Ontario police can read your encrypted messages, capture keystrokes, and turn on your microphone. The Crown will drop the case before naming the vendor.
On May 19, 2026, the Toronto Star reported that the Ontario Provincial Police and Windsor Police Service have been deploying On-Device Investigative Tools (ODITs) — software that hacks into a target’s phone or computer to extract calls, photos, encrypted messages, and live audio. The reporting centred on two active prosecutions. Project Fairfield, a Windsor-led investigation into an international auto-theft network, produced 23 arrests, 279 charges, and more than $9 million in recovered vehicles. Project Vegas, a Brampton opium-smuggling case against three brothers, is one in which the Crown’s evidence rests almost entirely on data pulled from compromised devices.
What makes the investigation matter is not that the tools exist. It is what the Crown is willing to do to keep them secret. A court document filed in Windsor Superior Court shows prosecutors signed an agreement with police committing to abandon the prosecution rather than disclose the spyware vendor or how the tool works. Federal prosecutors are withholding more than 140 related documents in Brampton under Section 37 of the Canada Evidence Act. The judge’s 146-page disclosure ruling is under publication ban. Pretrial arguments are held behind closed doors. Hearings resumed May 19, the day the Star investigation broke.
The tool is not a wiretap
Traditional surveillance intercepts communication moving across a network. Wiretaps listen to calls in transit. Metadata requests ask telecoms what numbers contacted what numbers. ODITs do something categorically different. Installed on the target device at the operating-system level, an ODIT reads messages before encryption is applied and after decryption removes it, captures keystrokes as typed, downloads files and photos from storage, monitors communications across any installed application, and lets the operator remotely activate microphones and potentially cameras. The phone becomes a continuously running surveillance device transmitting its owner’s life to the agency that compromised it.
This matters legally because the Charter framework governing search and seizure was designed around physical intrusions and intercepted communications, not cognitive penetration of a device containing banking, medical records, political beliefs, location history, photographs, and unsent thoughts. Section 8 requires searches be reasonable, and reasonableness has to be evaluated against the scope of intrusion. Defence lawyers Kim Schofield and Miranda Brar argue in their Windsor factum that police obtained general warrants when they should have applied for search warrants — extracting data from a phone is functionally a search of the device. The threshold for general warrants is lower.
The infrastructure predates the public knowledge
The RCMP first publicly acknowledged ODIT use in 2022, after Privacy Commissioner inquiries and parliamentary pressure. Force figures put 2017–2024 deployments at 35 investigations and 57 devices. A former senior intelligence officer told a parliamentary committee one deployment costs roughly $500,000. The RCMP has declined to name the vendor. Citizen Lab identified the OPP as a likely customer of Paragon Solutions, an Israeli firm whose Graphite spyware has been found on the phones of journalists and rights workers in Italy. The OPP neither confirmed nor denied. Toronto Police, York Regional, Hamilton, and Peel also possess or have sought such tools.
None of this required Parliament’s approval. The Standing Committee on Access to Information, Privacy, and Ethics released a November 2022 report identifying a legislative gap and recommending statutory reform around ODIT use. None of its recommendations were implemented. Canada co-signed the 2023 US-led Joint Statement on countering commercial spyware misuse and continued procuring commercial spyware. The infrastructure has been operating across at least seven police services — RCMP and multiple provincial and municipal forces — for nearly a decade. It consists of procurement contracts, technical units, authorizations issued in closed proceedings, and vendor agreements the public has been actively prevented from inspecting.
The court secrecy is the constitutional problem
The Schofield and Brar factum in Windsor argues something important about the warrant process itself. They write that the authorizing judge was not told of the volumes of related material police possessed, nor of the secret agreement between police and Crown to abandon the prosecution if vendor disclosure was ordered. The judge issued the warrant without seeing the institutional architecture around the technology authorized. A warrant is only meaningful if the issuing judge understands what is being approved. If material facts were withheld, the warrant did not function as judicial oversight in any constitutional sense.
Tamir Israel, the Canadian Civil Liberties Association’s director of privacy, surveillance, and technology, summarized the problem to the Star. Police, he wrote, need to justify spyware use transparently, with full explanation of intrusiveness. If the secrecy makes it impossible for police to provide what courts need, the tools should not be in police hands. Ontario’s Information and Privacy Commissioner — which has previously raised alarms about facial recognition, AI, and genetic genealogy in policing — says the office is closely monitoring. None of this monitoring is the same as the public being able to see the documents the judge read.
The legislation catches up to the operations
This is unfolding while Parliament debates Bill C-22, the Lawful Access Act, introduced March 12, 2026. The bill would compel telecommunications providers and platforms — Rogers, Bell, Telus, Meta, Google, Signal — to retain user metadata for up to a year, build access mechanisms into their systems for law enforcement, and respond to ministerial orders without judicial pre-authorization in defined categories. Signal has said it would pull out of Canada. Apple and Meta have raised concerns. The C-22 architecture and ODIT deployments describe two flanks of one apparatus: forced platform cooperation and direct device compromise.
The two flanks are complementary. C-22 makes it harder for users to communicate without leaving a retained record visible to the state. ODITs make it irrelevant whether the communications were encrypted in the first place, because the device transmits its contents before any encryption is applied. Together they enclose the technological field. C-22 would legalize a portion of what is happening, retroactively framing the existing architecture as the natural extension of statute. The ODIT deployments now under court challenge are the other portion — operations the legislation does not address, run anyway behind sealed filings and publication bans.
The vendor and the pipeline
Paragon Solutions sits inside an Israeli cyber-intelligence industry that emerged through close traffic between military signals intelligence — primarily Unit 8200 — and private-sector commercialization. The same industry produced NSO Group, Candiru, and Cellebrite. The companies share former-military personnel, technical heritage, and one business model: state clients require secrecy, secrecy reduces oversight, reduced oversight enables broader deployment. Paragon was acquired by Florida-based AE Industrial Partners in 2025, fitting it into a North American defence-investment portfolio. Deployments documented against journalists and rights workers in Italy show the tools do not retain their stated purpose because the buyer calls itself democratic.
The procurement question goes beyond which agency bought what. The same spyware market supplying Italian state surveillance of civil society also supplies the OPP. The capabilities are identical. The legal architecture restraining them is whatever the buying jurisdiction chooses to construct — in Canada, whatever can be built inside sealed courtrooms when both Crown and police want the vendor protected. Citizen Lab’s Ron Deibert has written that secretive adoption of intrusive surveillance by Canadian police “threatens democracy and rule of law.” That is not a marginal statement. It is an empirical assessment from the country’s leading research lab.
What this looks like from the outside
Canadian political culture treats coercive state power as something that arrives loudly. Tanks. Emergency declarations. Visible police violence at protests. The architecture being built around ODIT deployment is the opposite of that. It arrives through procurement signed years before public knowledge, technical assistance units shared across police services, parliamentary committee reports that go unimplemented, judicial authorizations issued behind sealed doors, defence factums challenging warrants whose underlying documents the defence cannot read, and a 146-page ruling the public is forbidden from learning about. None of it is dramatic. All of it is permanent unless something interrupts it.
The Crown has indicated it would rather lose Project Fairfield — 23 arrests, 279 charges, $9 million in recovered vehicles — than let a courtroom name the vendor of a spyware product the same vendor is alleged elsewhere to have sold for use against journalists. That is the substantive position of the Canadian state. Major prosecutions are abandonable. Vendor secrecy is not. Once that ordering is established, the device in your pocket has already become contested political territory, and the apparatus contesting it operates outside the public’s ability to see what is being decided in its name.

