Citizen Lab Uncovers Possible Use of Military-Grade Surveillance Tools by Canadian Authorities
NEED TO KNOW – A new Citizen Lab report links the Ontario Provincial Police (OPP) to Israeli spyware firm Paragon Solutions, raising concerns about Canada’s expanding use of surveillance technology and lack of privacy laws to regulate cyberweapons
Toronto, ON – March 19, 2025 – Researchers at the University of Toronto have uncovered “possible links” between the Ontario Provincial Police (OPP) and Paragon Solutions, an Israel-based military-grade spyware maker, raising concerns over the extent of Canadian authorities’ use of cyberweapons.
The findings were published by Citizen Lab at the University of Toronto, which tracks and identifies digital threats against civil society.
The report comes three years after a parliamentary committee urged Ottawa to update Canada’s privacy laws following revelations that the Royal Canadian Mounted Police (RCMP) had used spyware to hack mobile phones.
However, no laws were ever passed to regulate the use of such technology by law enforcement in Canada.
Possible Link Between OPP and Paragon Solutions
Citizen Lab’s March 2025 report identified a “possible technical link” between Paragon Solutions and entities based in Ontario, including one associated with an OPP address.
Paragon Solutions is known for Graphite, a spyware tool sold exclusively to government clients.
The report also exposed a growing use of spyware among Ontario-based police services, citing public court records that show the OPP used a similar surveillance tool in a 2019 criminal investigation.
It further revealed that Toronto Police and York Regional Police had considered deploying spyware tools in a 2023 joint investigation.
OPP Responds, Does Not Deny Use of Spyware
Following the report’s publication, the OPP did not deny using spyware but maintained that all surveillance activities comply with Canadian law.
“In Canada, the interception of private communications requires judicial authorization in accordance with the Criminal Code and is only used to advance serious criminal investigations,” the OPP stated.
“The OPP uses investigative tools and techniques in full compliance with the laws of Canada, including the Charter of Rights and Freedoms. Releasing information about specific investigative techniques and technology could jeopardize active investigations and threaten public and officer safety.”
Despite these assurances, privacy advocates remain concerned about the lack of transparency and oversight regarding the use of spyware by Canadian law enforcement.
Paragon Solutions Under Scrutiny for Human Rights Violations
Paragon Solutions, now U.S.-owned, does not disclose its clients and declined to comment on the report.
While the company claims its spyware is designed to combat serious crime and terrorism, its technology has been linked to human rights abuses. Recently, Paragon’s spyware was found to have been used against an Italian journalist and migrant rights activists, despite the company’s stated “zero-tolerance” policy for misuse. Following the revelations, Paragon suspended its contract with the Italian government.
Canada’s Growing Use of Spyware and Lack of Oversight
Canada’s use of spyware and hacking tools has been controversial since 2022, when the RCMP admitted—in what was called a “remarkable” disclosure—that it had used spyware to infiltrate mobile devices. The RCMP claimed at the time that the technology was only deployed in serious cases when other surveillance methods failed.
The Citizen Lab’s latest findings suggest that spyware use is expanding across Canadian law enforcement agencies, with little public awareness or oversight.
“What these findings show is that there is a widening gap in public awareness regarding the extent to which spyware technology is being used in Canada,” said Kate Robertson, a senior researcher at Citizen Lab.
“These findings raise important questions for the government and privacy regulators about what technologies are being used, and underscore again the need for law reform to address security and human rights risks.”
Despite growing concerns, Canada has yet to pass any new privacy laws to regulate law enforcement’s use of spyware and cyberweapons.
Privacy protection laws vary widely across the globe, with some countries implementing strict regulations to safeguard personal data, while others have more relaxed frameworks that give law enforcement and corporations greater access to digital communications.
Here is a breakdown of key privacy protection laws in different regions and an analysis of what works best.
Overview of Global Privacy Protection Laws
1. European Union – General Data Protection Regulation (GDPR)
✔ Strengths:
- Comprehensive: Covers all organizations handling EU citizens’ data, even if they are based outside the EU.
- Strict Consent Rules: Requires explicit user consent before collecting personal data.
- Right to Be Forgotten: Individuals can request that their personal data be deleted.
- Severe Penalties: Fines up to €20 million or 4% of global annual revenue for violations.
✘ Weaknesses:
- Complex Compliance: Many businesses struggle to understand and comply fully.
- Legal Loopholes: Some companies use “legitimate interest” as a way to continue tracking users without full consent.
✅ Effectiveness:
GDPR is widely regarded as one of the most effective privacy laws globally, setting the standard for data protection and consumer rights.
2. United States – Sectoral Approach (CCPA, FISA, Patriot Act)
✔ Strengths:
- California Consumer Privacy Act (CCPA): Gives residents rights similar to GDPR, including data access and deletion.
- Federal Trade Commission (FTC): Enforces penalties against companies that misuse consumer data.
- FISA & Surveillance Laws: Regulate government spying on U.S. citizens and foreigners.
✘ Weaknesses:
- No National Standard: The U.S. lacks a federal privacy law, leading to inconsistent protections across states.
- Mass Surveillance Concerns: The Patriot Act and FISA allow broad government access to personal communications.
- Big Tech Influence: Companies like Google and Meta lobby against stricter privacy regulations.
✅ Effectiveness:
The CCPA is a strong step toward privacy, but without a federal GDPR-like law, U.S. data protections remain patchy and inconsistent.
3. Canada – Personal Information Protection and Electronic Documents Act (PIPEDA)
✔ Strengths:
- Applies to all private-sector organizations handling personal data.
- Requires informed consent for data collection.
- Office of the Privacy Commissioner (OPC) investigates complaints.
✘ Weaknesses:
- Limited Enforcement Powers: The OPC cannot issue fines, reducing the law’s effectiveness.
- Surveillance Gaps: Intelligence agencies have broad powers to collect digital communications.
✅ Effectiveness:
PIPEDA is a good foundation, but it lacks strong enforcement mechanisms. Proposed updates under Bill C-27 aim to strengthen penalties and consumer rights.
4. Australia – Privacy Act 1988 & Surveillance Laws
✔ Strengths:
- Regulates personal data collection, storage, and use.
- Data Breach Notification: Organizations must report breaches affecting consumers.
- Consumer Rights: Allows individuals to access and correct personal data.
✘ Weaknesses:
- No Clear Opt-Out: Companies can still collect and share data unless users actively refuse.
- Government Surveillance Laws: Authorities can force companies to decrypt encrypted data, undermining privacy protections.
✅ Effectiveness:
The Privacy Act provides some protection, but government surveillance laws weaken personal privacy rights.
5. China – Personal Information Protection Law (PIPL)
✔ Strengths:
- Modeled after GDPR: Requires companies to obtain consent before collecting data.
- Tough on Foreign Companies: Requires data localization (keeping Chinese users’ data inside China).
✘ Weaknesses:
- Government Access to Data: The Chinese government has broad authority to collect and monitor personal information.
- Limited Individual Rights: Citizens have fewer ways to challenge state surveillance.
✅ Effectiveness:
While PIPL holds businesses accountable, it does not protect individuals from government surveillance, making it a one-sided privacy law.
What Works Best?
✅ Best Overall Model: GDPR (European Union)
- Strong consumer rights
- Tough penalties for violations
- Applies globally to companies handling EU citizens’ data
✅ Best for Corporate Accountability: PIPL (China)
- Strict rules on data collection and localization
- Prevents companies from exploiting consumer data
✅ Best for Balancing Privacy & Law Enforcement: CCPA (California, USA)
- Allows individuals to control their data
- Requires businesses to disclose what data they collect
- Provides exemptions for public safety investigations
Conclusion: The Future of Privacy Laws
As spyware and digital surveillance expand, governments must strengthen privacy laws to protect individuals while balancing law enforcement needs.
- Countries like Canada and the U.S. need stronger enforcement mechanisms.
- Governments worldwide must address corporate data collection and government overreach.
- Public awareness and advocacy will be key in pushing for better protections.
Privacy is a fundamental right, and the best laws strike a balance between security, transparency, and consumer protection.
