A federal watchdog says the RCMP could be putting the privacy of Canadians at risk by hiring third-party technology companies capable of dredging up deeply buried internet information about the public.
In a report released Thursday to Parliament, Privacy Commissioner Philippe Dufresne questioned whether the force is relying on vendors whose services could circumvent privacy laws limiting law-enforcement searches.
Mr. Dufresne examined the RCMP’s Project Wide Awake, a data-mining effort that the force started in the wake of the 2014 killings of three Mounties. Internal RCMP reviews of that mass shooting found that the police force was unable to deal with the massive amounts of social-media information being posted by the public about the killer’s movements.
The RCMP now routinely hires software vendors and corporate contractors to assist in crime investigations, including ones that help officers delve into the internet’s more hidden corners.
Yet the sophistication of some vendors raises questions about whether police are accessing “open source” material – content sitting in plain view – or using the outside expertise to get at hard-to-access sources police could not likely tap into themselves.
The existence of Project Wide Awake was reported by online magazine the Tyee in 2019. The next year, NDP Ontario MP Charlie Angus laid a formal complaint about the initiative to the Privacy Commissioner.
On Thursday, Mr. Dufresne said elements of Mr. Angus’s complaint are “well founded.”
The commissioner wrote in the report that his office “recommended that the RCMP conduct comprehensive assessments to get a reasonable level of assurance that its third-party services are compliant with relevant privacy laws.”
“It also recommended that the RCMP be more transparent with Canadians about its collection of personal information from open-source intelligence gathering, and about the purposes for which the different types of information collected may be used.”
However, he wrote that “The RCMP did not agree to implement the recommendations.”
Mr. Dufresne said in his report that some of the third-party companies’ search capabilities get past online doorkeepers, like websites that require credentials. Others probe into sites that are hidden from public internet and which require specialized tools to access. Some such services even include repositories of “cellphone geolocation data (that can reveal sensitive information about patterns of movement),” Mr. Dufresne wrote.
The Privacy Commissioner does not argue that the Mounties have exploited such capabilities. But he questioned why contracts are being signed with companies who advertise such wares and whether the RCMP is conducting adequate privacy reviews.
For example, Mr. Dufresne highlighted the fact that the police force bought services from Babel Street. He said the U.S.-based company’s software, dubbed BabelX, is so invasive, he has asked the Mounties to stop using some capabilities.
“The RCMP did not agree to implement the recommendation,” Mr. Dufresne wrote.
The RCMP, which did not immediately respond to requests for comment, has already posted an online assessment saying its use of BabelX does not pose a threat to privacy.
“Contrary to media and other reports of public concern, Babel X is not used by the RCMP to spy on or monitor web users,” the assessment says.
“The platform cannot access, decipher, or unlock private data sources, and is not used to extract activity and other user information from private social-media accounts.”
The assessment goes on to say that any impact on privacy of individuals will be managed by the RCMP.
Babel Street did not immediately respond to an e-mailed request for comment. In a news release this month, the company announced that it has hired a former top data scientist from the U.S. Central Intelligence Agency.
In addition, the Privacy Commissioner is critical of an RCMP unit known as the national technology onboarding program (NTOP), which was created a few years ago to vet technologies and software vendors for privacy reasons. Mr. Dufresne alleges that NTOP ignored obvious red flags in its review of the RCMP’s contract with Babel Street.
In his report, Mr. Dufresne also accused the RCMP of failing to fully implement privacy fixes that were promised years ago.
In 2021, the Privacy Commissioner’s office faulted the RCMP for being among dozens of police agencies that had wrongly used a form of facial-recognition software known as ClearviewAI. The watchdog held that the RCMP use of that software was unlawful.
Shortly after, the new NTOP unit was created by the RCMP with a mandate to review dozens of police-used technologies including software, drones, databases, algorithms, body-worn cameras, and cellphone-hacking and interception tools.