News from ICLMG

Urgent action needed on facial recognition, ICLMG tells Privacy and Ethics committee

On March 24, 2022, ICLMG’s national coordinator Tim McSorley appeared before the House of Commons Standing Committee on Access to Information, Privacy and Ethics for the committee’s study on the use of facial recognition technology.

Above you can watch our opening statement to the committee; you can watch the full committee hearing here.

Below is the text of our opening statement.

To find out more and to call on the federal government to take action to protect us from facial recognition surveillance, click here.

FULL STATEMENT:

Thank you for inviting me to speak today on behalf of the International Civil Liberties Monitoring Group, a coalition of 45 Canadian civil society organizations dedicated to protecting civil liberties in Canada and internationally in the context of Canada’s anti-terrorism and national security activities.

Given our mandate, our particular interest in facial recognition technology is its use by law enforcement and intelligence agencies, particularly at the federal level.

We have documented the rapid and ongoing increase of state surveillance in Canada and internationally over the past two decades. These surveillance activities pose significant risks to and have violated the rights of people in Canada and around the world. Facial recognition technology is of particular concern, given the incredible privacy risks that it poses and its combination of both biometric and algorithmic surveillance.

Our coalition has identified three reasons, in particular, that give rise to concern.

First, studies have shown some of the most widely used facial recognition technology is based on algorithms that are biased and inaccurate. This is especially true for facial images of people of colour, who already face heightened levels of surveillance and profiling by law enforcement and intelligence agencies in Canada.

This is particularly concerning in regard to national security and anti-terrorism, where there is already a documented history of systemic racism and racial profiling. Inaccurate or biased technology only serves to reinforce and worsen this problem, running the risk of individuals being falsely associated with terrorism and national security risks. As many of you are aware, the stigma of even an allegation in this area can have deep and life-long impacts on the person accused.

Second, facial recognition allows for mass, indiscriminate and warrantless surveillance

Even if the significant problems of bias and accuracy were somehow resolved, facial recognition surveillance systems would continue to subject members of the public to intrusive and indiscriminate surveillance. This is true whether it is used to monitor travelers at an airport, individuals walking through a public square, or activists at a protest.

While it is mandatory for law enforcement to seek out judicial authorization to surveil individuals either online or in public places, there are gaps in current legislation as to whether this applies to surveillance or de-anonymization via facial recognition technology. These gaps can subject all passerby to unjustified mass surveillance in the hopes of being able to identify a single person of interest, either in real-time or after the fact.

Third: there is a lack of regulation of the technology and a lack of transparency and accountability from law enforcement and intelligence agencies

The current legal framework for governing facial recognition technology is wholly inadequate. The patchwork of privacy rules at the provincial, territorial, and federal levels do not ensure law enforcement use facial recognition technology in a way that respects fundamental rights. Further, a lack of transparency and accountability means that such technology is being adopted without public knowledge, let alone public debate or independent oversight.

Clear examples of this have been revealed over the past two years.

First, the lack of regulation allowed the RCMP to use Clearview AI facial recognition technology for months without the public’s knowledge, and to then lie about it before being forced to admit the truth. Moreover, we now know that the RCMP has used one form of facial recognition or another for the past 20 years, without any public acknowledgement, debate, or clear oversight. The Privacy Commissioner of Canada found that the RCMP’s use of Clearview AI was unlawful, but the RCMP has rejected that finding, arguing they cannot be held responsible for the lawfulness of services provided by third parties. This essentially allows them to continue contracting with other services that violate Canadian law.

Lesser-known is that the RCMP also contracted the use of a US-based private “terrorist facial recognition system” known as “IntelCentre.” This company claims to offer access to facial recognition tools and a database of more than 700,000 images of people associate with “terrorism.” According to the company, these images are acquired from various sources online, including social media, just like Clearview AI. Also, like Clearview AI, it is unclear how these images are verified, or the legal justification for collecting these images. Even worse than Clearview AI, though, is that this system comes with the added stigma of being allegedly linked to terrorism. Worsening the situation, we have no idea how the RCMP used this tool, let alone the force’s legal basis for using it. It is clear, though, that it could have devastating impacts on someone who is falsely accused.

In another example, the CBSA ran a pilot project using real-time facial recognition surveillance at Toronto’s Pearson Airport for six months in 2016, with little to no public warning beyond a vague notice posted to their website. In all, nearly 3 million travellers had their faces scanned against a database of 5,000 images.

Finally, CSIS has refused to confirm whether they use facial recognition technology in their work, stating they have no obligation to do so. While intelligence agencies may not be able to go into the specifics of ongoing operations, there is no reason why they should not engage in a fulsome, public debate about the use of such controversial technology.

Given all these concerns, we would make three main recommendations:

  1. That the federal government ban the use of facial recognition surveillance immediately, and undertake consultation on the use and regulation of facial recognition technology in general
  2. That based on these consultations the government undertake reforms to both private and public sector privacy laws to address gaps in FR and other biometric surveillance
  3. That the Privacy Commissioner be granted greater enforcement powers, both with regard to public sector and private sector violations of Canadian privacy laws.

Since you’re here…

… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties. You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work.panel-54141172-image-6fa93d06d6081076-320-320You can also make a one-time donation or donate monthly via Paypal by clicking on the button below. On the fence about giving? Check out our Achievements and Gains since we were created in 2002. Thank you for your generosity!
make-a-donation-button

RCMP violates national security disclosure rules, potentially placing thousands of individuals at risk

In late February, the latest annual review on national security-related information sharing was published to little fanfare. While it found that, overall, rules were being followed, it revealed a significant problem that deserves greater scrutiny and raises concerns about how the RCMP treats sensitive, personal information.

The study, conducted jointly by the National Security and Intelligence Review Agency (NSIRA) and the Office of the Privacy Commissioner of Canada (OPC), revealed that in 2020 the RCMP disclosed to the Department of National Defence/Canadian Armed Forces (DND-CAF) a dataset with the biometric information of thousands of individuals — men, women and children — who have been “detained by a third party on suspicion of being members or supporters of a terrorist organization.” The disclosure was made proactively by the RCMP, on the basis that they believed it fell within the scope of the DND-CAF’s counterterrorism mandate and because the CAF was active in the region where the individuals were detained.

While not explicitly stated, it is almost certain that this dataset relates to the thousands of individuals who continue to be detained in camps and prisons in North Eastern Syria by the Kurdish administration on allegations that they support and/or are members of Daesh (also known as ISIS). There is simply no other ongoing situation that meets the description provided and that, plausibly, would be of interest for DND-CAF based both on their own counterterrorism activities and on where they were active.

It’s important to note that the individuals detained have not faced trial or even been formally charged. There are ongoing efforts to have those who are not citizens of Syria repatriated to their home countries for reintegration and, if deserved, to face trial. Currently more than 40 Canadians, including nearly two dozen children, are in those camps and prisons. The families of 26 of those Canadians initiated a lawsuit last year to force the Canadian government’s hand to protect its own citizens and aid them in returning to Canada. While some countries have made efforts to bring their citizens home, more than 40,000 foreigners are estimated to be in the camps.

The RCMP received this dataset from a “trusted foreign partner,” which is also unnamed, but that is believed to be the FBI. 

The Security of Canada Information Disclosure Act (SCIDA), as the rules are formally known, was implemented to regulate how national security information is disclosed to Canadian national security agencies, including the protection of personal information. It includes safeguards around what information can be disclosed, how it is requested, how it can be proactively disclosed, and around record keeping to allow for after-the-fact review. This includes determining whether the information being disclosed will contribute to the recipient institution’s jurisdiction or mandate in respect to activities that undermine the security of Canada, and will not affect any person’s privacy interest more than is reasonably necessary. Disclosing and requesting institutions must also document the reasoning for the disclosure/request, and the disclosing institution must record information pertaining to the accuracy of the information shared.

In this case, while the RCMP removed any information related to Canadians in the dataset, it shared the remainder details of thousands of individuals with DND-CAF. However, NSIRA and the OPC discovered that when the RCMP originally received the dataset, it was meant to be accompanied by a detailed description of the dataset, including crucial information related to how the information was obtained, and caveats on its use. However, that detailed description apparently never arrived. Months later, the RCMP still went ahead and shared the dataset with DND-CAF proactively — there was no request for the information — without the supporting description of the dataset. 

The report finds that because of this failure to share important supporting information, it would be impossible to adequately evaluate the privacy impact on the individuals listed, especially given the fact that it meant that they are linked to a terrorist organization. Therefore, the disclosure was not compliant with SCIDA.

It is extremely troubling that the personal biometric information relating to thousands of individuals was shared without taking every precaution to ensure accuracy and the protection of privacy. This is especially important given the accusations being laid against these individuals, and the already precarious position that they are in. What if some of the information was inaccurate, and led to CAF misidentifying an individual as being a suspected terrorism sympathizer?

The sheer scope of the problematic disclosure raises serious questions. We do not know how many thousands of people are included, nor how the RCMP may be using this list (even if DND-CAF has said they are not). And while this accounted for only one of the 215 disclosures made under SCIDA for 2020, it makes up the vast majority of individual records shared. It’s important to note that one disclosure does not equal information related to one individual, and can range from one or a handful of people to bulk information related to hundreds or thousands of individuals.*

In the end, DND-CAF did not integrate the information — which again, it did not request — into their operational info. NSIRA and the OPC have asked that DND-CAF review whether they should retain the information, which the department says they will do, taking into account “any new information provided by the RCMP, NSIRA and the OPC’s findings, and associated DND-CAF directives and policies.”

The RCMP, though, has astonishingly said it only “partially accepts” the review’s findings, stating that despite not having received key details about the information from their trusted partner, they were “satisfied that the disclosure would not affect any person’s privacy interest more than was reasonably necessary in the circumstances.” How this is possible is not clear, and raises serious questions about how the RCMP assesses information it shares with partners.

RCMP violated disclosure rules on at least three occasions in 2020

Taken alone, this violation of SCIDA would be concerning, but the RCMP’s name continues to pop up throughout this year’s report. The review examines whether organizations met the two-part test for disclosure. First, whether the information disclosed was relevant to the national security mandate of the receiving organization. Second, whether the disclosure would impact the privacy of individuals more than is reasonably necessary given the circumstances.

They found that of 215 disclosures made in 2020, 213 met the first standard for disclosure. The two cases that did not comply? Both were proactive disclosures from the RCMP, one to Global Affairs, the other to Immigration, Refugees and Citizenship Canada (IRCC). 

For the second standard, again the report found that there were only two instances of non-compliance, both related to the RCMP. One was the previously discussed disclosure to DND-CAF, and another disclosure to IRCC (it is unclear whether this is the same disclosure to IRCC mentioned above, or a separate disclosure).

If the RCMP was responsible for the bulk of the 215 disclosures made in 2020, their violation of the Act could be excused as a minor aberration. However, the RCMP only accounted for nine of the 215 disclosures. So in fact, at least a third of the RCMP’s disclosures (3 out of 9) did not meet the requirements set up in SCIDA.

The report also found that the RCMP has failed to fully update its policies since SCIDA was enacted in 2019, whereas most other departments covered by SCIDA have. This is especially troubling, because the entire reason for the introduction of SCIDA was to try and make up for the lack of safeguards included in its predecessor, the Security of Canada Information Sharing Act. And yet the RCMP, the largest law enforcement agency tasked with national security, has still yet to fully update its policies. 

“Verbal disclosure” raises further questions

The report shares lots of other interesting information including the overall number of disclosures and requests from various agencies. It shows that most requests and disclosures are made between agencies explicitly named in Schedule 3 of the bill as having a national security-related mandate.

For the first time this year, the report documents that one federal agency without a national security-related mandate disclosed personal information, in this case to CSIS. The report does not name this agency. In response to an email follow-up asking why this would be kept secret when all other disclosing agencies are named, NSIRA stated that the decision was specific to this case. Revealing the agency, they wrote, “would have jeopardized CSIS’ investigation of the security risk identified.” They also assured that withholding the name of disclosing agencies is not automatic nor a standard practice.

While this is only one case, it too raises a red flag: When CSIS reached out verbally to the agency for information, instead of following the formal protocols under SCIDA, the agency simply shared the information verbally. Shortly thereafter, the agency did consult with the Justice Department, and a more detailed written disclosure did follow SCIDA regulations. However, why did CSIS — which is fully aware of the rules — not formally request information with the appropriate guidelines in the first place? And if SCIDA disclosures are to be used more broadly, as was the hope when the rules were adopted, what will stop this from happening more frequently? While some may argue it is unlikely, it is entirely possible that other verbal disclosures that did not require follow-up have already been made and would not have been caught by this review.

NSIRA and the OPC have made suggestions for better training, and for agencies requesting disclosures to proactively inform the department they are approaching about SCIDA regulations. But this speaks to the central concerns that we and others raised about SCIDA and its predecessor, SCISA: that in opening the gates to more information sharing in regards to national security, we run the real risk of breaches in privacy and overly-broad disclosures and requests. 

This is difficult to measure though, since we do not have any comparative, comprehensive statistics prior to the introduction of SCIDA, and many of these agencies have their own, separate, information sharing agreements that fall outside of SCIDA; for example, information sharing between the RCMP and CSIS falls under their own, separate agreement.

Happily, this report shows that most departments take their duties to limit the information disclosed to that which is necessary, and to even destroy information that is disclosed to them if they find that it is not compliant with the law. IRCC, which made the single largest number of disclosures, seemed to take this particularly seriously, limiting what information it shared, placing caveats on it, and destroying information that was non-compliant.

However, we still harbor deep reservations about aspects of SCIDA, and will continue to advocate for reforms, including its overly-broad definition of “threats to the security of Canada.”

* As the report notes, most disclosures related to one or a small number of individuals. However, five related to 20 individuals or more, the RCMP disclosure discussed included information about thousands of individuals, and another Global Affairs Canada disclosure impacted possibly thousands of people as well (when it shared several thousand Twitter handles with the Communications Security Establishment). As the report notes, the government should examine implementing specific policies around the “bulk disclosure” of information.

Since you’re here…

… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties. You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work.panel-54141172-image-6fa93d06d6081076-320-320You can also make a one-time donation or donate monthly via Paypal by clicking on the button below. On the fence about giving? Check out our Achievements and Gains since we were created in 2002. Thank you for your generosity!
make-a-donation-button

ICLMG statement on use of Emergencies Act

Feb. 24, 2022, OTTAWA — Yesterday, the federal government put an end to the public order emergency declared on Feb. 14th, and approved this past Monday by the House of Commons.

Despite the emergency declaration coming to an end, important questions and issues persist.

The invocation of a public order emergency was an extraordinary response to the multiple crises of border blockades and the occupation of downtown Ottawa – on what is already unceded, occupied Algonquin Anishinaabe territory.

As a civil liberties coalition that focuses on the impact of anti-terrorism laws and national security actions in Canada, we recognize how the implementation of extraordinary state and policing powers can have long lasting impacts, and that temporary measures can become permanently entrenched. Further, as these powers persist, the greatest impact is often on marginalized and vulnerable communities that are already over-policed. It is crucial that even as we recognize the severity of the impact and threat posed by far right movements, that these state powers are scrutinized and that those carrying them out – from politicians to police to private institutions – are kept accountable for their actions.

This includes how protests will be policed going forward. Blockades – in abstraction – are legitimate forms of protest. However, the blockade in Ottawa was accompanied by harassment, threats of physical and sexual violence, assaults, racist violence, incessant noise that were described as torture by downtown residents, and more. Border crossing blockades were also accompanied by threats of violence, along with hateful and white supremacist language and imagery. These acts stand apart from the actions of Indigenous land defenders, anti-racism advocates, and other actions advocating for justice, democracy and emancipation which are almost always met with swift police control, arrests, and often, violence. It is imperative, going forward, that the kinds of violence and threats seen at the blockades not be conflated with protest. Nor should it be allowed to give rise to broader invocations of either the Emergencies Act or the view that protest must be met with extraordinary policing powers.

It also includes surveillance powers, and financial surveillance in particular. Over the past two decades, we have heard many stories of Muslims, and Muslim-led organizations, in Canada facing unaccountable financial surveillance from banking institutions and being de-banked based on vague, unsubstantiated allegations of links to terrorism. It is crucial that powers granted to financial institutions as a result of the emergency declaration not be further deployed against individuals engaged in protest – as opposed to those providing funds that directly support criminal activities. While these powers are ostensibly limited by the time limits placed on emergency powers, their overall impact may continue if appropriate accountability and transparency measures are not put in place.

Our research and advocacy on anti-terrorism laws raises another important concern: that “extraordinary laws” should not be introduced when existing laws suffice. For example, we and others have argued that terrorism-related crimes can be addressed just as well through standard criminal code provisions, if enforced adequately, without the need for a special category of law because of the dangers such special categories entail. This reflects what we have seen with the invocation of the Emergencies Act: if regular powers had been properly utilized earlier on, the need to declare an emergency would likely not have arisen. This speaks to a deep crisis that so many have identified in regards to policing at all levels in Canada, and must be addressed in the aftermath of this declaration of emergency. While it is difficult to adequately assess whether the appropriate legal threshold was met for invoking the Emergencies Act, it is much more clear that we should never have gotten to that point in the first place. We look forward to seeing the result of the Canadian Civil Liberties Association’s court challenge over whether those legal thresholds were met.

Finally, it is impossible to not observe the deep – and warranted – concerns over the invocation of the Emergencies Act in contrast to the acceptance and complacency towards anti-terrorism laws and their impacts on Muslim and other racialized Canadians for the past 20 years. Canada’s anti-terrorism laws have been plagued with some of the very concerns raised over the Emergencies Act – lack of necessity, lack of due process, unaccountable surveillance, extra interrogation, limitations on mobility rights – and yet are accepted on a daily basis. It isn’t too much to say that many Muslim and racialized individuals in Canada have been living under a decades-long state of emergency because of these problematic laws. As we debate the appropriateness of the Emergencies Act, it is well past time that we also question the logic of Canada’s anti-terrorism framework.

Going forward, there must be a vigorous and in-depth examination of the impact of the Emergencies Act. The mandatory inquiry into circumstances leading to the declaration of emergency, and the actions carried out during the emergency, must be convened as soon as possible. Such a review must be carried out in public, must be independent, and those carrying it out must be granted full access to the information necessary to evaluate all aspects of the actions and decisions of both the federal government and government agencies.

Page 29 of 106« First...1020...2728293031...405060...Last »