Apr 042017
 
A CBC/Radio-Canada investigation has found cellphone trackers at work
near Parliament Hill and embassies

By Catherine Cullen, Brigitte Bureau, CBC News

http://www.cbc.ca/news/politics/imsi-cellphones-spying-ottawa-1.4050049

A CBC News/Radio-Canada investigation has revealed that someone is using devices that track cell phones near the heart of Canadian democracy.

A CBC News/Radio-Canada investigation has revealed that someone is using devices that track cell phones near the heart of Canadian democracy. (Adrian Wyld/Canadian Press)

 

A months-long CBC News/Radio-Canada investigation has revealed that someone is using devices that track and spy on cellphones in the area around Parliament Hill.

The devices are known as IMSI catchers and have been used by Canadian police and security authorities, foreign intelligence and even organized crime.

 

The devices, sometimes known by the brand name of one model, StingRay, work by mimicking a cellphone tower to interact with nearby phones and read the unique ID associated with the phone — the International Mobile Subscriber Identity, or IMSI.

That number can then be used to track the phone and by extension the phone’s user. In some instances, IMSI catchers can even be used to gain access to a phone’s text messages and listen in on calls.

At the heart of Canadian government

To do the investigation, our journalists used a device that detects IMSI catchers created by the German company GSMK. While it looks like a regular cellphone, the CryptoPhone emits an alert when a fake cellphone antenna intercepts its signal.

Media in the United States, Norway and Australia have done similar tests, but this is the first time it’s been used by a media outlet in Canada.

During tests in December and January, the CryptoPhone set off alerts at locations around Parliament Hill, including the nearby Byward Market, the Rideau Centre shopping mall and CBC offices in downtown Ottawa.

Cryptophone

ESD America’s CryptoPhone – purchased by CBC and Radio-Canada – can detect when an IMSI catcher is trying to intercept it. (CBC)

 

Because IMSI catchers have a radius of about half a kilometre in an urban setting, the IMSI catchers CBC detected could reach territory including Parliament Hill, the Prime Minister’s Office in Langevin Block, National Defence headquarters, as well as the U.S. and Israeli embassies.

We then used even more sophisticated equipment called an Overwatch Sensor that confirmed the presence of an IMSI catcher close to Parliament Hill.

Who is behind it?

We wanted to know more about who might be using the IMSI catcher or catchers that we detected, so we asked the U.S. supplier of the CryptoPhone to analyze the alerts we were getting.

ESD America specializes in counterintelligence and its clients include U.S. Homeland Security.

“Consistently you’ve been seeing IMSI catcher activity, definitely,” said CEO and co-founder Les Goldsmith, when we took our results to the company’s Las Vegas office.

Les Goldsmith

Les Goldsmith is CEO of Las Vegas-based ESD America, which specializes in counter-surveillance technologies including the CryptoPhone. (CBC )

We described the part of the city in which we detected the IMSI catchers — full of politicians, political staffers and civil servants.

“Somebody could be listening to calls right now and [the phone owners] have no idea,” he said.

 

As for who might be behind it, Goldsmith says IMSI catchers are used by law enforcement, federal agencies as well as organized crime and foreign intelligence.

Based on the configurations suggested by CBC’s results, he believes the IMSI catchers detected in Ottawa could be foreign made.

“We’re seeing more IMSI catchers with different configurations and we can build a signature. So we’re seeing IMSI catchers that are more likely Chinese, Russian, Israeli and so forth,” he said.

Foreign spies?

We also showed our results to an expert in Canadian security.

He knows a lot about IMSI catchers and comes from a Canadian security agency. We agreed to conceal his identity in order not to jeopardize that security work.

The expert found the results of our investigation disturbing.

“That an MP or a person who works on Parliament Hill could be exposed, that they could be a victim of this type of attack— it undermines our sovereignty,” he said.

Locations where CBC/Radio-Canada found IMSI catchers

The locations in black are where CBC/Radio-Canada detected IMSI catchers in Ottawa. The circles show the range the IMSI catchers could cover. (CBC)

 

Based on his experience, he sees two very different potential explanations for the results. One domestic, the other foreign.

He said Russia has used IMSI catchers in Canada before.

“We learned that Russian intelligence was parked near CSIS with equipment on board to do IMSI catching. After X number of days or weeks, they’re capable of identifying the IMSI numbers that belong to intelligence officers because the phones were spending eight hours a day in the same spot.”

He said when the Russians would do their next clandestine operation, they would use an IMSI catcher to see if any of the numbers associated with Canadian intelligence were nearby. If there were, they would call off the operation.

The Russian Embassy rejects any allegation that Russians have used IMSI catchers in Ottawa.

“Any suggestions as to that kind of activities are bogus and baseless,” said an embassy spokesperson.

A representative from the Chinese Embassy told us it was “not only unreasonable but even irresponsible” to suggest that country would be involved in the activity.

Israel said it had no knowledge of the issue, and the United States declined to comment.

Canadian spies?

Our security expert suggested the IMSI catchers we saw might be the work of a domestic agency, like Canada’s electronic spy agency, the Communication Security Establishment.

“One possibility is that the Communications Security Establishment has been mandated to monitor the network for protection purposes, in a defensive way,” he said.

CSE said it’s not allowed to do that.

“To be clear, by law, CSE is not permitted to direct its activities at Canadians anywhere or at anyone in Canada, ” a spokesperson said in a statement, adding that CSE respects the law.

 

How an IMSI catcher works

IMSI catchers pretend to be a cellphone tower to attract nearby cell signals and intercept the unique ID number associated with your phone, the International Mobile Subscriber Identity or IMSI. (CBC)

 

Police use of IMSI catchers

Last June it was revealed the RCMP uses IMSI catchers in its work. A Quebec Superior Court lifted a publication ban to reveal police were using the technology as part of an investigation into the 2011 death of Salvatore (Sal the Ironworker) Montagna, a high-ranking member of a New York crime family killed outside Montreal.

Court documents show the RCMP:

  • Purchased its first IMSI catcher in 2005.
  • Has used IMSI catchers in numerous investigations.
  • Keeps information about the cellphones of ordinary Canadians detected in the course of some investigations.
  • Recognizes phones may be affected while an IMSI catcher is in use, including possible delays in reaching 911.

The documents also show the RCMP obtained court authorization to use the IMSI catcher, which the RCMP refer to as a mobile device interceptor, or MDI.

Recent court proceedings may also shed light on the degree to which police are reluctant to discuss their use of the devices. Last month, lawyers for the federal government issued stays of proceedings against three dozen suspects out of the nearly 50 people rounded up in an operation targeting the Montreal Mafia.

A Crown prosecutor told reporters one of the reasons was that evidence gathered by the RCMP raised “unprecedented legal questions,” but declined to say more.

Some privacy experts believe the Crown is concerned about whether their use of IMSI catchers — including debates about how the data is collected — will hold up in court.

Municipal police forces use the technology as well. The Vancouver police have acknowledged they borrowed an RCMP IMSI catcher in 2007 and said they would use the technology again.

CBC News obtained documents showing that in 2016, Winnipeg police, Durham Regional Police, Ontario Provincial Police and the Canadian Security Intelligence Service had also gotten a licence from federal public safety officials to purchase an IMSI catcher.

 

Who is using IMSI catchers in Ottawa?

We reached out to police, security agencies, embassies and the federal government to ask if they were involved in the IMSI catchers we detected.

The Department of National Defence said it had no knowledge of IMSI catchers being used on the dates we saw activity.

The Department of Public Safety, the Ottawa Police Service, the RCMP and CSIS all gave similar responses: They don’t discuss specific investigative techniques but they do follow the law, respect the Charter of Rights and Freedoms and adhere to the appropriate judicial processes.

The detection of the devices is troubling to Teresa Scassa, Canada Research Chair in Information Law at the University of Ottawa.

Even if the technology is being used by public authorities, Scassa sees reason to be concerned.

She points to a lack of transparency if Canadians are only learning in 2017 that the RCMP has had an IMSI catcher since 2005.

Teresa Scassa

Teresa Scassa, Canada research chair in information law at the University of Ottawa, says the use of IMSI catchers in Ottawa is “hugely concerning.” (CBC )

She also said it’s not clear whether the authorities always get a warrant. Even when they do, there are still questions about what happens to the information of other people caught up in the investigation, Scassa said.

“Is it destroyed? Is it retained? Is it used for other purposes? It’s not always clear that warrants contain conditions that require something specific to be done with the information afterwards.”

Given that many groups may have access to IMSI catchers, Scassa argues there is a lot more the government could be doing to protect Canadians’ privacy.

She believes agencies that use IMSI catchers should be required to get a warrant whenever the devices are used, destroy information that is intercepted but not related to the investigation and to report to the privacy commissioner about some key pieces of information, like how often they are used and in what context.

 Leave a Reply

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>

(required)

(required)