Ontario Police Are Hacking Phones With Spyware — And Dropping Cases to Hide It

Ontario police have been using military-grade spyware to remotely take over smartphones -- capturing screenshots, reading encrypted messages, and activating cameras and microphones without the owner's knowledge. When defence lawyers ask how the technology works, the Crown's response is to drop the case rather than disclose the details. This is not a hypothetical. This is happening right now, in Canadian courts, with the full knowledge of the provincial and federal government. What ODITs Can Do On-Device Investigative Tools (ODITs) are the police term for what everyone else calls spyware. Once deployed on a target device -- without any action required from the phone's owner -- an ODIT can: Capture screenshots of everything on the device Monitor keystrokes in real time, including passwords Read encrypted messages (End-to-end encryption is useless if the spyware reads the message on the device before or after encryption) Remotely activate the device's microphone and camera Access all stored data including photos, contacts, and location history This is not wiretapping. This is full device takeover. And the legal framework being used to authorize it was written in the 1970s for listening in on phone calls. The Paragon Connection In March 2025, the Citizen Lab at the University of Toronto published a report titled "Virtue or Vice" that identified "possible links" between the Ontario Provincial Police and Paragon Solutions, an Israeli spyware company founded by former Israeli intelligence operatives. Paragon makes a product called Graphite, which can infect devices via zero-click exploits -- meaning the target does not need to click a link, open a message, or take any action at all. The phone is simply compromised. Citizen Lab traced a Paragon customer IP address to OPP general headquarters. Paragon, which deliberately "flies under the radar" and lacks even a website, was acquired in December 2024 by AE Industrial Partners, a Florida-based private equity firm. Its senior leadership includes a CIA veteran, a former Navy program director, and a former senior official with defense contractor L3Harris. In January 2025, Meta/WhatsApp discovered Graphite targeting and sometimes infecting devices of more than 90 WhatsApp users worldwide. In Italy, Paragon targeted journalists. The JTAC: Seven Police Forces, One Secret Unit The Joint Technical Assistance Centre (JTAC) is the secretive unit that manages ODIT access across Ontario. It pools resources from: Ontario Provincial Police (OPP) -- leads JTAC Toronto Police Service Peel Regional Police York Regional Police Durham Regional Police Ottawa Police Service Windsor Police Service JTAC is funded by the province. It makes the Crown and local police sign "engagement agreements" that require them to potentially drop prosecutions rather than reveal the vendor identity or tool capabilities. They Would Rather Drop the Case Two major cases reveal the extent of the secrecy: Project Fairfield (Windsor): Police used ODITs to investigate an auto-theft ring, resulting in 23 arrests and 279 charges with over $9 million in recovered vehicles. When defence lawyers challenged the ODIT use, the Crown fought disclosure under Section 37 of the Canada Evidence Act. Project Vegas (Brampton): In an opium-smuggling case, the same secrecy playbook is being deployed. The Public Prosecution Service of Canada argues that disclosure would "result in the police no longer having access to an effective technological tool" and would have a "profound impact on public safety." Translation: the tool is more important than the case. The secrecy is more important than the conviction. The Legal Gap Canada's wiretap laws were written for rotary phones. ODITs are authorized under general warrants in the Criminal Code -- a lower bar than the search warrants that defence lawyers argue should be required. Hacking into someone's phone to seize their data is, by any reasonable definition, a search. Key legal problems: No specific legislation governs ODITs in Canada The RCMP used ODITs for over a decade without Parliament being explicitly notified Former Privacy Commissioner Daniel Therrien testified he did not know the RCMP had been using ODITs for more than a decade The House of Commons ETHI Committee investigated and produced Report No. 7, but recommendations have not been implemented Evan Light of York University found that spyware is being used by 13 federal departments, not just police A single ODIT operation costs approximately $500,000 per target What Experts Are Saying Tamir Israel, CCLA director of privacy, surveillance and technology: "If police want to make the case that use of spyware is justified, they need to do this in a transparent manner that fully explains the details and level of intrusiveness of the tool." "If the secrecy makes it impossible for police to provide the information courts need to assess these tools, then these tools are inappropriate for police investigations, and police should not be using them." "This capability is among the most intrusive in terms of the detailed window it can open into any individual's life and in a democratic society." Ron Deibert, Citizen Lab founder: "The problem with most democratic countries, and I would say my country included, Canada, is you have a lot of local police, a lot of entities below national intelligence agencies that potentially could be customers and for whom there is not really adequate oversight." Brenda McPhail, CCLA, called for a moratorium on surveillance technology until public discussion occurs. The Bigger Picture: Digital ID and the Surveillance Ecosystem This spyware program does not exist in isolation. Canada is simultaneously building out digital identity infrastructure province by province, while passing legislation like Bill C-2 (lawful access) and Bill C-8 (cybersecurity information sharing) that compel service providers to build surveillance-friendly infrastructure. The combination is concerning: Digital ID credentials stored on smartphones become accessible to ODITs if the device is compromised Lawful access legislation makes it easier for police to demand data from service providers Police spyware can bypass encryption entirely by reading data on the device No independent oversight body specifically monitors ODIT use The federal government confirmed in January 2026 that there are no plans for a mandatory national digital identity system. But provincial digital credential systems are expanding, and the infrastructure being built today could easily be repurposed tomorrow. What You Can Do Check your devices -- Use our Browser Fingerprint Checker to see what your device is leaking Encrypt everything -- End-to-end encryption still protects against network surveillance, even if ODITs can read messages on compromised devices Use a VPN -- Test your VPN for DNS and IP leaks Contact your MP -- Ask them to support legislation governing police use of spyware Support the CCLA -- The Canadian Civil Liberties Association is leading the legal fight for transparency The Bottom Line Ontario police have military-grade spyware. They are using it on Canadian citizens. They would rather let accused criminals walk free than tell a judge how the technology works. The laws authorizing this were written for a world that no longer exists. They didn't ask. And they are fighting to make sure you never find out.