Canadian Privacy Commissioner Says RCMP Broke The Law By Doing Business With Clearview
from the nice-work,-law-enforcers dept
Since its unceremonious exposure by the New York Times, internet-scraping facial recognition tech company Clearview has been the subject of nothing but negative press, lawsuits, and law enforcement denials of its self-proclaimed crime fighting abilities. Apparently to the surprise of Clearview, few people were receptive to the idea of having their personal info scraped from the web by the company and served up to law enforcement officers, private companies security personnel, and any billionaire wondering about what to throw their money at.
The dubious legality of its efforts has seen Clearview exit certain markets in the United States. It has also exited an entire nation, pulling the plug in Canada while under investigation by the country’s Privacy Commissioner.
Earlier this year, the Privacy Commissioner released part of its report, finding that Clearview’s offering was mass surveillance that was illegal under federal and provincial laws. The second half of its investigation deals with the Royal Canadian Mounted Police and its use of Clearview during investigations. The Commissioner’s conclusion? The RCMP also broke the law.
[O]ur most recent investigation has concluded that the RCMP contravened the federal public sector law, the Privacy Act, when it collected information from Clearview. In our view, a government institution simply cannot collect personal information from a third party agent if that third party’s collection was unlawful in the first place.
According to the Privacy Commissioner, RCMP violated the Privacy Act by using Clearview to search for information about citizens. It doesn’t matter that the database used to perform these searches was owned and maintained by a private company. If Clearview violated Canadian laws collecting and providing access to this data, the RCMP similarly broke the law when it accessed it.
The Commissioner notes the RCMP still does not believe it did anything wrong.
The RCMP is no longer using Clearview AI as the company ceased to offer its services in Canada in July 2020 in the wake of our then ongoing investigation. However, we remain concerned that the RCMP did not agree with our conclusion that it contravened the Privacy Act. The RCMP argued section 4 of the Privacy Act does not expressly impose a duty to confirm the legal basis for the collection of personal information by its private sector partners. Requiring the RCMP to ensure a third party’s legal compliance with PIPEDA would create an unreasonable obligation on the RCMP, the RCMP maintained.
That’s a pretty interesting counterpoint by the RCMP. It basically argues it should be able to do business with outside vendors that break the law. Despite its spicy take on the legalities of paying third parties to break the law for it, the RCMP has agreed to revamp its policies and procedures to provide more control and direct oversight of tech use by its investigators and officers.
But if the RCMP was so sure it was in the right, one has to wonder why it attempted to downplay its use of Clearview to mislead the Commission’s investigators.
We were also concerned that the RCMP at first erroneously told our office it was not using Clearview AI. When it later acknowledged its use, it said publicly it had only used the company’s technology in a limited way, primarily for identifying, locating and rescuing children who have been, or are, victims of online sexual abuse.
However, our investigation found the RCMP did not satisfactorily account for the vast majority of the searches it made.
These don’t appear to be the actions of an agency that firmly believes it’s in the clear, legally speaking. The most generous take is that the RCMP wasn’t tracking use of Clearview by its employees, which is its own problem and one hopefully addressed by the recommendations of the Commission. But more realistically it suggests the RCMP knew it probably shouldn’t be using the highly questionable facial recognition product and tried to cover up how often it had actually been used.
Most damning of all is the undeniable fact that the RCMP continued to use Clearview while it was under investigation by the government. It only stopped because Clearview decided to exit the Canadian market rather than risk any additional scrutiny of its software and site scraping efforts.
Filed Under: canada, facial recognition, privacy, rcmp
Companies: clearview
Comments on “Canadian Privacy Commissioner Says RCMP Broke The Law By Doing Business With Clearview”
Most likely, the RCMP does not have appropriate privacy controls in place.
As for the reason they’re against "fruit of the poisoned tree" interpretations: if that were taken further, it wouldn’t just apply to companies like ClearView who outright break Canadian law from the safety of the US and then sell services to Canadians based on their illegal activity; it would also apply to things like informants, who gather information about illegal activities while being part of those illegal activities, and then feed that information on to law enforcement.
Also, you get into situations like the RCMP’s relationship with Facebook. Sure, Facebook in general acts in a legal manner, but some of their data handling in the US does not pass Canadian privacy regulations. So then if the RCMP is requesting data from Facebook, who controls what data gets accessed? And who determines whether the original collection was legal in Canada? Facebook obviously doesn’t care, and neither does the RCMP, unless it forces them to toss out a case based on information obtained from Facebook. And that would require the defendant to somehow figure out that Facebook obtained the information in a way that was illegal in Canada, which they’re unlikely to do.
I always love seeing LEOs saying how it isn’t their job to know or abide by the law when it suits them.
So, the RCMP support criminals. Nice.