Canadian provincial police appear to be using advanced commercial spyware

There is evidence suggesting that Canadian provincial police are using powerful advanced commercial spyware, the Citizen Lab said in a report released Wednesday.

The internet protocol address of a spyware customer detected by the Citizen Lab matches that of the general headquarters for the Ontario Provincial Police (OPP), the University of Toronto-based research organization says in the report.

The vendor, Paragon Solutions, makes the powerful commercial spyware Graphite. In January, Meta said it discovered Graphite targeting and sometimes infecting devices belonging to more than 90 users of its subsidiary WhatsApp messaging platform. 

The Citizen Lab said it analyzed many devices belonging to victims in those attacks, and it also shared its Graphite research with Meta to enhance the social media company’s investigation of Paragon’s activities on its platform.

Court records obtained by the Citizen Lab showed the OPP has used surveillance tools to infect mobile devices in the past. 

Police use of commercial spyware draws scrutiny from privacy advocates because of documented abuses by law enforcement agencies around the world. The Citizen Lab did not specify whether Ontario police were using spyware improperly. Commercial vendors typically say they only sell spyware for lawful use.

The Citizen Lab’s new findings were first reported by The Guardian.

A spokesperson for the OPP said in a statement that the agency is required to receive judicial authorization to intercept private communications, a step it only takes to “advance serious criminal investigations.” 

“The OPP uses investigative tools and techniques in full compliance with the laws of Canada,” the statement said. “We remain committed to maintaining public trust and confidence.”

In an interview Recorded Future News published Wednesday, the Citizen Lab’s founder and executive director, Ron Deibert, said he fears more state and local agencies like the OPP will begin using spyware.

“The problem with most democratic countries, and I would say my country included, Canada, is you have a lot of local police, a lot of entities below national intelligence agencies that potentially could be customers and for whom there is not really adequate oversight,” he said.

Paragon is owned by the Florida-based private equity firm AE Industrial Partners, which acquired it in December. A spokesperson there did not immediately respond to a request for comment.

By mapping Paragon server infrastructure, the Citizen Lab says it also found several suspected deployments of Graphite in Australia, Canada, Cyprus, Denmark, Israel, Singapore and elsewhere, the report said.

Paragon was founded by former Israeli intelligence operatives and deliberately flies under the radar, lacking even a website.

The company’s senior U.S. leadership includes a CIA veteran, a former Navy program director that also worked at Twitter and a former senior official with the defense contractor L3Harris, the report says.

Wired reported late last year that U.S. Immigration and Customs Enforcement (ICE) signed a $2 million contract with Paragon in September. After the contract was reported, ICE said it put the agreement on hold.

Deibert said in the interview with RFN that “we should all be prepared for the worst” when asked if the ICE contract and the Trump administration’s recent actions suggest the American government could begin deploying spyware.