The Mounties provided access to the files in a bid to demonstrate how investigations of tech-savvy suspected criminals are increasingly “going dark” because crucial evidence is beyond their reach.
The rare look inside active investigations comes amidst a thorny debate and public consultation on Canada’s Anti-Terrorism Act (C-51), which includes proposals to significantly expand police powers.
Four ideas floated in the federal government’s green paper on national security would enhance investigative capabilities, including the power to compel suspects to unlock their encrypted computers and cellphones and a law to require telecommunication and internet service providers to install interception and data-retention equipment in their networks.
But privacy and civil liberties advocates are fiercely opposed to such measures and demand police provide more evidence to justify their request for new powers.
RCMP Chief Supt. Jeff Adam admits law enforcement hasn’t done a great job explaining the investigative challenges of the digital world to the public.
“So far, [the debate] appears to be driven very much from one side, which is those that would like more privacy and more anonymity,” he said.
“What we need is an awareness of Canadians and lawmakers that our capabilities as they existed in the past, and the expectations of our ability to deliver on those, has changed significantly where we have less capability but potentially the same expectations.”
To bolster its case, the RCMP granted one CBC reporter and one Toronto Star reporter access to 10 “high priority” investigations. The two journalists underwent RCMP screening to obtain top secret security clearance. They were then provided details and summaries of the 10 cases, though police withheld names, locations and other details to protect the investigations and potential court cases.
Digital chatter unreadable
In one case, police say they obtained warrants to conduct surveillance on a group of people in Eastern Canada suspected in a terrorism conspiracy.
They discovered the main suspect’s phone was connecting to multiple cellular networks, none of which was technically equipped to intercept the suspect’s text messages and internet traffic.
In late 2014, the Mounties spent two months and $250,000 to engineer a custom tool to intercept the target’s communications only to discover all of it was encrypted and unreadable. The individuals remain under investigation.
Laptops, phones blocked
In another case, the RCMP, working with foreign intelligence agencies, obtained warrants to intercept home and cellular phone communications of a group of suspected “high-risk travellers” in a city in Western Canada. Police believed they were planning to join extremist groups overseas.
Investigators attempted to intercept more than 30 laptops, cellphones and computers being used by the group but could only “successfully infiltrate” two of them. While those two devices delivered a bounty of evidence — 4.4 million pieces of data, including videos, images, webpages, text messages and emails — some of the data was encrypted and unreadable.
It’s unclear whether the suspects have left Canada, and if so, whether they present any risk if they return. In eight of the ten cases, the key stumbling block for police was either a lack of interception capabilities at the phone and internet companies or the use of encryption.
Harold O’Connell, RCMP director general in charge of national security investigations, says this combination is proving fatal for high priority investigations.
“When we do actually get the data, and it’s encrypted, then we can’t see it,” he said. “And when we can’t see it, then we can’t analyze it … You can’t put together what the planning is. You can’t put together any of the organizational hierarchy as to who is directing what.”
Aaron Driver’s online chats
The RCMP says the fatal confrontation with Aaron Driver in Strathroy, Ont., back in August is a prime example of a case in which encryption thwarted law enforcement’s understanding of a threat.
Driver, a 24-year-old ISIS supporter suspected of planning a major urban attack, died after he detonated a bomb and was shot by police outside the house where he was staying.
“Hindsight would say that he was obviously farther along in preparing,” said Jeff Adam, the RCMP’s director general in charge of technical investigations services.
Driver attracted police attention in late 2014 when he posted comments online supporting ISIS and publicly defended Michael Zehaf-Bibeau, the extremist who gunned down a soldier at the National War Memorial and then charged across the street into Parliament’s Centre Block, wherepolice and security officers shot and killed him.
In early 2015, the RCMP and various international intelligence agencies discovered Driver was also communicating with well-known ISIS members and suspects directly involved in attacks in Texas and Australia. But the RCMP says his communication was via private Twitter messages and online chat forums protected by encryption and therefore unreadable by police.
In June 2015, police arrested Driver because they believed he posed a threat, but without hard evidence they couldn’t charge him. Driver was released on a peace bond.
A year later, on Aug. 10, the FBI alerted the RCMP of an “imminent” attack being planned in Canada after it obtained an anonymous martyrdom video.
The RCMP quickly identified Driver as the man in the video, and by the afternoon had dispatched surveillance and SWAT teams to the house in Strathroy. When they arrived, Driver was climbing into a cab bound for London, Ont. As police approached, Driver detonated a bomb in the back seat of the taxi.
The taxi driver dove out of the cab moments before the explosion and suffered minor injuries.
Adam says police had long feared Driver was capable of a terrorist attack, but had no evidence he was co-ordinating one using a homemade bomb.
“It was good police work that caught him before he could detonate it in public, if that was his intent,” Adam said. “The fact that he was out and available to do that is probably because we could not break the encrypted communications.”
“And that’s going dark. Couldn’t get the evidence to charge him.”
The Mounties have since completed forensic analysis and determined not all of the bomb material Driver was carrying exploded that day. Investigators found the detonator ignited only a small portion of the explosives, which they say could have instantly killed or severely injured anyone within 2.1 metres.
Police also say they found 139 steel ball bearings (.38 calibre), which they believe were intended as shrapnel and could have killed or badly injured many more bystanders outside the immediate blast zone. “The analysis tells us that if it had gone off, for example, on a city bus, there would’ve been death and grievous injuries,” Adam said.