The report was embellished with red typeface, warning signs and a red traffic light.

Researchers at the French cybersurveillance firm Altrnativ had investigated a candidate for an entry-level job at the French military manufacturer Dassault Aviation and decided she was suspicious.

The report described the woman as “a strong and true risk for Dassault's security and safety” and recommended the defense company “send a report to French security services.”

Its evidence: The woman’s “social media connections.”

The report, contained in a trove of internal Altrnativ documents seen by POLITICO, shines a spotlight on the rapidly growing cybersurveillance industry, in which companies scour the internet for information on their clients’ rivals, critics and employees, with little or no regulatory oversight.

With the proliferation of online information, especially on social media, it's an industry privacy watchdogs and legal experts say has worrying implications for minority rights and the sanctity of personal information. “There’s a problem in the business model of these companies, for individuals to be able to assert rights over them, and to be able to control how they are labeled,” said Ravi Naik, a lawyer and legal director of AWO agency, a law firm specialized in data protection, noting the industry incentivizes the collection of personal data.

“They exist to create profiles on individuals without those individuals knowing,” he said. "The more information they have, the better their sales pitch is to potential clients.” The 18-page document Altrnativ produced in the summer of 2021 for Dassault described the job applicant, a graduate student of North African heritage, as a “sympathizer” of the Muslim Brotherhood, an international Islamist organization.

To back up this claim, the dossier reported the woman had “liked” the Facebook pages of two well-known and established Muslim NGOs that were banned by the French government in 2020, and the page belonging to the founder of one of them, Idriss Sihamedi, who was found guilty in 2021 of cyber harassment for bullying people on Twitter.

Harvesting this kind of information to screen employees can be problematic under European Union law. While governments can scour such material to approve security clearance, companies must follow strict privacy rules, particularly when it relates to topics such as religion.

The woman being investigated had also liked the French Muslim community radio Beur FM and the U.K.-based news outlet Middle East Eye, both mainstream media outlets. The report also said she “followed” (as opposed to “liked”) Tariq Ramadan, an Islamic scholar who was French media’s go-to conservative Muslim until he was accused of rape by multiple women in 2017. She also “followed” Medine, a popular French rapper of Algerian descent known for his political lyrics.

The report did not establish when the job applicant had liked the Facebook pages, or why she had elected to follow them.

It did however include a screenshot of an Instagram post showing North African pastries she had baked for an Eid al-Fitr party organized by a student association promoting Arab culture. It also noted she spent a semester abroad at a university in a large Muslim country.

This, the report warned, “raises questions on her motivations and possible collusion with foreign intelligence. This point is not yet formally demonstrated and still needs to be assessed.”

Altrnativ advised Dassault to ask the applicant why she studied abroad when France has “many universities offering [language] classes and [her field of study].”

The woman was not hired by Dassault, which did not respond to a request for comment.

'Weak signal’

Digital rights watchdogs said the growing use of personal online data by companies making important decisions, like whom to hire, risked reinforcing biases and impinging on privacy.

“The problem we often have with data scraping with a minimum of analysis is that we reinforce a discrimination that already exists,” said Estelle Massé, an expert in data protection at the digital rights advocacy group Access Now.

“It’s not just an invasion of privacy, it also means that what you do online can be used at any time,” she added. “That means we no longer have the right to make mistakes in our lives, to think one thing and evolve."

The constant collection of data is creating an "Orwellian world” and a “feeling of constant surveillance,” said Max Schrems, founder of privacy rights group noyb (None of Your Business).

“There’s a larger chilling effect if people feel like they cannot ‘like’ something online because in the future it might get them out of a job,” he added. “Even when it doesn’t happen, people get the feeling it could and therefore limit their free speech online.”

The job applicant wasn’t the only person Altrnativ investigated for Dassault. The Altrnativ documents include four other reports. One was a due diligence investigation of a partner company’s anti-corruption policies. Another concerned a court case involving potential business partners. Neither of these included information on the subjects’ families or personal opinions.

The two other reports did. Like the investigation into the job applicant, both looked for “possible collusion with foreign intelligence” and targeted people of North African descent.

One verbose 14-page report on a French-Algerian engineer working for Dassault found no “specifics likely to amount to an alert signal indicating collusion with a foreign intelligence service.” But it noted the engineer is a member of a Facebook group for people interested in Algerian news.

This is a “weak signal,” the report said. It advised Dassault to be careful if the “social situation in Algeria were to become more serious, considering her frequent trips to Algeria.” (Altrnativ offered no evidence for the trips.)

The dossier also included pictures of the engineer’s children, taken from the Facebook page of her husband, who was also profiled.

The last report profiled a French-Moroccan job applicant for an engineering position at Dassault. It featured his Instagram username, his resumé and the name, picture and phone number of his wife. It also included a picture of him, part of a corny photo montage from 2007, apparently made by his then-girlfriend when he was a teenage boy. “I love you forever,” the caption says.

The investigators did not find any evidence of involvement with foreign intelligence.

The three people investigated by Altrnativ declined to comment on the reports. One of them asked not to be identified for fear it would hurt their professional future.

In an interview with POLITICO, Eric Leandri, Altrnativ's CEO, denied the people his company investigated for foreign collusion were chosen because of their ethnic background. “There’s no racism in my house,” he said. “There is no targeting. Nothing to do with origins or ethnicity.”

Privacy laws

The three reports may have violated European privacy laws, according to legal experts interviewed by POLITICO.

Under the EU’s General Data Protection Regulation, also known as GDPR, subjects of investigations like these should be told their data is being used, and how it’s being used.

The children whose faces appear in the report are also individuals with their own data rights, said Ravi Naik, the lawyer and legal director of AWO agency. “The processing of the child’s data is very, very problematic, particularly where the purpose of processing their data seems so unclear,” he said. “It can’t be for the purposes of any kind

of special investigation, as it is not an investigation into those children. It seems purely out of a morbid interest, and to gather as much data as possible on the target. I cannot see that ever being justified, and would hope regulators act.”

The EU’s privacy laws are particularly strict when it comes to handling information about political views or religion — even when the information being compiled is technically public. One exception is if the processing “relates to personal data which are manifestly made public” by the individual, such as their religion, explained Naik. But that can be tricky to determine.

“If you put on Facebook “I am a Hindu,” and then somebody processes that information, that would seem to be covered by the ‘manifestly made public’ exemption. But if I just start tweeting about Diwali, have I made my religion public? The question on whether it’s lawful to process this information is far from straightforward,” Naik said.

In the report on the job applicant, Altrnativ noted under the heading “Religious involvement” that she used a picture of a mosque as her cover photo on Linkedin.

Some sensitive job positions “can justify looking a bit further at the individual, and this can be done through qualified contractors, but the quantity of information needs to be proportionate with the position,” said Valérie Aumage, a French lawyer and head of the IT department at PWC Société d’Avocats. “You need to justify yourself to the employee that it’s necessary to collect information about their family.”One possible justification for an investigation is if an employee will be handling classified or otherwise secret data. However, in this case, the law is clear: “it’s always performed by public authorities,” said Eric Delisle, head of the employment, solidarity, sport and housing department at CNIL, the French data protection agency.

The three reports don’t make mention of security clearance.

Asked specifically whether Altrnativ broke the GPDR, Eric Leandri did not reply.