Is your phone secure? In Ontario, police are running spyware on suspects' devices — and going to extraordinary lengths to keep everything about it secret. Not the fact that they use it. The vendor. The name of the company that built the tool.
They call these tools ODITs — on-device investigative tools. Once one is on your phone, it can read your private messages, crawl your apps for data, log every keypress, and remotely switch on your camera and microphone — all without you ever knowing it is there. This is a record of what they do with them, and of the single move that keeps the whole apparatus out of reach.
Once it is on the phone, everything is on the phone.
An ODIT is not a wiretap on one line. It is total occupation of the device — the same category of tool the world knows by the names Pegasus and Graphite. The point is not that police can listen. The point is that there is nothing left they cannot reach.
- 💬Private messagesSignal, WhatsApp, iMessage — read after decryption, on your screen
- ⌨️Every keypressPasswords and drafts, logged as you type them
- 📷CameraActivated remotely, without the indicator light
- 🎙️MicrophoneThe room turned into a listening device
- 📍LocationContinuous, precise, retained
- 📂Every app's dataPhotos, notes, contacts, files — crawled
These tools work. That is not in dispute.
In April 2024, Ontario police arrested nine people and seized more than $2 million in drugs, cash and guns, disrupting an international drug-smuggling ring. In 2023, Windsor police made 23 arrests and recovered more than $9 million in stolen vehicles, taking down an international auto-theft operation.
Both investigations had stalled — despite wiretaps, secret recording devices, search warrants and physical surveillance. Police couldn't get the crucial evidence they needed to make arrests until they were granted a warrant for an ODIT. After that, the arrests came within months. So the tools are effective. Hold onto that, because it is the strongest thing the secrecy has going for it — and it still doesn't finish the argument.
They would rather lose the case than name the tool.
Here is where it turns strange. When these cases reach court, and a judge moves toward ordering disclosure of the ODIT, the Crown has in some cases indicated it would rather drop the prosecution entirely than reveal anything about the tool that gathered the evidence.
In the case of Project Fairfield, police and the Crown had agreed ahead of time that they would abandon the prosecution if the court ordered them to disclose the identity of the ODIT vendor. The decision to walk was made before anyone asked the question.
The crimes are real. The evidence is decisive. And it is still worth less to the state than the name of a company. That is the tell.
This is the move worth naming. A public power — surveillance, exercised by police, funded by the province — is kept out of every venue built to examine it. Not the courtroom, where disclosure would name the vendor. Not the privacy commissioner, who was never consulted. Not the public, who fund it. The secrecy isn't a side effect of the tool; it is engineered, in advance, by making disclosure cost more than justice. What gets laundered is accountability itself.
The reason is the same one they gave a decade ago.
The official justification is almost verbatim from years past. Back in 2014, the OPP bought a Stingray — an earlier tool, a physical device that intercepts and reroutes texts and calls by impersonating a cell tower. They paid about $2 million for it, and by 2017 had quietly stopped using it and pivoted to newer methods, without ever publicly accounting for what happened to it.
Pressed for transparency, a spokesperson said revealing specifics could jeopardize investigations, ongoing court proceedings, and public and officer safety. Which is true, to a point: a secret tool becomes less useful once criminals know what it is and how it works. On ODITs the Crown made the same argument in more formal words — that if disclosure results in police no longer having access to an effective technological tool to intercept communications, that will have a profound impact on public safety.
Same argument, bigger stakes. But with an ODIT it is more complicated than a jammed cell tower — because the identity being protected isn't just a method. It's a company, and that company has a reputation.
So who is the vendor?
ODITs in Ontario are managed by JTAC — the Joint Technical Assistance Centre, a provincially funded unit that pools spyware resources across multiple police services. JTAC holds the contract with a private vendor, and makes the Crown and local services sign agreements that they will potentially drop prosecutions rather than reveal the company's name. Reporting names York Regional, Hamilton and Peel among the services that have possessed or sought ODITs, alongside the OPP and Toronto police.
We don't know the vendor for certain — but there is an informed guess. In 2024, the Citizen Lab at the University of Toronto mapped the online infrastructure behind Paragon Solutions' spyware, Graphite, and traced suspected deployments in several countries, including Canada. Of the Canadian addresses — all in Ontario — one matched an IP belonging to OPP headquarters in Orillia.
Paragon has tried to set itself apart — insisting it sells only to governments that abide by international norms and respect fundamental rights, and that authoritarian or non-democratic regimes would never be customers. The pitch, in short: we're not like the other spyware. We are only used ethically. It is a nice thought.
You cannot abuse-proof government spyware.
In January 2025, WhatsApp notified roughly 90 accounts across several countries that it believed they had been targeted with Graphite — through a zero-click exploit. A user is added to a group, a PDF is delivered, the device parses it automatically, and the spyware loads. No tap required.
The targets were not criminals under investigation. They were journalists critical of the Italian government, and members of civil-society organisations that rescue refugees and migrants at sea. WhatsApp confirmed the attack used Graphite. Italy is a democracy. It abides by international norms. And the evidence indicates its government used the "ethical" spyware against reporters and rescue workers anyway.
That is the whole lesson in one line: the ethics live in the marketing, not the tool. A capability this total will be pointed wherever the state finds it convenient.
Rare here. A crisis elsewhere.
For now, ODIT use in Canada appears genuinely uncommon. The RCMP and OPP have confirmed ODITs were used in 37 investigations between 2017 and 2022, and say they have been used in only a handful of cases since. They are reserved for special circumstances — and they are expensive, on the order of $500,000 per deployment. There is currently no public evidence that ODITs are being used in Canada against people who aren't credibly suspected of a crime.
The same cannot be said elsewhere. Amnesty International says Europe is living through a spyware crisis. In the United States, ICE has reportedly moved to use Graphite as part of the current administration's mass-deportation push. And cybersecurity experts keep pointing out the irony underneath all of it: governments in democratic countries are investing in the insecurity of our phones — paying to keep the vulnerabilities that these tools exploit open, rather than helping to close them. Which may be part of why Ontario guards its vendor so tightly: naming the tool makes the vulnerability easier to patch.
Trust us — we just can't tell you anything.
Strip it down and the secrecy is one big request. The police are asking the public to trust that they only spy on criminals — while declining to say what the tool is, who provides it, how it works, who else receives the data, or why the vendor must stay secret. They're asking us to trust that they aren't using it the way much of Europe and the United States are using it: against people who have committed no crime.
That may well be true. But "trust us that we only use our secret spying tool ethically" is a very large thing to ask on faith — especially now. This all predates Bill C-2, the federal government's lawful-access legislation, which expands police reach into a user's location and online activity. The door widens as the lights go down.
◇ What you can actually do
- Check your own device. Amnesty International's Mobile Verification Toolkit (MVT) scans a phone for known spyware traces, including Pegasus and Graphite indicators.
- Harden the phone itself. Hardened operating systems (such as GrapheneOS) and Apple's Lockdown Mode shrink the attack surface these tools rely on.
- Name the tool. Once a vendor becomes public knowledge, it is far easier to defend against — which is exactly why disclosure is resisted. Demand that JTAC's vendor and capabilities be disclosed to a court or oversight body under seal, not buried under a dropped case.
Secrecy is the method.
If it's only ever pointed at criminals — why would naming the tool end the case?
Sourcing. Built on public reporting: the Citizen Lab report "Virtue or Vice? A First Look at Paragon's Proliferating Spyware Operations" (2024), which traced a Graphite-linked IP to OPP headquarters in Orillia; CBC News and Global News coverage of the OPP–Paragon links; Toronto Star reporting on the Crown's willingness to drop prosecutions (incl. Project Fairfield) rather than disclose the ODIT vendor; the RCMP's 2022 disclosure of ODIT use in 37 investigations (2017–2022); WhatsApp's January 2025 notifications of ~90 Graphite targets, including Italian journalists and refugee-rescue workers; and Amnesty International on Europe's spyware crisis. Key claims — the OPP–Paragon link, the identity of the vendor, and ICE's use of Graphite — are reported or alleged and presented as a claims map, not adjudicated findings. The 2024 pager attack in Lebanon was attributed to Israeli intelligence and is not connected here to Paragon or its founders. Verify before circulating as established fact. Not legal advice.