On Jamaica’s beaches, Stanley Saunders didn’t exactly stand out. He looked like a lot of other Canadian tourists: middle-aged, pale and paunchy, with a full grey beard and matching long hair. But Saunders didn’t visit the Caribbean for the sun and surf. His winter vacations to Jamaica were largely about having sex with children.
In 2004, on one such visit, Saunders met a seven-year-old girl. Over the next five years, Saunders frequently sexually assaulted her, photographing and videotaping both the girl and himself. In the summer of 2009, from his home in Cambridge, Ont., he uploaded some of these images to photo-sharing site Flickr. Flickr flagged them, alerting Waterloo Regional Police’s Cybercrime-Internet Child Exploitation Unit. Detectives raided Saunders’s home and seized his computers. He was charged with possession of child pornography and served a five-month sentence. When he got out, he went right back to Jamaica and continued to prey on the island’s kids.
Saunders thought he had eluded Canadian police. And for another five years, he would. What he didn’t know was that the Waterloo Regional Police Service had a secret weapon: Jad Saliba. Saliba’s modest CV—three years at Mohawk College, a stint as a network admin at Open Text, three years of policing—didn’t fully capture his fascination, or wizardry, with computers. When he was just 15, Saliba developed a disk utility program he sold to a Danish bank, and he spent his free time, even after becoming a cop, writing software.
He’d joined the force at the tender age of 23 to, as he put it, “help people in the community.” But after only a few years as a constable, he was diagnosed with Hodgkin’s lymphoma and forced to take a year off for treatment. When he returned, he was assigned to a desk job in the digital forensics unit. He expected it to possess a dizzying array of tools for extracting and examining digital evidence. It was 2008, and the amount of data flowing into the department was exploding. But Saliba was dismayed to find its software was slow and manual, and required significant technical training to use. And the stakes were uncomfortably high: If evidence wasn’t analyzed quickly or comprehensively enough, offenders might be charged with lesser crimes—or get off altogether.
Soon after joining the unit, he started spending his evenings and weekends building a tool he called the Internet Evidence Finder (IEF). The IEF allowed investigators to search an entire computer hard drive for so-called artifacts—image files, emails, web browser history, social networking—with just a single search request. It was fast and easy to use, with an aesthetically pleasing interface. Investigators loved it.
And when they applied the IEF to Saunders’s computers, they found not only the Flickr images, but also videos showing him sexually abusing the girl. They recovered Yahoo chat logs in which Saunders described his trips to Jamaica. “Sometimes just a small bit of evidence can really unlock a case for you,” Saliba says now. Indeed, the IEF gave detectives enough evidence to charge Saunders again—this time with child sex tourism, then a relatively new law in Canada.
By then, Saliba was no longer a cop. He’d sent his program to law enforcement agencies globally, and it had proven extremely popular. “I was getting emails from people all around the world,” he says, “saying it had helped them rescue a child or put a murderer in jail.” But he knew it needed to be better and do more. The volume of digital data was growing exponentially, likewise the speed, power and variety of devices criminals were using. “There are great things about the growth of the internet and the app ecosystem that we spend so much of our lives in,” says Saliba. “But there’s obviously a lot of bad that comes from that, that enables a lot of criminal behaviour.” In 2011, Saliba left the police department to start JADsoftware, which he later renamed Magnet Forensics.
Today, 90% of all criminal cases have some kind of digital component, and Magnet has grown accordingly: 4,000 organizations in 100 countries use its products, many of them public safety agencies like the Los Angeles Police Department and Europol. But a growing proportion are private enterprises. While Magnet’s origins are in cyber-enabled crime, cybercrime itself has become an increasingly significant part of its business, and its tools are now routinely used to investigate data breaches, ransomware attacks and the like by organizations including Bank of America and Chevron.
In May 2021, Magnet closed a $115-million initial public offering, and it’s been one of the only tech companies in Canada thriving during the recent rout, consistently trading above its target price and adding staff as its peers laid theirs off. In hindsight, it seems inevitable that a buyer would come knocking. In January, American private equity giant Thoma Bravo acquired Magnet for $1.8 billion, with plans to merge it with another of its portfolio companies, Atlanta-based Grayshift LLC. It specializes in software used to crack mobile devices to obtain the data they contain, and it’s frequently used in concert with Magnet’s products.
It says a lot about the company’s bootstrapped bona-fides that its CEO, former BlackBerry executive Adam Belsher, will reportedly remain at the helm of the combined entity. Jim Balsillie, a major shareholder and chair of Magnet’s board, will have a seat on the new board. But the company will potentially no longer be headquartered in Canada, and it will disappear from our public markets.
Still, Magnet’s owners aren’t positioning this deal as a takeout (not surprising, considering Balsillie has been railing against selling our tech IP into foreign hands for years). Instead, he, Saliba and Belsher insist it’s an opportunity for Magnet to become an even stronger defender of justice. As Belsher puts it: “We are in a cyber war, whether we admit it or not.”
Magnet’s headquarters are housed in a former BlackBerry building near RIM Park in Waterloo. In early January, the office was still pandemic-quiet, with an entire floor of unoccupied cubicles and a large auditorium-cum-lunch room sitting completely empty. The most notable thing about the place was the winking names of its meeting rooms: Scully, Le Carré, Skyfall, Ronin, Sneakers.
But the seemingly empty office is misleading. While the rest of the tech sector struggles and continues to shed jobs, Magnet has kept on growing. In 2021, it had 270 employees; it now has about 500. It maintains offices or teams in Ottawa, Virginia, the United Kingdom, Singapore, Germany and India; in September 2022, it expanded to Australia.
I sat down with Saliba and Belsher in a boardroom called Homeland. Saliba, now 42, is stocky and bald, with an easy grin. The 48-year-old Belsher is tall and thin, with an even easier grin. The two men first met in 2011. Belsher had been at BlackBerry for 13 years when he started to feel an entrepreneurial itch. He contemplated a few options—a car dealership, a Cheese Factory franchise—before his accountant, who also did Saliba’s books, put the two men in touch. They got along, had kids the same age, shared similar values. Belsher was also impressed with the IEF and the impact it had already made. They decided to leave their jobs and join forces, Saliba as CTO, Belsher as CEO. After three months working from home, they took a space in the Accelerator Centre, and in 2012, they started hiring.
Belsher persuaded several of his former BlackBerry colleagues to come over to Magnet. Balsillie was the company’s first investor. He felt that Belsher knew how to scale a business globally and that Saliba knew precisely the problems facing law enforcement agencies and how to solve them. “They both had strong character and focus, and a mission orientation,” says Balsillie.
When Belsher joined Magnet, Saliba had, as Belsher put it, already “done the job of the customer.” He had a well-tested product he’d just started licensing. The company had already accrued real revenue. He also had an aversion to debt. Together, he and Belsher decided they wouldn’t seek any external financing. Unlike just about every other tech firm, they concentrated on profitability instead of growth, bootstrapping for the next 10 years. “It forces a certain discipline about how you run the business,” Belsher says. “Our thing was like, how can we continue to grow this on our own terms and maintain control of the vision?” Balsillie was in complete agreement: “I encouraged them to remain in control of their destiny, and not be at the whim of investors who are looking for a quick exit and opportunities to meddle,” he says. Maintaining this control meant a laser focus on product development—that is, prioritizing which ones to build and which markets to explore—while also staying lean. For a long time, Saliba was the firm’s only developer.
In 2012, the company had its first million-dollar quarter, and the growth continued. In 2015, it announced a partnership with In-Q-Tel, an American not-for-profit venture capital firm that invests in companies of interest to the CIA. The next year, the IEF was a vital part of one of the FBI’s most high-profile modern cases, sifting through the 20,000 pieces of data tied to the Boston Marathon bombings in 2013. (Saliba is understandably tight-lipped about how his products are used; an FBI investigator mentioned Magnet’s involvement on the witness stand.)
The IEF was a hit with law enforcement largely because it prioritized the artifact, whether it was an AOL message or an Instagram video. Digital forensic teams didn’t need to write their own scripts for each new platform or application, as they did in the past. But the number of artifacts was multiplying rapidly, with new platforms and apps introduced, sometimes several a year. Each form of software stored its data differently, and operating systems were also being constantly updated. There were new forms of data security and encryption. From a general user perspective, these were all beneficial changes. For investigators, it meant increasingly complex challenges. And while Magnet originally focused on the evidence available on a computer’s hard drive, each year there were new places that held data: mobile phones, cloud services, eventually vehicles and other internet-connected appliances.
The IEF accordingly evolved into a whole suite of products—Axiom (which recovers, catalogues and analyzes data from multiple sources), Automate (which structures and catalogues data using machine learning), Atlas (case-management software), Review (which presents evidence in an easy-to-read format for investigators) and others. Ultimately, all the products worked together to speed up the discovery of evidence and make it intelligible. One key goal with all of this evidence was to precisely identify when a person was using a device and for what purpose—sending an email, downloading an image and so on.
Speeding up that discovery is paramount. Canada, like many other countries, affords its citizens the right to a fair trial in reasonable time. But many police departments, with few investigators trained to analyze digital data and an overwhelming amount of data to process, are grappling with a six-month backlog of cases. In the U.K., according to a December report from the fire and rescue service, there’s a backlog of 25,000 digital devices waiting to be examined, not even counting the number of devices already in the system. Getting to trial without delay has become increasingly difficult. Magnet’s tools allow police departments to never stop working, to never stop going through evidence. As part of a year-long pilot, the Greater Manchester Police, in conjunction with the U.K.’s Forensic Capability Network, deployed Automate on its child sexual exploitation cases. With Automate running 24 hours a day for 365 days, and simultaneously processing evidence from multiple cases, the department completed cases 9.5 hours faster than it did before. It now plans to expand the use of Automate in all digital criminal cases.
When I spoke to Chad Gish, a detective with the Metro Nashville Police Department, in early January, he was already drowning in cases—11 homicides in the city already this year. In his forensic work, Gish uses several different digital tools, including Grayshift’s, all of which have greatly accelerated his ability to process those cases. What he found most powerful about Magnet’s specific products was how elegantly they could determine TTE—time to evidence. If he sat down with an iPhone, say, that had 250 gigabytes of data on it, but all he wanted to find were pictures and text messages in a certain window of time, many other companies could apply filters to isolate those images and texts. But what Magnet Axiom or Automate does, Gish told me, is present the relevant data as if it were the only thing on the phone. “Everything else is moved to the background,” Gish said. “Not even in view. Here’s what you need to focus on. Here’s what happened in those 34 minutes. I’ve saved myself a lot of time by not getting lost and wading through a bunch of non-relevant data.”
Wading through data can be tedious and time-consuming. It can also be soul-destroying. When Saliba was with the Waterloo police, he and fellow investigators had to scan and analyze countless graphic and disturbing images and video clips. “It never gets any easier,” Saliba wrote in a blog post in 2014. “But I’ve been able to deal with the terrible things I’ve seen by trying to make a difference where I can.”
Online child exploitation was once commonly known as child pornography. Law enforcement largely eschews that term now because it’s considered euphemistic and normalizing—pornography is, of course, legal and generally consensual. The term is also not capacious enough. Online child exploitation includes all manner of abhorrent behaviour and criminality: child abuse, trafficking, grooming and luring, and “sextortion” (using coercion, threat, or fraud to extort sexual imagery from underage kids). The National Centre for Missing and Exploited Children’s CyberTipline, the world’s largest such hotline, averages approximately a million reports of child sexual exploitation every month.
Child sexual abuse material (CSAM) is a subset of online child exploitation. In 2021, according to the Canadian Centre for Child Protection (CCCP), 85 million suspected pieces of CSAM were found online. The pandemic only exacerbated things. With lockdowns compelling children to spend more time on their devices, and with more platforms through which criminals could reach into those kids’ devices, 2021 became the worst year on record for online child sex abuse. “Those who have a sexual interest in children have been around since the dawn of time,” says Signy Arnason, associate executive director of the CCCP. “Technology has connected these people at such a mass scale. Couple that with the anonymity of the internet and the fact that the platforms are set up with no regulation, and it’s a recipe for disaster for kids.”
Law enforcement has struggled to keep up. Waterloo, for example, with a force of 800 officers, still has only about eight dedicated to digital forensics, and two or three focused on online child exploitation. A recent budget meeting of the region’s police services board, however, highlighted an overwhelming increase in child exploitation incidents: In November 2022, the department still had 418 tips from 2021 and 2022 waiting on investigative resources.
CSAM has also become increasingly violent, and features younger and younger children. A 2016 Cybertip.ca study showed that the vast majority of the material depicted children under the age of 12, with 63% of those kids younger than eight. Recruiting people to do this work can therefore be a challenge for law enforcement agencies. A data analyst can make a lot more money, and experience significantly less duress, working for, say, Deloitte than reviewing CSAM.
To mitigate this problem, in 2016, Saliba started to build into his systems a set of officer-wellness features. Five years ago, the only way an investigator could assess a video clip was to sit through the whole thing. They may have had to get through 8,000 such files. Axiom, however, will extract key frames and only show those. In a 10-minute video, say, it might show one key frame per minute, and in an hour-long video, a key frame every eight minutes or so. It can also be set to audio only. Known CSAM files—many of these images are traded and part of familiar collections—will also be instantly recognized by Axiom’s algorithms and categorized accordingly, so investigators only need to search through new images and video. The platform can also turn off sound, blur images or render them in black-and-white, or even remind investigators to take breaks—all features designed to reduce the difficulty of viewing such abhorrent material. But also to increase the speed with which that material can be processed and, hopefully, used to prosecute an abuser. “The bottom line is, how do we rescue more children?” Saliba says. “That’s the most important thing.”
Five or so years ago, many of the police investigators who’d worked with Magnet’s tools retired from law enforcement and moved into private-sector security jobs—at RBC, Goldman Sachs and the like. It was easier work with better pay, and there was also, suddenly, a lot of it: fraud, IP theft, employee misconduct and, most perniciously, cyberattacks. According to the Canadian Centre for Cybersecurity, in the first half of 2021, global ransomware attacks increased by 151% compared to the first half of 2020. In Canada, the estimated cost of a single data breach is $6.4 million, and more than half of reported ransomware victims were providers of critical infrastructure: hospitals, banks, power utilities. In the past few months alone, there have been high-profile cyberattacks at Sobeys parent company Empire Co., the LCBO and Toronto’s SickKids hospital.
These investigators tended to take Magnet with them to their new firms, so Magnet, in turn, retooled its software for the corporate environment, adding artifacts like Slack messages and Microsoft 365. The private sector now comprises about 35% of Magnet’s business. As a percentage, however, it’s growing faster. While most businesses now invest in perimeter security to prevent breaches in the first place, Magnet’s tools are used after a breach—to determine the scope of an attack, where it might have originated, remotely and covertly acquire data from devices, and report evidence in an accessible form to executives. “It’s a different tool than the other cyber tools a business might have,” says Thanos Moschopoulos, an analyst for BMO Capital Markets. “It’s what you would use to do a deep-dive forensic analysis after you’ve been hacked, after the ransomware attack, to get a better understanding of what was done. It goes an extra layer deeper.”
Magnet is still relatively small. In 2021, it had revenue of about $70 million (up 37% from the previous year), and through the first nine months of 2022, it was already sitting at $68 million. Its decade-long focus on profitability, meanwhile, has distinguished it from most other tech firms, which often post losses as they race to grow. In 2021, Magnet had adjusted EBITDA (a metric commonly used by tech companies) of $18.6 million, an increase of 21%. More important, it had actual net income of $7.3 million.
Magnet’s primary rival is Israel-based Cellebrite, whose technology can both unlock devices and analyze data on them. It’s used by 6,700 public safety organizations around the world. Last year, in a bid to comparably expand its offerings, Magnet set out to buy Grayshift and its device-unlocking capabilities, but it was outbid by Thoma. Three months after that deal closed, Thoma, Grayshift and Magnet began talking about a merger. The combined companies’ expertise will be “very complementary,” according to Moschopoulos. “It’s a good business. It’s hard to say, ultimately, what the size of the market will be, because it’s an emerging one. But clearly they’re going to have a lot of weight in that space.” (Magnet execs can’t publicly discuss the merger pending shareholder approval.)
Much of that growth, tragically, will happen because online child exploitation continues to grow at such a stomach-turning pace. It remains Magnet’s core business.
But there are, from time to time, happy endings. After the Stanley Saunders case was closed, a Waterloo detective named Sandor Illes took Saliba out for lunch. Illes, a victim-identification specialist, took over as the case’s lead investigator in 2015, and he spent a long time poring over the images from Saunders’s computers. He studied every detail—the victim’s school uniform, the kind of Barbie doll he glimpsed in the background. Eventually, he travelled to Jamaica to canvas teachers in person. With the help of local police, Illes finally found the girl, who was by then a teenager. She immediately identified Saunders and recounted his years of abuse. In February 2016, Saunders was arrested in Jamaica and extradited. He pled guilty and was sentenced, in 2017, to six years in prison. He died in early 2021.
With Saliba’s help, Illes had effectively rescued Saunders’s victim. But he wanted to do more. The girl had been born into extreme poverty. Illes proposed that Magnet help fund the girl’s postsecondary education. Saliba immediately said yes, and the girl attended college in Jamaica. She graduated last year.
“We can’t necessarily stop crimes from happening,” Saliba says now. “But we can do our small part to support people who are dedicating their lives to protecting their communities. If we can support them to rescue a child or make sure a hospital is operational so they can provide care, that’s what it’s all about for us.”
With files from Colin Freeze
Your time is valuable. Have the Top Business Headlines newsletter conveniently delivered to your inbox in the morning or evening. Sign up today.