Multiple police departments across Canada met with the beleaguered Italian tech company Hacking Team between 2011 and 2014 for demonstrations of its surveillance software services, Motherboard has learned.
The company's remote control service (RCS) software—essentially, malware that is surreptitiously installed by law enforcement on a device—is capable of intercepting phone calls, text messages, passwords and app data from compromised computers and phones, and can surreptitiously turn on a target's webcam and microphone.
Although the hacking software is marketed to law enforcement and government agencies, Hacking Team has drawn harsh criticism for also selling its services to repressive regimes in countries such as Sudan, Ethiopia, and Morocco.
Emails and documents leaked on Sunday show that the Royal Canadian Mounted Police (RCMP) tested surveillance software developed by Hacking Team in 2011. Hacking Team employees also flew to Vancouver and Calgary in 2013 and 2014, respectively, to demonstrate their software to local police.
A source with knowledge of the company confirmed the RCMP meeting, which took place in Ottawa in July 2011, and said that the RCMP started "a long trial" of the company's software. An email dating from October 2011 indicates that the RCMP was testing Hacking Team's Galileo remote control service (RCS) software at that time, but it is not clear when the trial began, nor when it ended.
"The product is MORE than what I had imagined. I think it is just what we need" — Vancouver Police
The source does not believe that the RCMP became a Hacking Team customer. There is no record of the agency amongst other client listings.
"I can tell you that the RCMP is open to considering new technologies to improve judicially authorized or lawful investigative practices," confirmed RCMP spokesperson Sgt. Julie Gagnon in an email Wednesday morning. "The RCMP tested the Hacking Team technology in 2011. The RCMP did not purchase and does not use the Hacking Team technology."
Leaked emails, calendar entries, and documents revealed that employees of the Calgary Police department also requested a meeting with Hacking Team late last year, as did the Vancouver Police Department in 2013.
"Our service is currently exploring options for tools that encompass network penetration solutions with an end-to-end command and control center capability," wrote Constable Shane Cross of the Calgary Police Service's Cybercrime Support Team in an email on September 30, 2014. "At this point we are trying to establish a 'ball park figure' price point for such a tool (Galileo). Subsequent to that, we would like to quickly arrange a more appropriate discussion of specifics and a possible demo."
Calgary Police first met Hacking Team at a National Technical Investigators' Association conference in 2013, according to emails, and had been trying to set up a demonstration with the company as early as May 20, 2014, when Cst. Matthew Landiuk emailed the company. Another employee, Sgt. Cory Dayley, followed up in June. Hacking Team eventually met with Calgary Police at police headquarters for a demo at 10 AM on November 24th, 2014.
According to a report written by Sergio Rodriguez-Solís, a Hacking Team Field Application Engineer (FAE), the company demonstrated its software's ability to infect Android and BlackBerry devices, record passwords, and observe targets logging into Gmail and Facebook.
"Very kind people, questions, more than 10 people attending," Rodriguez-Solís wrote in an email accompanying the report.
Two Hacking Team employees also met with Vancouver Police Department at 10 AM on July 10, 2013.
"The product is MORE than what I had imagined," wrote David Ainsworth, whose position at the agency is not listed, in a follow-up email after the meeting. "I think it is just what we need."
It is not clear whether Calgary Police or Vancouver Police Department sought a trial of Hacking Team's RCS software or became Hacking Team customers. There is no mention of either agency in the company's client listings.
According to another email, Gene Robinson, an IT infrastructure project manager with the Edmonton Police Service, contacted Hacking Team in April of this year to seek more information about the company's products, but it isn't clear whether any meetings took place.
"I checked with our Tech Crimes Unit and they have never used this service, and are not aware of the EPS using it either," wrote Patrycia Thenu, a spokesperson for the Edmonton Police Service, in an email.
"Software, services, or tools intended for investigative or security purposes is something we would not discuss," said Vancouver Police Department spokesperson Constable Brian Montague in an email. "Unfortunately I would not be able to confirm, deny, or share any information or details regarding your questions."
The Calgary Police Service had yet to respond to a request for comment as of Wednesday morning.
"A hammer can be used for murder, or a hammer can be used to build a house for Habitat for Humanity," said David Fraser
That Canadian police were interested in Hacking Team's services is "not surprising, but it should underscore a key difference between law enforcement in countries like Canada and the United States where, notwithstanding concerns many of us have over transparency and accountability, you cannot put those governments in the same category as Sudan and Ethiopia and Russia," said Ron Deibert, director of the Citizen Lab, a research group at the University of Toronto's Munk School of Global Affairs, which has published numerous reports on the sale of Hacking Team software to repressive regimes.
"These are products that are marketed to law enforcement and intelligence agencies, but the biggest concerns really revolve around their use in areas where there are no proper checks and balances, and they're likely to end up targeting civil society and human rights groups and what would be considered legitimate political opposition. At least in jurisdictions like Canada, the United States and Europe there's a greater degree of transparency and accountability. It's not perfect, but I think it puts it in a different category."
According to David Fraser, a partner at the Halifax law firm McInnes Cooper and an expert in privacy and internet law, the use of intrusion software or malware by Canadian police typically requires a warrant.
"A hammer can be used for murder, or a hammer can be used to build a house for Habitat for Humanity," said Fraser. "It comes down to what are they doing with it? Under what authorization? What circumstances? Would I have a problem if this tool were deployed against somebody who was actually plotting to kill Canadians? I'd have less of a concern about that. But if they were using it kind of on a 'Oh, well, we think this person must be up to no good' and they're deploying it in those sorts of circumstances I have a problem with that."
Nevertheless, police using the same techniques as hackers to access a suspect's webcam, for example, or log their passwords, has struck some privacy advocates as unethical—especially since judges often don't understand the depth of the hacking that's happening. The extent to which law enforcement and government agencies in both Canada and the US are using such techniques to hack into remote computers and phones is not clear.
In an email from November 19, 2014, Hacking Team employees weigh the benefits of cancelling a previously scheduled meeting in Mexico to fly to Calgary for their November meeting.
"I think they will be ok with our without our demo in Hermosio, Senora [sic], but we would be expanding our market by going to Calgary to demo. I will take the blame for no demo in Sonora that week, but I think that expanding the market to a new country is more interesting in the long run," wrote Alex Velasco, Hacking Team's key account manager in North America.
A document describing Hacking Team's "US Action Plan" last modified in April 2015 indicated the company's intent to "re-contact RCMP [...] as soon as Sales person is hired"
Hacking Team finally hired an employee to handle US and Canadian sales on July 1.
"It was pleasure meeting with you and the talented team of HT last week," wrote Ryan Oliaee, who appears to be a former senior federal account manager at security company HBGary, which is a subsidiary of ManTech Cyber Solutions International, in an email on June 15. "I am very proud and excited to be part of team and looking forward to our new chapter of expanded success in U.S. and Canada."