
An RCMP officer and a retired Vancouver cop say not even police are safe from high-tech spyware
CBC
Retired Vancouver police officer Paul McNamara was out with his family in August 2023 when he had a phone conversation with a friend, Ontario RCMP officer Pete Merrifield.
As he talked, he noticed his phone became unusually hot, "like it was about to melt down."
At the time, McNamara, who retired from the Vancouver Police Department in 2016, was on vacation in Montreal. When he tried to order an Uber, he says his phone was locked due to "too many password attempts."
He found it odd, but brushed it off as a glitch.
Then, that fall, he learned that the national police force had used controversial spyware called an On-Device Investigative Tool (ODIT) to remotely hack into his and Merrifield's phones. This was revealed through evidence in an ongoing court case involving another former RCMP officer, in which McNamara and Merrifield were witnesses.
McNamara says ODITs allow police to read messages on a person's phone in real time, even on encrypted apps like Signal, but that two-step authentication can still block access to data on certain apps that would require police to know the person's password.
While concerns from privacy advocates and human rights groups have focused on these tools being used to spy on journalists and other citizens, in this case spyware was used on a current and a former police officer, who say they were only ever told they were witnesses, not suspects, in a foreign interference case.
The two are now raising alarms about how the invasive technology was used in their case and the implications it has for broader police use. Meanwhile, one expert told CBC he worries this type of spyware has surpassed legal frameworks protecting Canadians' privacy rights.
In 2022, a House of Commons privacy committee ordered the RCMP to disclose its "device investigation tools." In response, the RCMP revealed it had been using ODITs to hack phones and other devices since 2017 without notifying the public or the federal privacy commissioner.
Canada currently has no legislation regulating spyware use.
A 2024 RCMP report says the force only deploys ODITs "for serious criminal investigations, such as organized crime, national security and terrorism, cybercrime, or other serious crimes," and that the technique is only used with judicial authorization, and "when other investigative means of collecting evidence have proven to be ineffective."
According to the report, some of the tool's technical capabilities include "intercepting communications, collecting and storing data, capturing computer screenshots and keyboard logging, and/or activating microphone and camera features."
Canada's Public Safety ministry has refused to disclose which vendors supply the RCMP with ODITs and has not denied that other government agencies might also use them.
Just last month, a Citizen Lab report detailed "a growing ecosystem of spyware capability" among the RCMP and multiple Ontario-based police services.