RCMP breached policy on collection of online information: audit
Posted March 23, 2021 4:00 am.
Last Updated March 23, 2021 6:49 am.
An internal review says the RCMP routinely flouted its own policies when gathering information from the internet, potentially endangering investigations and prosecutions.
The newly released audit report says many members across the RCMP use “open source information” in the course of investigations, intelligence gathering, research and engaging with the public.
The national police force’s efforts in the open-source realm range from passive online reading to creation of fake social media accounts.
A section of the Mountie operational manual provides a framework for the collection and use of open source material.
However, the audit found that many employees were unaware that an open-source policy existed or that it applied to their activities.
Overall, the reviewers concluded that internet-related open-source activities conducted across the RCMP “were not consistent nor compliant with” the operational policy.
In a response included in the report, RCMP management agreed with recommendations to improve compliance with policy, training and oversight concerning open-source information.
“We recognize that proper training, support, and in particular the organization’s approach to governance around this function is critical.”
In December, RCMP Commissioner Brenda Lucki acknowledged the inadequacy of the force’s data-handling practices in her response to a watchdog report on Mountie surveillance of opponents of the now-defunct Northern Gateway pipeline project.
The Civilian Review and Complaints Commission for the RCMP said the force should provide clear policy guidance on collection of personal information from open sources such as social media sites, the uses that can be made of it and what steps should be taken to ensure its reliability.
The commission also said the RCMP should treat such information from social media sources as a separate category of records — data that should be kept no longer than strictly necessary.
In the latest report, the auditors found that roles and responsibilities related to the police force’s open-source information policy were not well understood by employees.
“Without clearly established and communicated roles and responsibilities, there is a risk that OSI will be inappropriately obtained and used in support of criminal investigations and criminal intelligence gathering, which can expose the Force to liability and potentially impact prosecutions,” the report says.
The auditors found most of the RCMP’s open source research was done passively, involving no interaction with subjects of interest.
But they noticed some exceptions that were contrary to policy, “such as joining closed Facebook groups in a proactive monitoring effort to obtain information on upcoming events such as a protest or demonstration from online discussions, and using personal social media accounts to overtly try to contact a missing person.”
The RCMP devised a standard form for the creation, modification and removal of discreet online identities, such as fake social media accounts.
A key purpose of the form is to allow RCMP to determine if a subject of interest is actually another police officer. It is also intended to help flag cases where an online identity or account has been compromised and should no longer be used.
However, an audit sample of 110 employees determined that only six per cent had properly completed the form with the required approvals.
Employees from various RCMP divisions also told the auditors no consistent process was in place to remove a discreet online identity when an employee leaves a unit.
In addition, the RCMP policy did not include specific information on how to capture, store and retain open source information gathered by the police force.