Privacy Commissioner: RCMP Violated Privacy Laws With Clearview AI

Canada’s privacy commissioner has issued a strongly worded report saying that the RCMP violated privacy laws by using Clearview AI.

There is an update to the Clearview AI scandal that has plagued multiple countries. Sadly, it will ultimately highlight just how badly broken Canada’s privacy laws really are.

Back in February of 2020, the Clearview AI scandal made it’s way from the US into Canada. A bombshell report at the time said that Canada’s RCMP was using Clearview AI. Clearview AI reportedly scoured the web and scraped as many pictures as it could find without either the websites or the users permission. It added those photos to a large database and trained artificial intelligence to attribute pictures and video’s to individuals found in its database.

Worth noting is the fact that such activity is generally either illegal or a violation of the various platforms terms of service. Nevertheless, the company seemingly took the approach of beg for forgiveness later rather than ask for permission now. In the sales pitch for the software, the few supporters tried to sell this as a new tool to find missing persons as well as identify criminals and help solve crime. Opponents point to the obvious privacy implications in that it used people’s pictures without permission among other things. As such, the push was already on to outlaw the practice in the US as the scandal began surfacing in Canada.

So, as the debate started to unfold last year about the RCMP’s use of Clearview AI, it became very clear very quickly that this whole thing wasn’t going to end well for the RCMP from a public relations standpoint. So, in response, the RCMP quickly came out to say that this was a trial run of the software for a few of its members and that it discontinued its use shortly after. In short, they dropped the company like a hot potato.

Regardless, four of Canada’s privacy commissioners said that they would investigate the RCMP’s use of Clearview AI to determine if privacy laws were violated.

As that went on, questions quickly swirled around who knew what when. Was this just a few RCMP members checking this out or was this directed from the top? As it turns out, the worst case scenario of the two came out in that it was directed from the top. This came in the report that said that the police board knew about the trials. That report single-handedly defeated the idea that this was just a couple of officers playing around with some new toys on their own time. Obviously, this opens up the liability by quite a bit to affect quite a large chunk of the chain of command.

If you think that, at least, a portion of the chain of command in the RCMP knew about this trial run, was bad enough, things got a whole lot worse in March. This came through the story that said that Clearview AI had suffered from a major data breach with their entire client list stolen. That, no doubt, rattled the trust between police forces and the company because it suggested that Clearview AI might also have security vulnerabilities on top of it all.

Just to add further insult to injury over this scandal, reports surfaced shortly after that said that the use of Clearview AI was not exclusive to law enforcement. As it turns out, it was a tool being used by the rich and famous to use for fun at parties and dates. This created the perception that anyone with money can be on the other part of this surveillance tool which made the public perception a whole lot worse for a number of reasons.

The trail of stories then gradually went cold after the company tried to pack up and move their focus of operations to every security researchers favorite country, Australia. The company seemingly tried to put behind the scandals plaguing it in North America to try again in another country, but to what might be limited success given that we had no problem reporting on their attempted move.

So, imagine our intrigue when we saw reports surfacing about Clearview AI popping up in Canada. As it turns out, Canada’s privacy commissioners have concluded their investigation into the RCMP’s use of Clearview AI. As a result, they have issued a strongly worded report saying that the use did, in fact, violate Canadian privacy laws. From the CBC:

The RCMP’s use of a controversial, third-party facial recognition technology was a serious violation of Canada’s privacy laws, the privacy commissioner says.

Privacy Commissioner Daniel Therrien tabled a report to Parliament this morning after investigating the national police force’s use of software from U.S.-based Clearview AI.

He concluded that by using this software, the RCMP violated the section of the Privacy Act that says that no personal information can be collected by a government institution “unless it relates directly to an operating program or activity of the institution.”

“The use of facial recognition technology by the RCMP to search through massive repositories of Canadians who are innocent of any suspicion of crime presents a serious violation of privacy,” Therrien said in the report.

“A government institution cannot collect personal information from a third party agent if that third party agent collected the information unlawfully.”

Legally speaking, there isn’t much of a surprise here. Unlawfully obtained evidence is generally inadmissible in court. So, for instance, if an RCMP officer breaks into someone’s house, rifles through the persons belongings, and finds evidence to support their case without a warrant, taking that evidence in the process, then that evidence is no longer admissible in court because it was illegally obtained.

What happened above is basically the equivalent of an RCMP member paying someone to perform these illegal actions, and hoping that this circumvents those pesky rules around illegally obtained evidence. As the privacy commissioner rightfully points out, that doesn’t change the fact that an unlawful action took place. Therefore, the use of Clearview AI is still illegal.

As a result of all of this, it is pretty much plain as day that an unlawful action that violated Canada’s privacy laws took place.

Now, as we pointed out at the beginning of this article, this may very well highlight just how broken Canada’s privacy laws truly are. If you recall the Facebook Cambridge Analytica scandal of 2018, serious privacy violations did took place in that personal information was scooped up without the users authorization. Canada’s privacy commissioners investigated and found that Facebook did violate privacy laws and ordered the company to take proactive steps to prevent something like this from ever happening again.

In the months that followed, the privacy commissioners followed up with Facebook to see if the company had followed through with implementing the recommendations. As it turned out, they had either did so insufficiently or took no action at all. The Canadian privacy commissioners then responded by issuing a strongly worded letter saying that Facebook is continuing to violate Canadian privacy laws. In response, Facebook simply said that they disagreed with the commissioners findings and effectively called it case closed. In other words, they told authorities to pound sand.

Thanks to the state of Canadian privacy laws today, this actually meant the end of the investigation. The commissioners had no tools left in the chest and, as a result, there were no repercussions for Facebook to continue to violate Canadian privacy laws. This, obviously, infuriated the commissioners who took the unusual step of stepping out of their roles as commissioners and suing Facebook as private citizens. This, of course, proved two things:

  1. That legal recourse for privacy violations is solely left in the hands of private citizens
  2. That the privacy commissioners have no legal teeth thanks to woefully unreformed privacy laws

With it being painfully clear in 2019 that Canada badly needs to have privacy law reforms to get even remotely close to keeping up with the likes of Europe and the US, it seemingly sparked a sense of urgency. In November of 2020, more than a full year later, Canada finally introduced Bill C-11 which seemingly took steps to reform Canada’s privacy laws. Among other things, the law introduced the concept that the privacy commissioner could actually levy fines against companies – what a shocking and novel concept that was… adopted in many other countries around the world long ago.

There was some debate surrounding whether or not those laws go far enough with digital rights organization, OpenMedia openly demanding more in the new legislation. To be fair, it wouldn’t be a surprise if there were inefficiencies in the law itself given that this is a pretty early kick at the can on this problem. From our perspective, though, a half-baked effort to fix Canadian privacy reforms is probably better than doing nothing at all.

As time went on, it became increasingly clear that doing nothing is what is going to happen. We can probably safely say that the worst case scenario is playing out right before us. By March of this year, it became apparent that the Liberal government was dragging its feet on this important piece of legislation. The Innovation Minister responded to questions about why privacy reform wasn’t a priority by saying that it’s all the oppositions fault. By April, the damage of the inaction became obvious when Facebook suffered another security incident. As we pointed out, if Canada had privacy reform as a priority, we’d either be able to see the newly minted laws used on Facebook or use it as extra motivation to get this legislation over the finish line. Instead, it was a missed opportunity altogether.

Now, here we are today with a second very big example as to why Canada needs to reform its privacy laws. If this was a private company, the real world consequences of their actions would be nothing. So, obviously, since this is a public service, the consequences are just as non-existent. All we are left with is the ever growing list of reasons why Canada needs these privacy reforms and why it’s frustrating that Canadians probably won’t ever get what they need.

Instead, we get a seemingly desperate attempt to get speech regulation law, Bill C-10, passed by any means necessary – seemingly at the behest of corporate lobbyist interests, while C-11 is left to languish – also seemingly at the interests of corporate lobbyist interests. Funny how closely aligned the corporate interests and the government motivations are at the expense of ordinary Canadians.

At any rate, the scandal of a lack of privacy reform is clearly continuing to plague Canadians with no end in sight. With speculation that an election could hit this Fall (we’re not entirely sure on that, but we are open to the possibility that it could happen), it seems that organizations can continue to remain untouched by Canadian privacy laws. With nothing expected to change any time soon, Canadians will continue to suffer for it.

Drew Wilson on Twitter: @icecube85 and Facebook.



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: