then this raises a host of problems. First of all, you get into the territory of funding private entities to create and deploy malware. This is something that should be actively discouraged everywhere in the world. This is for the simple reason that it’s like funding the creation of nuclear weapons – no one wins when they are deployed. You might approach that private vendor and have the best intentions in the world. Precious little is stopping that vendor from selling that malware to a less well-intentioned individual.

While this sounds like a mere hypothetical, this actually happened. Back in 2021, NSO Group created malware to spy on targets using various commercial grade products. In turn, the malware was alleged to have been used against democracy activists in third world countries as well as politicians in first world countries. A lot of these allegations ultimately proved to be the downfall of the company, but largely thanks to those revelations coming to light.

Simply put, the last thing the world needs is malware vendors getting public funding from different countries to help make the world less safe. I’m perfectly fine with white hat hacking and penetration testing simply because the sole purpose is to make a target system more secure. That can be done without malware (e.g. getting employees to stop clicking on phishing links in e-mails). We well and truly need to make the world of technology more safe, not less. Funding private operations to create malware only contributes to the latter.

Since the revelations were made public, it seems that a special committee was struck to look into this particular investigative technique. From CTV:

OTTAWA – Expressing concerns over the RCMP’s yearslong use of spyware in major investigations, privacy and civil liberties experts say the previously undisclosed tools are “extremely intrusive” and they are calling for stronger oversight and regulation of spyware Canada-wide.

The experts also criticized the RCMP’s belated disclosure of its use of these tools, with the Canadian Civil Liberties Association (CCLA) saying it is part of “a pattern pointing to a crisis of accountability.”

Canada’s former privacy commissioner Daniel Therrien said that while he believes the RCMP when they say its use of spyware is lawful and warranted, there is “no doubt” the covert collection by police of personal and other information from Canadians’ devices “is an extremely intrusive practice.”

Given this, Therrien said there “needs to be an extremely compelling public interest to justify the state being able to have that kind of information and use these tools.”

The committee struck up the special summer study to further explore the RCMP’s use of these tools, after documents tabled in the House of Commons in June shed new light on the police force’s covert installation of spyware capable of remotely accessing cell phone and computer microphones, cameras, as well as other information on suspects’ devices.

“The revelations about ODITs are just the latest in a series of similar media-led reveals regarding invasive techniques… This isn’t a one off problem,” the CCLA’s director of privacy technology and surveillance program Brenda McPhail told MPs.

“Operational secrecy is a legitimate need in specific investigations. Secrecy around policies that apply to categories of dangerous surveillance technologies is not legitimate in a democracy. We must not allow law enforcement bodies to conflate one with the other to avoid accountability,” McPhail said.

The Office of the Privacy Commissioner did make an appearance before this committee. There are a lot of reasons to have respect for that particular office. At the same time, there are also a lot of reasons to not have any respect for the tools afforded to that office to properly do their job. At the end of the day, the worst that is going to come from that angle of the government is a strongly worded letter.

After dragging its feet for months, the Canadian government did table privacy reform as Bill C-27 right before the summer break. Still, despite the tabling, it was met with a lukewarm reception simply because it only tweaked the language and didn’t really address many of the problems that critics raised during the last government (when it was known as Bill C-11). Even then, the government showed little interest in advancing the legislation and there are very few signs that this will change during this round as well.

So, there doesn’t appear to be much hope that the law will change to finally give the commissioner proper tools to hold public and private organizations accountable for their actions as it pertains to violations of privacy. So, the same old story is, at best, destined to repeat – the commissioner writes a strongly worded letter and we dust our hands of the problem after. That’s how much of a joke Canada’s privacy laws are. No fines, no possibility of jail time, and no other real repercussions as a result. Anything substantial coming from it would have to come from the public in the form of a lawsuit – assuming that lawsuit can prove that damages occurred.

Amidst the questions regarding this, it seems that the police have been quick to not only say that the use has been extremely limited, but that they also never used the NSO Group malware. From the CBC:

The RCMP says it is not using the controversial Pegasus spyware to circumvent encryption and monitor cellphone activity, but it has been using similar surveillance technology for 10 years.

The Mounties’ use of what they call on-device investigation tools is the subject of an investigation by the House of Commons ethics and privacy committee this week.

These tools enable police to access a phone or computer without a person knowing, allowing them to do everything from intercepting messages and phone calls to turning on the camera and microphone.

“These are used in extremely rare and limited cases,” said Bryan Larkin, the RCMP’s deputy commissioner of specialized policing services.

This is a weird line to take. It’s a bit like saying that you didn’t brandish a Glock handgun, but a lesser known kind of handgun to intimidate someone. There, that makes it all better! What difference does it make? It was still a weapon and the use was specific. Saying that you didn’t use Pegasus malware really doesn’t change the situation. At the end of the day, intrusive malware was used.

Some apologists in all of this are going to say that malware is just another tool in the toolkit. The problem with this line of thinking is that it assumes that it is no more intrusive than any of the other investigative techniques out there. For instance, a wiretap on a phone means that you get to listen in on a conversation between two people for a single call. Malware on a device does far more than that. It not only monitors a particular communication, but also tracks what food you want to eat, what “adult entertainment” sources you go to, what government resources you access, what you watched on TV, your heart rate, what medications you use, and just about everything else in your life. The difference between a phone wiretap and malware is night and day.

This is one of the big reasons why there needs to be oversight over this. Warrants do help because they help ensure that there are boundaries to what the police can take – as opposed to just randomly targeting people and peering into their daily lives in an unprecedented way. What’s more is there need to be guidelines that specifically spell out when such a use of this malware is appropriate and when it is not.

The fact that this is happening without a good public debate about this is awful. At least in France, when they had the LOPPSI 2 debate back in 2009, they took that step. This situation shows that, here in Canada, the RCMP didn’t wait for that public debate with possible legislation, they just up and did it, hoping no one would notice. Little wonder why this debate got off to an extremely bad start. In the minds of some observers, you now have the prospect of one party acting in bad faith as a result.

This is a scandal that should be troubling to the public. Hopefully, one of two outcomes from these revelations occurs. One is that this initiates a larger public discussion about the police use of malware – possibly in the form of legislation to hammer out boundaries. The second is that the RCMP drops the use of malware in their investigations entirely, which would effectively render the whole debate moot. It’s hard to say if either outcome is going to happen at this stage given that things are seemingly in their infancy. Still, there are gears moving in this, so we’ll have to see where this debate goes from here.

Drew Wilson on Twitter: @icecube85 and Facebook.
