Canada’s Spies, Police, and Border Agents Are Quietly Coordinating on Biometrics
Privacy experts worry the meetings could put Canadians’ privacy at risk.
Image via ATIP
For over a year, Canadian military, intelligence, police, and border agencies have been meeting to develop and coordinate their biometric capabilities, which use biological markers like facial recognition and iris scanning to identify individuals.
This initiative—details of which were revealed to Motherboard in documents obtained through an access to information request—shows that the Canadian government is reigniting its focus on biometrics after a similar attempt a decade ago fizzled out. According to these documents, which include emails, meeting agendas, and briefing reports, the meetings are an effort to coordinate the critical mass of biometrics programs that exist across many government agencies, particularly those relating to national security.
The US has put together such working groups before, like the National Science and Technology Council's subcommittee on biometrics. Established in 2003, the initiative was a formal working group to coordinate biometrics efforts and it regularly released public reports. In contrast, the Canadian effort is "informal," spokespeople emphasized, and it hasn't been promoted by the government except for four tweets from Defence Research and Development Canada (DRDC), the department that spearheaded the initiative.
Spokespeople for various government branches also stressed that no actual biometric information is being shared between agencies at these meetings, which would be a major concern for privacy advocates. But documents show that database sharing was part of the discussions, raising questions about how Canadians' biometric information is handled behind closed doors.
"If information is being shared behind the scenes with organizations or agencies that an individual is not informed about, then that wipes out consent," Brenda McPhail, director of the Canadian Civil Liberties Association's privacy project, told me. "Our privacy laws are based on consent."
The Canadian Security Intelligence Service (the country's CIA analogue), the Royal Canadian Mounted Police, the Canadian Armed Forces, as well as the country's border and immigration agencies are all participants in the "Government of Canada Biometrics Community of Practice" (CoP), which had its first meeting in March of 2016.
"The [initiative] was established … to encourage information-sharing and foster collaboration between federal departments and agencies that have an interest in biometric technologies and their applications," Department of National Defence (DND) spokesperson Ashley Lemire wrote Motherboard in an email. (DRDC falls under DND's umbrella.)
At least one current government project—the Canadian Border Services Agency's facial recognition kiosks at airports—was discussed at meetings in the year leading up to the kiosks being rolled out in early 2017, according to John Campbell, a consultant at the Ottawa-based Bion Biometrics firm. He assisted DRDC in coordinating the biometrics group and has attended every meeting to date, he said in an interview.
"The [kiosk program] is one of the biggest projects right now," Campbell said, describing how information swapping occurs between departments at these meetings. "They say, 'Here's what we're doing,' and then there's discussion, and maybe someone will say, 'Oh, this is similar to what we're doing,' or, 'Hey, did you have trouble with this?'"
It's not clear what input, if any, police or spies have had on the facial recognition kiosks. A spokesperson for the Canadian Border Services Agency (CBSA) wrote Motherboard in an email that the program was "developed independently from the Biometrics Working Group [a previous title for the community of practice] and the CoP."
DND spokesperson Daniel LeBouthillier confirmed to Motherboard that the agencies meeting on biometrics don't share any actual biometric data, like fingerprints or facial scans. However, meeting transcripts suggest that database sharing and closer cooperation between domestic agencies was discussed.
Campbell of Bion Biometrics wrote an email to DRDC staff prior to the first meeting in March of 2016 that seems to indicate that sharing biometric data was part of the motivation in setting up the initiative.
Similar working groups exist in the US to ensure that "all the biometric systems in different departments could communicate to ensure they could share information on known and suspected terrorists," Campbell wrote. "We have the same problem to a smaller degree with DND and RCMP and CBSA and [Immigration, Refugees and Citizenship Canada] needing to share information."
The working group should offer "cooperation on database access" between DND, Immigration, Refugees and Citizenship Canada, and the CBSA, an undated summary from a DRDC meeting to establish what the initiative can offer participants states. The group could also allow the DND to analyze biometric data it collected in Afghanistan, which it was not previously permitted to do, the summary continues.
While in Afghanistan, the Canadian Armed Forces collected biometric markers from locals who were suspected or believed to pose a threat to soldiers, and from shrapnel collected after bomb blasts, according to background info provided by DND.
Under the DND's Afghanistan-era policy, these biometrics could only be used to support the mandates from Operation Enduring Freedom (the US military's term for the war) and NATO's now-concluded security mission in the country. Under this policy, other uses of biometrics collected in Afghanistan, like sharing them with border agents, would have required government approval. DND did not provide Motherboard with the current policy in time for publication.
Additionally, representatives from the RCMP who attended the CoP's inaugural meeting said that the federal police force "wants to be able to talk more to Canadian government rather than just their foreign partners, but this can be a problem because of security clearances."
The RCMP did not respond to Motherboard's request to clarify this statement in time for publication. In the past, however, the federal police force has used databases from domestic law enforcement partners and public information sources to keep tabs on environmental and First Nations protesters.
Last year, Motherboard obtained RCMP documents that showed the force was seeking to upgrade its fingerprint database with biometric facial recognition technology in order to keep pace with US law enforcement. Police documents stated that the force had "no authority" in Canada to use biometrics like facial and iris recognition, however, and the police have no specific plans to implement the technology.
Emails show the biometrics initiative was the result of a campaign by staff at the DRDC, and by Campbell, who said in a phone interview that he pitched the idea to the government.
"There are several such groups in other parts of the world that I have seen and participated in, but there wasn't one in Canada for the Canadian government," Campbell said in an interview. "So, I suggested that it might be a good idea."
In emails, some departments appeared to display reluctance to join the initiative, prompting a DRDC official to write, "we're in sales mode here."
Documents suggest that CSIS was particularly difficult to convince. In one email, Campbell noted that he met with an individual whose name is redacted, but whom Campbell said in an interview was an official at Australia's border agency. Australia is a member of the international "Five Eyes" surveillance alliance, which includes Canada. In the email, Campbell suggests that the Australian could convince CSIS to join the CoP at his behest.
Campbell said that he never actually gave the unnamed Australian border official the go-ahead, but regardless, CSIS is now a participant in the meetings.
"While I won't speak to specifics," CSIS spokesperson Tahera Mufti wrote Motherboard in an email, "what I can say is that CSIS participates in selected communities of practice, such as those offered by DRDC's Canadian Safety and Security Program, in order to better leverage the collective knowledge and experience of the science and technology community in support of its mandate to protect Canadians and Canada's national security interests."
There are precious few safeguards in place to ensure that the conversations between security agencies remain appropriate and lawful, documents suggest.
In order to protect citizens' privacy, Canadian agencies are expected to file privacy impact assessments to the Office of the Privacy Commissioner (OPC) on new initiatives that may impact them. While a specific subcommittee to produce privacy impact assessments was considered for the meetings, the idea was eventually abandoned. However, the Office has presented to the group on impact assessments.
"At the [May 2017] meeting, we provided an introductory presentation on policy and [Privacy Impact Assessment] processes at the OPC," Office spokesperson Valerie Lawton wrote in an email to Motherboard. "We noted during that session that, due to our audit and investigatory mandate, we can provide advice and recommendations, but do not approve or endorse programs. "
Due to the CoP's "informal" nature, there are no policies or ground rules for how participating agencies share information, according to LeBouthillier, who spoke to Motherboard on behalf of DND.
Privacy expert Brenda McPhail emphasized that the public has a right to know what's happening behind closed doors, particularly when it comes to implementing biometrics.
"If groups are going to be created for the purpose of creating programs and sharing information, it's important that the public know what the terms of reference are, and what can and can't be done by that group," she said over the phone. "We need accountability."
Get six of our favorite Motherboard stories every day by signing up for our newsletter .