News + Opinion » City

Halifax police force blows IT security, then lies about it

The city’s auditor general says Halifax Regional Police sucks at handling covert information.

By

Consider this a visual representation of Halifax Regional Police’s information technology strategies - PHOTO MANIPULATION BY THE COAST
  • photo manipulation by the coast
  • Consider this a visual representation of Halifax Regional Police’s information technology strategies

If Halifax Regional Police’s information organization skills were a desk, that desk would be piled high with mismatched papers and zero-context sticky notes. There’d be a bunch of mugs, each with a crusting ring of mold forming at different heights of abandonment, and three cell phones—one encrypted, one broken and one that primarily uses Facebook messenger to communicate with colleagues. A sock, a laptop whirring under a box of unmarked evidence shoved into Ziplock baggies with a miscellaneous USB poking out of it, and probably crumbs. 

Lots of crumbs. 

A recent report from HRM’s auditor general, Evangeline Colman-Sadd, paints a clear picture that Halifax Regional Police is dropping the ball on managing its information technology security risks, from technological evidence to the way information is classified and stored. This comes five years after an internal audit, brought to public attention through a freedom of information request by The Coast, found HRP was dropping the ball on managing its physical evidence.  

The public version of Colman-Sadd’s report doesn’t include all the information discovered in  audit, as some of it is classified as in-camera–meaning problematic if discussed out in the open. The report says “given the sensitive nature of many IT topics, publicly reporting details of concerns identified could impact the safety and security of HRP operations.” 

But even abridged, the audit reveals a mess in the police force. The main crux of the report looks at a security risk assessment completed in 2016-17, and how a large chunk of the recommendations from that report haven’t been implemented.

On top of being wildly slow at implementing recommendations, when presenting the risk assessment report to the Board of Police Commissioners, the Halifax Regional Police lied. 

According to the audit, in 2019 HRP management told the police board that 13 of the risk assessment’s 67 recommendations were complete. But the audit found that six of those 13 were actually outstanding; one was technically not applicable instead of complete–because it was for the province to deal with; and another recommendation was marked complete when actually it was canned; leaving only five recommendations rather than 13 that were complete at the time of the presentation. 

The audit also found that HRP’s lone staff person who manages the covert IT systems isn’t supervised by anyone with an IT background and has no relationship with HRP’s chief information security officer, Andrew Kozma–who, fun fact, got a $30,000 raise between 2019 and 2020🙃 and had no idea the risk assessment existed until the auditors asked him about it. 

It’s true that technology has absolutely obliterated the systems all kinds of institutions used to use to keep things in order. It’s understandable that getting new systems in place takes time. But when a full-blown report on why HRP should have body-worn cameras can come together in a few short months, it’s hard to understand why other things lag for years at a time, especially when this means information and digital evidence–used to surveil and charge a disproportionate number of people of colour–is left unchecked and unaccounted for. 

Where HRP has thought through changes to its IT security policies, the report highlighted that those changes are stuck in draft form, with no specific plan to bring them to fruition. A broad policy review is one of the key objectives of the Board of Police Commissioners right now, but is also an item that doesn’t have a commissioner assigned to it, which is slowing the overall work to overhaul the policies. (Police policy is evidently a touchy subject. A freedom of information request was filed by Harry Critchley on behalf of the Nova Scotia Policing Policy Working Group in August 2020 for access to HRP’s policies as they stand right now, and the request was denied on the grounds the policies would be “reputationally damning to the organization” if they were made public.) 

As an example of a policy that’s missing, unclear or simply non-existent, the audit points to what happened–or didn’t happen–when work from home became a widespread reality. Instead of coming up with its own guidelines, the police defaulted to the city’s pandemic rules about what kind of information needs to be secured and how it can be  accessed from home. Apparently no one thought that perhaps the HRP employee would need more security than the parks and rec coordinator. 

Looking at the potential threats of the lax teleworking stance is one of the 12 recommendations laid out in the Colman-Sadd report, all of which HRP management has agreed to implement. The report says its advice doesn't necessarily require new infrastructure; more vital are new policies, and perhaps some extra money to get things done. 

And in a presentation this week to Halifax’s budget committee on the subject of extra money for HRP, Tari Ajadi, a member of the Nova Scotia Policing Policy Working Group, cited the auditor general’s report. HRP has a “track record of misleading council and misleading the board of police commissioners about important topics,” Ajadi said while asking council to take seriously the calls from the community to defund and reallocate police funding. Ajadi specifically asked council to reject HRP’s request for an extra $85,000 to employ someone to look into body-worn cameras, a request that comes after the Board of Police Commissioners punted its decision on the recent pro-camera report to next year.  

When council thinks about Halifax Regional Police’s funding, it’s worth asking if spending is the way to tidy up a messy desk. Or is more money just going to get lost in the mess?

Tags

Add a comment

Remember, it's entirely possible to disagree without spiralling into a thread of negativity and personal attacks. We have the right to remove (and you have the right to report) any comments that go against our policy.