Researchers say Ontario Provincial Police (OPP) may have secretly used controversial Israeli spyware technology, raising concerns about potential spying on citizens.
Citizen Lab, which investigates digital espionage against civil society, released a report Wednesday identifying “possible links” between the OPP and Paragon Solutions, a company that sells military-grade spyware called Graphite to government clients.
Graphite can be used to hack into phones, and was recently found to have been used against an Italian journalist and activists who supported migrants, after Meta-owned messaging app WhatsApp reported to nearly 100 users in January that their cellphones may have been compromised.
Human rights group Amnesty International called the discovery out of Italy “alarming” and said it underscored worsening digital surveillance across Europe.
Based on a tip from a collaborator, Citizen Lab mapped out servers connected to Paragon’s Graphite tool and found suspected deployments at five IP addresses in Ontario. One of those IP addresses was traced to OPP headquarters in Orillia, Ont.
OPP did not confirm or deny the use of Paragon spyware. Acting Staff Sgt. Jeffrey Del Guidice said in an email to CBC News that the “interception of private communications” requires judicial authorization and is only used in serious criminal investigations.
“The OPP uses investigative tools and techniques in full compliance with the laws of Canada, including the Charter of Rights and Freedoms,” Del Guidice said. “Releasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety.”
Paragon was founded in Israel in 2019 and is now U.S.-owned. Its founders include former Israeli Prime Minister Ehud Barak, as well as Ehud Schneorson, the former commander of Israel’s Unit 8200, a secretive cyber warfare unit that was tied to last year’s pager attacks in Lebanon that killed more than 30 people and wounded thousands.
The company’s minimal website says it provides clients with “cyber and forensic capabilities to locate and analyze digital data, cyber workforce training, and critical infrastructure analysis and threat mitigation.”
Law enforcement use of spyware growing, researchers say
Kate Robertson, a senior researcher at Citizen Lab, says the findings underscore the need for governments and privacy regulators to raise questions about the use of spyware against citizens, and for law enforcement agencies to be transparent about the tools they’re using.
“When governments themselves become buyers in this proliferating hack-for-hire industry, they’re actually investing in the insecurity and vulnerability of our everyday devices that we depend heavily on to be safe for all of our daily needs,” Robertson told CBC News.
“It’s really turning cybersecurity on its head, to have governments themselves help actors to harbour and exploit vulnerabilities, as opposed to patching them.”
Citizen Lab also reported in 2020 that the OPP developed a technology to scrape communications from private, password-protected online chatrooms without obtaining judicial authorization.
Deputy RCMP Commissioner Bryan Larkin defended the national police force’s use of spyware to conduct surveillance and collect data from digital services. ‘We recognize that there’s legislative gaps, we want to mitigate those risks’ Larkin said.
The group’s Wednesday report also detailed evidence of “a growing ecosystem of spyware capability” among both the RCMP and Ontario-based police services.
In 2022, the RCMP admitted it had used spyware that it called an “On-Device Investigative Tool” (ODIT) from an unnamed vendor to collect data and infiltrate mobile devices in more than 30 investigations dating back to 2017, without consulting the public or the Privacy Commissioner of Canada.
Citizen Lab researchers obtained public court records showing OPP had also used the RCMP’s ODITs in a 2019 investigation, and that the Toronto Police Service (TPS) independently obtained ODIT software from an unknown source.
They say they also learned of other cases that have been before Ontario courts, or are currently before them, involving other police services that possess ODITS or have sought authorization to deploy them, including York Regional Police Service, Hamilton Police Service and Peel Regional Police Service, in addition to OPP and TPS.
“The apparent expansion of spyware capabilities to potentially multiple police services across Ontario reflects a widening gap in public awareness surrounding the extent to which mercenary spyware is being deployed in Canada,” the report states.
CBC News reached out to both the Information and Privacy Commissioner of Ontario and the Office of the Privacy Commissioner of Canada, but did not hear back in time for publication.
