RCMP says it has not used Pegasus spyware

·6 min read
Rick Bowmer/AP Photo

OTTAWA, Ont. — Canada’s national police force says it has used spyware to hack dozens of mobile devices in the past five years, and that it has used similar technology as far back as 2002.

However, the Royal Canadian Mounted Police says it has never used controversial Pegasus software to spy on Canadians.

The use of spyware “really is seen not as a first resort, not as a tool of convenience, but rather as a tool of investigative necessity," Public Safety Minister Marco Mendicino told a parliamentary ethics committee Monday. He said the widespread use of encrypted communication poses a challenge for law enforcement, and spyware is used to "frustrate the efforts of sophisticated criminal organizations."

The ethics committee kicked off a study Monday of the RCMP’s use of spyware, prompted by POLITICO’s revelation in June that the police force had admitted to using spyware for covert surveillance. The RCMP has the ability to intercept text messages, emails, photos, videos and financial records from cellphones and laptops, and to remotely turn on a device’s camera and microphone.

In a letter to the parliamentary ethics committee, Royal Canadian Mounted Police Commissioner Brenda Lucki said spyware has been used in 32 investigations since 2017. The police force has received warrants to hack 144 devices, Lucki wrote, but has actually targeted 49.

But during Monday's committee hearings, Mark Flynn, the RCMP's assistant commissioner for national security and protective policing, painted a picture of a technological arms race that has been underway for two decades.

“As encryption started to be used by targets that we had judicial authorization to intercept, and we were unable to hear the audio, hear the phone calls or see the messages that they were sending, that is when we developed the tool and technique to make it possible to intercept those communications," he said.

Flynn also offered a warning to members of Parliament, suggesting they are likely being targeted by foreign actors using spyware. "You should be aware that foreign states that are not partners would absolutely be utilizing these types of techniques," he said. "You must be concerned and must be aware that you are being targeted and I have very little doubt about that."

The RCMP is refusing to give the specific names of the spyware tools it uses, and several critics have raised concerns the police force could be using Pegasus software from controversial Israeli firm NSO Group.

Last year, an international investigation revealed that Pegasus spyware licensed to governments for tracking criminals was also used to hack smartphones belonging to journalists and human rights activists.

In her letter, Lucki confirmed the police force “has never procured or used Pegasus or any other NSO product.”

But she would give no further details, citing the “potential that criminal elements would use this sensitive information in order to render the tools ineffective.”

The RCMP is also refusing to provide a list of the warrants it has obtained to use spyware, but it did provide a breakdown of the types of cases that have involved spyware since 2017. Many are related to terrorism, murder and drug trafficking. Cyber crimes and breach of trust also appear on the list.

The list reveals that spyware has been used with increasing frequency during the past five years. In 2017, the software was deployed in just two investigations, whereas it’s been used in nine investigations so far this year.

Committee chair and Conservative MP Pat Kelly said the RCMP's "blanket refusal" to provide information the committee members had requested was "troubling."

A sample warrant provided by the RCMP gives some sense of the limitations a judge might place on the use of spyware. For example, it says no information will be collected from a bedroom or bathroom, nor any information that would compromise solicitor-client privilege.

However, a separate technical description provided to the committee hints at the extent of the information that can be collected using spyware. Because the software works by storing information on the targeted device and then transferring it to police servers, the RCMP can’t strictly limit the data it receives.

“As such live monitoring to minimize the interception of privileged or third party private communications is not possible,” the document reads.

RCMP officials appearing before the committee stressed the technology is used only rarely and in the most serious cases, and that the police force always obtains warrants prior to its use. Roughly one in 10 investigations where the use of spyware is considered might actually end up employing it, said Sgt. Dave Cobey with the RCMP's technical investigation services organization.

Testifying before the committee on Monday, Canada's privacy watchdog said the RCMP should be legally required to consult with his office about its use of potentially invasive technology, including spyware.

The police force has yet to provide the federal privacy commissioner’s office with an impact assessment regarding its use of spyware in surveillance, despite having used the technology for several years, privacy commissioner Philippe Dufresne told the committee.

Dufresne said he’s expecting a briefing from the RCMP at the end of August on its use of spyware to hack mobile devices.

But the yearslong delay puts his office in “reaction mode,” he said. He wants the Privacy Act to be updated to include a requirement that all government institutions prepare impact assessments before launching programs that could affect people’s privacy.

“Doing so would recognize privacy as a fundamental right, it would support the public interest and it would generate necessary trust in our institutions,” he said.

Dufresne told the committee his office was not aware of the RCMP’s spyware program until POLITICO reached out in June, and that he has still not received any more information from the police force.

“The impact of this type of information coming out in the public through media reports or questions can raise questions and can raise concerns,” he said, adding it would have been “far preferable” for the RCMP to submit a privacy impact assessment at the “front end,” before the program was launched.

Mendicino said it was "unfortunate" the privacy commissioner learned of the RCMP's use of spyware through the media, but wouldn't say whether he would support Dufresne's recommendation. He also wouldn't answer questions about whether other agencies, including Canada's spy agency (CSIS), also use spyware.

Mendicino did say, however, that he would support banning the use of Pegasus technology in Canada, as the United States has done.

In documents tabled in the House of Commons in June, the RCMP said it started to draft a privacy impact assessment in 2021, and would be consulting the privacy commissioner as part of that process. Dufresne said he doesn’t know whether the police force will have completed the assessment ahead of the briefing later this month.

The committee will submit a report to the House of Commons with recommendations by Sept. 19.