Audit of Open Source Information
Access to Information Assessment
An assessment of this report with respect to provisions in the Access to Information Act produced no exemptions; therefore, this report is presented in its entirety.
Table of contents
- Acronyms and abbreviations
- Executive summary
- Management's response to the audit
- Objective, scope and methodology
- Audit findings
- Appendix A – Audit objective and criteria
- Appendix B – OM 26.5 online activity dashboard
- Appendix C – Management Action Plan
Acronyms and abbreviations
- Contract & Indigenous Policing
- Cadet Training Program
- Chief Information Officer
- Criminal Operations
- Division Criminal Analysis Section
- Divisional Informatics Officer
- Federal Policing
- Federal Technology Solutions
- Internal Audit, Evaluation & Review
- Information Technology
- Internet Protocol
- National Headquarters
- Operational Manual
- Operational Records Management Systems
- Open Source Information
- Open Source Intelligence
- Royal Canadian Mounted Police
- Subject Matter Expert
- Standard Operating Procedures
- Specialized Policing Services
- Shared Services Canada
- Tactical Internet Operational Support
- Unit-Level Quality Assurance
Open source information (OSI) is a key tool that is used organization-wide, across all business lines and within every RCMP division. OSI activities are performed by all categories of employees for a variety of purposes. It is often the first step in policing activities, and is just one component of a criminal investigation or intelligence gathering function. The RCMP Operational Manual (OM), section 26.5, titled Using the Internet for Open Source Intelligence and Criminal Investigations provides a framework for the collection and use of OSI and open source intelligence based on a 3-tier system (Tier 1: overt, Tier 2: discreet, Tier 3: covert).
The objective of the audit was to determine whether internet-related open source activities conducted across the organization were consistent and compliant with policy. The audit scope focused on internet-related open source activities in support of criminal investigations and criminal intelligence gathering at the national and divisional levels from April 1, 2018 to March 31, 2019.
Overall, the audit determined that internet-related open source activities conducted across the organization were neither consistent nor compliant with OM 26.5. The audit found that opportunities exist to develop a more robust governance framework and enhance national and divisional oversight of open source activities. Without clear roles and responsibilities, and adequate monitoring and oversight, the Force could be exposed to liability and reputational risk, or criminal prosecutions could be jeopardized and the resulting case law could restrict the future use of open source.
There was limited consultation for the development of OM 26.5 in 2015, and none for the policy update in 2019. The audit found that many employees were not aware that an open source policy existed or that it was applicable to the open source activities that they performed. In addition, OM 26.5 does not provide adequate information to guide users on how to capture, store and retain OSI. There is an opportunity to more broadly communicate OM 26.5 and educate employees on when it applies to their work. Supplementary guidance should be developed and shared across the Force, and should include: how to capture, store and retain OSI, and what constitutes acceptable Tier 2 infrastructure.
Finally, training and information sharing are valuable investments that would ensure that OSI users have access to current and up-to-date information, including relevant case law. Providing introductory-level training to RCMP employees conducting open source activities at the Tier 2 level would facilitate information sharing across the organization.
The management responses and action plan developed in response to this report demonstrate the commitment from senior management to address the audit findings and recommendations. A detailed management action plan is currently being developed. Once approved, RCMP Internal Audit will monitor the implementation of the management action plan and undertake a follow-up audit if warranted.
Management's response to the audit
Federal Policing (FP), Specialized Policing Services (SPS) and Contract and Indigenous Policing (C&IP) agree with the findings and recommendations of this audit, including the observation that there are areas where the RCMP could improve consistency and compliance with policy, training, infrastructure, and oversight to support open source activities. We recognize that proper training, support, and in particular the organization's approach to governance around this function is critical.
FP's Tactical Internet Operational Support unit was established to support an immediate need to provide tactical open source assistance to operations in the National Security program in the absence of a policy centre. FP, SPS and C&IP agree that all areas using open source information should be considered in the development and implementation of the management action plan (MAP) for this audit. Accordingly, the MAP will incorporate governance requirements to address all of the organization's collection, analysis and use of open source information.
A detailed MAP, which addresses the report recommendations, including specific timelines and milestones, will be developed for review by the Departmental Audit Committee prior to the next Committee meeting.
Deputy Commissioner Michael Duheme
Deputy Commissioner Stephen White
Specialized Policing Services
Deputy Commissioner Brian Brennan
Contract and Indigenous Policing
Open source information (OSI) is a key tool that is used organization-wide, across all business lines and within every RCMP division. OSI activities are performed by all categories of employees for a variety of purposes, such as investigations, intelligence gathering, outreach and public engagement, environmental scanning, and research. It is often the first step in policing activities, and is just one component of an investigation or intelligence gathering function.
Operational Manual (OM) 26.5 Using the Internet for Open Source Intelligence and Criminal Investigations defines OSI as unclassified, raw data that is derived from a primary source (e.g. the Internet) and can include any type of media in any format. The information is obtained, derived, or recovered lawfully, and is purchased or viewed from open or encrypted publicly available sources (e.g., websites, blogs, social networks, online databases, etc.).
OM 26.5 also defines open source intelligence (OSINT) as the systematic and passive collection of OSI, and its processing, analysis, and dissemination in response to specific law enforcement activities (e.g. criminal intelligence) or investigative requirements. OSINT is used as a valuable form of insight to generate tangible and actionable investigative leads that are complementary to traditional policing methods.
OM 26.5 breaks down the use of OSI into a three-tier structure, as follows (also summarized in Appendix B):
- Tier 1: overt online activities (e.g. research, environmental scanning, inquiry, public engagement, etc.).
- Tier 2: passive online activities for investigations and intelligence performed in a manner that minimizes identification to law enforcement (e.g. discreet, no engagement with a subject of interest).
- Tier 3: covert online activities in a manner that is explicitly concealed and safeguarded to prevent identification to law enforcement (e.g. engagement with a subject of interest is permitted with authority).
The Tactical Internet Operational Support (TIOS) unit, within Federal Policing (FP) Criminal Operations, was created in 2005 to respond to the increasing demand for support in internet-related investigations and is the national policy centre for OM 26.5. TIOS conducts internet research in support of criminal investigations by corroborating information, identifying associates and businesses, identifying a suspect's location and identifying witnesses and potential human sources.
While TIOS is the policy centre and an operational unit conducting its own open source activities, other RCMP stakeholders are inherently involved in open source activities through their respective policing mandates. Specifically:
- Federal Policing (FP) is responsible for a wide range of activities under the Federal mandate, including investigating drugs and organized crime, economic crime, and terrorist criminal activity, enforcing Federal statutes, securing Canada's border, conducting international capacity building, liaison and peacekeeping and ensuring the safety of major events, state officials, dignitaries and foreign missions.[Footnote 1] This is carried out by various areas, including FP Criminal Operations which provides national oversight and governance of serious and organized crime, cybercrime, financial crime, and border integrity criminal investigations, and provides strategic and tactical operational support, advice, and direction to divisional investigative entities.[Footnote 2]
- Specialized Policing Services (SPS) is responsible for critical front-line operational support services to the RCMP and partners across the entire Canadian law enforcement and criminal justice communities, as well as for providing assistance to foreign law enforcement partners. Within SPS, Technical Operations provides direct specialized investigative and operational services to frontline police officers by delivering vital policing solutions for the 21st century. In addition, Criminal Intelligence Service Canada (CISC) uses OSI in its delivery of intelligence products and services to help reduce the harm caused by organized crime. Also within SPS, the Chief Information Officer (CIO) is responsible for the RCMP's Information Management and Information Technology (IM/IT) Program, which includes all information necessary to carry out the RCMP's mandate, as well as developing and managing the technology, infrastructure, and systems used to access, communicate, record, share and manage this information.
- Contract and Indigenous Policing (C&IP) is responsible for managing the Contract Policing business line, including Provincial, Territorial, Municipal and Indigenous policing. C&IP has functional oversight over the divisions, who use OSI for investigations, intelligence and research. C&IP is the national policy centre as it pertains to the collection and standardized use and sharing of information across its various business lines.
- Criminal Operations (CROPs) Officers in the divisions are responsible for all intelligence and investigational support within their prescribed territory.
The Commissioner approved the Audit of Open Source Information in the 2018-2023 Risk-based Audit, Evaluation and Data Analytics Plan.
Objective, scope and methodology
The objective of this audit was to determine whether internet-related open source activities conducted across the organization were consistent and compliant with policy.
The audit examined internet-related open source activities in support of criminal investigations and criminal intelligence gathering at the national and divisional levels from April 1, 2018 to March 31, 2019.
Specifically, the audit examined how employees gathered publicly available information sources when conducting online queries (e.g., social media, blogs, corporate registries, etc.), and how their findings were captured, stored and retained. The audit assessed existing internal controls (e.g., policies and procedures, training and tools, monitoring and reporting mechanisms, etc.) that supported the use of internet-related open source information. The audit focused on Tier 2 functions as defined in national policy OM 26.5.[Footnote 3]
The audit scope did not examine how and whether internet-related open source information was subsequently used in law enforcement decisions (e.g., to follow a lead, included as evidence in court, laying of charges, etc.).
Planning for the audit was completed in October 2019. In this phase the audit team conducted interviews, process walkthroughs, and examined relevant legislation, policies and procedures. Sources used to develop audit criteria include OM 26.5 and other relevant policies and guidelines. The audit criteria are available in Appendix A.
The examination phase concluded in December 2019, and was focused on E, H and K Divisions, as well as TIOS at National Headquarters (NHQ). It employed various auditing techniques including interviews, documentation reviews, testing of mandatory forms and training, IT Infrastructure Questionnaires, and attribution testing on a sample of computers used for open source activities.
- The audit team sampled a total of 110 employees to determine if mandatory training was taken, and whether the necessary approvals were obtained to conduct open source activities and to create discreet online identities and accounts, where applicable.
- In addition, attribution testing was done to assess whether 46 sampled computers that are used for open source activities satisfied Tier 2 IT requirements.[Footnote 4]
Upon completion of the examination phase, the audit team held exit meetings to validate findings with personnel and debriefed senior management of the relevant findings.
Statement of conformance
The audit engagement conforms to the Institute of Internal Auditors' International Professional Practices Framework, and the Treasury Board of Canada Directive on Internal Audit as supported by the results of the quality assurance and improvement program.
Opportunities exist to develop a more robust governance framework including further clarification of roles and responsibilities, and the enhancement of national and divisional oversight of open source activities.
The audit expected to find a sound governance framework for open source activities conducted in support of criminal investigations and criminal intelligence-gathering across the organization, which included clear roles, responsibilities and oversight mechanisms. An effective governance framework would serve to reduce the risk that OSI is inappropriately obtained and used in support of criminal investigations and intelligence-gathering, and promote visibility of all employees conducting open source activities at the Tier 2 level organization-wide.
Roles and responsibilities
The governance structure with respect to OSI is defined in OM 26.5 Using the Internet for Open Source Intelligence and Criminal Investigations. The policy provides a framework for the collection of OSI and OSINT based on a 3-tier system (Tier 1: overt, Tier 2: discreet, and Tier 3: covert), which may be performed by all RCMP employees. TIOS within FP Criminal Operations is the national policy centre.
OM 26.5 was initially published in March 2015 and subsequently updated in July 2019. The audit team was informed that TIOS developed and updated the OM 26.5 policy governing the conduct of investigations on the internet due to a recognized policy gap within the organization. Prior to the development of OM 26.5, RCMP national policy did not exist on this topic and the Treasury Board did not have any policy guidance.
A key revision to OM 26.5 in 2019 included the creation of a roles and responsibilities section, changes to the role and responsibilities of TIOS and unit commanders, and expanded definitions. The 2015 version of OM 26.5 stated that TIOS was "responsible for the oversight of all open source intelligence and online investigational support activities in the RCMP." The 2019 version no longer includes oversight responsibility. It now specifies that TIOS is responsible for:
- providing strategic advice and tactical OSINT operational support,
- conducting risk assessments of specialized OSINT tools, techniques or tradecraft,
- developing, coordinating and delivering advanced OSINT training, and
- providing advice to technical authorities on internet network design, network security, software and desktop applications to support OSINT functions.
The 2019 OM 26.5 delegated oversight responsibility from TIOS to the unit level (e.g. unit commanders and line officers), including the authorization and monitoring of forms required for open source activities. Other examples of responsibilities delegated to unit commanders and/or line officers include:
- maintaining an up-to-date unit-level registry of the authorities granted to employees conducting OSI activities,
- conducting unit-level quality assurance (ULQA) for Form 6449 Online Identity Record submissions, and
- providing authorized practitioners the required IT infrastructure and open source related training.
However, many interviewees ranging from criminal intelligence analysts to detachment commanders across divisions stated that they were not aware of the open source policy and/or roles and responsibilities assigned to their position.
The audit found that roles and responsibilities related to OM 26.5 were not well understood by employees at all levels using OSI. Without clearly established and communicated roles and responsibilities, there is a risk that OSI will be inappropriately obtained and used in support of criminal investigations and criminal intelligence gathering, which can expose the Force to liability and potentially impact prosecutions.
Monitoring and oversight
Oversight and monitoring of the OSI function is needed to ensure that the Force conducts activities appropriately to support investigations and intelligence gathering.
The audit team observed that OM 26.5 no longer identifies responsibility for oversight and monitoring at the national level. Responsibility for oversight, including the authorization and monitoring of forms required for open source activities, was originally included in the 2015 policy but was delegated to the unit level in the 2019 policy revision.
The audit team was informed by TIOS that they did not have the capacity to fulfill their monitoring and oversight responsibilities as a national policy centre.[Footnote 5] In addition, TIOS did not consider their unit to be a national program as they do not have authority over other business lines and divisions that conduct open source activities organization-wide. In interviews, senior management from FP, SPS and the Strategic Policy and Planning Directorate, as well as a CROPs officer, agreed that other business lines should possibly have a role in the oversight function.
Although TIOS recognized that they cannot fulfill their role as a national policy centre, the absence of national oversight increases the risk that OSI will be gathered and used by employees across the RCMP without the appropriate authorization and without adhering to policy, which could increase the risk of unsuccessful prosecution of court cases due to inadmissibility of evidence.
Authorization to conduct open source activities
As the scope period of the audit was fiscal year 2018-19, audit testing was based on the 2015 OM 26.5. Testing was conducted to determine whether employees from specialized areas or considered subject matter experts (SMEs) had the required authorization for the level of open source activities that they were conducting. These employees were for the most part criminal intelligence analysts.
According to the 2015 OM 26.5, oversight mechanisms included the approval by the Non-Commissioned Officer (NCO) in charge (i/c) of TIOS, of Form 6448 Tier Registration Request to authorize an employee to conduct open source activities at a Tier 2 and Tier 3 level. Authorization is not required for the Tier 1 level. The audit found that TIOS did not approve any of the 110 forms sampled. As a result, the entire sample was considered to be non-compliant with the 2015 policy.
We were informed that TIOS changed their approval requirement on Form 6448 in January 2017 due to their lack of capacity for monitoring and oversight; however, OM 26.5 was not updated to reflect this change. The revised Form 6448 advised open source users that only forms for Tier 3 should be sent to TIOS for approval, and that Tier 2 forms should be recommended by the unit commander, approved by the line officer, and retained at the unit level. With this in mind, the audit team assessed whether unit-level authorizations by the unit commander and line officer existed on the forms. Testing results indicated that only 14% (15 of 110) of employees were authorized via Form 6448 to conduct open source activities:
- The majority of the sampled employees (71/110) had not completed Form 6448 because they were not aware of the policy requirement or they did not think that it applied to them.
- Of the 39/110 forms that were completed, most of these were recommended by the unit commander, but only 15/39 were approved by the line officer as required by the form.
- TIOS did not complete Form 6448 for their own employees. TIOS' rationale was that they felt automatically designated as Tier 3 by virtue of their role within the policy centre and the nature of their work in a covert environment. However, no such exemption is indicated in policy.
Authorization to create discreet online identities
An additional oversight mechanism existed within both the 2015 and 2019 versions of OM 26.5 with Form 6449 Online Identity Record that included the approval by a "manager" for the creation, modification and removal of discreet online identities and accounts that are used for Tier 2 and Tier 3 activities (e.g., fake social media accounts). The form did not specify the level of this manager position.
A key purpose for Form 6449 is to facilitate visibility over discreet online identities and accounts and potential deconfliction in law enforcement activities that are conducted on the internet (e.g., where a subject of interest could potentially be another police officer or law enforcement agent using a fake identity). This could be within the RCMP or with external partners such as the Canadian Security Intelligence Service or the Federal Bureau of Investigation. Other reasons for the form are to provide oversight in a situation where a discreet online identity or account was compromised and should no longer be used, and to ensure that Tier 3 practitioners do not venture into online undercover operations, which are governed by OM 30.8 Online Undercover Operations.
Audit testing was conducted on the same sample of 110 employees and results indicated that only 6% (7 of 110) had appropriately completed Form 6449:
- The majority of the sample (69/110) had not completed a Form 6449 because they were not aware of the policy requirement or they did not think that it applied to them.
- Of the 41/110 forms that were completed, only 7/41 included the required approvals.
- Instead of completing an individual Form 6449 for its employees, TIOS maintains an electronic database for their unit only. Similarly, H Division Criminal Analysis Section (DCAS) does not require their employees to complete Form 6449 but maintains a master list of discreet online identities that are used within the unit. OM 26.5 does not stipulate any substitute for the completion and approval of Form 6449.
Interviewees across divisions confirmed that no consistent process was in place to remove a discreet online identity when an employee leaves a unit. Discreet online identities were either retained by the practitioner in their new position, kept with the unit for use by a new practitioner, or left dormant and unused. This may create a risk that a discreet online identity could be used inappropriately if an original user maintains it when no longer required, or if a new practitioner assumes the identity without the proper approvals.
The audit did not find evidence that open source activities were being tracked or monitored at the national or divisional levels. In accordance with the 2015 OM 26.5, TIOS was responsible for entering and managing approved designations (Form 6448), as well as maintaining discreet online identities (Form 6449) in a national registry to facilitate visibility over discreet online identities and accounts and support potential deconfliction. Some interviewees stated that when offered, TIOS declined the forms and advised units to retain their completed forms at the unit level. Moreover, a national registry was not established by TIOS as required by the 2015 policy. The national policy centre should assess the value and adequacy of Forms 6448 and 6449 as oversight mechanisms to facilitate visibility over individuals performing Tier 2 and Tier 3 open source activities and their online identities.
The audit team was informed that due to TIOS' lack of resources to perform a policy centre role, the 2019 policy revision removed this requirement and currently requires the practitioner to maintain approved forms in a unit-level registry. As many interviewees were not aware that the policy existed, they were also not aware that oversight responsibility had been transferred to them.
Unit-Level Quality Assurance (ULQA)
The 2019 policy includes a new requirement that unit commanders conduct ULQA reviews on Form 6449 submissions as a monitoring mechanism. However, a ULQA guide for this activity has not been developed. Although ULQAs could be a useful tool to monitor policy compliance, they do not substitute for national-level oversight, which would allow for aggregating and analyzing results and identifying best practices and challenges that users are experiencing across the Force.
There is a risk that the lack of oversight and monitoring by the national policy centre could result in a lack of visibility over those who are conducting open source activities. This could jeopardize criminal prosecutions resulting in case law restricting the use of open source (e.g., if the employee did not have authorization for open source activities, or if information was not appropriately captured). It may also expose the Force to liability or create reputational risk to the organization.
Opportunities exist to improve policy compliance and promote consistent practices across the Force by developing supplementary guidance and further clarifying and communicating policy requirements for the capture, storage and retention of OSI.
The audit expected to find that national-level open source policy was established, maintained, communicated and followed. In addition, we expected that this policy would provide adequate guidance for capturing, storing and retaining OSI. Further, it was expected that any divisional level policies were aligned with national policy.
Consultation with relevant stakeholders is an important element when developing policy to ensure that policy issues are fully understood and views are considered. The audit did not find documented evidence to demonstrate consultation for the development of OM 26.5.
TIOS informed the audit team that business lines and divisional CROPs officers were consulted during the initial policy development process in 2015 to identify SMEs using the internet for criminal investigations and criminal intelligence gathering. TIOS reported that while the larger divisions identified SMEs, others did not. Further, C&IP did not fully engage and TIOS could not recall whether SPS was consulted. For the 2019 policy update, TIOS informed the audit team that no formal consultation was held with key stakeholders. OM 26.5 is used by many stakeholders across the Force, and compliance depends on stakeholder buy-in, awareness and understanding of the policy. The lack of consultation for the development of OM 26.5 may result in users not recognizing when OM 26.5 applies to the work that they do.
Some interviewees who were not part of specialized units did not believe that OM 26.5 was applicable to their open source work as they were not conducting online undercover operations or engaging with targets or subjects of interest (Tier 3 covert). Employees understood the definition of Tier 1 (overt) and Tier 3 (covert), but there was a lack of clarity regarding Tier 2 (discreet). Although open source is being used for all types of intelligence gathering and investigations (e.g., missing persons, hate crimes, homicides, break and enters, drugs, etc.), many interviewees did not realize that their open source work required Tier 2 approval.
While interviewees indicated that the majority of OSI research was conducted passively (e.g., not engaging or interacting with subjects of interest), some exceptions were reported that were contrary to policy, such as joining closed Facebook groups in a proactive monitoring effort to obtain information on upcoming events such as a protest or demonstration from online discussions, and using personal social media accounts to overtly try to contact a missing person.
There was limited engagement with key stakeholders within business lines and divisions in the development of OM 26.5. The lack of consultation does not ensure that policy issues are fully understood by relevant stakeholders and may prevent buy-in, or understanding of roles and responsibilities from the stakeholders for whom the policy would apply.
One of the responsibilities of a policy centre is to actively communicate and share relevant information to those who need it. This may include notice of new policy, relevant judicial decisions, guidance documents, communication bulletins, and training requirements. The audit team found that there is no information-sharing process in place for employees conducting OSI activities. Information is shared by the policy centre mostly on an ad hoc basis or upon request to specialized areas; however, it may not reach all members and the organization at large.
SMEs that were interviewed confirmed that the 2019 policy revision had not been communicated to them. TIOS reported that they have sent updates to CROPs in the past, and that they rely on CROPs officers to disseminate the information to divisional employees that need it. However, none of the CROPs officers from the sampled divisions could recall receiving any communication on OSI, including the 2019 OM 26.5 policy revision.
While OM 26.5 is available in the RCMP Manuals on the Infoweb, its existence may not be obvious because it is listed under Internet Facilitated Crime in the OM, which falls under TIOS within FP Covert Operations as a policy centre. Until the recent 2019 policy update with the inclusion of "open source" in its title, an Infoweb search for "open source" did not include OM 26.5 in the search results. With the exception of some supervisors and criminal intelligence analysts, most interviewees were unaware of the existence of OM 26.5.
As OM 26.5 had not been widely communicated to those involved in open source activities, units in the Force were not aware that they were assigned responsibility and accountability for OSI. Given the lack of awareness, there is a higher risk that open source activities may not be conducted in accordance with policy requirements.
According to Administration Manual III.4, divisions can develop supplemental operational policies when a directive applies only to their particular area, and when the information is not contained in any national policy. Supplements should not repeat national policy and only local practices unique to a province or territory should be included in divisional policy. Divisional policy must be consistent with and aligned to the RCMP national policy.
Divisional policy supplements from B, D, E, F, G and M Divisions were reviewed. While no major concerns were noted in regard to their alignment with national policy, it would be beneficial to review all divisional policy supplements related to OM 26.5 to ensure compliance and consistency across the Force.
The Internal Audit, Evaluation & Review Branch recently completed the Audit of Policy Management - Phase Two, which identified as a gap the absence of a requirement for national policy centres to review divisional policy. The absence of such a requirement can increase the risk of misalignment between national and divisional policy, as well as the inconsistent application of policy. This risk is increased with the absence of a national monitoring and oversight function.
Capture, storage and retention
Overall, OM 26.5 does not include specific information on how to capture, store and retain OSI. Instead it refers users to the IM Manual and the Canada Evidence Act. There was no evidence of other national guidance available to assist employees. A judicial decision in British Columbia from 2017 (R. v. Hamdan, 2017 BCSC 867) highlighted improper captures of OSI by the RCMP that resulted in an unsuccessful prosecution and has increased the need for additional prudence. Many interviewees were not aware of this case law. While the 2019 OM 26.5 refers to this case, national guidance was not established on how to properly capture OSI to ensure that court requirements are met.
Currently, the onus is on the user to ensure compliance with relevant policies and to maintain electronic evidence in a way that withstands the scrutiny of the courts. Interviewees confirmed that they needed guidance regarding acceptable methods to capture, store and retain OSI. They also advised that RCMP guidance was not available to assist them in defending their open source processes when required to testify in court.
The audit found that employees used a variety of methods to document OSI activities such as analyst work logs and notebooks, supplemental reports, detailed OSINT reports, simple or partial screen captures, e-mails, and narratives. Most analysts confirmed the use of discreet online identities and accounts to access open source material. In detachments, most members stated that they use personal accounts to access OSI. However, a few detachments noted that some fake accounts were available and shared.
Interviewees stated that they used various tools and practices for the capture of OSI, differing both between and within the divisions. This included taking screen shots, printing to PDF, and using specialized forensic-grade software.
In part due to a MacNeil Report recommendation (Footnote 6), a joint memo from Assistant Commissioners (A/Commrs) within C&IP, FP and SPS was sent to divisional CROPs officers in February 2018 that promoted the use of Social Studio (Footnote 7). However, there has been limited take-up on the use of Social Studio as many at the divisional level felt that it did not meet their needs. While OM 26.5 is not prescriptive with respect to the use of specific tools and software for the collection of OSI, the lack of a standardized approach could result in a risk to investigations and successful prosecutions.
Many analysts reported that their results of open source queries were sent to the primary investigator, or the file coordinator, who decides whether to upload them to the investigation file within existing Operational Records Management Systems (ORMS) such as PROS, SPROS, PRIME-BC, etc. Information stored within an ORMS follows the prescribed information management retention guidelines. Most OSI is stored as an Information File, which may have a relatively short retention period (e.g., two years).
Analysts reported that the OSI gathered is often too large to save to an ORMS, and must therefore be stored in an alternative repository such as personal or shared drives, USBs or external drives. In addition, some analysts retain OSINT indefinitely for future intelligence because the subjects of interest may remain a concern over longer periods of time for certain types of crime (e.g., serious and organized crime, drugs, terrorism, etc.), and previously gathered OSI may no longer be available on the internet. However, information stored still requires the user to determine and apply appropriate retention guidelines. Current practices present a risk that OSI may be retained beyond the retention requirements or deleted too soon. Further, users must consider IT security requirements and potential risks if aggregated OSINT is stored in an under-protected repository.
OSI is widely used by many RCMP employees for day-to-day policing, not just in specialized areas. If users are not aware of the appropriate methods to capture OSI in accordance with existing judicial decisions, there is a risk to investigations and successful prosecution, as well as the creation of new case law that may limit the use of OSI in future policing activities. In addition, inappropriate storage and retention of OSINT could result in possible liability issues related to privacy.
Training and IT infrastructure
There is an opportunity to provide open source related training and technical guidance on IT infrastructure requirements to RCMP employees conducting open source activities at the Tier 2 level.
The audit expected to find that employees conducting open source activities were provided with the necessary training and IT infrastructure for their tier level.
OM 26.5 Online Activity Dashboard (Appendix B) identifies training requirements by tier level as follows:
- Tier 1: No mandatory training requirements are identified.
- Tier 2: Employees are required to contact TIOS for recommended introductory-level training on open source. An AGORA course was being developed by TIOS but it was not completed at the time of the audit. Equivalent training programs were recommended by TIOS in the interim and were provided by internal providers, including the RCMP Canadian Police College and the Pacific Region Training Centre, as well as external ones (Footnote 8).
- Tier 3: Employees are required to take one mandatory advanced course for conducting open source activities in a covert environment. TIOS coordinates and delivers one mandatory course titled Tactical Use of the Internet. A list of optional courses to satisfy the Tier 3 level is also identified.
The onus is on the employee to identify the appropriate open source related training that they need based on their tier level. The dashboard clearly identifies the training requirements for Tier 3. However, the training requirements for Tier 2 are unclear. There is a risk that Tier 2 users who have not received training may gather and use OSI inappropriately.
Audit testing was performed on the sample of 110 employees who were for the most part analysts in specialized areas to assess whether they received mandatory training for the tier level in which they were conducting open source activities. Testing confirmed that 96% (106 of 110) of employees sampled had completed the appropriate training (Footnote 9). Many intelligence analysts indicated that they rely on their training more so than policy for OSI guidance. Some interviewees in specialized areas expressed that more frequent refresher training would be beneficial.
While most analysts in specialized units had completed the mandatory training for their tier level, many members at the detachment level had not received any open source related training. As detachment commanders and their representatives reported that divisional employees were not aware that they were working at the Tier 2 level, they were equally unaware that training requirements prescribed in OM 26.5 applied to them. As such, most had not received open source related training.
A senior official at Depot confirmed that there is no material related to the use of OSI or using the internet for policing activities in the Cadet Training Program (CTP). Any requests to add curriculum to the CTP must be supported by a needs analysis that identifies a gap in the competencies required by a front-line, general duty Constable upon the completion of basic training. Recognizing that the CTP has time constraints, consideration should be given to including open source in the curriculum as the majority of members are using open source in some capacity for day-to-day policing.
Although members may have obtained some information in other operational courses that have an internet element, there is still a need for introductory-level training on open source requirements to ensure that activities are being conducted appropriately to enable successful prosecution, prevent the creation of new case law, mitigate liability to the Force, and ensure officer safety from attribution risks, e.g., if members are using personal devices for OSI work. Opportunities exist to provide training to Regular Members as they are the main category of employee that are unknowingly conducting open source activities at the Tier 2 level.
The OM 26.5 policy identified the IT infrastructure requirements by tier level in the Online Activity Dashboard. A key element in the IT requirements is the concept of attribution, which OM 26.5 defines as "the process of identifying various data touchpoints that, together, can reveal identifying information." The differences for the Tiers consist of:
- Tier 1 activities are overt and attribution is not an IT concern.
- Tier 2 activities are required to be conducted on "low attribution networks" where the internet protocol (IP) address is not readily attributed to law enforcement. Procurement for both Tier 1 and 2 IT infrastructure follows the standard RCMP procurement processes for hardware and software.
- Tier 3 activities are required to be conducted on covert networks where attribution to law enforcement is explicitly concealed and safeguarded with the assistance of divisional backstopping activities and procured via sensitive expenditures (Footnote 10).
Requirements for Tier 1 and Tier 3 were clearly defined and understood; however, requirements for Tier 2 IT infrastructure were not. Further, no Tier 2 guidance or solution is currently available from TIOS or the IM/IT Program. Currently, the onus is on the user to understand their particular IT infrastructure needs and obtain the required set up, as well as apply appropriate mitigation strategies to minimize attribution risks. However, many users were not aware of the requirements.
The audit team was advised that when users request a Tier 2 set up, Shared Services Canada (SSC) provides the IT infrastructure, which is a stand-alone computer to access the open internet, unless the user specifies additional requirements. Interviews with intelligence analysts, detachment representatives, Divisional Informatics representatives and Divisional Informatics Officers (DIOs) confirmed that there was a lack of guidance for setting up Tier 2 IT infrastructure. The E and H DIOs stated that a stand-alone computer would not be sufficient to manage attribution risks, given that the hardware and software components may have identifiers for law enforcement (e.g., licenses). TIOS stated that a stand-alone computer may be sufficient, but advised that it depends on how the unit has set up their network, as well as the hardware and software components. TIOS also advised that the adequacy of the IT infrastructure was dependent on other factors such as the sensitivity of information being searched, the sophistication of the target or subject of interest, and whether open source users apply additional mitigations for higher risk cases (e.g., using virtual private networks).
The absence of clearly defined requirements for a Tier 2 IT infrastructure may result in employees using equipment or networks that are attributable to the RCMP. In addition, it is important that all detachments have access to appropriate Tier 2 equipment. To ensure that OSI users have access to current and up-to-date information, the national policy centre should supplement OM 26.5 with additional guidance including recommended tools and software to be used for open source, and technical requirements for Tier 2.
Conducting regular attribution checks on computers used for open source activities is considered to be a good practice to ensure that IP addresses are not directly attributable to law enforcement. While analysts were aware of attribution risks, many stated that they were not regularly conducting attribution checks. The majority of detachment employees interviewed were not aware of these risks and were not performing attribution checks.
TIOS advised that there are various layers of protection to minimize attribution, and only the first layer (being the IP address) can be easily tested to determine whether the initial digital footprint comes back to the RCMP. The audit team conducted this attribution testing on 46 computers and found that only one was directly attributable based on its IP address and the others were directly attributed to internet service providers, which is the desired outcome. A second test was performed to verify whether the latitude and longitude coordinates for these IP addresses could identify close proximity to an RCMP location. This increased the number of potentially attributable computers to six, suggesting that geo-mapping information could reveal identifying information and increase attribution risks.
Beyond the first layer of protection, there are other layers of protection that should be considered (e.g., all attributable components in the hardware and software) but TIOS advised that there is no way for a user to easily test this. Additionally, TIOS advised that even with an appropriate Tier 2 set up, low attribution cannot be assured if the user is on a shared internet network, and most interviewees were accessing the internet through a shared network. On a shared network, other users' online activity may inadvertently increase the risk of attribution. In contrast, a dedicated internet access provides better assurance of low attribution as it is used solely by the practitioner or the unit that is connected to it.
While the audit team's attribution testing did not reveal a high number of attributable computers, there remains a lack of clarity on whether stand-alone computers provide sufficient protection from attribution. Other factors should also be considered when determining whether risks are being adequately mitigated for Tier 2, for example, using virtual private networks if open source computers are on shared internet networks.
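The two-step first-layer test described above (who the egress IP address is registered to, then whether its geo-mapped coordinates fall close to a police location) can be run as a routine check over a unit's open source workstations. The following is an added example, not a tool or procedure from the audit or from OM 26.5; the keyword list, the 1 km proximity threshold, the facility coordinates and the sample records are all constructed assumptions, and the registrant and coordinates are taken as already looked up so the code runs offline.

```python
import ipaddress
import math
from collections import Counter
from dataclasses import dataclass

# ASSUMPTION: registrant strings treated as attributable. "government of canada"
# is included because the report notes that is not acceptable for Tier 2 either.
ATTRIBUTABLE_KEYWORDS = ("rcmp", "royal canadian mounted police", "police",
                         "government of canada")
# ASSUMPTION: the report says "close proximity" without giving a distance.
PROXIMITY_KM = 1.0
# CONSTRUCTED coordinates standing in for the unit's own premises.
FACILITIES = {"facility-A": (45.0000, -75.0000), "facility-B": (49.2000, -123.0000)}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class EgressRecord:
    host: str        # workstation label
    ip: str          # public address the workstation presents to the internet
    registrant: str  # organisation name from a WHOIS/RDAP lookup of that address
    lat: float       # coordinates from a geo-IP lookup of that address
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0088 * math.asin(math.sqrt(a))


def nearest_facility(rec):
    """Return (facility name, distance in km) for the closest known facility."""
    return min(((name, haversine_km(rec.lat, rec.lon, la, lo))
                for name, (la, lo) in FACILITIES.items()), key=lambda t: t[1])


def classify(rec):
    """Return (verdict, reason); verdict is DIRECT, GEO, LOW or INVALID."""
    try:
        addr = ipaddress.ip_address(rec.ip)
    except ValueError:
        return "INVALID", "not an IP address"
    # An internal address means the check recorded the LAN side, not the egress.
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "INVALID", "internal address recorded instead of egress address"
    # Test 1: is the address registered to an attributable organisation?
    org = rec.registrant.lower()
    for kw in ATTRIBUTABLE_KEYWORDS:
        if kw in org:
            return "DIRECT", f"registrant matches '{kw}'"
    # Test 2: does geo-mapping place the address next to a known facility?
    name, dist = nearest_facility(rec)
    if dist <= PROXIMITY_KM:
        return "GEO", f"{dist:.2f} km from {name}"
    return "LOW", f"registrant is an ISP; nearest facility {dist:.1f} km away"


def summarize(records):
    """Count verdicts across all checked workstations."""
    return dict(Counter(classify(r)[0] for r in records))


# CONSTRUCTED sample records (documentation address ranges, invented ISP name).
SAMPLE = [
    EgressRecord("ws-01", "203.0.113.10", "Example Residential ISP Inc.", 45.2000, -75.4000),
    EgressRecord("ws-02", "198.51.100.7", "Royal Canadian Mounted Police", 45.0000, -75.0000),
    EgressRecord("ws-03", "203.0.113.55", "Example Residential ISP Inc.", 45.0040, -75.0030),
    EgressRecord("ws-04", "192.168.1.20", "", 0.0, 0.0),
    EgressRecord("ws-05", "192.0.2.33", "Government of Canada", 45.4000, -75.7000),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        verdict, reason = classify(rec)
        print(f"{rec.host:6} {rec.ip:15} {verdict:8} {reason}")
    print(summarize(SAMPLE))
```

A LOW verdict covers only the first layer; it says nothing about attributable hardware or software components or about other users on a shared network.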
IT solutions for Tier 2 IT infrastructure
In 2017, the Low Attribution Network Application (LANA), which was supported by Technical Operations within SPS, was decommissioned. This left a gap in the RCMP's Tier 2 infrastructure as units are now responsible to obtain low attribution network infrastructure through SSC. There are two initiatives underway to develop a discreet Tier 2 infrastructure for the RCMP:
- Federal Technology Solutions (FTS) within FP is leading a project that is examining a cloud-based solution for Tier 2 called Project Cerebro. Initial testing was conducted by users across the country connecting to the cloud via stand-alone internet computers and was considered successful. The next phase of testing is underway whereby users access the cloud through existing RCMP Office Support System computers.
- NHQ Informatics Services is leading a project to develop a standardized process and network image for NHQ users to acquire a traditional Tier 2 infrastructure (that being physical hardware) through SSC. The goal is to deliver a discreet internet network connection whereby the IP address would be directly attributable to "the Government of Canada". However, TIOS advised that this would not be sufficient for Tier 2 because the policy intent is to appear as any normal individual accessing the internet, and not to be identified as a government entity.
While these ongoing initiatives were not included in the scope of the audit, the IM/IT Program, FTS, TIOS and NHQ Informatics Services should collaborate to maximize benefits, reduce duplication of effort and ensure that Tier 2 infrastructure requirements defined in OM 26.5 are met. Any enterprise-wide IT solution for Tier 2 work should consider the use of shared networks and all attributable components of the IT infrastructure, classification of OSI as "unclassified" and the potential risks when aggregate OSI becomes "classified" OSINT, IM requirements (e.g., data storage, retention, and backup data), and lastly, privacy considerations and implications on how and where data is stored (e.g., offshore servers and/or in the cloud).
The OM 26.5 Online Activity Dashboard referred to in Appendix B of this report restricts the use of mobile devices for OSI activities. Notably, for Tier 2, the dashboard states that "discreet mobile devices can only be used for validation/authentication of discreet online profiles." Interviews confirmed that there is widespread use of both personal and organizationally-issued mobile devices for open source activities by members.
Based on one of the MacNeil report recommendations (Footnote 11) and the RCMP Vision150 initiative, smart phones are being deployed to all front line members to enhance situational awareness, improve tactical responses, and increase officer safety. As of September 2019, 10,000 devices have been purchased, with approximately 8,700 deployed (Footnote 12). These devices will have applications that will not be backstopped. However, if these devices are used overtly for OSI functions that should be performed in a discreet or covert manner, this may create a risk of attribution to the RCMP or to employees themselves, possibly increasing the risk to officer safety.
While the roll-out of the smart phones is underway, no additional guidance has been provided regarding acceptable user practices in relation to open source activities on these mobile devices, e.g., downloading applications, using personal social media accounts, or creating fake ones to access publicly-available information. Any enterprise-wide IT solutions for Tier 2 should consider the widespread use of mobile devices in addition to potential attribution risks, IM requirements, and privacy considerations.
OSI is a key tool that is used organization-wide, across all business lines and within every RCMP division. OSI activities are performed by all categories of employees for a variety of purposes, including investigations, intelligence gathering, outreach and public engagement, environmental scanning, and research. It is often the first step in policing activities, and is just one component of a criminal investigation or intelligence gathering function.
Overall, the audit determined that internet-related open source activities conducted across the organization were neither consistent nor compliant with OM 26.5. Opportunities exist to develop a more robust governance framework and enhance national and divisional oversight of open source activities. Without clear roles and responsibilities and adequate monitoring and oversight, visibility over those who are conducting open source activities may be lacking. This may create a risk to investigations and successful prosecution, as well as new case law that may limit the use of OSI in future policing activities.
There was limited consultation for the development of OM 26.5 in 2015, and none for the policy update in 2019. The audit found that many employees were not aware that the policy existed or that it was applicable to the open source activities that they performed. In addition, OM 26.5 does not provide adequate information to guide users on how to capture, store and retain OSI.
Given that OSI is widely used by many RCMP employees, there is a risk to investigations if users are not aware of the appropriate methods to capture, store and retain OSI. There is an opportunity to more broadly communicate OM 26.5 and educate employees on when it applies to the work that they do. Supplementary guidance should be developed and shared across the Force, related to the capture, storage and retention of OSI, best practices and preparation for court testimony, and acceptable Tier 2 infrastructure (including suitable software, equipment, storage systems and repositories).
Finally, training and information sharing are valuable investments that would ensure that OSI users have access to current and up-to-date information including relevant case law. There is an opportunity to provide introductory-level open source related training to RCMP employees conducting open source activities at the Tier 2 level and to facilitate information sharing across the organization.
1. The D/Commrs. FP, SPS and C&IP should collaborate to determine how best to fulfill the oversight function for open source activities, recognizing that open source is used by multiple business lines across the Force.
2. Following the decision relating to recommendation #1, the identified business lead(s) should ensure that:
   a) National oversight mechanisms are in place to improve visibility over open source activities being conducted in support of investigations and intelligence-gathering activities.
   b) The national policy is updated to reflect agreed-upon accountabilities.
   c) Supplementary guidance is developed and published related to appropriate capture of OSI, recommended tools and best practices, relevant case law summaries, and advice on court testimony for open source practices.
   d) Supplementary guidance is developed and published on the information management requirements for the storage and retention of OSI and OSINT. This guidance should clarify when OSI and OSINT would be considered a record of business value.
   e) A communication strategy for OM 26.5 is developed and implemented to educate employees Force-wide about requirements for open source activities and when the policy would be relevant to their duties. This may include the further development and completion of the OSI introductory AGORA course and consideration by the National Mandatory Training and Oversight Committee for making it mandatory for all Regular Members once it is available, as they are the main category of employee unknowingly conducting open source activities at the Tier 2 level.
3. The D/Commr. SPS, in collaboration with D/Commrs. FP and C&IP, should consider the feasibility of developing an enterprise-wide solution to address the current gap in Tier 2 infrastructure. In the interim, guidance for technical requirements and/or any mitigating measures (e.g., virtual private network) for Tier 2 infrastructure should be developed and disseminated to all Tier 2 open source users.
Appendix A – Audit objective and criteria
Objective: to determine whether internet-related open source activities conducted across the organization were consistent and compliant with policy.
Criterion 1: A governance framework that includes clear roles, responsibilities and oversight is in place for open source activities in support of criminal investigations and criminal intelligence gathering.
Criterion 2: Policy related to the use of open source information and activities is established, adequate, maintained, clearly communicated and followed.
Criterion 3: Employees are provided with the necessary training and tools to support the discharge of their responsibilities for open source activities.
Appendix B – OM 26.5 online activity dashboard
Appendix C – Management Action Plan
Management Action Plan
1 - The D/Commrs. FP, SPS and C&IP should collaborate to determine how best to fulfill the oversight function for open source activities, recognizing that open source is used by multiple business lines across the Force.
The policy development processes for the Force's use of open source information and oversight required regarding adherence to these policies spans all RCMP business lines. It is an example of a multi-faceted and complex organizational issue that would benefit from central coordination to support (i) policy development and evergreening required for RCMP manuals in relation to all three tiers of open source information (overt; discreet; covert), as well as (ii) the oversight and monitoring of open source activities in the field.
With respect to (i) policy development, Deputies agreed that how SEC proceeds on the MAP for the Audit of Policy Management Phase II will inform how best to fulfill this particular function.
Recommendations under the Audit of Policy Management Phase II that highlight the need for Force-wide policy development and lifecycle management processes and the need to create a centre of expertise for the RCMP Operational and Administrative Manuals, are directly tied to the gaps identified on the management of policy in the Audit of Open Source. A summary of the two options in the MAP for the Audit of Policy Management Phase II, going to SEC for consideration and decision, including a source of funding are as follows:
Option 1: Establish a new Policy Hub within a national corporate program responsible for oversight, guidance, publication and monitoring of policies, including: common standards and procedures; quality control; and guidance and compliance on policy development and lifecycle management for all RCMP administrative and operational policies. Policies and Publications Section (PPS), which is responsible for editing and publication, would move under the Hub. The Hub is funded through existing resources of the NHQ Business Line and Divisional user communities.
Option 2: Expand PPS and its current mandate of editing and publication, under the IM/IT Program, into a new Policy Hub responsible for oversight, guidance, publication and monitoring, including: common standards and procedures; quality control; and compliance monitoring; and guidance on policy development and lifecycle management for all RCMP administrative and operational policies. The Hub is funded through existing resources of the NHQ Business Line and Divisional user communities.
With respect to (ii) the oversight of open source activities and adherence to the policies, Deputies agreed that further options require development by an operationally-focussed working group to identify the oversight authority for the practice/use of open source in the organization. A working group will be established to bring relevant stakeholders together from RCMP business lines to consider a range of compliance mechanisms. The group would jointly develop options for an oversight authority. These options will be vetted by the new RCMP Operations Committee and, subsequently, presented to the lead Deputies for consideration and approval. This working group will, among other activities, ensure open source activities being conducted within each business line are clearly defined for monitoring purposes, and ensure they are addressed in operational policies (e.g. governance frameworks, standard operating procedures).
Milestones/Completion Date: Confirmation of a Policy Hub to provide centralized expertise on policy development and lifecycle management processes: December 31, 2020 (dependent on outcome from Audit of Policy Management Phase II MAP).
Positions Responsible: Deputy Commissioners of FP, C&IP, and SPS
2 - Following the decision relating to recommendation #1, the identified business lead(s) should ensure that:
a) National oversight mechanisms are in place to improve visibility over open source activities being conducted in support of investigations and intelligence-gathering activities.
b) The national policy is updated to reflect agreed-upon accountabilities.
c) Supplementary guidance is developed and published related to appropriate capture of OSI, recommended tools and best practices, relevant case law summaries, and advice on court testimony for open source practices.
d) Supplementary guidance is developed and published on the information management requirements for the storage and retention of OSI and OSINT. This guidance should clarify when OSI and OSINT would be considered a record of business value.
e) A communication strategy for OM 26.5 is developed and implemented to educate employees Force-wide about requirements for open source activities and when the policy would be relevant to their duties. This may include the further development and completion of the OSI introductory AGORA course and consideration by the National Mandatory Training and Oversight Committee for making it mandatory for all Regular Members once it is available, as they are the main category of employee unknowingly conducting open source activities at the Tier 2 level.
As part of its work to revise OM 26.5, the working group will engage the Information Management Branch to develop supplementary guidance, if necessary, on the information management requirements for the storage and retention of OSI and OSINT, in accordance with the new Treasury Board Policy on Service and Digital, which took effect on April 1, 2020. Any such guidance should clearly specify when OSI and OSINT is to be considered a record of business value. The RCMP's Access to Information and Privacy Branch will also be consulted.
The existing OM 26.5 chapter is narrowly focussed within one business line and will need to be completely revised to reflect stakeholder input in all three key tiers: overt, discreet, and covert. To reflect the cross-organizational ownership of the policy suite going forward, Force-wide training and communications about the changes will need to be centrally coordinated.
The Policy Hub will be responsible for working with National Communications on the development of a communications strategy at the outset of the revised suite of open source policies, and will communicate updates as it relates to one of the three tiers.
As it relates to training, the OSI policy working group will consult with Learning and Development to determine how to proceed for each tier of OSI use (i.e., overt, discreet, covert), such as whether the training can be made available on AGORA or whether more specialized training is required.
3 - The D/Commr. SPS, in collaboration with D/Commrs. FP and C&IP, should consider the feasibility of developing an enterprise-wide solution to address the current gap in Tier 2 infrastructure. In the interim, guidance for technical requirements and/or any mitigating measures (e.g., virtual private network) for Tier 2 infrastructure should be developed and disseminated to all Tier 2 open source users.
The IM/IT Program's completion of options analysis and recommendation of a viable standard solution (Completion date: November 30, 2020). Positions Responsible: CIO and the OSI Working Group