It took several months of trying and a Freedom of Information request to get ahold of the police department’s Drug Exhibit Audit last year. Far easier than obtaining that public report was gaining access to the department’s private social media passwords, which Halifax Regional Police mistakenly and unknowingly released to The Coast.
Two weeks ago, communications advisor Cindy Bayers emailed us a copy of the police department’s Social Media Monitoring Manual as part of her response to questions about HRP’s tweeting habits. The 15-page document contains basic rules on grammar and tone as well as guidelines for comment moderation.
It also includes step-by-step instructions for using HRP’s Facebook, Twitter, Photobucket and Hootsuite accounts, along with the corresponding usernames and passwords. The department was not aware of the mistake until The Coast contacted Halifax Police about it earlier this week.
“It was an error to not redact the passwords prior to the manual being sent to you,” emails Bayers. “In future, our documents will be vetted by our FOIPOP office prior to sending.”
The information was accurate at the time of the manual’s publication in February 2016, but Bayers says only two passwords hadn’t been changed since that time.
One of the still-active logins was for HRP’s Hootsuite account, which provides full access to all of the department’s Twitter accounts. The other was the email and password used to access the halifax.ca/police admin page where press releases are created and published.
It’s “potentially a serious screw-up,” says David Fraser, a privacy and technology lawyer with McInnes Cooper.
“[The Coast] is trustworthy, I presume, but credentials like that could be used for some pretty mischievous purposes,” he says. “There’s a lot of power in those passwords.”
The unsecured entry points have since had their passwords reset.
Fraser says he’s glad to hear the police are using a combination of letters, numbers and symbols in their social media passwords, but he’s less impressed the login details weren’t being regularly changed and were so casually documented.
“Login credentials should never be stored in a manner where they’re even potentially widely accessible like that,” he says. “I think, kind of, just basic information security practices says that should be the case.”
According to Bayers, the department had already been having earnest discussions over the last few weeks about a new “password strategy” for its social media, which when implemented will begin changing the login info every month.
The Social Media Monitoring Manual is used by the public relations unit to help train HRP staff tasked with monitoring police social media accounts. You can read the full document below. To the best of Bayers’ knowledge, it hasn’t been shared with any other members of the public or media.
Related Stories
Don’t @ me: Why Halifax police are turning to social media to improve public relations
Maybe don’t turn yourself in at Voluntary Surrender Day
Halifax’s overburdened FOIPOP office wants to go digital
Halifax police prep for cyber attacks
Nova Scotia’s FOIPOP site won’t be back online anytime soon
Halifax police at high risk of cybersecurity threats
This article appears in Mar 9-15, 2017.
All of that free dope in evidence lockup is obviously having an effect on performance.
Poor Cindy.
But David Fraser says “The Coast is trustworthy”? I think I need a new lawyer as he is obviously rather addled at the moment.
I nominate Cranky for Coast Comment of the Year.
That’s why he threw in the presumably. At least, I presume.
Why is this not on the front page? Who fucking cares what whobleejoo would ask Cheryl Blossom if she bumped into her getting a smoothie or whatever?
Patty: What shows up on our website’s front page mostly depends on how recently the article was posted. Since this one went up before our latest issue came out, it was bumped by other pieces.