It took several months of trying and a Freedom of Information request to get ahold of the police department’s Drug Exhibit Audit last year. Far easier than obtaining that public report was gaining access to the department’s private social media passwords, which Halifax Regional Police mistakenly and unknowingly released to The Coast.
Two weeks ago, communications advisor Cindy Bayers emailed us a copy of the police department’s Social Media Monitoring Manual as part of her response to questions about HRP's tweeting habits. The 15-page document contains basic rules on grammar and tone as well as guidelines for comment moderation.
It also includes step-by-step instructions for using HRP’s Facebook, Twitter, Photobucket and Hootsuite accounts, along with the corresponding usernames and passwords. The department was not aware of the mistake until The Coast contacted Halifax Police about it earlier this week.
“It was an error to not redact the passwords prior to the manual being sent to you,” emails Bayers. “In future, our documents will be vetted by our FOIPOP office prior to sending.”
The information was accurate at the time of the manual’s publication in February 2016, but Bayers says only two passwords hadn’t been changed since that time.
One of the still-active logins was for HRP’s Hootsuite account, which provides full access to all of the department’s Twitter accounts. The other was the email and password used to access the halifax.ca/police admin page where press releases are created and published.
It’s “potentially a serious screw-up,” says David Fraser, a privacy and technology lawyer with McInnes Cooper.
“[The Coast] is trustworthy, I presume, but credentials like that could be used for some pretty mischievous purposes,” he says. “There’s a lot of power in those passwords.”
The unsecured entry points have since had their passwords reset.
Fraser says he's glad to hear the police are using a combination of letters, numbers and symbols in their social media passwords, but he’s less impressed the login details weren’t being regularly changed and were so casually documented.
“Login credentials should never be stored in a manner where they’re even potentially widely accessible like that,” he says. “I think, kind of, just basic information security practices says that should be the case.”
According to Bayers, the department had already been having earnest discussions over the last few weeks about a new “password strategy” for its social media, which when implemented will begin changing the login info every month.
The Social Media Monitoring Manual is used by the public relations unit to help train HRP staff tasked with monitoring police social media accounts. You can read the full document below. To the best of Bayers’ knowledge, it hasn’t been shared with any other members of the public or media.