The use of IMSI catchers poses serious privacy risks. Unlike traditional wiretaps, which selectively intercept calls to and from a specified target, IMSI catchers pretend to be a cell tower and capture information from every cell phone in the vicinity. It is impossible to target specific mobile phone users with these devices; they scoop up information from every phone within range.
Recently released documents shed a bit more light on the issue. These new documents reveal Public Safety Canada approved requests from the RCMP, Canadian Security Intelligence Service, and the Department of National Defence, granting 13 licences to one or more unnamed companies for the purpose of possessing, manufacturing or selling devices “used primarily for the interception of communications.” The heavily redacted documents do not identify the devices or their capabilities. They do, however, indicate that some of the licences were issued retroactively.
The Stingray debate in Canada extends back to at least 2014. A former Member of Parliament posed a Question on the House of Commons Order Paper, “With regard to tracking by government agencies of customer’s usage of communications devices and services: do government agencies use their own (i) tracking products (e.g. IMSI Catchers), (ii) infiltration software (e.g. zero day exploits, malware such as FinFisher, etc.), (iii) interception hardware (i.e. placed within or integrated with a company’s network)?”
In response, the RCMP refused to disclose information because, “it could reveal details that would compromise the RCMP’s ability to conduct criminal investigations.” CSIS also declined, citing national security concerns. The agency also noted in their reply that they are “subject to scrutiny of the Privacy Commissioner.”
At the time, Tobi Cohen, a spokesperson for the Office of the Privacy Commissioner of Canada, said, “We have not been made aware by the RCMP of their use of this technology. If they were looking to use this type of technology, we would expect to be consulted.” Cohen also said that the Commissioner’s Office had not been made aware of Stingray use by government departments or agencies.
Two years later, in April 2016, the Privacy Commissioner opened an investigation into the use of of IMSI catchers by law enforcement. Results of the investigation are still pending. Court documents released from a Montreal case, that do not identify the specific technology, clearly establish that the RCMP used wireless signal catchers to target suspects’ BlackBerrys, intercept, and decrypt BlackBerry PIN-to-PIN messages.
By refusing to acknowledge even owning the devices, Canadian law enforcement and intelligence agencies are not fooling criminals and terrorists. They are, however, giving law-abiding Canadians a good reason to distrust them. Without further information, it is reasonable to assume that IMSI catchers are in widespread use.
Products such as Stingrays may be valuable in some specific circumstances, but they could also be used to commit large scale invasions of privacy. It is unclear whether judicial authorization is obtained, or even felt necessary, prior to deploying the devices. Previous federal governments have argued that capturing metadata, including telephone numbers and IP addresses, does not constitute intercepting a communication. Strong privacy controls are required, and they can not be established in secret.
The fact that questions from Members of Parliament go unanswered, and that the Privacy Commissioner needs to investigate, clearly demonstrates that much more transparency and oversight is required.
Have a security question you’d like answered in a future column? Email email@example.com
SAMSUNG GALAXY S8 PLUS
The Samsung Galaxy S8 Plus is a beautifully crafted smartphone with nearly no bezel, curvaceous in design and reflects a…
How to: Connect to Exchange Online Using Multi-Factor Authentication
Using PowerShell to manage your Microsoft cloud services like Exchange Online and using multi-factor authentication (MFA) separately is awesome. Using…