Skip to content

Just to clarify the VPD’s clarifications about cell phone tapping

November 30, 2015


On November 13, The Vancouver Police Department issued a press release that it said “clarifies misleading reports” that suggested the VPD randomly listens to private cell phone conversations.

The concluding paragraph of the press release states:

“What is important to know is that the VPD does not randomly listen to the cell phone conversations of citizens. Any covert monitoring of communications is only done during serious criminal investigations pursuant to the Criminal Code, and with prior judicial authorization from the courts.”

It is worth noting the careful language of both the press release and of Vancouver’s chief constable Adam Palmer, who, on November 26, reportedly assured Mayor Gregor Robertson, the head of the Police Board:

“We never have and never would and never will intercept any kind of private communications without judicial authorization.”

This led Mayor Robertson to just as carefully tell reporters that his police chief had assured the public that there was no mass surveillance or any surveillance done without the approval of the courts.

The press release and the chief’s statement were both meant to rebut reports surrounding the VPD’s stonewalling response to a July 23, 2015, Freedom of Information Request by the Pivot Legal Society, asking for any VPD documents, from January 1, 2010 to present, relating to the department’s interest in, purchase, or usage of a cell phone-tapping ISMI-catcher, popularly known as a “Stingray” or “Kingfish”, after brand name devices made by the U.S. Defense contractor, Harris Corporation.

However, Pivot’s question was not actually whether the VPD possessed so-called Stingray technology in order to perform “nass surveillance” or “randomly” intercept cell phone traffic but whether the VPD possessed the IMSI-catcher technology period.

Could you repeat the question, preferably into your phone?

A Harris Corporation StingRay II-brand IMSI catcher.

A Harris Corporation StingRay II-brand IMSI catcher.

An IMSI catcher is essentially the guts of a cellular tower — a large, microwave-sized base transceiver station (BTS) — modified and stuck inside of a vehicle, which can intercept and decrypt all data traffic to and from a target cell phone by pretending to be the closest cell tower in the target phone’s wireless network.

On September 11, 2015, the Information and Privacy Unit of the Vancouver Police Department replied to Pivot’s July 23, FOI request, explaining that it was unable to provide access to the requested information.

In accordance with section 15(1)(C) of the B.C. Freedom of Information and Protection of Privacy Act, the VPD refused to release the records that Pivot was requesting on the grounds that any disclosure would be harmful to law enforcement. And furthermore, in accordance with section 8(2) of the act, the VPD refused to confirm or deny that any such records existed.

The VPD’s response reminded many in the press that the Harris Corporation has, in the past, required U.S. law enforcement agencies buying its brand name StingRay technology to sign non-disclosure agreements (NDAs), requiring questions from the press and the public to be answered as obliquely as the VPD answered the Pivot FOI request.

Forget “Cops and Robbers”, U.S. police play at being spies

The ACLU's online map showing which U.S. police agencies have cell tower simulators.

ACLU’s online map showing U.S. police agencies with cell tower simulators.

The Harris Corporation may attach an NDA to the sale of its StingRay IMSI-catcher technolgy because the tech was originally designed just for sale to U.S. military and intelligence agencies and it may still be considered restricted government technology. In fact, many U.S. law enforcement agencies are buying StingRay equipment from Harris at the prompting of the U.S. federal government.

When the Illinois State police secretly bought $250,000 worth of “covert cellular tracking equipment” from the Harris Corporation in 2008, it did so using a grant for that specific purpose from the U.S. Department of Homeland Security.

According to the American Civil Liberties Union, IMSI-catchers are now used by police agencies in 24 states, or nearly half of the U.S. and by at least 12 federal agencies, including: the FBI, the DEA, the ATF and the IRS, as well as five military branches.

Thus far, no Canadian agency has been caught using IMSI-catchers but it’s assumed that both the RCMP and CSIS have been using such cell tower-simulating technology for years.

The Criminal Code and judicial authorization of cell phone spying

Mayor Robertson’s assurances that Vancouver police conduct no surveillance of cell phones without the approval of the courts should be weighed against the almost trivial ease with which police in Canada now appear to be able to get secret warrants for the tapping of cell phones and computers.

On March 9, 2015, Bill C-13, the Protecting Canadians from Online Crime Act ( SC 2014, c. 31), became Canadian law. It was framed as anti-cyberbullying legislation but it was much more about updating major sections of the Criminal Code to reflect the fact of the Internet and, apparently, to streamline the rules governing lawful state access to digital communications.

It’s fair to say that Bill C-13 gives police very broad leeway to collect signal intelligence (characterized in the Bill as a “transmission data recording”, for collecting user-created data  or a “tracking data recording”, for collecting location data, such as GPS).

Traditional wiretap search warrants in Canada require that police demonstrate reasonable and probable grounds that a specific offence has been, is being, or is about to be committed. Police must also have reasonable and probable grounds to think that the target will provide evidence towards the investigation. A “fishing expedition” (looking for random criminal activity) is not a proper basis to authorize a wiretap.

On the other hand, search warrants issued under Bill C-13, in order to covertly install and operate transmission data recorders (TDR) for up to one year, only require that police suspect that “an offence” (rather than a “specific offence”) has been or will be committed and that the data will assist the investigation. At the same time, police can request that a judge make all information relating to the search warrant for the TDR secret, on the grounds that making the warrant public will do more harm than good.

The catch-all categories of transmission data recorder and tracking data recorder could easily cover IMSI-catcher technology, which can perform both kinds of data collection.

Bill C-13 is worded so vaguely that I cannot see anything about  that stops Canadian police from using IMSI-catchers exactly the same way that U.S. police are believed to be using the cellphone tapping technology — to monitor the mobile phones of peaceful protesters.

If it’s enough to just suspect that an offence will take place, in order to secure a secret search warrant to intercept cellphone and computer transmissions, then what police officer can’t say that they suspect that civil disobedience won’t possibly result in trespassing, property damage or graffiti?

In addition to hardware such as IMSI-catchers, Bill C-13’s “data recorder” categories perfectly encompass the Galileo remote control service (RCS) interception and tracking software made by the Italian company Hacking Team, which leaked emails show the VPD took a good had look at in 2013.

Those emails end with the VPD requesting two price quotes from Hacking Team but offer no evidence that a sale actually took place.

I would suggest that this doesn’t mean that a sale didn’t place, because I doubt that the actual sale would have been concluded via email.

Vice, which has covered Hacking Team closely through its Motherboard website, was willing to say, on the strength of the same leaked emails that I saw:

“While it would appear that Vancouver purchased the software, the police service wouldn’t confirm.”

If, however, the VPD did purchase the Hacking Team’s RCS software, there is no evidence of the telltale server in Vancouver that is apparently an essential component.

In 2014, Canada’s Citizens Lab, endeavoring to map the collection network of proxy servers that RCS uses to exfiltrate data from infected computer devices, found RCS servers in 21 countries but not in Canada.

One of the leaked Hacking Team emails reveals the U.S. Army also bought Hacking Team’s RCS software but that its budget was cut following the purchase in 2013, denying it the funds necessary to set up a server necessary to actually use the software. Click the images to enlarge them.

Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: