The mercenary spyware industry develops and sells advanced tools that can covertly gain complete access to a cellphone’s microphone, camera, messages, photos and historical data – all without its user clicking any malicious links. The technology notoriously facilitates human rights abuses worldwide.

In Canada, NSO Group’s Pegasus was forensically identified in 2018 on the phone of a Canadian permanent resident and Saudi activist in exile, Omar Abdulaziz, who had been messaging with a close contact, Saudi journalist Jamal Khashoggi.

An analysis from the University of Toronto’s Citizen Lab attributed the spyware deployment to an operator linked to Saudi Arabia. Not long after the discovery of spyware on Abdulaziz’s phone, Khashoggi was killed in a Saudi consulate in Turkey.

Canadian police services are joining the spyware market

More recently, a March report from Citizen Lab marks the first time a Canadian police service has been directly linked to the mercenary spyware industry. The report identified the Ontario Provincial Police as a possible customer of a spyware company founded in Israel called Paragon Solutions. It also uncovered a growing ecosystem of spyware capability among police services in several Ontario cities.

Hours after the report was published, the CBC reported that Ontario’s privacy commissioner said it “raises significant concerns” and that none of the police services named in the report had consulted with the commissioner.

“We have made it clear in the past that our office should be consulted before new policing technologies with significant privacy implications are procured, adopted or used,” the commissioner’s office added.

The report and the commissioner’s response escalate the urgency of addressing gaps in Canadian laws, which are stuck in the era of 1970s wiretap technology and fail to draw any real boundaries around today’s advanced spyware.

Canada’s legal framework hasn’t kept up

The March Citizen Lab report’s findings also underscore the renewed need for action by federal lawmakers and privacy regulators across Canada to address the specific dangers of spyware technology, through both legislative reform and comprehensive oversight.

This is not a new problem. In 2022, the RCMP admitted it had been using on-device investigation tools (ODITs) – law enforcement’s euphemism for spyware – for many years. The RCMP refused to disclose its source of spyware technology, despite the fact that wiretap laws impose parliamentary reporting obligations on law enforcement agencies.

The RCMP’s admission that it had been using ODITs for years without Parliament being explicitly notified illustrates the many dangers of shoehorning new spyware technology into decades-old wiretap laws.

In response to the 2022 RCMP admission, a parliamentary committee recommended numerous law reforms. Notably, it concluded that the federal government should review Part VI of the Criminal Code governing police interception of private communications “to ensure that it is fit for the digital age.” But three years later, no efforts have been made to move this legislative needle.

The apparent inertia wasn’t always the case.

A legacy of privacy protection is eroding

Historically, the federal government has played an important role by defining law enforcement powers according to democratic standards. For example, the 1969 Ouimet Report set the stage for far-reaching reforms to Canada’s justice system. It led to the adoption of Canada’s current intercept regime in the 1970s to respond to the privacy dangers of the surveillance technologies of that time.

But Canada has fallen behind.

Our intercept regime is substantially out of step with the dangers born of the mercenary spyware industry. The expansive and intrusive capabilities of spyware make wiretap technology seem quaint in comparison.

A 2024 report by the Venice Commission of the Council of Europe set out minimum safeguards to comply with the rule of law and human rights for countries considering the use of spyware. On several fronts, Canada’s intercept laws fall short of even these minimum safeguards.

For example, the Venice report recommends the use of spyware be limited to a narrow set of serious offences. In Canada, Marco Mendicino, former public safety minister, emphasized in 2022 that Part VI would allow spyware deployments to investigate only “a limited number of very serious offences.”

But contrary to the Venice report’s recommended limits, the long list in Part VI contains nearly 200 offences that could be cited by law enforcement to justify spyware use in an investigation. It includes non-violent, petty offences such as mischief or theft; copyright or competition law offences; or obscure offences such as possessing unstamped vaping products or making an indecent communication with the intent to “annoy” someone.

The Venice report also calls for restricting spyware use to targeting persons suspected of a serious offence and recommends strict protections for professional privileges and groups historically targeted, including journalists, human rights defenders and government critics. Save for some measures concerning lawyer-client privilege, none of these limitations exist in Canada.

At its core, Part VI fails to distinguish and circumscribe the circumstances where targeted surveillance may be conducted with spyware instead of traditional, less-intrusive tools. This lack of precision means that upon authorization, any method – including spyware – may be installed and maintained to conduct an investigation.

Fixing the law may not be enough

It bears emphasizing that even if the federal government were to follow through with its study and reform of Part VI, there is no guarantee that new laws would be constitutional or human rights compliant. For example, Austria’s constitutional court struck down a proposed spyware law in 2019 because it disproportionately interfered with human rights.

In Canada, Part VI is still only part of the picture.

By signing the 2023 Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware and the recent G7 Leaders’ Statement on Transnational Repression, Canada has recognized that the commercial spyware industry is a threat to human rights and our national security.

However, the federal government has not put forward any concrete regulations to prohibit procurement of such spyware, as the United States did with Executive Order 14093.

Most people think of surveillance abuse as a problem in authoritarian countries. But Citizen Lab’s investigation into Paragon Solutions also led to the discovery of dozens of spyware victims in non-authoritarian countries, including documented cases in Italy targeting human rights groups, government critics, journalists and a priest.

Given that the company had sought to differentiate itself by citing internal safeguards, the March Citizen Lab report suggests: “Paragon’s claims of having found an abuse-proof business model may not hold up to scrutiny.”

Since the report’s publication in March, further reporting has revealed that even more journalists in Italy were targeted. These recent abuses echo what Citizen Lab also uncovered in Greece, Hungary, Mexico, Poland and Spain, showing it is a problem in democratic countries, too.

Authorities in democracies, including Canada, can also be tempted to abuse their power – and clearly many do. Without proper safeguards, it is inevitable that spyware abuses will emerge here.

Spyware is also a cybersecurity threat

Spyware also represents a serious cyber and national security threat. In 2023, the cyber arm of the United Kingdom’s GCHQ warned that the commercial spyware industry “is creating an expanding number of elements for cyber defence to detect and mitigate.” Hackers-for-hire “raise the likelihood of unpredictable targeting or unintentional escalation through attempts to compromise a wider range of targets.”

As a result, when Canadian authorities use mercenary software, they fuel an industry that can create vulnerabilities in the smartphones we all use. The federal and Ontario governments have signalled they will have a more proactive role on cybersecurity. But cybersecurity stewardship should also mean recognizing when the call is coming from inside the house.

In its 2023 annual report, Canada’s National Security and Intelligence Review Agency announced it has been reviewing how Canada’s national security agencies and the RCMP handle “zero-day” vulnerabilities. Exploits for zero-day vulnerabilities are among the powerful tools that cyber mercenaries wield to compromise our devices.

But who is tasked with asking these questions of local or provincial police services in Canada? Certainly, the judges currently tasked with authorizing spyware deployments are not mandated, nor necessarily technically fluent enough, to identify cyber risks with nationwide security implications.

Ontario’s privacy commissioner, who has a mandate over next-generation law enforcement technologies, will undoubtedly have a critical role to play, given that numerous police services in the province appear to have begun using one of the most controversial surveillance technologies of our time.

Federal leadership will also be crucial to make good on Canada’s commitment to address the human rights and national security dangers.

But as a starting point, lawmakers and privacy regulators both need transparency and accountability from law enforcement institutions themselves for our democratic systems to be meaningful.

Kate Robertson
Kate Robertson is a senior research associate at the University of Toronto’s Citizen Lab.
Song-Ly Tran
Song-Ly Tran is a McGill University law graduate and legal extern at the Citizen Lab.

You are welcome to republish this Policy Options article online or in print periodicals, under a Creative Commons/No Derivatives licence.
