Citizen Lab researcher says government use of spyware is 'turning cybersecurity on its head'
Researchers say Ontario Provincial Police (OPP) may have secretly used controversial Israeli spyware technology, raising concerns about potential spying on citizens.
Citizen Lab, which investigates digital espionage against civil society, released a report Wednesday identifying "possible links" between the OPP and Paragon Solutions, a company that sells military-grade spyware called Graphite to government clients.
Graphite can be used to hack into phones, and was recently found to have been used against an Italian journalist and activists who supported migrants, after Meta-owned messaging app WhatsApp reported to nearly 100 users in January that their cellphones may have been compromised.
Human rights group Amnesty International called the discovery out of Italy "alarming" and said it underscored worsening digital surveillance across Europe.
Based on a tip from a collaborator, Citizen Lab mapped out servers connected to Paragon's Graphite tool and found suspected deployments at five IP addresses in Ontario. One of those IP addresses was traced to OPP headquarters in Orillia, Ont.
OPP did not confirm or deny the use of Paragon spyware. Acting Staff Sgt. Jeffrey Del Guidice said in an email to CBC News that the "interception of private communications" requires judicial authorization and is only used in serious criminal investigations.
"The OPP uses investigative tools and techniques in full compliance with the laws of Canada, including the Charter of Rights and Freedoms," Del Guidice said. "Releasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety."
Paragon was founded in Israel in 2019 and is now U.S.-owned. Its founders include former Israeli Prime Minister Ehud Barak, as well as Ehud Schneorson, the former commander of Israel's Unit 8200, a secretive cyber warfare unit that was tied to last year's pager attacks in Lebanon that killed more than 30 people and wounded thousands.
The company's minimal website says it provides clients with "cyber and forensic capabilities to locate and analyze digital data, cyber workforce training, and critical infrastructure analysis and threat mitigation."
Law enforcement use of spyware growing, researchers say
Kate Robertson, a senior researcher at Citizen Lab, says the findings underscore the need for governments and privacy regulators to raise questions about the use of spyware against citizens, and for law enforcement agencies to be transparent about the tools they're using.
"When governments themselves become buyers in this proliferating hack-for-hire industry, they're actually investing in the insecurity and vulnerability of our everyday devices that we depend heavily on to be safe for all of our daily needs," Robertson told CBC News.
"It's really turning cybersecurity on its head, to have governments themselves help actors to harbour and exploit vulnerabilities, as opposed to patching them."
Citizen Lab also reported in 2020 that the OPP developed a technology to scrape communications from private, password-protected online chatrooms without obtaining judicial authorization.
The group's Wednesday report also detailed evidence of "a growing ecosystem of spyware capability" among both the RCMP and Ontario-based police services.
In 2022, the RCMP admitted it had used spyware that it called an "On-Device Investigative Tool" (ODIT) from an unnamed vendor to collect data and infiltrate mobile devices in more than 30 investigations dating back to 2017, without consulting the public or the Privacy Commissioner of Canada.
Citizen Lab researchers obtained public court records showing OPP had also used the RCMP's ODITs in a 2019 investigation, and that the Toronto Police Service (TPS) independently obtained ODIT software from an unknown source.
They say they also learned of other cases that have been before Ontario courts, or are currently before them, involving other police services that possess ODITS or have sought authorization to deploy them, including York Regional Police Service, Hamilton Police Service and Peel Regional Police Service, in addition to OPP and TPS.
"The apparent expansion of spyware capabilities to potentially multiple police services across Ontario reflects a widening gap in public awareness surrounding the extent to which mercenary spyware is being deployed in Canada," the report states.
Ontario's information and privacy commissioner told CBC News that Citizen Lab's report "raises significant concerns" about police use of spyware.
"Our office has not been consulted on the use of ODITs, but we are concerned about the potential privacy implications that these tools could have for all Ontarians," a spokesperson said in a statement.
The spokesperson said police can use ODITs to access sensitive information on encrypted devices and cloud services, as well as to "secretly activate the microphone, camera, geolocation and other device functions."
"We have made it clear in the past that our office should be consulted before new policing technologies with significant privacy implications are procured, adopted or used," the statement said.
A spokesperson for the Office of the Privacy Commissioner of Canada said while the office does not oversee Ontario police, it is aware of the report and currently reviewing it.
https://www.cbc.ca/news/canada/opp-para ... -1.7488027
Ontario police may have secretly used controversial Israeli spyware, report finds
-
Michael Jack
- Site Admin
- Posts: 2823
- Joined: Sun Mar 25, 2012 5:18 pm
- Contact:
Ontario police may have secretly used controversial Israeli spyware, report finds
Michael Jack, Administrator
-
Michael Jack
- Site Admin
- Posts: 2823
- Joined: Sun Mar 25, 2012 5:18 pm
- Contact:
Ontario Provincial Police Linked to Israeli Spyware Firm Paragon Solutions: Report Raises Privacy Concerns
NEED TO KNOW – A new Citizen Lab report links the Ontario Provincial Police (OPP) to Israeli spyware firm Paragon Solutions, raising concerns about Canada’s expanding use of surveillance technology and lack of privacy laws to regulate cyberweapons
Toronto, ON – March 19, 2025 – Researchers at the University of Toronto have uncovered “possible links” between the Ontario Provincial Police (OPP) and Paragon Solutions, an Israel-based military-grade spyware maker, raising concerns over the extent of Canadian authorities’ use of cyberweapons.
The findings were published by Citizen Lab at the University of Toronto, which tracks and identifies digital threats against civil society.
The report comes three years after a parliamentary committee urged Ottawa to update Canada’s privacy laws following revelations that the Royal Canadian Mounted Police (RCMP) had used spyware to hack mobile phones.
However, no laws were ever passed to regulate the use of such technology by law enforcement in Canada.
Possible Link Between OPP and Paragon Solutions
Citizen Lab’s March 2025 report identified a “possible technical link” between Paragon Solutions and entities based in Ontario, including one associated with an OPP address.
Paragon Solutions is known for Graphite, a spyware tool sold exclusively to government clients.
The report also exposed a growing use of spyware among Ontario-based police services, citing public court records that show the OPP used a similar surveillance tool in a 2019 criminal investigation.
It further revealed that Toronto Police and York Regional Police had considered deploying spyware tools in a 2023 joint investigation.
OPP Responds, Does Not Deny Use of Spyware
Following the report’s publication, the OPP did not deny using spyware but maintained that all surveillance activities comply with Canadian law.
“In Canada, the interception of private communications requires judicial authorization in accordance with the Criminal Code and is only used to advance serious criminal investigations,” the OPP stated.
“The OPP uses investigative tools and techniques in full compliance with the laws of Canada, including the Charter of Rights and Freedoms. Releasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety.”
Despite these assurances, privacy advocates remain concerned about the lack of transparency and oversight regarding the use of spyware by Canadian law enforcement.
Paragon Solutions Under Scrutiny for Human Rights Violations
Paragon Solutions, now U.S.-owned, does not disclose its clients and declined to comment on the report.
While the company claims its spyware is designed to combat serious crime and terrorism, its technology has been linked to human rights abuses. Recently, Paragon’s spyware was found to have been used against an Italian journalist and migrant rights activists, despite the company’s stated “zero-tolerance” policy for misuse. Following the revelations, Paragon suspended its contract with the Italian government.
Canada’s Growing Use of Spyware and Lack of Oversight
Canada’s use of spyware and hacking tools has been controversial since 2022, when the RCMP admitted—in what was called a “remarkable” disclosure—that it had used spyware to infiltrate mobile devices. The RCMP claimed at the time that the technology was only deployed in serious cases when other surveillance methods failed.
The Citizen Lab’s latest findings suggest that spyware use is expanding across Canadian law enforcement agencies, with little public awareness or oversight.
“What these findings show is that there is a widening gap in public awareness regarding the extent to which spyware technology is being used in Canada,” said Kate Robertson, a senior researcher at Citizen Lab.
“These findings raise important questions for the government and privacy regulators about what technologies are being used, and underscore again the need for law reform to address security and human rights risks.”
Despite growing concerns, Canada has yet to pass any new privacy laws to regulate law enforcement’s use of spyware and cyberweapons.
Privacy protection laws vary widely across the globe, with some countries implementing strict regulations to safeguard personal data, while others have more relaxed frameworks that give law enforcement and corporations greater access to digital communications.
Here is a breakdown of key privacy protection laws in different regions and an analysis of what works best.
Overview of Global Privacy Protection Laws
1. European Union – General Data Protection Regulation (GDPR)
✔ Strengths:
Comprehensive: Covers all organizations handling EU citizens’ data, even if they are based outside the EU.
Strict Consent Rules: Requires explicit user consent before collecting personal data.
Right to Be Forgotten: Individuals can request that their personal data be deleted.
Severe Penalties: Fines up to €20 million or 4% of global annual revenue for violations.
✘ Weaknesses:
Complex Compliance: Many businesses struggle to understand and comply fully.
Legal Loopholes: Some companies use “legitimate interest” as a way to continue tracking users without full consent.
Effectiveness:
GDPR is widely regarded as one of the most effective privacy laws globally, setting the standard for data protection and consumer rights.
2. United States – Sectoral Approach (CCPA, FISA, Patriot Act)
✔ Strengths:
California Consumer Privacy Act (CCPA): Gives residents rights similar to GDPR, including data access and deletion.
Federal Trade Commission (FTC): Enforces penalties against companies that misuse consumer data.
FISA & Surveillance Laws: Regulate government spying on U.S. citizens and foreigners.
✘ Weaknesses:
No National Standard: The U.S. lacks a federal privacy law, leading to inconsistent protections across states.
Mass Surveillance Concerns: The Patriot Act and FISA allow broad government access to personal communications.
Big Tech Influence: Companies like Google and Meta lobby against stricter privacy regulations.
Effectiveness:
The CCPA is a strong step toward privacy, but without a federal GDPR-like law, U.S. data protections remain patchy and inconsistent.
3. Canada – Personal Information Protection and Electronic Documents Act (PIPEDA)
✔ Strengths:
Applies to all private-sector organizations handling personal data.
Requires informed consent for data collection.
Office of the Privacy Commissioner (OPC) investigates complaints.
✘ Weaknesses:
Limited Enforcement Powers: The OPC cannot issue fines, reducing the law’s effectiveness.
Surveillance Gaps: Intelligence agencies have broad powers to collect digital communications.
Effectiveness:
PIPEDA is a good foundation, but it lacks strong enforcement mechanisms. Proposed updates under Bill C-27 aim to strengthen penalties and consumer rights.
4. Australia – Privacy Act 1988 & Surveillance Laws
✔ Strengths:
Regulates personal data collection, storage, and use.
Data Breach Notification: Organizations must report breaches affecting consumers.
Consumer Rights: Allows individuals to access and correct personal data.
✘ Weaknesses:
No Clear Opt-Out: Companies can still collect and share data unless users actively refuse.
Government Surveillance Laws: Authorities can force companies to decrypt encrypted data, undermining privacy protections.
Effectiveness:
The Privacy Act provides some protection, but government surveillance laws weaken personal privacy rights.
5. China – Personal Information Protection Law (PIPL)
✔ Strengths:
Modeled after GDPR: Requires companies to obtain consent before collecting data.
Tough on Foreign Companies: Requires data localization (keeping Chinese users’ data inside China).
✘ Weaknesses:
Government Access to Data: The Chinese government has broad authority to collect and monitor personal information.
Limited Individual Rights: Citizens have fewer ways to challenge state surveillance.
Effectiveness:
While PIPL holds businesses accountable, it does not protect individuals from government surveillance, making it a one-sided privacy law.
What Works Best?
Best Overall Model: GDPR (European Union)
Strong consumer rights
Tough penalties for violations
Applies globally to companies handling EU citizens’ data
Best for Corporate Accountability: PIPL (China)
Strict rules on data collection and localization
Prevents companies from exploiting consumer data
Best for Balancing Privacy & Law Enforcement: CCPA (California, USA)
Allows individuals to control their data
Requires businesses to disclose what data they collect
Provides exemptions for public safety investigations
Conclusion: The Future of Privacy Laws
As spyware and digital surveillance expand, governments must strengthen privacy laws to protect individuals while balancing law enforcement needs.
Countries like Canada and the U.S. need stronger enforcement mechanisms.
Governments worldwide must address corporate data collection and government overreach.
Public awareness and advocacy will be key in pushing for better protections.
Privacy is a fundamental right, and the best laws strike a balance between security, transparency, and consumer protection.
https://www.netnewsledger.com/2025/03/2 ... -concerns/
Toronto, ON – March 19, 2025 – Researchers at the University of Toronto have uncovered “possible links” between the Ontario Provincial Police (OPP) and Paragon Solutions, an Israel-based military-grade spyware maker, raising concerns over the extent of Canadian authorities’ use of cyberweapons.
The findings were published by Citizen Lab at the University of Toronto, which tracks and identifies digital threats against civil society.
The report comes three years after a parliamentary committee urged Ottawa to update Canada’s privacy laws following revelations that the Royal Canadian Mounted Police (RCMP) had used spyware to hack mobile phones.
However, no laws were ever passed to regulate the use of such technology by law enforcement in Canada.
Possible Link Between OPP and Paragon Solutions
Citizen Lab’s March 2025 report identified a “possible technical link” between Paragon Solutions and entities based in Ontario, including one associated with an OPP address.
Paragon Solutions is known for Graphite, a spyware tool sold exclusively to government clients.
The report also exposed a growing use of spyware among Ontario-based police services, citing public court records that show the OPP used a similar surveillance tool in a 2019 criminal investigation.
It further revealed that Toronto Police and York Regional Police had considered deploying spyware tools in a 2023 joint investigation.
OPP Responds, Does Not Deny Use of Spyware
Following the report’s publication, the OPP did not deny using spyware but maintained that all surveillance activities comply with Canadian law.
“In Canada, the interception of private communications requires judicial authorization in accordance with the Criminal Code and is only used to advance serious criminal investigations,” the OPP stated.
“The OPP uses investigative tools and techniques in full compliance with the laws of Canada, including the Charter of Rights and Freedoms. Releasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety.”
Despite these assurances, privacy advocates remain concerned about the lack of transparency and oversight regarding the use of spyware by Canadian law enforcement.
Paragon Solutions Under Scrutiny for Human Rights Violations
Paragon Solutions, now U.S.-owned, does not disclose its clients and declined to comment on the report.
While the company claims its spyware is designed to combat serious crime and terrorism, its technology has been linked to human rights abuses. Recently, Paragon’s spyware was found to have been used against an Italian journalist and migrant rights activists, despite the company’s stated “zero-tolerance” policy for misuse. Following the revelations, Paragon suspended its contract with the Italian government.
Canada’s Growing Use of Spyware and Lack of Oversight
Canada’s use of spyware and hacking tools has been controversial since 2022, when the RCMP admitted—in what was called a “remarkable” disclosure—that it had used spyware to infiltrate mobile devices. The RCMP claimed at the time that the technology was only deployed in serious cases when other surveillance methods failed.
The Citizen Lab’s latest findings suggest that spyware use is expanding across Canadian law enforcement agencies, with little public awareness or oversight.
“What these findings show is that there is a widening gap in public awareness regarding the extent to which spyware technology is being used in Canada,” said Kate Robertson, a senior researcher at Citizen Lab.
“These findings raise important questions for the government and privacy regulators about what technologies are being used, and underscore again the need for law reform to address security and human rights risks.”
Despite growing concerns, Canada has yet to pass any new privacy laws to regulate law enforcement’s use of spyware and cyberweapons.
Privacy protection laws vary widely across the globe, with some countries implementing strict regulations to safeguard personal data, while others have more relaxed frameworks that give law enforcement and corporations greater access to digital communications.
Here is a breakdown of key privacy protection laws in different regions and an analysis of what works best.
Overview of Global Privacy Protection Laws
1. European Union – General Data Protection Regulation (GDPR)
✔ Strengths:
Comprehensive: Covers all organizations handling EU citizens’ data, even if they are based outside the EU.
Strict Consent Rules: Requires explicit user consent before collecting personal data.
Right to Be Forgotten: Individuals can request that their personal data be deleted.
Severe Penalties: Fines up to €20 million or 4% of global annual revenue for violations.
✘ Weaknesses:
Complex Compliance: Many businesses struggle to understand and comply fully.
Legal Loopholes: Some companies use “legitimate interest” as a way to continue tracking users without full consent.
Effectiveness:GDPR is widely regarded as one of the most effective privacy laws globally, setting the standard for data protection and consumer rights.
2. United States – Sectoral Approach (CCPA, FISA, Patriot Act)
✔ Strengths:
California Consumer Privacy Act (CCPA): Gives residents rights similar to GDPR, including data access and deletion.
Federal Trade Commission (FTC): Enforces penalties against companies that misuse consumer data.
FISA & Surveillance Laws: Regulate government spying on U.S. citizens and foreigners.
✘ Weaknesses:
No National Standard: The U.S. lacks a federal privacy law, leading to inconsistent protections across states.
Mass Surveillance Concerns: The Patriot Act and FISA allow broad government access to personal communications.
Big Tech Influence: Companies like Google and Meta lobby against stricter privacy regulations.
Effectiveness:The CCPA is a strong step toward privacy, but without a federal GDPR-like law, U.S. data protections remain patchy and inconsistent.
3. Canada – Personal Information Protection and Electronic Documents Act (PIPEDA)
✔ Strengths:
Applies to all private-sector organizations handling personal data.
Requires informed consent for data collection.
Office of the Privacy Commissioner (OPC) investigates complaints.
✘ Weaknesses:
Limited Enforcement Powers: The OPC cannot issue fines, reducing the law’s effectiveness.
Surveillance Gaps: Intelligence agencies have broad powers to collect digital communications.
Effectiveness:PIPEDA is a good foundation, but it lacks strong enforcement mechanisms. Proposed updates under Bill C-27 aim to strengthen penalties and consumer rights.
4. Australia – Privacy Act 1988 & Surveillance Laws
✔ Strengths:
Regulates personal data collection, storage, and use.
Data Breach Notification: Organizations must report breaches affecting consumers.
Consumer Rights: Allows individuals to access and correct personal data.
✘ Weaknesses:
No Clear Opt-Out: Companies can still collect and share data unless users actively refuse.
Government Surveillance Laws: Authorities can force companies to decrypt encrypted data, undermining privacy protections.
Effectiveness:The Privacy Act provides some protection, but government surveillance laws weaken personal privacy rights.
5. China – Personal Information Protection Law (PIPL)
✔ Strengths:
Modeled after GDPR: Requires companies to obtain consent before collecting data.
Tough on Foreign Companies: Requires data localization (keeping Chinese users’ data inside China).
✘ Weaknesses:
Government Access to Data: The Chinese government has broad authority to collect and monitor personal information.
Limited Individual Rights: Citizens have fewer ways to challenge state surveillance.
Effectiveness:While PIPL holds businesses accountable, it does not protect individuals from government surveillance, making it a one-sided privacy law.
What Works Best?
Best Overall Model: GDPR (European Union)Strong consumer rights
Tough penalties for violations
Applies globally to companies handling EU citizens’ data
Best for Corporate Accountability: PIPL (China)Strict rules on data collection and localization
Prevents companies from exploiting consumer data
Best for Balancing Privacy & Law Enforcement: CCPA (California, USA)Allows individuals to control their data
Requires businesses to disclose what data they collect
Provides exemptions for public safety investigations
Conclusion: The Future of Privacy Laws
As spyware and digital surveillance expand, governments must strengthen privacy laws to protect individuals while balancing law enforcement needs.
Countries like Canada and the U.S. need stronger enforcement mechanisms.
Governments worldwide must address corporate data collection and government overreach.
Public awareness and advocacy will be key in pushing for better protections.
Privacy is a fundamental right, and the best laws strike a balance between security, transparency, and consumer protection.
https://www.netnewsledger.com/2025/03/2 ... -concerns/
Michael Jack, Administrator
-
Michael Jack
- Site Admin
- Posts: 2823
- Joined: Sun Mar 25, 2012 5:18 pm
- Contact:
What to know about Israeli spyware allegedly used by Ontario police
Researchers behind a new report into an Israeli spyware program used to monitor civil society members say they have found “possible links” between the controversial technology and Ontario Provincial Police (OPP), suggesting it may have been used in investigations — an allegation the force doesn’t deny.
The report from Citizen Lab at the University of Toronto released this week said researchers traced the IP address of a Canadian-based customer of Paragon Solutions to the address of the OPP’s general headquarters in Toronto.
Paragon sells the military-grade spyware program “Graphite” to government clients for national security purposes, but the tool has been found on the phones of journalists, activists and other civil society members in countries around the world in recent years, using communication apps like WhatsApp.
“We’ve also uncovered court records that point to a growing ecosystem of spyware capability among police services in Ontario,” Kate Robertson, a senior researcher at Citizen Lab and a co-author of the report, told Global News.
“What these findings show is that there is a widening gap in public awareness about the extent to which spyware technology is being used in Canada.”
Researchers tracing servers connected to Paragon’s Graphite tool found additional suspected deployments at four other Ontario addresses, including a shared warehouse, a strip mall, a brewery and an apartment.
An OPP spokesperson declined to confirm if it has contracted Paragon for investigative purposes but also didn’t deny the report’s findings in a statement to Global News.
“The Ontario Provincial Police is mandated to maintain public safety and to prevent or investigate crime while respecting the rights and privileges of citizens and visitors to Canada,” Acting Staff Sgt. Jeffrey Del Guidice said, adding the interception of private communications “is only used to advance serious criminal investigations” and requires judicial authorization.
“The OPP uses investigative tools and techniques in full compliance with the laws of Canada, including the Charter of Rights and Freedoms. Releasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety,” the statement continued.
“The OPP respects Canada’s Charter of Rights and Freedoms and we remain committed to maintaining public trust and confidence.”
What is Paragon?
Paragon Solutions was founded in Israel in 2019 by former Israeli prime minister Ehud Barak and Ehud Schneorson, the former commander of Israel’s cyberwarfare and military intelligence group Unit 8200.
Its spyware product Graphite is marketed as unique to other spyware tools like NSO Group’s Pegasus, in that it specifically grants clients access to a targeted device’s instant messaging applications, rather than the entire smartphone.
Citizen Lab says it shared details from its mapping of Paragon’s infrastructure, which established the potential OPP link, with Meta last year after determining WhatsApp could be used as an “infection vector” by Graphite users despite its end-to-end encryption software.
In late January this year, WhatsApp informed about 90 users in more than two dozen countries, including journalists and other civil society members, that they were likely being targeted by Paragon software.
The company subsequently closed a “zero-click” vulnerability that allowed Paragon to access devices without victims having to click on an infected link like common malware attacks. Instead, attackers would upload a PDF or other document to a WhatsApp group that would then be parsed by the device, giving the attacker access.
“We’ve seen first-hand how commercial spyware can be weaponized to target journalists and civil society, and these companies must be held accountable,” a WhatsApp spokesperson told Global News.
“Our security team is constantly working to stay ahead of threats, and we will continue working to protect peoples’ ability to communicate privately.”
The Citizen Lab report also details the use of Paragon’s spyware against journalists and human rights activists in Italy. The Italian government acknowledged last month it was a Paragon customer after previously denying knowledge of the issue, and the director of the external intelligence service confirmed the agency had deployed Graphite multiple times.
In previous years, NSO Group — which is also based in Israel — was found to be behind a spyware hack of WhatsApp accounts in 2019, and a subsequent investigation in 2021 found the company’s Pegasus program had been used to target journalists and activists around the world.
Paragon — which was reportedly acquired by Florida-based investment group AE Industrial Partners last year — has tried to position itself publicly as one of the industry’s more responsible players.
What is Canada's history with spyware?
The RCMP publicly acknowledged in 2022 that it has used spyware tools as far back as 2022 to access the encrypted communications of investigative targets.
An RCMP spokesperson confirmed police still deploys spyware, which it refers to as “on-device investigative tools” (ODITs), but like the OPP stressed they are only used for “serious criminal and national security investigations” after obtaining judicial authorization.
“The RCMP’s cautious and measured approach is evidenced by the fact that from 2017-2024, ODITs have only been used in support of 35 investigations, in which a combined total of 57 devices were targeted,” Marie-Eve Breton said in a statement.
“To be clear, ODITs are used extremely rarely and in limited cases by the RCMP. Their use is always targeted. It’s always time-limited, and it’s never to conduct unwarranted and/or mass surveillance. These tools are not used in secret.”
The RCMP did not say if spyware is used to target civil society members or if it a client of Paragon, saying it will not comment on specific investigations or tools.
Canadian parliamentarians have undertaken studies on law enforcement’s use of spyware tools that concluded regulations were needed. Canada, along with nine other allied nations, also backed former U.S. president Joe Biden’s push in 2023 to counter misuse of commercial spyware and impose international controls.
But no Canadian legislation has been introduced to address or regulate spyware use.
A spokesperson for Public Safety Minister David McGuinty’s office did not say if the government was working on such legislation, referring questions about the Citizen Lab’s findings on Canadian police use of spyware to the OPP. The Ontario solicitor general’s office did not provide comment.
Robertson said it was critical for the government to ensure it’s not involved in the targeting of civil society members through programs that could risk national security.
“When governments become buyers of this proliferating hack-for-hire industry, it really should be understood that they’re investing in the insecurity and vulnerability of all people in Canada and around the world,” she said.
“That’s why it’s not only a question of what controls are needed about use, but also very significant questions about what’s proportionate and tolerable in the first place in a free and democratic society.”
https://globalnews.ca/news/11092726/spy ... -graphite/
The report from Citizen Lab at the University of Toronto released this week said researchers traced the IP address of a Canadian-based customer of Paragon Solutions to the address of the OPP’s general headquarters in Toronto.
Paragon sells the military-grade spyware program “Graphite” to government clients for national security purposes, but the tool has been found on the phones of journalists, activists and other civil society members in countries around the world in recent years, using communication apps like WhatsApp.
“We’ve also uncovered court records that point to a growing ecosystem of spyware capability among police services in Ontario,” Kate Robertson, a senior researcher at Citizen Lab and a co-author of the report, told Global News.
“What these findings show is that there is a widening gap in public awareness about the extent to which spyware technology is being used in Canada.”
Researchers tracing servers connected to Paragon’s Graphite tool found additional suspected deployments at four other Ontario addresses, including a shared warehouse, a strip mall, a brewery and an apartment.
An OPP spokesperson declined to confirm if it has contracted Paragon for investigative purposes but also didn’t deny the report’s findings in a statement to Global News.
“The Ontario Provincial Police is mandated to maintain public safety and to prevent or investigate crime while respecting the rights and privileges of citizens and visitors to Canada,” Acting Staff Sgt. Jeffrey Del Guidice said, adding the interception of private communications “is only used to advance serious criminal investigations” and requires judicial authorization.
“The OPP uses investigative tools and techniques in full compliance with the laws of Canada, including the Charter of Rights and Freedoms. Releasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety,” the statement continued.
“The OPP respects Canada’s Charter of Rights and Freedoms and we remain committed to maintaining public trust and confidence.”
What is Paragon?
Paragon Solutions was founded in Israel in 2019 by former Israeli prime minister Ehud Barak and Ehud Schneorson, the former commander of Israel’s cyberwarfare and military intelligence group Unit 8200.
Its spyware product Graphite is marketed as unique to other spyware tools like NSO Group’s Pegasus, in that it specifically grants clients access to a targeted device’s instant messaging applications, rather than the entire smartphone.
Citizen Lab says it shared details from its mapping of Paragon’s infrastructure, which established the potential OPP link, with Meta last year after determining WhatsApp could be used as an “infection vector” by Graphite users despite its end-to-end encryption software.
In late January this year, WhatsApp informed about 90 users in more than two dozen countries, including journalists and other civil society members, that they were likely being targeted by Paragon software.
The company subsequently closed a “zero-click” vulnerability that allowed Paragon to access devices without victims having to click on an infected link like common malware attacks. Instead, attackers would upload a PDF or other document to a WhatsApp group that would then be parsed by the device, giving the attacker access.
“We’ve seen first-hand how commercial spyware can be weaponized to target journalists and civil society, and these companies must be held accountable,” a WhatsApp spokesperson told Global News.
“Our security team is constantly working to stay ahead of threats, and we will continue working to protect peoples’ ability to communicate privately.”
The Citizen Lab report also details the use of Paragon’s spyware against journalists and human rights activists in Italy. The Italian government acknowledged last month it was a Paragon customer after previously denying knowledge of the issue, and the director of the external intelligence service confirmed the agency had deployed Graphite multiple times.
In previous years, NSO Group — which is also based in Israel — was found to be behind a spyware hack of WhatsApp accounts in 2019, and a subsequent investigation in 2021 found the company’s Pegasus program had been used to target journalists and activists around the world.
Paragon — which was reportedly acquired by Florida-based investment group AE Industrial Partners last year — has tried to position itself publicly as one of the industry’s more responsible players.
What is Canada's history with spyware?
The RCMP publicly acknowledged in 2022 that it has used spyware tools as far back as 2022 to access the encrypted communications of investigative targets.
An RCMP spokesperson confirmed police still deploys spyware, which it refers to as “on-device investigative tools” (ODITs), but like the OPP stressed they are only used for “serious criminal and national security investigations” after obtaining judicial authorization.
“The RCMP’s cautious and measured approach is evidenced by the fact that from 2017-2024, ODITs have only been used in support of 35 investigations, in which a combined total of 57 devices were targeted,” Marie-Eve Breton said in a statement.
“To be clear, ODITs are used extremely rarely and in limited cases by the RCMP. Their use is always targeted. It’s always time-limited, and it’s never to conduct unwarranted and/or mass surveillance. These tools are not used in secret.”
The RCMP did not say if spyware is used to target civil society members or if it a client of Paragon, saying it will not comment on specific investigations or tools.
Canadian parliamentarians have undertaken studies on law enforcement’s use of spyware tools that concluded regulations were needed. Canada, along with nine other allied nations, also backed former U.S. president Joe Biden’s push in 2023 to counter misuse of commercial spyware and impose international controls.
But no Canadian legislation has been introduced to address or regulate spyware use.
A spokesperson for Public Safety Minister David McGuinty’s office did not say if the government was working on such legislation, referring questions about the Citizen Lab’s findings on Canadian police use of spyware to the OPP. The Ontario solicitor general’s office did not provide comment.
Robertson said it was critical for the government to ensure it’s not involved in the targeting of civil society members through programs that could risk national security.
“When governments become buyers of this proliferating hack-for-hire industry, it really should be understood that they’re investing in the insecurity and vulnerability of all people in Canada and around the world,” she said.
“That’s why it’s not only a question of what controls are needed about use, but also very significant questions about what’s proportionate and tolerable in the first place in a free and democratic society.”
https://globalnews.ca/news/11092726/spy ... -graphite/
Michael Jack, Administrator