Investigation of the RCMP’s collection of open-source information under Project Wide Awake
Special report to Parliament
February 15, 2024
For more information, contact:
Office of the Privacy Commissioner of Canada
30 Victoria Street
Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Phone: 819-994-5444
TTY: 819-994-6591
© His Majesty the King in Right of Canada, for the Office of the Privacy Commissioner of Canada 2024.
Cat. No.: IP54-114/2024E-PDF
ISBN: 978-0-660-69054-4
Letter to the Speaker of the Senate
BY EMAIL
February 15, 2024
The Honourable Raymonde Gagné, Senator
Speaker of the Senate
Senate of Canada
Ottawa, Ontario K1A 0A4
Dear Madam Speaker:
I have the honour to submit to Parliament the Special Report of the Office of the Privacy Commissioner of Canada entitled Special Report to Parliament: Investigation of the RCMP’s collection of open-source information under Project Wide Awake. This tabling is done pursuant to section 39(1) of the Privacy Act.
Sincerely,
(Original signed by)
Philippe Dufresne
Commissioner
Letter to the Speaker of the House of Commons
BY EMAIL
February 15, 2024
The Honourable Greg Fergus, M.P.
Speaker of the House of Commons
House of Commons
Ottawa, Ontario K1A 0A6
Dear Mr. Speaker:
I have the honour to submit to Parliament the Special Report of the Office of the Privacy Commissioner of Canada entitled Special Report to Parliament: Investigation of the RCMP’s collection of open-source information under Project Wide Awake. This tabling is done pursuant to section 39(1) of the Privacy Act.
Sincerely,
(Original signed by)
Philippe Dufresne
Commissioner
Introduction
Policing is important and complex work that requires effective tools designed for today’s digital environment. Rigorous vetting of privacy impactful third-party services is essential to ensuring that the fundamental right to privacy is respected.
These issues are at the heart of the Office of the Privacy Commissioner of Canada’s (OPC) investigation into the Royal Canadian Mounted Police’s (RCMP) Project Wide Awake initiative.
The initiative uses privacy impactful third-party services to collect personal information from a range of sources, including social media, forums, the dark web, location-based services and fee-for-access private databases. The data is used for a variety of policing purposes, including investigating suspected unlawful activity, locating missing persons, identifying suspects, detecting threats at public events attended by high-profile individuals, and maintaining situational awareness during an active situation.
The OPC’s investigation identified concerns related to both accountability and transparency, namely that the RCMP did not take the necessary steps to ensure that the personal information collection practices of all of its service providers were compliant with Canadian privacy law.
More broadly, the OPC raised concerns about the RCMP’s processes for onboarding new private sector services. This was an issue that was raised in a previous OPC investigation involving the RCMP and Clearview AI’s facial recognition technology. Those concerns were to have been addressed through the creation of the RCMP’s National Technology Onboarding Program.
The OPC recommended that the RCMP conduct comprehensive assessments to get a reasonable level of assurance that its third-party services are compliant with relevant privacy laws. It also recommended that the RCMP be more transparent with Canadians about its collection of personal information from open-source intelligence gathering, and about the purposes for which the different types of information collected may be used. The RCMP did not agree to implement the recommendations.
It remains the OPC’s position that rigorous vetting processes and transparency surrounding the use of investigative tools that could have an impact on the privacy of Canadians will support public trust in our national police force and will allow the RCMP to fulfill its important public interest mandate in a privacy protective way.
About this Special Report
Under the Privacy Act, OPC Reports of Findings may only be shared publicly in a special report or annual report to Parliament. In order to ensure more timely reporting, the Privacy Commissioner has included the findings in the following investigation in this Special Report to Parliament.
Overview
Since at least 2015, as part of what it characterizes as Open Source Intelligence Gathering, the Royal Canadian Mounted Police (“RCMP”) has been using private sector services to collect personal information from a range of sources, including: social media, forums, the dark web, location-based services and fee-for-access private databases. In late 2020, following media articles flagging the RCMP’s previous use of private sector surveillance/monitoring services (Navigator, Babel X, and WIST) and the RCMP’s Project Wide Awake (“PWA”), we received a complaint. The complaint, referencing PWA, alleged that the RCMP may be using private sector services to breach individuals’ privacy and to target people engaged in their legal right to protest without proper oversight protocols or judicial oversight, and that the RCMP may be inappropriately hiding these activities.
During the course of our investigation of PWA, we learned that PWA refers to a particular procurement vehicle used centrally by the RCMP, and that the RCMP has procured and uses a range of private sector surveillance/monitoring services both under the PWA umbrella and outside of it. Our investigation focused on the services used by the RCMP under PWA: Salesforce’s Social Studio and Babel Street’s Babel X. That said, important lessons from our investigation are applicable across the RCMP’s use of private sector surveillance/monitoring services.
We did not identify any contraventions of the collection provisions of the Privacy Act (“Act”) in relation to the RCMP’s use of Social Studio. However, with respect to the RCMP’s roll-out of Babel X under PWA in late 2021, we found that the RCMP failed to conduct due diligence to ensure that the original collection and subsequent disclosure to the RCMP of personal information by the private sector surveillance/monitoring services via Babel X are compliant with Canadian privacy laws.
In our view, as found by the OPC and expressed to the RCMP in a prior investigation of its use of Clearview AI, Section 4 of the Act cannot be read to permit the collection of personal information from a third party agent that collected, used, or disclosed the information in contravention of a law that the third party is subject to. Consequently, in our view, the RCMP is obligated to inform itself of the lawfulness of the collection practices of partners from whom it collects personal information. As a result of the RCMP Clearview investigation, the RCMP committed to conduct “...fulsome privacy assessments of third-party data collection practices…to ensure any personal information is collected and used by the RCMP in accordance with Canadian privacy legislation.” As the OPC confirmed to the RCMP in March 2023, the RCMP subsequently fulfilled the commitments that it made in our investigation of its use of Clearview AI to establish related structures and training, including through the establishment of its National Technology Onboarding Program (“NTOP”) [Footnote 1].
Unfortunately, the NTOP review of Babel X, completed after March 2023, did not include comprehensive assessments of all the services included in the RCMP’s contract with Babel Street, despite indicators and red flags in its own materials of potential non-compliance. In fact, the conclusions of the NTOP review were often contradicted by the prima facie information that the RCMP had assessed.
We are therefore unable to conclude that the RCMP’s ongoing collection of personal information from the wide range of data sources available via Babel X is compliant with Section 4 of the Act.
We recommended that the RCMP cease collecting personal information via Babel X from sources that require logins or authentication to access (i.e. ones not indexable by traditional search engines that respect do-not-index tags) until it has completed a thorough review for compliance with Canadian privacy law. The RCMP did not agree to implement the recommendation, and therefore, we consider this matter to not be resolved.
Further, we find that the RCMP has not met its transparency obligations under Section 11 of the Act. Specifically, the publicly available descriptions of its Personal Information Banks (“PIB”s) do not adequately describe the information that it collects via open-source intelligence gathering, including from these private sector services, nor does it provide comprehensive descriptions of the purposes for which different types of “open-source” personal information may be used.
We made related recommendations, including that the RCMP develop one or more PIB descriptions that provide comprehensive descriptions of the open-source personal information that it collects. The RCMP did not agree to implement the recommendation, indicating that while it would work with TBS to update the relevant PIB descriptions, it would likely only include broad statements acknowledging the RCMP’s collection of open-source information at a high level. The transparency component of the complaint is therefore well-founded and not resolved.
Background
- From March of 2019 to November of 2020, the Tyee news outlet reported on PWA and the RCMP’s use of Open Source Information (“OSI”) collection tools.[Footnote 2] The complainant, the Member of Parliament for Timmins-James Bay, Charlie Angus, subsequently asked our Office on November 23rd, 2020 to investigate these reports about the RCMP. In his submission, the complainant expressed concerns that the RCMP may be:
- collecting information unlawfully or without proper judicial oversight;
- disregarding the privacy rights of citizens;
- failing to ensure proper oversight protocols;
- misrepresenting the nature of PWA when engaging with our Office;
- intentionally obscuring its procurement and use of certain tools from the public; and
- using these tools to specifically target Indigenous citizens and individuals engaged in their right to protest.
- PWA was initiated by the RCMP in 2016 following a review of an attack that killed three police officers in 2014.[Footnote 3] The review found that the RCMP was unable to effectively use information posted on social media by members of the public during the course of the attack due to the volume of posts and recommended that the RCMP improve its ability to monitor social media in real time.
- Salesforce’s Social Studio was used by the RCMP under PWA from June 2017 to January 2022. Social Studio is designed for marketing, including assessing the effectiveness of online campaigns. It facilitates its customers’ searches of social media by offering features above that of a traditional search engine, such as the ability to save and automatically rerun searches and to enable Boolean search terms.
- Babel Street’s Babel X was used by the RCMP in several RCMP Divisions across Canada from 2016 onward. Most recently, after a procurement exercise in mid-2020, the RCMP rolled out the use of Babel X as a centrally procured open-source intelligence gathering service under PWA beginning with a single license in April 2020 and 16 additional licenses in December 2021. Babel X is a more complex service than Social Studio and is designed specifically for use in relation to security and law enforcement. In addition to similar enhanced search options offered by Social Studio, it includes features such as search term translation and image search capabilities.
- More notably, for the purpose of our investigation, the services that the RCMP pays Babel Street for include: (i) the ability to search content, including on certain social media and forums, that is not indexed by traditional search engines, and (ii) access to a range of for-fee data sources collected by third parties.
- While our investigation focused on Social Studio and Babel X, we obtained information from the RCMP about two other services that were noted in media articles published shortly before the complainant filed his complaint: LTAS Technologies’ Web Identity Search Tool (“WIST”) and LifeRaft’s Navigator.
- WIST is a service that is no longer available, which internal RCMP documents described as being able to, among other things, “unlock Friends on a private [Facebook] friends list.” Our research indicated that the service circumvented Facebook users’ privacy settings for their friends lists by extrapolating a particular Facebook user’s hidden friends lists from public friends lists of other Facebook users. The RCMP indicated that WIST was only used for a limited time by the Unit which procured it and that it was not used by the Unit in any of the reports or products that it produced.
- LifeRaft’s Navigator service is designed for private sector security professionals and law enforcement. It collects information from various sources, including the dark web and social media. It has been used by 6 separate RCMP divisions since at least 2015 and is still in use by at least one division, though the RCMP indicated that it does not currently use Navigator’s dark web functionality.
- The RCMP categorizes the personal information that it collects from (or via) the private sector services above as OSI. It defines OSI as “unclassified, raw data that is derived from a primary data source (e.g. the Internet) and can include any type of media in any format. The information is obtained, derived, or recovered lawfully, and is purchased or viewed from open or encrypted publicly available sources.”
Analysis
Issue I: Is the RCMP collecting information in compliance with Section 4 of the Privacy Act?
- We considered whether the RCMP’s collection of personal information using private sector surveillance/monitoring services under PWA is compliant with the collection provisions of the Privacy Act. We find that the RCMP did not demonstrate that it adequately assessed the collection and disclosure practices of the private sector services from which it collects personal information under PWA. As such, we are unable to conclude that collections from the range of private sector services the RCMP is paying for via Babel X are compliant with Section 4 of the Act. We make related recommendations in paragraphs 63, 69 and 78.
- Section 4 of the Act states that no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.
- As a law enforcement agency carrying out police duties, the RCMP has broad authority to collect personal information, often without the knowledge or consent of the individual(s) involved. These police duties range from investigating serious criminality to keeping the peace. There is no debate that in a broad sense, the investigation of crimes and preservation of the peace fall under the RCMP’s common law powers and the authorities found in Section 18 of the Royal Canadian Mounted Police Act (the “RCMP Act”) and generally constitute a “program or activity” of the RCMP.
- However, with such broad authority comes an important obligation to ensure that the collection of personal information is limited to police purposes and avoids unwarranted surveillance of Canadians beyond those purposes.
- Further, as highlighted in a previous investigation of the RCMP’s collection of personal information from another private sector surveillance service (Clearview AI), in our view, “…Section 4 of the Act cannot be read to permit the collection of personal information from a third party agent that collected, used, or disclosed the information in contravention of a law that third party is subject to. …To find otherwise would be to permit government institutions to advance their mandates while rewarding organizations whose personal information collection practices are unlawful, including non-compliance with Canadian privacy laws.”
- In that previous investigation we highlighted to the RCMP that “…under PIPEDA and provincial privacy laws, private sector organizations must obtain consent from individuals for the collection of their personal information unless certain specific conditions are met (as described in the laws and specific regulations defining ‘publicly available’ information).” We drew the relevant paragraphs (44-46) of our related investigation of Clearview AI to the RCMP’s attention, noting that the information collected by Clearview from various sources across the open internet did not qualify as “publicly available” under the definition set out in the Personal Information Protection and Electronic Documents Act (“PIPEDA”) regulations and requirements in applicable laws in Quebec, Alberta, and BC.
- The RCMP disagreed with our finding in that matter that it had contravened the Privacy Act by collecting personal information from Clearview AI. Notwithstanding this disagreement, in response to our investigation, the RCMP committed, in May 2021, that as part of its new National Technology Onboarding Program (“NTOP”) framework:
“…the RCMP will undertake fulsome privacy assessments of third party data collection practices, in collaboration with our Access to Information and Privacy Branch and Legal Services Unit to ensure any personal information is collected and used by the RCMP in accordance with Canadian privacy legislation. …We recognize the need to balance the advantages of these technologies with the need to protect the Charter and privacy rights.”
- In response to a preliminary version of this report, the RCMP asserted that this statement was only intended to be a commitment to assessing the “RCMP’s own compliance with Section 4 of the Privacy Act”, not compliance of third parties with privacy laws those third parties are subject to. This was contrary to both the OPC’s understanding and the clear context of the RCMP’s commitment. The use of an unverified third-party service provider acting unlawfully (i.e. Clearview AI) was the central matter in that investigation.
- Given that: (i) assessing its own compliance with the Privacy Act is clearly a foundational obligation, (ii) the RCMP indicated at the time that it was committed to “implementing the principles of [our] recommendations” and (iii) its statement references “Canadian privacy legislation” rather than the “Privacy Act”, the OPC accepted the RCMP’s commitment to assessing third parties’ data collection practices for compliance with Canadian privacy legislation that those third parties are subject to.
- Given the relevance to this matter, which similarly involves collections using private sector surveillance/monitoring services, we incorporated these commitments into our analysis below, particularly with respect to the RCMP’s roll out of Babel X as its new service provider under PWA in late 2021.
Collection of Personal Information via Social Studio
- We first examined the RCMP’s collection of information using Social Studio, described in paragraph 3 above. The RCMP did not complete a Privacy Impact Assessment (“PIA”) prior to using Social Studio as required by Treasury Board Secretariat (“TBS”) policy (and as recommended by the OPC when the RCMP consulted the OPC about its use of Social Studio). We remind the RCMP of its obligations, under mandatory TBS Policy, to complete PIAs in advance of collecting personal information under new or substantially modified programs.
- While the RCMP did not complete an adequate assessment of Social Studio’s compliance with Canadian privacy legislation, we note that it discontinued use of Social Studio in December 2021, shortly after the commitments it made above in May 2021. Further, we saw no indications that Social Studio collected or disclosed personal information to the RCMP in contravention of Canadian privacy law that it is subject to.
- We reviewed procedures in place for the use of Social Studio as well as a sample of search queries run in Social Studio prior to the RCMP discontinuing its use. We found no indications from these records that Social Studio was being used for purposes outside the RCMP’s mandate. We also found that the RCMP had controls in place to limit and document the creation of Social Studio accounts and the use of the software, accompanied by central audit functions that were exercised by the RCMP’s Tactical Internet Operational Support Unit (“TIOS”). Access to the tool was restricted to authorized users who received training in advance of having access.
- On the basis of our review, we found no indications that the RCMP’s use of Social Studio contravened Section 4 of the Act. This aspect is therefore not well-founded.
Collection of Personal Information via Babel X
- As noted in paragraph 4 above, Babel X is a more complex service than Social Studio. In addition to enhanced search features, such as search term translation, the Babel X service includes access to a range of for-fee data sources collected by third parties, which the RCMP can search, as well as Babel X’s own archive. According to information provided to the OPC by the RCMP, these data sources include databases of content collected by various private sector services from: (i) the dark web (i.e. sites that require specialized tools to access and which include tags telling search engines not to index their content), (ii) cell phone geolocation data (that can reveal sensitive information about patterns of movement), and (iii) a range of other sources.
- Throughout the investigation, the RCMP consistently described all the information available via Babel X as “publicly available” and therefore identified no issues with respect to its collection either by the RCMP or by Babel X and the related for-fee data sources.
- However, as we described to the RCMP in our report of findings on its use of Clearview AI, and as was explained in greater detail in our related earlier investigation of Clearview AI, PIPEDA imposes important constraints on the collection of personal information by commercial entities operating in Canada.[Footnote 4] Notably, commercial entities are required to obtain valid consent from individuals for the collection, use and disclosure of personal information unless certain limited exceptions apply. One exception is where the information is publicly available and specified in the PIPEDA Regulations Specifying Publicly Available Information (the “Regulations”).
- Not all information that is publicly accessible online will be considered “publicly available” under PIPEDA. Only the limited categories of information included in the Regulations will be considered publicly available and exempt from the requirement for consent. For example, our Office has accepted that information included in a telephone directory, where the individual could choose not to be included in that directory, would be publicly available pursuant to Section 1(a) of the Regulations, whereas we found, in several circumstances [Footnote 5], that social media profiles were not a publicly available “publication” pursuant to Section 1(e).
- The RCMP also asserted that: “With respect to the application of PIPEDA to Babel X, the RCMP’s position is that it is not relevant, since it does not collect any personal information from the Babel X platform – it collects personal information directly from the online source where it originally appeared.” Specifically, it explained that RCMP policy and the Babel Street contractual agreement do not allow capturing information directly from Babel X.
- The RCMP argued that practitioners therefore do not copy information that they view in Babel X or use hyperlinks provided within Babel X to gain access to a post. Instead, they open a separate window, go to the applicable program or application where the information was originally posted, and then search for and copy information (if still available) from within that program or application.
- In other words, while Babel X and its data providers do disclose information to the RCMP, and the RCMP does use the information (to inform their subsequent information gathering), the RCMP asserts that it does not collect information from Babel X or its data providers because it does not record the information directly from the Babel X platform. We disagree.
- The RCMP accesses personal information on the Babel X platform. The RCMP then ultimately collects at least some of the same information, albeit from a different, but clearly related source. Given that the underlying information will almost always be inextricably linked if not identical to what the RCMP initially retrieved from Babel X, we find that such information can be said to have been collected from Babel X (as well as from the other source).
- The source that the RCMP used to record the information may be relevant from an evidentiary perspective (i.e. the RCMP may elect to record information directly from the source where it was posted to facilitate their reliance on this information as evidence in court). However, as far as the application of the Privacy Act is concerned, the information is still collected from one source even if it is recorded using a different source. In other words, the fact that the RCMP accessed information in Babel X but physically recorded that information in a different source does not invalidate the fact that the information was collected from Babel X. Babel X’s collection is integral and cannot be dissociated from the RCMP’s collection.
Inadequate assessment of lawfulness of collection practices of Babel X and its data providers
- We therefore expected that in keeping with its commitments to the OPC in May 2021, the RCMP would do a fulsome assessment of Babel X, including the for-fee data sources, prior to collecting personal information from them under PWA. Specifically, we expected that the RCMP would carry out a fulsome assessment to ensure that the collections by those data sources, and the disclosure of personal information from those data sources to the RCMP, were compliant with Canadian privacy law, including PIPEDA.[Footnote 6]
- Unfortunately, this did not occur. We requested from the RCMP a copy of its analysis of the lawfulness of collection via Babel X, including compliance with Canadian private sector privacy law, in the fall of 2021 prior to its roll out of Babel X under PWA. In response, the RCMP simply referenced Section 18 of the RCMP Act and Section 4 of the Privacy Act supported by a 3-paragraph internal legal opinion citing that the information was publicly available.
- There has been an exponential growth in the availability of personal information about individuals over the last two decades. The idea that the government could collect and use any personal information that can be purchased or accessed online without a fulsome assessment of the legality of the vendor’s practices cannot be accepted as it would fail to recognize and give effect to the privacy rights of Canadians.[Footnote 7]
- After we asked the RCMP to commit to suspending the roll-out of Babel X under PWA until completing a PIA, the RCMP did not agree to suspend use, only committing to limiting the use of Babel X and letting the OPC know about such use until it completed a PIA.
- Over the next year, our investigation attempted, through repeated requests, demonstrations, and interviews, to obtain a clear and detailed picture of the personal information that the RCMP had collected and could collect via Babel X and other online surveillance/monitoring services. The RCMP provided only limited information about how the services had been used and what information had been collected. On several occasions, it was unable to answer our questions about the sources of data that it could collect via Babel X.
- For instance, the RCMP noted in August 2022 that:
“… in several instances, the RCMP does not have sufficient information to provide the OPC with precise answers to the very specific questions that were posed. As part of the RCMP’s commitment to provide comprehensive and accurate responses – and indeed our responsibility to ensure that the functionalities of third-party platforms are well understood so that we can ensure that all potential privacy risks are properly mitigated – we will be conducting additional follow-up with the vendor(s) in order to obtain more information.”
- To date the RCMP has not responded to a number of questions about how Babel X itself, and other data sources, collect personal information.
- The OPC attempted to gain more information by directly contacting Babel Street. Babel Street declined to provide the OPC with information about the data sources that its customers can access via its platform, citing trade secrets and non-disclosure agreements.
- In July 2022 the RCMP provided the OPC with a 72-page draft PIA for its use of Babel X. The PIA indicated that the RCMP had: (i) reviewed Babel Street’s Privacy Policy and terms and conditions, (ii) obtained express confirmation from Babel Street that Babel X’s features, functions and search and analytic activities comply with federal laws, (iii) added contractual provisions to ensure that Babel Street is bound by and complies with obligations set forth in relation to privacy, data security and proper handling of personal information, and finally (iv) assessed Babel Street’s privacy program to ensure that the company can support and demonstrate compliance with Canadian privacy laws.
- The RCMP also included statements such as: (i) “Unlike some advanced analytic providers, Babel Street is not a bulk data provider. It does not scrape information from the internet in support of its Babel X platform and does not create private or proprietary databases of information in the service of its customers.” (ii) “The Babel X platform cannot access, decipher, or unlock private data sources or content…” and (iii) “The platform is not used to gain access to or infiltrate internet sites requiring login credentials, or to access private content including conversations otherwise hidden from search engines.”
- However, the draft PIA provided limited information about the more potentially privacy invasive functionality and data sources available through Babel X. The PIA included only a single line about the collection of information from the dark web, two passing references to the collection of geolocation data and no references to the collection from for-fee privately curated databases. Further, as detailed below, our examination of the materials provided by the RCMP with the PIA and in response to our follow-up questions did not support, and in certain cases contradicted, the assurances noted in paragraph 42 above.
- Among other contradictions, while the PIA indicates Babel Street is not a bulk data provider, Babel X provides the Babel Archive and includes “through-access” to a range of for-fee databases. Babel X’s End User Terms agreed to by the RCMP note, in relation to access to data sources paid for under Babel X, that Babel Street does not “accept any liability in connection with any Data Feeds and/or other information, content, or records that may contain personally identifiable information.” It also notes that “Data Feeds are provided and accessible through, but are not part of, the Application itself….”
- The RCMP informed the OPC that in addition to reviewing Babel Street’s privacy program, it had also assessed the privacy practices of these available data sources and identified no risks. However, when, after multiple requests, the OPC received a copy of this assessment, it consisted solely of reviews of Babel X’s End User Terms and privacy policies and the privacy policies of sources available to the RCMP via Babel X.
- Each review consisted of a brief (less than half a page) description of the data source, a hyperlink to the data source’s privacy policy and a “yes” or “no” checklist of whether the data source’s Privacy Policy included certain elements. The checklist included a column for risks and risk mitigation, but for the dozens of data sources that it reviewed, the RCMP identified no risks. This was contrasted by the fact that its own brief reviews described practices substantively at odds with the assurances about the limits on personal information collection via Babel X found in the PIA. These privacy invasive practices included: scraping, bulk data collection and collection from private data sources without any indications of consent having been obtained from individuals, which is generally required under Canadian private sector privacy laws.
Indicators of potential non-compliance of Babel X data providers with Canadian privacy laws
- The RCMP’s brief descriptions for multiple sources made it clear that the data sources were private databases whose contents were accessible only to customers, and therefore not accessible via a public search engine. The RCMP also confirmed that Babel X itself collects and stores information which it makes available to customers via Babel Archive. The RCMP could not provide further details about this repository. In multiple cases, the information used to populate the databases was not sourced from the open internet searchable by traditional search engines.
- For instance, one data source was described by the RCMP as providing “…the world’s largest commercially available database of DARKINT. …automatically, anonymously, and continuously collects, indexes and ranks actionable darknet data.” The RCMP noted no potential risks with respect to compliance with Canadian privacy laws based on their review of the company’s privacy policy, despite the fact that the privacy policy includes no information about the company’s privacy-invasive collection, use or disclosure of information that it scrapes from the dark web (whose pages contain “do not index” tags), or the lawful basis for this collection under Canadian privacy law. Instead, the Privacy Policy exclusively describes the handling of the personal information of the data source’s customers (like the RCMP).
- Further, the company’s website indicates that due to their “…combination of account-level access and advanced machine learning technology, 99% of all [company]’s coverage goes ‘deeper’ than the landing page of the websites we collect from, across all sources. In fact, an estimated 60% of all [company’s] data comes from sources that require some form of authenticated, or account-level access.” The company’s publicly accessible License Agreement on its website further states that: “The search results displayed or returned by the Software in response to Customer’s search queries may contain information referring to or describing content collected from third-party Internet sources, including information located in the surface web, deep web or dark web (‘Result Content’). Result Content may include secret, non-public or otherwise sensitive information that is not intended to be published or accessible by Customer or other third parties and may be illegal for Customer to access or possess.” (Footnote 8) In our view, such language should have been a prima facie red flag of potential compliance issues under Canadian privacy law that therefore warranted further review.
- Another data source description provided by the RCMP indicated that the “[Source] is a local search and discovery service mobile app which provides a personalized local search experience for its users. By taking into account the places a user goes, the things they have told the app that they like, and the other users whose advice they trust, [company] aims to provide highly personalized recommendations of the best places to go around a users [sic] current location.” The RCMP’s description goes on to mention a companion app that allows app users to share their location with other users of the app and to broadcast their location to other social media networks.
- The second paragraph of the source’s privacy policy, reviewed by the RCMP, states: “Most importantly, location data should only be collected when you say it is okay to do so, and you should be able to change your mind at any time. The collection of location data should also benefit you, the user. That’s why we only allow partners to use our location technology if they can demonstrate that the use of our technology is necessary to offer benefits or provide value to consumers who opt-in to sharing their location data.” (Footnote 9)
- During the course of our investigation the RCMP indicated that it acknowledges that cell phone geolocation data can reveal sensitive patterns of mobility, and that it would work with its legal services to consider the legal implications prior to collecting what it calls ad tech data. Despite this acknowledgement and the privacy policy above, the RCMP’s review flagged no risks that the collection of location data from the above source for law enforcement purposes could raise any issues with compliance with Canadian privacy laws. In response, the RCMP noted that location information can only be searched via Babel X for posts where individuals have chosen to publicly broadcast their location. However, it provided no details about what constitutes “publicly broadcasting”. It also did not clarify how Babel X lawfully searches this source, whose terms of use specify that “partners” may only use the service if they offer benefits to consumers, and “users” may not crawl any page of the Site. Crawling is automated online browsing used by search engines to provide search results (as well as other uses).
- Lastly, while the RCMP indicated that Babel X could not access or unlock sites that required login credentials or authentication, the RCMP’s PIA describes one of Babel X’s sources as being able to “[focus] on infiltrating and maintaining access to closed sources where threat actors collaborate, communicate, and plan cyber attacks”.
- As with all the other data sources, the RCMP’s review noted no potential risks with respect to compliance by this service provider with Canadian privacy law and did not probe further despite indications that this and other third-party service providers might not be compliant with PIPEDA. It simply checked off that the company’s privacy policy covered certain elements, notwithstanding the statement in the above paragraph, and despite the fact that the privacy policy includes no information about its handling of personal information that it collects in the course of infiltrating these closed sources.
- In short, as demonstrated by the examples above, the RCMP’s due diligence and analysis was limited to brief, broad contractual language and a cursory review of privacy policies using a narrow checklist - all of which did not account for, or was contradicted by, prima facie red flags of potentially non-compliant collection techniques that warranted further review.
Finding I – The RCMP’s due diligence on third-party sources under PWA is inadequate
- The examples outlined above demonstrate a lack of due diligence by the RCMP to ensure that the data sources it pays to access via Babel X are compliant with Canadian privacy legislation – as it committed to do in order to “…balance the advantages of these technologies with the need to protect the Charter and privacy rights.” The examples also demonstrate a lack of due diligence to ensure that its PIA accurately represents the collection practices in question to meaningfully assess privacy risks.
- As articulated in our investigation on the RCMP’s use of Clearview AI, we find that Section 4 of the Act cannot be read to permit the collection of personal information from a third-party agent that collected, used or disclosed the information in contravention of a law that third party is subject to. Given the lack of due diligence and the lack of details provided to the OPC about the practices of Babel X and its sources, we are unable to determine whether the RCMP’s collection of personal information from all the sources available to it via its contractual arrangement with Babel Street complies with Section 4 of the Privacy Act.
- We accept that the RCMP can source third-party tools to collect personal information from social media, dark web, location services, etc. under appropriate circumstances which may at times require judicial approval. However, there are different limits on what personal information private sector commercial entities, making their service available in the marketplace, may collect, retain and disclose – versus what personal information law enforcement may itself collect and disclose.
- Finally, with respect to internal controls, the use of OSI by the RCMP for intelligence and criminal investigations is governed by Section 26.5 of the RCMP Operational Manual (“OM 26.5”), entitled Using the Internet for Open Source Intelligence and Criminal Investigations. The RCMP’s Tactical Internet Operational Support unit is the national policy center for OM 26.5 and is thus responsible for overseeing its implementation across the force.
- However, an Audit of Open Source Information completed by the RCMP in 2020 found that internet-related open-source activities conducted across the organization were neither consistent nor compliant with the RCMP’s internal policies. Most members were unaware of internal policies and there were opportunities to develop a more robust governance framework and to enhance oversight of open-source activities. (Footnote 10) The audit team recognized that TIOS lacked the capacity, resources and authority to fulfill their monitoring and oversight responsibilities. As a result, the RCMP has been working to overhaul their OSI practices, policies, oversight mechanisms and training.
- Notwithstanding the above efforts, the Babel X PIA, completed two years later in July 2022, still identified weaknesses in the following: (i) OSI policy framework and operating procedures, (ii) internal controls, (iii) centralized governance, (iv) oversight, and (v) compliance monitoring. Internal controls were highlighted as an area of high risk and the PIA made related recommendations to address these gaps.
Recommendations
- We made three related recommendations, none of which were accepted by the RCMP.
Recommendation 1
- First, we recommended that the RCMP complete the implementation of comprehensive measures to address the recommendations made in the Babel X PIA within 12 months. These are recommendations that the RCMP made to itself in their PIA.
RCMP Response 1
- The RCMP did not commit to implementing their own PIA’s recommendations within 12 months, indicating that they would consider measures to be taken and a feasible timeframe once the OPC’s recommendations for the Babel X PIA are received.
- It had been communicated to the RCMP on January 26, 2023 that given the current investigation, feedback and recommendations on their practices relating to PWA generally, and the PIA specifically, would be shared through our investigative report.
- Our preliminary report provided that feedback, including the above-noted concerns with factual inaccuracies in the existing version of the PIA. We further conveyed that due to the lack of due diligence to ensure that the PIA accurately represents the collection practices under Babel X, it was an essential first step for them to address the inaccuracies.
- The RCMP stated that the PIA does not reference the information collected by Babel X (in the Babel Archive) and collected by the other “fee for access” private databases because the RCMP does not access any such databases provided by Babel X. However, all of the examples of sources cited in paragraphs 47 to 55 above were included in the assessment that the RCMP conducted in support of the PIA and provided to the OPC (see paragraph 45) – without any notes that the RCMP has prohibited staff from using any of the sources. With the possible exception of the source providing location information (paragraph 50), these are all “fee-for-access” sources. Further, during our investigation the RCMP specifically indicated that it does use the “fee for access” source described in paragraph 48.
- Once the RCMP is in a position to address these accuracy issues, by conducting thorough assessments for compliance with Canadian privacy laws, we would invite the RCMP to consult with OPC’s Government Advisory directorate before redrafting the PIA. In the interim, we reiterate our recommendation that it implement its own recommendations within 12 months to address the gaps in privacy protections identified in the PIA.
Recommendation 2
- Second, we recommended that the RCMP cease collecting personal information via Babel X from sources that require logins or authentication to access (i.e. ones not indexable by traditional search engines that respect do-not-index tags) until it has completed a thorough review of each one for compliance with Canadian privacy laws.
- To conduct these assessments effectively, we encouraged the RCMP to follow the process that it has established under NTOP, which, as noted in the Overview, it had recently operationalized.
RCMP Response 2
- In response to this recommendation the RCMP provided a copy of an NTOP review memo for Babel X completed in April 2023, which “provisionally” approved the use of Babel X “contingent on the understanding that …TIOS will undertake immediate measures to implement any/all recommendations by the OPC that are practicable and agreeable to the RCMP.” However, despite this, and despite the gaps in its assessment of compliance with Canadian Privacy legislation that our report identifies, the RCMP asserted that it has done enough to review Babel X and will therefore continue to use it.
- The RCMP went on to assert that the contracts between Babel Street and its data providers are commercially protected and that the RCMP has no authority to investigate these. It stated that an incursion into proprietary information of companies headquartered outside Canada (Footnote 11) for this purpose would likely expose the RCMP to litigation and damage its reputation.
- In our view, the fact that the RCMP chose a subcontracting model to pay for access to services from a range of vendors does not abrogate its responsibility with respect to the services that it receives from each vendor. For clarity, we have not recommended that the RCMP conduct formal investigations or forensic audits of its service providers. However, clients, like the RCMP, contracting for services that are potentially privacy invasive, can and should obtain sufficient information from service providers or other sources to meaningfully ensure that the third party has legitimately and legally obtained the personal information that will be provided to the institution.
- The RCMP also asserted that Innovation, Science and Economic Development Canada advised the RCMP, in July 2023, that:
“based on their understanding of current TBS privacy policies, in cases where a government institution contracts out a program or service that involves the collection or use of personal information, institutions are required only to go as far as ensuring that appropriate privacy protection and management requirements are built into contracts...”
- The RCMP noted that its contract with Babel Street states that Babel Street must abide by PIPEDA, the Privacy Act (which does not impose requirements on the private sector) and the European Union’s General Data Protection Regulation. It notes that Babel Street’s contracts with Babel X data providers state that the “Provider shall at all times and at its sole expense, perform its obligations hereunder in compliance in all material respects with all applicable laws and regulations…” The clause cited by the RCMP between Babel Street and its data providers does not detail any specific laws, such as PIPEDA or other Canadian privacy laws, or detail any specific limits on collections or disclosures. In our view such broad and generic clauses do not constitute meaningful contractual protections of privacy.
- Further, by themselves, contractual provisions may not always constitute a sufficient level of due diligence. For institutions contracting for services with low potential privacy risks, clear and concrete contractual clauses alone may be sufficient. However, for the type of potentially invasive services that the RCMP is contracting for via Babel X, and for the broad range of law enforcement purposes for which the information may be used, contractual clauses alone are not sufficient.
- This is aligned with the Privacy Implementation Notice: Guidance pertaining to the collection, use, retention and disclosure of personal information that is publicly available online, recently issued by TBS and effective August 1, 2023. The guidance states that contracts with third parties should clearly outline measures to protect personal information. It also states that: “When employing a third-party service or data provider, institutions must take care to ensure that they have legitimately and legally obtained the personal information that will be provided to the institution.” This TBS notice, which was issued pursuant to paragraph 71(1)(d) of the Act, not only aligns with our findings in the RCMP Clearview investigation but with the RCMP’s resulting commitments.
Recommendation 3
- We are aware that the RCMP also uses other private sector surveillance/monitoring services to collect what it categorizes as OSI, including LifeRaft’s Navigator (see paragraph 8). We recommended that: (i) the RCMP apply the recommendations above to its use of Navigator, including a comprehensive assessment if one has not already been conducted and (ii) it apply the findings of this investigation to other such services that it is currently using or considering using, including through comprehensive assessments, where they have not already been conducted.
RCMP Response 3
- In response the RCMP noted that its policy is for NTOP to be consulted when any new operational technology is being considered. It did not commit to reviewing the use of existing tools. Further, as described above, it did not agree to conduct comprehensive assessments.
Acceptable Level of Assessment
- For clarity, the objective of the assessments in this case should be to provide a reasonable level of assurance that the third-party agents the RCMP is collecting personal information from, i.e. Babel Street and its data providers, are compliant with relevant privacy laws, particularly Canadian privacy laws applicable to the third parties.
- The assessments need not involve forensic auditing or formal investigation but should be based on a fulsome understanding of:
- the types of personal information that are collected by the service providers (and made available to the RCMP),
- the methods of collection and lawful basis of collection (including consent if relevant),
- the sources of the information collected, and
- the purposes for which the RCMP intends to use any personal information that it gleans from the services.
- The information needs to be broken down into sufficient detail to meaningfully assess the service providers’ practices against the relevant provisions of applicable laws, such as the PIPEDA regulation specifying publicly available information, as well as the collection, consent, disclosure and appropriate purposes provisions of PIPEDA or similar provincial privacy laws. (Footnote 12)
- If assessments are conducted by the third parties in question (or another third party), at a minimum the RCMP should seek a formal attestation of the detailed conclusions, with supporting information provided to validate the conclusions. The assessments should also be informed by any material concerns about privacy that have been raised publicly or by Privacy Authorities about the service provider or the type of collection in question.
Issue II: Is the RCMP meeting its transparency obligations under the Privacy Act with respect to open-source information collection?
- The complainant expressed “grave concerns about the level of secrecy and duplicity the RCMP has gone through to hide their activities into procuring and using these online tools to gather information on Canadians.” Following the review detailed below, we determined that a contravention of Section 11 of the Act occurred given that the Personal Information Bank (PIB) descriptions published in the government’s personal information index (Footnote 13) do not adequately describe the personal information held by the RCMP as a result of its open-source intelligence gathering, or the purposes for which this information may be used.
- Section 11 of the Act requires the designated Minister (President of the Treasury Board, who is responsible for the Treasury Board Secretariat) to publish, at a minimum annually, an index of all personal information banks of government institutions, and all classes of personal information under the control of government institutions that are not contained in personal information banks. The index shall include, among other elements: (i) descriptions of the personal information banks, (ii) descriptions of the classes of individuals to whom the personal information relates, and (iii) the purposes for which personal information in the PIBs was obtained or compiled and a statement of the uses consistent with those purposes for which the information is used or disclosed.
- Section 11 of the Act specifies that it is the designated Minister who is responsible for publishing the index. Currently this is done via the TBS’s “Information About Programs and Information Holdings” page, and for the RCMP, via the RCMP’s own institution-specific index/page. However, in our view, ensuring accurate and timely content to meet the requirements of Section 11 is a shared responsibility with individual institutions. For the TBS to publish an accurate personal information index, government institutions need to provide it with complete information about their PIBs and the classes of personal information that they collect both within PIBs and outside PIBs. (Footnote 14)
- Although the Act does not explicitly describe the purpose of Section 11, it is our view that when read harmoniously within the overall scheme of the statute, the purpose is to promote transparency and access by individuals to their personal information.
- Accordingly, we assessed whether the information collected by the RCMP via open-source intelligence gathering, including using Babel X, is included in PIB descriptions and if so, whether the descriptions are sufficiently detailed and transparent. Individuals consulting the index should be able to meaningfully: (i) determine whether their personal information is held by the RCMP, (ii) determine the nature of that information, and (iii) understand the purposes for which that type of information could be collected.
Finding II - Published descriptions of RCMP’s open-source information gathering should be granular
- The level of detail needed in descriptions of personal information and classes of individuals published in the index to fulfill the obligations under Section 11 of the Act is highly context specific. The appropriate level of transparency that law enforcement should have with respect to its surveillance/monitoring of places, physical and virtual, that could be considered public, is not an area where there are clear and established norms. It is evident that a balance needs to be struck between protecting the viability of police investigative techniques and ensuring public trust and enabling public discourse about the appropriate limits on police surveillance.
- Recent trends in North America have seen the promotion of detailed levels of police transparency about collection via surveillance tools, with regulations now requiring some of the biggest police forces in North America (e.g. New York Police Department, San Francisco Police Department) to publish detailed descriptions of all the surveillance tools that they use. (Footnote 15)
- With respect to what the RCMP characterizes as open-source, publicly available information, we see the risks of revealing key enforcement techniques as low (though not non-existent). Further, the number of individuals implicated by the collections is high, and the potential impact on an individual is also high. In this context, our view is that descriptions of the personal information collected under open-source intelligence gathering should be granular by default – at the level of individual sources, with particular emphasis on collections that individuals might not expect.
- This is aligned with the approach taken to RCMP’s procurement of tools and services, where granular transparency is the default, and exceptions must be justified. (Footnote 16) We note in this respect that the (publicly available) standing offer for social media monitoring used to procure Babel X under PWA listed fourteen different categories of data sources, with examples of specific companies provided for each category.
Finding III - The RCMP’s descriptions of open-source information collection and related purposes are inadequate
- In our view the description of purposes for which different types of open-source information may be collected should be clearly described in the RCMP’s index and should enable readers to understand any relevant limits on the purposes or circumstances that particular information may be used for.
- The RCMP stated in their PIA that they collect the broad range of different types of personal information potentially accessible under PWA and other open-source intelligence gathering activities primarily for Federal Policing program activities, including activities described in RCMP PIBs: PPU 015 (Criminal Operations Intelligence Records), PPU 025 (National Security Investigations Records), PPU 005 (Operational Case Records), and PPU 055 (Protection of Personnel and Government Property). The PIA listed the following range of purposes for the collection of information via Babel X:
- threat detection and prevention for events (e.g., G7 summit, public protests, etc.) and high-profile individuals (e.g., the Prime Minister of Canada);
- maintaining situational awareness during an active threat, crisis or public event;
- responding to disasters and humanitarian relief efforts;
- investigating unlawful activity and/or allegations of unlawful activity;
- locating missing persons;
- identifying suspects or persons of interest;
- identifying emerging trends or safety concerns in a given community; and
- monitoring for terms related to unlawful behavior and/or violent extremism.
- We reviewed the PIB descriptions published on the RCMP’s institution-specific index/page, including but not limited to the four PIBs noted in paragraph 94. In our view, none of the PIB descriptions meaningfully describe the wide range of personal information that the RCMP collects via Babel X and other open-source intelligence gathering activities, or the wide range of purposes for which such information may be collected – including about many individuals innocent of any crime, and not directly implicated in any investigations. The RCMP has posted a summary of its PIA for Babel X on its website, but as discussed above, currently that PIA does not accurately and meaningfully reflect the personal information collected via Babel X. None of the descriptions in the RCMP’s index include references to personal information collected from social media, location-sharing services, the dark web or even more generic terms like the internet, publicly available or open-source.
- Further, not all the purposes listed above in paragraph 94 are reflected in the RCMP’s descriptions in their index.
- Accordingly, we find that Section 11 of the Act was contravened.
Recommendation
- In its PIA for use of Babel X, the RCMP indicates that it has committed to being “more open and transparent about the use of Babel X and its open-source activities in publications pertaining to its law enforcement and policing activities.”
Recommendation 4
- We recommended that, within 12 months, the RCMP work with TBS to develop and publish new PIB description(s), or modify existing PIB descriptions, to meaningfully cover personal information collected via open-source intelligence gathering. These PIB descriptions should: (i) clearly describe what personal information is collected from these different types of sources and what limits there are on the extent of collection, and (ii) name and describe the sources of open-source information in detail, including naming and describing any sources of information that the RCMP pays for – either directly or via an omnibus contract such as with Babel Street, unless a clear, documented justification for not doing so is recorded. These descriptions of what is collected should be accompanied (as per the requirements of Section 11 of the Act) by detailed descriptions of the purposes of collection.
- We note that this recommendation is aligned with the TBS Privacy Implementation Notice: Guidance pertaining to the collection, use, retention and disclosure of personal information that is publicly available online, issued during the course of our investigation. In this notice, TBS instructs that institutions must identify the elements of personal information they collect from publicly available information in a PIB description. It also states that it may be necessary to register or update an institution-specific PIB that reflects the elements of publicly available information collected, the purpose of its collection, and its retention period.
RCMP Response 4
- The RCMP responded to this recommendation by acknowledging that its PIB descriptions require updating. It indicated that it will work with TBS to update the relevant PIB descriptions and that it is “…supportive of this level of transparency”, but that “[i]t is more likely that transparency will be more general in nature - i.e., the RCMP collects information from open sources using a variety of tools designed for use by law enforcement.” In our view, such overly generic statements are of insufficient value to readers and inadequate to comply with the requirements of Section 11 of the Act.
- As a case in point, in response to a preliminary version of this report, the RCMP indicated that some of the “fee-for-access” Babel X data sources with which the OPC has taken issue may no longer be associated with the Babel X platform (it did not confirm one way or the other). It also noted that new data sources, that would be available to the RCMP, could be added by Babel X from time to time (it did not provide further details). As this report illustrates, distinctions between the wide range of types and sources of personal information that may be captured under the broad heading of “open-source information” are significant to understanding the privacy implications for Canadians.
- We recognize that providing more detailed information to Canadians would require more frequent updates to PIB descriptions to keep up with the evolution of technology, and would require careful, documented consideration of exceptions to transparency where justified. In our view, ensuring adequate transparency at the level of individual tools and sources can and should be integrated into the assessments of those individual tools and sources. Further, the exercise of drafting a transparent PIB can, in and of itself, help the drafting institution to truly understand the privacy implications of its collection practices.
- Given the RCMP’s lack of commitment to implement the recommendation we find the transparency matter to be well-founded and not resolved.
Conclusion
- As described above, we ultimately could not determine that the RCMP is complying with Section 4 of the Act when it collects information using Babel Street’s Babel X service. What is clear is that the RCMP did not conduct adequate due diligence to verify that the personal information provided to the RCMP by Babel X and its data providers was collected in compliance with Canadian privacy laws.
- The RCMP was unwilling to commit to implementing our recommendations, including that it cease collecting personal information via Babel X from sources that require logins or authentication to access (i.e., ones not indexable by traditional search engines that respect do-not-index tags) until it has completed a thorough review of each one for compliance with Canadian privacy laws. Therefore, this matter is unresolved, and continuing contraventions and violations of Canadians’ privacy rights may be occurring.
- In addition, we found that the RCMP contravened the transparency provisions of the Act by failing to account for, in its PIB descriptions, information that it collects from what it categorizes as open sources, including social media and the dark web. While the RCMP acknowledged the need to update its PIB descriptions, it did not agree to implement our recommendation to ensure that the PIB descriptions are clear and meaningful. Consequently, the transparency component of the complaint is well-founded and not resolved.