Revelations of the use of facial recognition and spyware by the RCMP results in a long list of recommendations and a call for accountability
The House of Commons’ Standing Committee on Access to Information, Privacy and Ethics (also known as “ETHI”) has had a busy few months examining how Canadian police have been using or have considered using particularly intrusive technologies and techniques to advance their examined. In two separate studies and reports, the Committee examined the use of facial recognition and artificial intelligence technology (report) and the use of so-called on-device investigative tools (report), principally by the Royal Canadian Mounted Police.
The review of the use of facial recognition by the Committee followed media reports and a Privacy Commissioner Investigation into the practices of Clearview AI. The company was actively crawling social media websites and ingesting billions of photos into its databases, analyzing them biometrically and then providing a service mainly to police agencies which it touted could identify a person or a suspect in any image. Initially the RCMP denied that it had used the company’s facial recognition services, but ultimately admitted they had trialed it. The Commissioner concluded that the images would have been harvested in contravention of Canadian law and that the RCMP should only use services where the underlying data had been lawfully compiled.
Among its 19 recommendations, the Committee recommended tighter regulation of the use of the technology both in the public and the private sectors, that there be a moratorium imposed on the use of facial recognition by the police until a framework for review has been approved and that there be a much more transparent approach to the use of facial recognition and artificial intelligence in the public sector. Scrutiny by the Committee and the Privacy Commissioner are credited with prompting the RCMP to establish a “National Technology Onboarding Program” to review police use and adoption of new technology and investigative tools.
The same Committee carried out a study of the police use of spyware as an investigative tool after documents tabled in Parliament disclosed that the RCMP had been using “on-device investigation tools” (or “ODITs”), akin to spyware, for some years. This coincided with media reporting on an Israeli cybersurveillance company, NSO Group, and their software called “Pegasus”, which has reportedly been widely used journalists, lawyers and politicians.
In testimony before the Committee, the RCMP stated that ODITs provide law enforcement agencies with the capability to secretly collect private communications and other data that can no longer be obtained through conventional wiretap activities or other less intrusive investigation techniques.
A range of witnesses commented on the fact that the use of ODITs relies on vulnerabilities existing in devices and operating systems that manufacturers are likely not aware of. If they exist on suspects’ devices, they exist on the devices of many others. As a result, they can be exploited by a range of actors, both foreign and domestic. The Privacy Commissioner confirmed that his office had not been consulted at any time regarding the use this invasive technology.
The recommendations of this study closely parallel, thematically, the recommendations of the facial recognition study. They focus on increased accountability, increased scrutiny and increased transparency about the use of these tools. The Committee recommended a review of the provisions of Criminal Code related to the interception of private communications and the creation of an independent advisory body composed of relevant stakeholders from the legal community, government, police and national security, civil society, and relevant regulatory bodies to review new technologies used by law enforcement and to establish national standards for their use.