RCMP Confirms It Bought a Tool that ‘Unlocks’ Hidden Facebook Friends

The Nova Scotia division of the RCMP bought use of a tool designed to “unlock” lists of friends that Facebook users set to be hidden.

The Web Identity Search Tool was also built to extract entire user timelines from Facebook.

But now, following a Tyee investigation and a Facebook legal complaint to WIST’s developer LTAS Technologies, the Toronto-based company has removed marketing information about the tool from its website and its CEO has told The Tyee the product is “discontinued.”

WIST has been marketed to law enforcement in Canada and around the world since at least 2012.

LTAS Technologies restricted WIST customers to police and other “investigators,” according to its site, requiring credentials be submitted to purchase a license.

Using WIST, police could select a Facebook user who had set friends to private, or seen by “only me,” and watch as the tool scoured the internet for leads from other accounts and filled in the missing friend list.

Internal documents obtained by The Tyee via a freedom of information request showed the Nova Scotia RCMP division listed the Web Identity Search Tool among apps it used on a “covert laptop” when investigating members of organized crime groups.

The app can “unlock hidden friend lists,” connecting any Facebook user to others with up to three “degrees of separation,” the Nova Scotia RCMP wrote in a 2017 summary of its web monitoring tools.

“Nova Scotia RCMP (NSRCMP) purchased a 1 year licence of the WIST software which showed promise at being able to identify, organize and export associates/friends lists,” Sergeant Andrew Joyce said in a Nov. 20 email to The Tyee.

Joyce could not say when the contract began and ended, but the tool appears to have been in use in 2017, based on files obtained by The Tyee.

The Tyee contacted Facebook on Nov. 13 to ask if the social media giant was aware of WIST and its advertised capabilities. Facebook responded that it could not answer but would follow up when it had more information.

By Nov. 20, a week later, information about WIST on LTAS Technologies’ page had been removed.

When The Tyee again contacted Facebook to ask if it had been in touch with LTAS Technologies, spokesperson David Troya-Alvarez confirmed it had “removed the CEO and organization from our platform” for violating policies.

Facebook sent LTAS Technologies a cease and desist order for WIST, The Tyee has learned.

LTAS Technologies CEO Allen Atamer told The Tyee that WIST was “discontinued” and declined to answer any further questions on the timing.

Joyce in his email said the Nova Scotia RCMP has not renewed its license for WIST, and even when it was using the tool, privacy and security controls added by Facebook made “many of the software functions ineffective.”

The force never sought judicial authorization to use WIST, wrote Joyce, because, “for our purpose everything the software collected was from public/plain view and we were not engaging anyone.”

Regarding WIST’s advertised ability to crack open private lists of Facebook friends, Joyce said, “I do not believe we knew or were able to use that feature.”

Yet the Nova Scotia division listed the feature in its summary of tech it possessed in 2017, in preparation for the 2018 summit of G7 nation leaders in Quebec.

‘Troubling implications’

The capabilities of WIST and similar tools “have troubling implications for our ability to exercise freedom of association,” said Cynthia Khoo, a technology and human rights lawyer and researcher with University of Toronto’s security-focused Citizen Lab.

“Facebook, for all its own set of serious faults, is known and relied on as a space where people cultivate social bonds and build community. Law enforcement being able to exploit that fact is a serious incursion into our private lives and relationships,” she said.

Khoo disagrees with the RCMP’s claim that spying on social media runs no risk of violating privacy because users assume their messages and postings are public. The RCMP has described social media as “open source,” meaning in the public domain.

“The idea of publicly available social media data being ‘open source’ or legally ‘fair game’ for law enforcement surveillance is deeply contested and open to debate,” she said.

“The Supreme Court of Canada has recognized that privacy is not an all or nothing concept, and the mere fact of making certain information public does not mean you waive all privacy rights in that information, especially for the purposes of state surveillance,” said Khoo.

Harsha Walia, executive director of British Columbia Civil Liberties Association said the RCMP purchase of WIST, coupled with previous revelations it purchased facial recognition software from Clearview AI, should give Canadians pause.

“Given the significant threats to privacy and constitutionally-protected Charter rights, we continue to call on all provincial and federal governments to place moratoriums on police agencies’ use of facial recognition and algorithmic surveillance technology,” Walia wrote in an email.

Last month, a person with the required investigator credentials to buy WIST contacted its maker and inquired about purchasing the tool. The person told The Tyee that LTAS Technologies responded that it was having difficulty with the tool in recent weeks but hoped to have the code “patched” again shortly.

Facebook loopholes

On its blog, LTAS Technologies discusses how users of WIST can find out what they want to know about Facebook users and their friends despite obstacles meant to guard privacy such as missing last names, international treaties, or users with duplicate accounts.

WIST exploits loopholes in Facebook’s platform to get around the private setting for friends. Critics have raised concerns about such potential weaknesses, which Facebook has not fixed.

Among the loopholes critics cite:

Friendships of a user that keeps friends hidden will still show up in the publicly accessible friend lists of connected users who have not set lists to private.

A friendship between two people will also be revealed to anyone who has friends in common with the private person and another individual.

And a link on the Facebook platform allows friendships to be revealed by displaying friends in common between two users when only one has a private list.

Using a combination of these loopholes and historical caches of known friends from its previous scouring operations, WIST systematically reconstructed the friend list of a user that wanted it kept secret. It starts its process by looking for any “likes,” comments, or other interactions from the WIST target or other users on any public posts.

Other loopholes enabled Cambridge Analytica to scoop up information from millions of non-consenting Facebook users and beam Donald Trump and Brexit campaign messages tailored to recipients on the social media platform — a practice that became an international scandal and prompted government hearings on either side of the Atlantic.

Cambridge Analytica exploited a feature set by Facebook which allowed any user of an “app” on the platform to give up not just their own data, but the data of all of their friends too, without asking those friends.

Canada’s Competition Bureau handed out a $9-million fine to Facebook in Canada as a result of a related investigation, noting the company effectively made misleading claims on privacy.

While the information on WIST is gone from its site, LTAS Technologies continues to advertise other web-scanning software there. Its products included a suite of tools designed to catch tenants who are putting apartments on short-term leasing sites like Airbnb, and help identify counterfeit items for sale on Craigslist or Facebook.

The company powers the service by storing massive caches of previously listed items on the websites, and its products can reveal information that sites try to keep from scraping, such as unmasking phone numbers which are automatically blurred on Craigslist by default.