Mounties admit to using cellphone-snooping ‘stingrays’

Last week, Canada’s Mounties admitted for the first time that just like US police, they use stingrays – suitcase-sized cell site simulators that mimic a cell tower and trick nearby phones (as in everybody’s phones, not just crooks’) into connecting and giving up their identifying information and location.

Granted, it’s not exactly like the way tower dumps are used in the US, given that the Royal Canadian Mounted Police (RCMP) are reportedly pretty scrupulous about getting warrants first. The RCMP did, however, admit to using the devices for years without permission, which it only got two months ago.

The admission comes after revelations that somebody or somebodies has turned the tables on the RCMP: a CBC News investigation has found that the devices have been planted at Montreal’s Trudeau airport.

Somebody’s also been using International Mobile Subscriber Identity (IMSI) catchers in the area around Parliament Hill in Ottawa.

Earlier in the month, public safety minister Ralph Goodale had denied that the spying is being done by any Canadian agency. The RCMP and Canadian Security Intelligence Service (CSIS) have launched an investigation into who might be responsible.

The devices were discovered during a months-long investigation, when reporters from CBC News and Radio-Canada used a device called a CryptoPhone to detect the use of the IMSI catchers. From the German company GSMK, the CryptoPhone looks just like a regular cellphone.

The CryptoPhone picked up on stingrays in use at locations around Parliament Hill, including the nearby Byward Market, the Rideau Centre shopping mall and CBC offices in downtown Ottawa.

CBC reports that the IMSI catchers have a radius of about half a kilometre in an urban setting. That means that the devices that they detected could snoop on cellphones used around Parliament Hill, the prime minister’s office in Langevin Block, National Defence headquarters, as well as the US and Israeli embassies.

Last week, in the wake of news reports about the discovery, the RCMP for the first time lifted the curtain on its own use of the technology.

During a news briefing, Jeff Adam, chief of technical investigations services, told reporters that while he isn’t “personally aware” of foreign agencies using the technology in Canada, “I can’t rule that out.” His office tracks all RCMP use of these devices.

The RCMP itself owns 10 stingrays, also known as Mobile Device Identifiers (MDIs). These things sell for around $400,000 each.

The RCMP said it’s used these “vital tools” scores of times to identify and track mobile devices: in 19 criminal investigations last year, and in 24 investigations in 2015, CBC News reported.

The only time police didn’t get a warrant before using the MDIs was an “exigent” circumstance – for example, an emergency situation “such as a kidnapping,” Adam said.

Some of these devices enable eavesdropping on phone calls and direct interception of text messages. Such invasive versions of the devices are illegal in Canada. Adam said that the devices used by the RCMP have software that blocks them from collecting anything beyond a mobile device’s identification number and its location:

“What the RCMP technology does not do is collect private communication.

“In other words, it does not collect voice and audio communications, email messages, text messages, contact lists, images, encryption keys or basic subscriber information.”

CBC News and Radio-Canada reporters wanted to figure out who might be using the MDIs they detected around Parliament Hill, so they asked the supplier of the CryptoPhone – ESD America – to analyze what they found.

After ESD America looked over the configurations, CEO and co-founder Les Goldsmith told them that he believes the IMSI catchers detected in Ottawa could be foreign made:

“We’re seeing more IMSI catchers with different configurations and we can build a signature. So we’re seeing IMSI catchers that are more likely Chinese, Russian, Israeli and so forth.”

An expert in Canadian security who requested anonymity in order to protect his ongoing work said that the use of IMSI catchers, particularly given their placement adjacent to government offices, is very disturbing:

“That an MP or a person who works on Parliament Hill could be exposed, that they could be a victim of this type of attack – it undermines our sovereignty.”

He also said that Russian intelligence has been found eavesdropping near Canada’s intelligence outfit in the past:

“We learned that Russian intelligence was parked near CSIS with equipment on board to do IMSI catching. After X number of days or weeks, they’re capable of identifying the IMSI numbers that belong to intelligence officers because the phones were spending eight hours a day in the same spot.”

The Russian and Chinese embassies have vehemently rejected allegations that they might be behind the snooping. Israel has said it doesn’t know anything about it, and the US has declined comment.

Although last week’s admission of law enforcement’s use of stingrays was unprecedented, it’s been known since at least last June that the RCMP uses them. That’s when a court opened up documents in the case of the death of a high-ranking member of a New York crime family who’d been killed outside Montreal. It turned out that police were using IMSI catcher technology to investigate the 2011 death of the mob member, Salvatore (Sal the Ironworker) Montagna.

In the US, the Department of Justice told US law enforcement in 2015 that it had to get a warrant to use stingrays.

But the federal guidelines had a hole big enough to drive a police cruiser through. Namely, they didn’t apply to local law enforcement.

In September, a coalition of civil liberties organizations including the Electronic Frontier Foundation (EFF), the American Civil Liberties Union (ACLU) and the National Association for the Advancement of Colored People (NAACP) launched an effort to rein in surveillance that it says has run amok, be it by excessive use of stingrays or other surveillance technologies.

The coalition’s movement is also called #TakeCTRL. It’s focused on passing ordinances to control surveillance in 11 cities. That goes beyond stingrays: US law enforcement has for years been buying gunshot-detection sensors, license plate readers, and tools to enable data-mining of social media posts for criminal activity and tracking of toll payments when drivers use electronic passes. Texas police have purchased at least one drone.
