The Laundering · Vol. II · Case 49 · The protocol is the pedigree

The Need-to-Know

How a login becomes a stalking tool, and why the audit log cannot tell the difference. A police credential answers one question, is this person allowed in. It does not answer the question that should govern every access, should this person be in this record, right now. The reason was never recorded, so the stalking query and the lawful one produce the same line in the log.
On scope & care

The subject here is an architecture, not a verdict on any one officer. The findings of the Saskatchewan Information and Privacy Commissioner (wilful, unauthorized access) and the guilty pleas and convictions cited below are on the public record and are stated as fact; nothing about motive is added beyond what those records establish. Where a matter is only an allegation or a pending accusation, it is marked, and the person is not named. The recurring victims, former partners, crime victims, and people who reported wrongdoing, are referred to in the roles the records assign them, with no detail added for effect. The point is structural: the access system is built so that misuse and use are the same act until someone audits, and audits are rare, retrospective, and usually triggered by accident.

A protocol issues access. The pedigree is supposed to be the justification attached to each access: the need-to-know that makes this particular look at this particular record legitimate. The whole quiet failure of police information systems is that the protocol is real and the pedigree is not. The credential is checked at the door and never again. The reason for any single query is a social expectation laid on top of a technical system that does not capture it, so it is never written down, never checked at the moment of access, and only ever reconstructed afterward, by an audit, if an audit happens. When the justification is fictional but the access is real, the breach is invisible at the instant it occurs, because the system records a query, not a reason.

§01 · The protocol is the pedigree

This is a money-laundering shape, and it is worth naming it that way, because the site is called what it is called for a reason. Launderers move dirty money through three stages: placement (get it into the system), layering (hide it inside legitimate traffic until it cannot be told apart), and integration (let it re-emerge as clean, usable funds). A misused police query runs the identical three stages, except what is being laundered is not money. It is access.

Placement

Clean credential. Lawful standing access to IEIS, CPIC, the driver database.

Layering

67 illegitimate queries hidden inside thousands of legitimate ones. No reason recorded, so no query looks different from any other.

Integration

Located, contacted, surveilled. Output re-enters the world as ordinary policing.

The credential answers “is this person allowed in.” It does not answer “should this person be in this record right now.” Those are different questions, and the system only ever asks the first. So the second one, the pedigree, has nowhere to live. It is never attached to the protocol, and that gap is the entire case.

§02 · The front door is immaculate

Start where the system is strongest, because its strength is the misdirection. Getting access is hard and well-papered. To reach the Canadian Police Information Centre, CPIC, an officer passes clearances, fingerprinting, and mandatory courses; there are rules against password sharing and requirements for restricted-access rooms. CPIC reaches a great deal: through it, more than 80,000 law-enforcement users across some 3,185 agencies can query provincial driver-licence systems, the firearms registry, and the correctional offender-management system, with each agency responsible only for the accuracy of its own data. [architecture] The Correctional Service has a written directive governing who may see an offender file.

Read those controls closely and a pattern appears: almost every control is on getting in, and almost none is on what you do once inside, or on recording why you did it. The front door has a guard, a log, a badge reader, and a list. The rooms beyond it have none. Access is governed by a reference manual, not by a per-query justification engine. That is the placement stage made institutional: the credential is so clean, so hard-won, that the system treats possession of it as proof that every use of it is legitimate.

Counter: police need fast, frictionless access to do urgent work, and a justification prompt on every query would cost time in a real emergency. True, and the fix below is calibrated to that. The objection is not that access should be slow. It is that access should leave a reason behind it.

§03 · The layer that hides the substance

The anchor is a single regulator document. In Investigation Report 123-2025 (11 December 2025), the Saskatchewan Information and Privacy Commissioner found that a Regina Police Service officer had accessed the personal information of six individuals in the service’s Integrated Electronic Information System, IEIS, without a legitimate need-to-know basis, over a span of three years, three months and 15 days (October 2021 to June 2024): 67 unauthorized searches in all. The people he searched included a former partner, that former partner’s sibling, and that former partner’s previous partner. [primary]

What the queries pulled is the point. The accessible fields included full names, dates of birth, fingerprint serial numbers, physical descriptions, the person’s role in any investigation (complainant, witness, victim, suspect, reporter), and whether they had ever been charged. The Commissioner found the breaches intentional and wilful: the officer had taken privacy training in 2017, 2018 and 2019, had signed a Confidentiality Protocol, and saw a privacy disclaimer at every IEIS login, and breached anyway. None of those 67 queries looked any different, in the log, from the lawful queries around them. That is the layering: not a clever forgery, just volume. A reason was never required, so a query made “for personal reasons” and a query made for an investigation are the same record.

The system recorded a query, not a reason. So a stalking search and a lawful one are the same line in the log.

Two findings from the same report carry the architecture. First, the Commissioner called the service’s response, additional privacy training plus random audits for two years, wholly inadequate and incapable of restoring public faith. Second, and more revealing, the service did not revoke the officer’s access, because he was still working as a police officer and therefore “required access.” The system has no setting for “trusted enough to police, not trusted enough to query.” Access is binary. You are in, with everything, or you are out, of the job.

§04 · When the access re-enters the world

Layered access is invisible only until it is used, and use is the integration stage: the located address, the contacted victim, the surveilled complainant, re-entering the world as ordinary activity. The same Regina service holds the starkest example, named in the Commissioner’s report as “an unfortunate backdrop.” A 22-year Regina Police Service sergeant pleaded guilty, on 21 November 2025, to breach of trust and unauthorized use of a computer, after using police databases over roughly 15 years to find and contact around 30 women, among them victims of domestic violence and victims of crime, some with no idea he was a police officer. He used aliases and posed as a contractor. [primary] Two officers, one mid-size prairie service, overlapping years, the same class of system: the pattern is not one bad login, it is a standing capability that two different members independently found they could use.

The integration stage is documented elsewhere in equal detail. In Toronto, a constable pleaded guilty (2018) to insubordination for unauthorized queries on two people, one a former partner, across three databases at once: the records system, the national CPIC, and the fingerprint-and-photo system. The same reporting describes a separate officer docked four days’ pay for looking up a woman in CPIC, then docked sixteen more days for using his badge to obtain a key fob to her building and leaving a note on her car after a friendship ended. [primary] That is the whole chain in one man: a query becomes an address becomes a physical approach. The data did not stay in the database. It walked out and stood next to her car.

§05 · The victim profile is not incidental

Notice who keeps appearing on the receiving end: former partners, crime victims, and people who reported wrongdoing. This is not coincidence, it is the architecture again. These are exactly the people whose records the system holds, and whose vulnerability the access multiplies. The system was built to hold their information for their protection. The same hold is what makes them reachable.

The pattern runs across services. In Calgary, an officer was convicted under the provincial Police Act for harassing a woman and using police databases to search her information, stalking a perceived romantic rival until the woman left the province. [primary] In Ottawa, a constable is accused of 77 unauthorized searches between January 2021 and October 2024, including queries into 44 women in the provincial transportation database, reportedly for “curiosity” and “attraction,” plus six into colleagues; the same service had shortly before disciplined another member for similar searches. [accused] And in Lethbridge, an officer was suspended for allegedly using a police database to search a young woman two weeks after she alleged she had been sexually assaulted by a retired inspector of the same service. [alleged]

The Lethbridge matter changes the motive but not the mechanism, and that is the lesson. There the access is not courtship; it is the institution turning its own tooling on the person who reported one of its own. Same protocol, opposite purpose, identical invisibility. Whether the query is desire or defence, the log cannot tell, because the log was never asked to.

Counter: these are individual wrongdoers who were caught, charged, and in several cases convicted, so the system worked. They were caught, yes, but look at how: by accident, by a complaint, long after the fact, and (the Commissioner’s own finding) answered with measures that do not restore trust and do not remove access. Catching some misuse retrospectively is not the same as a system that records why each query was made.

§06 · The fix names the mechanism

The Saskatchewan Commissioner saw the whole thing and wrote the remedy in a single line. Recommendation 4 of Report 123-2025 asks the service to build a feature into IEIS requiring members to provide a reason, with sufficient particularity, when they conduct a query. That recommendation is the entire case stated as its own absence. You cannot launder a query through legitimate traffic if every query must declare its own pedigree, and that declaration is auditable against the file it touched. Require the reason at the moment of access, and the stalking search stops being identical to the lawful one: it now carries a justification that either matches an open file or does not.
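
What Recommendation 4 describes, sketched as an added example that is not IEIS code and does not come from the report: the query is refused without a reason, the reason is stored on the same log line, and an audit can then test that line against the file it cites. The file numbers, subject ids, the four-word particularity threshold and the exigent path (a nod to the speed objection in §02) are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed sample data: open files and the subject ids attached to each.
OPEN_FILES = {"2024-0117": {"S-1001", "S-1002"}, "2024-0342": {"S-2001"}}
MIN_REASON_WORDS = 4  # assumed stand-in for "sufficient particularity"


class ReasonRequired(Exception):
    """Raised before any record is returned when no usable reason is given."""


@dataclass(frozen=True)
class QueryRecord:
    member: str
    subject: str
    reason: str
    file_no: Optional[str]
    exigent: bool
    at: str


AUDIT_LOG: list = []


def run_query(member, subject, reason, file_no=None, exigent=False):
    """Gate at the moment of access: no reason, no query. The reason is logged."""
    if len(reason.split()) < MIN_REASON_WORDS:
        raise ReasonRequired("reason lacks particularity")
    if file_no is None and not exigent:
        raise ReasonRequired("cite a file number or declare exigency")
    rec = QueryRecord(member, subject, reason, file_no, exigent,
                      datetime.now(timezone.utc).isoformat())
    AUDIT_LOG.append(rec)
    return rec


def review(rec):
    """Audit one log line against the file it claims to serve."""
    if rec.file_no is None:  # only reachable via the exigent path
        return "REVIEW: exigent access, supervisor follow-up"
    subjects = OPEN_FILES.get(rec.file_no)
    if subjects is None:
        return "FLAG: cited file is not open"
    if rec.subject not in subjects:
        return "FLAG: subject not on cited file"
    return "OK"
```

A word count is only a crude proxy for particularity; the part that matters is that every log line now carries a claim an auditor can check against the cited file.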

Until that reason is captured, the breach stays structurally invisible. It uses the real credential (placement). It hides in the volume and produces a log entry identical to lawful work (layering). Its output, a located person, a contacted victim, a surveilled complainant, re-enters the world as ordinary policing (integration). The credential was the protocol. The reason was the pedigree. The system kept the first and never asked for the second, and a power built to protect people became a directory for reaching them.

The mechanism, stated as its absence: the system did not record reasons, so the pedigree was never attached to the protocol. Make every query declare its own reason at the moment it is made, and the laundering has nowhere left to hide.

The receipts

All primary or near-primary, public record only. A and B are the anchor pair: one city, one class of system, overlapping years.

Framing note, kept as context, not spine: the same era saw a public “Community Safety Data Portal” marketed to citizens as empowerment, by a service concurrently disciplining members for weaponizing its internal databases against women. The irony is the door that surfaces the case. The architecture is the case.

§07 · Need-to-know, named

Strip it to the structure. A credential is granted after real scrutiny, and from then on the system asks nothing further. Each query is supposed to carry a need-to-know, but the need-to-know is a sentence no one is required to write, so it is never captured, never checked at the moment of access, and reconstructed only if an audit happens to look. Misuse therefore wears the exact appearance of use: same login, same interface, same line in the log. The breaches that surface are the few that were noticed; the architecture guarantees the rest stay clean. And when a breach is proven, the same architecture has no way to keep the person in the job while taking the access away, so the access stays.

So the honest sentence is the cold one. A system that records a query but never its reason has decided, in advance, that a stalking search and a lawful one will look the same, and it will be right every time until someone, by luck, audits the log. The need-to-know was always the point of the rules. It was never a field in the database. Make it one, and the protocol finally has to carry its pedigree. Leave it out, and the power built to hold people’s information for their protection remains, quietly, the fastest way to reach them.

Companion reading. The institution turning its own machinery on the person who reported wrongdoing is the subject of Case 16 · The Container; the later scrubbing of the record of a breach is tracked downstream at policedata.ca; and the disclosure gap by design is the frame of The Register.


▸ Field record · The Laundering · Vol. II · Case 49 · The Need-to-Know ▸ Crew, not cargo. Keep the file open. A single structural claim, held: a police access system that records a query but never its reason makes misuse and legitimate use the same act, invisible at the moment it happens and separable only by a rare retrospective audit. The frame is money-laundering's placement / layering / integration, applied to access: placement is the clean, well-papered credential (CPIC: 80,000+ users, ~3,185 agencies, governed by a reference manual not a per-query justification engine; CSC Directive 564-5); layering is the unrecorded reason (Regina, OIPC Report 123-2025, 11 Dec 2025: 67 unauthorized IEIS searches into six people over three years, three months, fifteen days, found intentional and wilful, discipline "wholly inadequate," access not revoked because the officer still "required access"); integration is the used output (Regina sergeant, guilty plea 21 Nov 2025, ~15 years, ~30 women; Toronto, guilty plea 2018, three databases, plus the badge-and-note escalation). The recurring victims (former partners, crime victims, complainants) are the people the system holds and whose vulnerability the access multiplies; Lethbridge shows the same protocol turned on a complainant. The analytical payoff is OIPC Recommendation 4: require a reason with sufficient particularity at query time. That single fix is the laundering mechanism stated as its own absence. Receipts A and B are the Regina anchor pair; G is the architecture; C (Ottawa) and F (Lethbridge) are marked accused/alleged and unnamed. Gate: architecture not individual; OIPC findings and guilty pleas/convictions stated as fact, no motive added beyond them; the Ottawa "Community Safety Data Portal" promotion is context (the surfacing irony), not the spine. No crisis footer per the source spec. Kin: Case 16 (The Container); policedata.ca; theregister.felineunion.org.