Researchers behind a new report into an Israeli spyware program used to monitor civil society members say they have found “possible links” between the controversial technology and Ontario Provincial Police (OPP), suggesting it may have been used in investigations — an allegation the force doesn’t deny.
The report from Citizen Lab at the University of Toronto released this week said researchers traced the IP address of a Canadian-based customer of Paragon Solutions to the address of the OPP’s general headquarters in Toronto.
Paragon sells the military-grade spyware program “Graphite” to government clients for national security purposes, but the tool has been found on the phones of journalists, activists and other civil society members in countries around the world in recent years, using communication apps like WhatsApp.
“We’ve also uncovered court records that point to a growing ecosystem of spyware capability among police services in Ontario,” Kate Robertson, a senior researcher at Citizen Lab and a co-author of the report, told Global News.
“What these findings show is that there is a widening gap in public awareness about the extent to which spyware technology is being used in Canada.”
Researchers tracing servers connected to Paragon’s Graphite tool found additional suspected deployments at four other Ontario addresses, including a shared warehouse, a strip mall, a brewery and an apartment.
An OPP spokesperson declined to confirm if it has contracted Paragon for investigative purposes but also didn’t deny the report’s findings in a statement to Global News.
“The Ontario Provincial Police is mandated to maintain public safety and to prevent or investigate crime while respecting the rights and privileges of citizens and visitors to Canada,” Acting Staff Sgt. Jeffrey Del Guidice said, adding the interception of private communications “is only used to advance serious criminal investigations” and requires judicial authorization.
“The OPP uses investigative tools and techniques in full compliance with the laws of Canada, including the Charter of Rights and Freedoms. Releasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety,” the statement continued.
“The OPP respects Canada’s Charter of Rights and Freedoms and we remain committed to maintaining public trust and confidence.”
Paragon Solutions was founded in Israel in 2019 by former Israeli prime minister Ehud Barak and Ehud Schneorson, the former commander of Israel’s cyberwarfare and military intelligence group Unit 8200.
Get daily National news
Get the day’s top news, political, economic, and current affairs headlines, delivered to your inbox once a day.
Its spyware product Graphite is marketed as unique to other spyware tools like NSO Group’s Pegasus, in that it specifically grants clients access to a targeted device’s instant messaging applications, rather than the entire smartphone.
Citizen Lab says it shared details from its mapping of Paragon’s infrastructure, which established the potential OPP link, with Meta last year after determining WhatsApp could be used as an “infection vector” by Graphite users despite its end-to-end encryption software.
In late January this year, WhatsApp informed about 90 users in more than two dozen countries, including journalists and other civil society members, that they were likely being targeted by Paragon software.
The company subsequently closed a “zero-click” vulnerability that allowed Paragon to access devices without victims having to click on an infected link like common malware attacks. Instead, attackers would upload a PDF or other document to a WhatsApp group that would then be parsed by the device, giving the attacker access.
“We’ve seen first-hand how commercial spyware can be weaponized to target journalists and civil society, and these companies must be held accountable,” a WhatsApp spokesperson told Global News.
“Our security team is constantly working to stay ahead of threats, and we will continue working to protect peoples’ ability to communicate privately.”
The Citizen Lab report also details the use of Paragon’s spyware against journalists and human rights activists in Italy. The Italian government acknowledged last month it was a Paragon customer after previously denying knowledge of the issue, and the director of the external intelligence service confirmed the agency had deployed Graphite multiple times.
In previous years, NSO Group — which is also based in Israel — was found to be behind a spyware hack of WhatsApp accounts in 2019, and a subsequent investigation in 2021 found the company’s Pegasus program had been used to target journalists and activists around the world.
Paragon — which was reportedly acquired by Florida-based investment group AE Industrial Partners last year — has tried to position itself publicly as one of the industry’s more responsible players.
What is Canada’s history with spyware?
The RCMP publicly acknowledged in 2022 that it has used spyware tools as far back as 2022 to access the encrypted communications of investigative targets.
An RCMP spokesperson confirmed police still deploys spyware, which it refers to as “on-device investigative tools” (ODITs), but like the OPP stressed they are only used for “serious criminal and national security investigations” after obtaining judicial authorization.
“The RCMP’s cautious and measured approach is evidenced by the fact that from 2017-2024, ODITs have only been used in support of 35 investigations, in which a combined total of 57 devices were targeted,” Marie-Eve Breton said in a statement.
“To be clear, ODITs are used extremely rarely and in limited cases by the RCMP. Their use is always targeted. It’s always time-limited, and it’s never to conduct unwarranted and/or mass surveillance. These tools are not used in secret.”
The RCMP did not say if spyware is used to target civil society members or if it a client of Paragon, saying it will not comment on specific investigations or tools.
Canadian parliamentarians have undertaken studies on law enforcement’s use of spyware tools that concluded regulations were needed. Canada, along with nine other allied nations, also backed former U.S. president Joe Biden’s push in 2023 to counter misuse of commercial spyware and impose international controls.
But no Canadian legislation has been introduced to address or regulate spyware use.
A spokesperson for Public Safety Minister David McGuinty’s office did not say if the government was working on such legislation, referring questions about the Citizen Lab’s findings on Canadian police use of spyware to the OPP. The Ontario solicitor general’s office did not provide comment.
Robertson said it was critical for the government to ensure it’s not involved in the targeting of civil society members through programs that could risk national security.
“When governments become buyers of this proliferating hack-for-hire industry, it really should be understood that they’re investing in the insecurity and vulnerability of all people in Canada and around the world,” she said.
“That’s why it’s not only a question of what controls are needed about use, but also very significant questions about what’s proportionate and tolerable in the first place in a free and democratic society.”
—with files from Reuters
https://globalnews.ca/news/11092726/spyware-ontario-provincial-police-paragon-graphite/
