How Canadian cops keep their most powerful cellphone-tracking technology a secret from the courts
When Canadian police, sitting in the back of a surveillance van, flicked a switch on a metal box that could be confused for a transistor radio, it should have picked up a signal from a suspected mobster’s cellphone. It didn’t.
The machine couldn’t find the cellphone. Police said the reading was: “inconclusive.”
The RCMP kept that fact secret during their investigation into a high-profile Montreal mob murder, failing even to tell the judge that was signing surveillance warrants for the investigations. It wasn’t until the middle of the trial that the police revealed that these machines had failed to do what they were programmed to do.
The RCMP call these machines mobile device identifiers (MDIs), but they are more commonly referred to as IMSI-Catchers, or Stingrays — a brand name for a specific model that has become a catch-all term for all of these devices, regardless of their make or model.
And, years later, they still won’t say why the device failed during the mafia investigation. But thousands of court documents, obtained by VICE News, shed new light about how the police deploy this sort of technology, and how their secrecy could impact Canadians’ right to a fair trial.
In recent weeks, VICE News revealed how the RCMP is pushing a “new public narrative” around broadened surveillance powers, married to a public relations campaign aimed at making the police force look open and accessible. This case paints a clear picture of how the RCMP have fought transparency on their most secretive surveillance techniques at every turn.
Mobile device identifiers are essentially fake cellphone towers, which can trick all, or some, phones for miles around into connecting and handing over an array of personalized data, and can be used to pinpoint their location, often after multiple scans.
Some details have emerged across North America and Europe about how police forces use these devices to scan public areas for cellphones, without ever telling the public. But police forces have fought to keep these details secret.
VICE News and Motherboard previously wrote about this murder trial, and other aspects of the RCMP’s high-tech and secretive surveillance powers, in April.
No legislation in Canada governs this type of surveillance, and police rely on general, non-specific, warrants to authorize their use. Using one of these devices allows police to prove that a cellphone is in the possession of a suspect at any given time, and can serve as the basis for wiretap or interception warrants. Motherboard has previously reported that police agencies in Canada have used the machines without a warrant at all.
But police have invoked investigative privilege whenever the devices come up in court, refusing to break down the make, model, manufacturer capabilities, brand name, or even the specifications of the device or how it works. They spent months fighting in court to avoid that disclosure in court, did not respond to VICE News requests on the matter, and have denied access to information requests pertaining to the devices.
One official policy, filed with the court, even suggests that the RCMP was to be oblique about its investigative powers when filing for warrants in court, reading that: “The wording specific to the MDI must not reveal sensitive police techniques.”
That is backed up by internal RCMP documents obtained via the Access to Information Act, obtained by VICE News this month, which read that the police force “at trial, police investigative tools and techniques may be further safeguarded through means such as Common Law or the Canada Evidence Act.”
The RCMP contend that releasing any information on the mobile device identifiers — even the fact that they own one — could help criminals beat or elude the devices.
The government has been so aggressive in keeping these documents secret that when VICE News began publishing details of the case, government lawyers came calling, insisting that a non-publication order forbade journalists from publishing details within the documents.
VICE News went to court, arguing before a Quebec judge that the documents ought to be made public, and won. Thanks to that victory, many details of these devices that have never been published will now see the light of day.
As a defense counsel submission in the case sums it up: “Where the MDI is said to have made a positive identification, the [accused] is expected to take it on faith that the identification was accurate as he has no way of meaningfully challenging the reliability of any positive identification made using the MDI,” the defense submission reads.
“The [accused] is forced to simply trust the police.”
The documents paint a less-than-flattering picture of exactly how these devices work.
In a log prepared by RCMP officer Josh Richdale, cellphones picked up by the MDI were listed as “possible.” Sometimes, that number wouldn’t be connected to the suspected mobster at all — meaning the RCMP had entered an unwitting person’s cellphone information into their database under the identity of a suspected mafioso.
The device, after all, does not target one phone. It scrapes personal information from all phones in the area. Police only determine which phones belong to their suspects — or which phones they think belong to their suspects — through the process of elimination.
Other times, they simply didn’t see the phone they were looking for.
“There’s times where we have completed readings with the MDI machine and we were not able to identify a specific device associated with one of the known persons that we were following,” Richdale told the court.
The defense team was incensed when police finally disclosed that fact in court.
“The MDI’s accuracy and reliability in identifying or confirming phones in a target’s possession is relevant to whether the Crown can prove its theory about who was using which phones at which times beyond a reasonable doubt,” the defense submission reads.
“The Crown used MDI identifications to support its circumstantial theory of the case, yet it has provided no information about the error rate of the MDI, what if anything might cause the MDI to register a false positive, or the training received by RCMP officers on how to accurately operate the MDI and interpret its readings and whether any such protocols were followed in this case.”
The RCMP’s official policy on the devices, filed elsewhere in the documents, reads that for inconclusive results, the Special “I” team — the technology division where Richdale worked — were instructed not to tell investigators when a reading came back inconclusive, meaning that the court would likely never find out.
“All inconclusive results, information concerning non-targeted persons or other information gathered in the database are not given to the investigators and are kept under the control of the RCMP Special ‘I’ unit,” reads Richdale’s affidavit.
The only reason the defense lawyers found out in this case is because they fought tooth-and-nail to obtain detailed information on the device, and the court ordered the RCMP to turn it over.
In arguing that point, the defense contended that it was not the RCMP’s role to decide what was and wasn’t relevant for the court in renewing the warrants.
“It was not for the police to filter the information provided to the issuing justice nor was it open to the police to refuse to disclose proprietary ‘privileged information,’” the defense wrote in one submission.
But the defense objection boils down to a simple point: How can you defend yourself when so much of the evidence against you stems from what, in essence, is a magic box?
The RCMP tried to defend their devices, while still refusing to disclose exactly why they might fail — or, as Richdale phrased it, read “inconclusive.”
“Any time we’re unable to identify a cellular device, it would be considered an inconclusive result and not a failed result,” Richdale told the court.
Defense lawyer Frank Addario pushed Richdale, arguing that his definition of “inconclusive” would, for a layman, essentially read as: failed. “When I say failed,” the defense lawyer continued in his cross-examination. “I’m referring to a reading in which the phone that the investigators believed was present is not appearing in the data collect by the MDI.”
“OK, I see what you’re trying to say,” Richdale replied. “No, I would still consider that as an inconclusive result.”
Richdale defended his language. “But failing, by that sense, does not mean … that person was not in possession, until such time where you are one hundred percent conclusive that he is not…”
Addario interjected: “How do I prove that? How do I prove that I’ve never been to Moscow?”
The two didn’t come to agreement on which word was more accurate, but the RCMP eventually did provide a list of explanation for these inconclusive readings. A powerpoint slide listed the options: the phone was off, the device was out of range, or the suspect wasn’t in possession of the phone.
The fourth answer is a secret — redacted by a thick black line in all of the court documents. Even the defense lawyers were kept in the dark.
In cross-examination, Richdale admitted that the RCMP had witnessed the suspect using the phone. So Addario pushed Richdale: “If we can establish for His Honour that the [MDI] device was not off, the cellular device was not off and the [MDI] was not out of range, then we’re left with two possibilities.”
“That’s correct,” responded Richdale.
That is: either the police were wrong, and their surveillance and interception warrants were based on faulty evidence and these men were not using those phones when police said they were, or it was the fourth — secret — answer.
Michael Lacy was the defense lawyer for one of the men who pleaded guilty to conspiracy to commit murder. He says this practise, and its shortcomings, should be of tremendous interest to the public.
“They sold this as a very reliable technique,” he told VICE News. “When it didn’t work, or didn’t confirm [the suspect’s location], they just ignored the fact that it didn’t work … They oversold the value of the device to the issuing judge.”
Lacy underscores how critically important that is.
“This is what people have to understand about this technique, it’s not just that they’re accessing your cell signature,” Lacy added, referring to the phone number and device identifying information that can be picked up by the MDI. “This is a precursor to then getting an authorization to get an intercept to get all the messages on that device.”
There’s another angle that frightens Lacy: when the RCMP run the device, they collect data on every single cellphone in the vicinity. That information, as the RCMP admitted during the trial, can be kept indefinitely.
“There’s no limit on how they use the information,” Lacy says, adding that it runs the risk of “windfall investigations” — where police can constantly go back and check this ever-growing backlog of cellphone data.
The RCMP themselves admit they store the information.
“The data that is captured by the MDI is stored in a database,” reads the official policy. “Operators will save the database of their surveillance on a USB key which they keep control and possession of throughout the duration of the file. At the end of the file, the databases are consolidated onto a single media (CD or USB) and kept in a secure location at the RCMP Special ‘I’ office.”
To that end, the mobile device identifiers could act as a sort of omnipresent surveillance camera — capable of taking snapshots of every individual who was in a given area at a time. Since there are no public policies or legislation that governs this data or this technique, it appears that nothing stops the RCMP from consulting that growing library of data for any future crime it investigates, even though most of the data sitting in that Special “I” office pertains to Canadians not suspected of a crime.
It may sound like a scene from Minority Report, but it’s a real concern. This year, it was discovered that CSIS, the RCMP’s domestic spy sister organization, had been warehousing all the metadata it had been collecting from various surveillance operations, and using advanced analytics software to cross-reference it whenever they suspected it could help in an investigation.
Geoff Vaughan, a security engineer with Toronto-based Security Innovation and who has extensive knowledge of MDI technology, says there are plenty of reasons why one of these devices could simply fail. But he underscores that there’s a deep security problem with the devices.
“Consumers should have a way to know if they’re on a trusted network or not,” Vaughan says.
The RCMP themselves admitted in court that when “when it attracts all the mobile telephones in its range, the MDI may, depending on how it is used, temporarily take them off the public telecommunications network.”
The results could make it hard for cellphones in the area to make new calls and, according to the RCMP, could affect the ability of some older cellphones to dial 911. While the RCMP say they try to minimize the use of the device in public areas, it can often run for longer than stated by their official guidelines: Three minutes.
There’s also a painfully simple way to avoid one of these devices: Wi-Fi. A device not using its cellular services likely can’t be tracked by a mobile device identifier.
With such a simple way to beat the device, it draws the question of whether the MDI is worth the risks.
The police agency had used these devices for years prior to this murder investigation, and continue to use them. But as one officer stressed, unlike other devices like the Stingray brand, the MDI devices they used for the investigation could not intercept or alter communications, like text messages or emails.
But one courtroom exchange, with RCMP officer Jocelyn Fortin, suggests that the RCMP had come into possession of more powerful equipment following the wrap of the 2012 surveillance operation.
“So the device that you currently own [redacted] is it similar to the one that was used in the past?” asked the Crown prosecutor.
After some back and forth, Fortin confirms: “No. The one that we currently have has new, uh … capabilities that we didn’t have in the past.”
Despite an emerging conversation on these devices, the RCMP continue to refuse to either confirm or deny that they are in possession of MDI technology.
This, despite a promise from Justin Trudeau’s government to advance a new level of openness and transparency around national security, aimed at balancing Canadians’ privacy and public safety. The government launched an online national security consultation, open to all Canadians, for exactly that purpose.
But while the consultation and its background documents go on at length about ways in which new laws could reasonably limit personal or corporate encryption, and how police can obtain Canadians’ data without a warrant, there is no mention of the mobile device identifiers.
This week, VICE News asked Public Safety Minister Ralph Goodale why that is.
“It’s a topic that is very much a part of our examination of our national security review,” Goodale said.
When it was pointed out that this technology isn’t mentioned anywhere in the national security consultation, Goodale said it was up to the public to raise the issue, if they think it’s important.
“The document deals with ten particular topics. There are many that are under consideration. The point is that Canadians are perfectly at liberty to raise anything on national security.”
VICE News tried again: How can the public come forward on an issue that the country’s main police force refuses to tell anyone about?
Goodale laughed, and offered a final answer before walking away:
“I am interested in the topic and will do my very best to address it.”
Cover: Illustration by Ethan Tennier-Stuart