Law360 Canada (May 20, 2026, 10:24 AM EDT) --

John L. Hill

The spectre of police surveillance has long occupied an uneasy place in Canadian constitutional law. Wiretaps, tracking warrants, production orders and covert searches have traditionally been constrained by judicial authorization and Charter scrutiny.

Yet the emergence of military-grade spyware threatens to move state surveillance into territory that Canadian law has scarcely begun to regulate. Recent reporting linking the Ontario Provincial Police to the Israeli spyware company Paragon Solutions illustrates how rapidly this legal vacuum is expanding.

The allegations stem from a March 2025 report by Citizen Lab, the internationally respected digital rights research group based at the University of Toronto. Citizen Lab reported a “possible technical link” between Paragon’s infrastructure and entities associated with the OPP. The report also identified evidence that Ontario police services have either used or explored advanced spyware capable of covertly infiltrating mobile devices.

What makes these allegations uniquely troubling is the technology itself. Paragon markets “Graphite,” a form of military-grade spyware reportedly sold exclusively to government clients. Unlike traditional interception methods, spyware can provide near-total access to a target’s digital life: encrypted messages, photographs, microphone and camera feeds, contact lists and location data. In practical terms, it turns a personal smartphone into a state-controlled surveillance device.

The legal implications are profound. Canadian jurisprudence under s. 8 of the Canadian Charter of Rights and Freedoms has repeatedly emphasized that individuals have a high expectation of privacy in personal electronic devices. In R. v. Fearon, 2014 SCC 77, the Supreme Court acknowledged that cellphones contain “immense amounts of information” about the “biographical core” of personal life. Fearon held that safeguards must be added to the law governing searches of cellphones incident to arrest to ensure that power complies with s. 8 of the Charter. Ultimately, the purpose of the exercise would be to strike a balance that gives due weight to the important law enforcement objectives served by searches incidental to arrest and to the very significant privacy interests at stake in cellphone searches. More recently, the court’s privacy jurisprudence in cases such as R. v. Marakah, 2017 SCC 59 and R. v. Reeves, 2018 SCC 56 reinforced the principle that digital communications attract robust constitutional protection.

Spyware fundamentally challenges the assumptions underlying those decisions. Traditional interception orders generally authorize the acquisition of specific communications. By contrast, spyware may permit continuous, invasive access that extends far beyond the scope contemplated by existing statutory frameworks. It blurs the distinction between interception, search and seizure, and raises the possibility of indiscriminate or collateral collection involving innocent third parties.

The most striking aspect of the Citizen Lab revelations may not be the technology itself but the lack of meaningful democratic oversight. In 2022, the Royal Canadian Mounted Police admitted it had used spyware to infiltrate mobile devices during criminal investigations. A parliamentary committee subsequently urged reforms to Canadian privacy law, yet no comprehensive legislation followed.

This legislative inertia is increasingly difficult to justify. Commercial spyware has become one of the defining civil liberties controversies of the modern era. Around the world, such tools have repeatedly surfaced in scandals involving journalists, dissidents, lawyers and human rights activists. Even Paragon, which has publicly claimed to maintain a “zero tolerance” policy against misuse, recently faced scrutiny after its spyware was reportedly used against an Italian journalist and migrant rights advocates. The company ultimately suspended its Italian government contract following those revelations.

The concern for Canadian lawyers is not merely hypothetical abuse, but structural opacity. The OPP has neither confirmed nor denied the use of Paragon technology. Instead, it has emphasized that any interception of private communications requires judicial authorization and occurs in compliance with Canadian law. That statement, while legally prudent, sidesteps the central issue: Canadian law itself may be ill-equipped to regulate technologies that can permeate every dimension of a citizen’s digital existence.

Judicial authorization alone cannot resolve the problem. Warrants are only as effective as the legislative frameworks that define their scope. Parliament has never enacted a comprehensive statutory regime governing the police deployment of commercial spyware. There are no publicly accessible standards for data minimization, retention, disclosure obligations, auditing procedures or independent review mechanisms tailored to cyberweapons. Nor is there meaningful transparency about how often such tools are used, against whom and under what investigative thresholds.

The warnings from Citizen Lab founder Ron Deibert deserve careful attention. His concern extends beyond federal intelligence agencies to the proliferation of spyware among local and provincial police services operating under comparatively limited oversight. Canada’s fragmented policing structure creates the possibility that extraordinarily invasive surveillance capabilities may diffuse across dozens of agencies without coherent national regulation. In 2016, a community radio station, Northumberland 89.7, reported on an answer to an access to information request filed with Correctional Service Canada (CSC) seeking the production of documents relating to the installation and use of a “Stingray” system used to collect cellphone data. CSC admitted that such an undertaking had been carried out at Warkworth Institution, for which the warden apologized. The Stingray machine was able to intercept calls beyond the fences of Warkworth Institution, including neighbouring property. An OPP investigation concluded without criminal charges being laid.

This raises difficult constitutional questions that Canadian courts will eventually confront. Does a general warrant adequately authorize persistent device compromise? Does spyware deployment satisfy the Charter’s requirement of reasonable limits and proportionality? What disclosure obligations arise when proprietary foreign-made malware is used in criminal investigations? How can defence counsel meaningfully test the legality or reliability of technologies shielded by national security claims and commercial secrecy?

There is also a broader sovereignty issue. Much of the commercial spyware industry operates through opaque transnational networks involving former intelligence personnel, private equity ownership and offshore infrastructure. Canadian policing agencies may increasingly rely on tools developed outside Canada by corporations with limited public accountability. This reality complicates both judicial scrutiny and democratic control.

The danger in these developments lies not in the proposition that police should never possess sophisticated investigative tools. Serious organized crime, terrorism and child exploitation investigations plainly require modern technological capabilities. The danger lies in allowing such powers to expand in secrecy while legislative safeguards lag far behind technological reality.

Canadian constitutional history shows that surveillance powers inevitably extend beyond their original justifications unless carefully constrained. Lessons from past controversies, from national security certificates to bulk metadata collection, suggest that oversight mechanisms introduced after abuses occur are often too late to restore public trust.

If the allegations involving the OPP and Paragon prove accurate, Canada may already have entered a new era of domestic surveillance without the public debate that such a transformation demands. The central legal question is no longer whether spyware exists within Canadian policing. Increasingly, the question is whether Canada possesses any adequate legal architecture to govern it.

John L. Hill practised and taught prison law until his retirement. He holds a JD from Queen’s and an LLM in constitutional law from Osgoode Hall. He is also the author of Pine Box Parole: Terry Fitzsimmons and the Quest to End Solitary Confinement (Durvile & UpRoute Books) and The Rest of the (True Crime) Story (AOS Publishing). His most recent book, Acts of Darkness, (Durvile & UpRoute) has been shortlisted as one of five nominees for the Crime Writers of Canada’s Brass Knuckles Award for Best Nonfiction Crime Book. Contact him at johnlornehill@hotmail.com.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the author’s firm, its clients, Law360 Canada, LexisNexis Canada or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.

Interested in writing for us? To learn more about how you can add your voice to Law360 Canada, contact Analysis Editor Peter Carter at peter.carter@lexisnexis.ca or call 647-776-6740.