MPS Encrypted Data
August 14 Town Presentation to Council and Press Release of Council Decision
Town staff made a presentation to council August 14, 2019 about the Midland Police Services Controversy (i.e. the 'encrypted MPS hard drives for which encryption keys have not been turned over'). The council decided, 6-2 to pursue legal action to compel the turning over of the encryption keys and consider possible legal action against Bill Gordon (currently a member of town council). There is a press release regarding the Town of Midland's decision to pursue legal action on the matter of the encrypted drives and possibly against Mr. Gordon.
I personally did not attend the council meeting as this issue is not good for my mental health, especially with a crowd of people in attendance, and I've decided to step back from it. I will of course follow it, though, and watch the recorded Town Council meeting.
Timeline on Simcoe.comhttps://www.simcoe.com/news-story/9549328-timeline-the-battle-over-encrypted-midland-police-records/
Two Questions Regarding the MPS Controversy
- Question #1: Why was the data in question not handled through the OPP as part of the transition?
- Question #2: Why was there a soup of data (civilian data mixed with non-civilian data) rather than being operationally separate and therefore the non-civilian data transferred to the OPP with the data that was transferred to the OPP?
August 9: Town Council Agenda Includes Encrypted Hard Drives issue
The agenda for the council meeting coming up August 14, 2019 contains the Town's position regarding the controversy surrounding the transfer of records from the former Midland Police Service to the Town.
Statement of Claim by Former Police Chief Mike OsborneStatement of Claim by Former Police Chief Mike Osborne
August 2, A Brief Brief on the Situation
What is this all About?
My understanding of what are the key components of this situation (Daniel F. Dickinson, a Midland resident)
- The Town of Midland (Ontario) disbanded the former Midland Police Service in favour of policing by the regional Ontario Provincial Police.
- There was a rather acrimonious debate surrounding the disbandment.
- Shortly before disbandment the town ordered the Midland Police Service to not remove any data from it's servers, even data that would be normally be at the point it should be deleted under the data retention policy.
- Shortly after the disbandment the town revealed the there were outstanding legal fees incurred by former chief Mike Osborne—the town claims it was unaware of the amount of money owing to the legal firm involved in the case.
- The Town of Midland ordered former chief Osborne to hand over the encryption keys for the data on the former Midland Police Service servers (which were encrypted at rest, as is the expected and customary best practice for sensitive data).
- The former chief has refused citing concern fro the privacy of citizens.
- I found out about this issue about the time of the October 2018 municipal elections and at that time, and since then, have publicly and privately stated my belief that the data ought to vetted and managed by the Ontario Provincial Police, Royal Canadian Mounted Police, or a privacy watchdog. The town has not indicated whether it agrees or disagrees with this position, however my judgement, based on the agendas for closed session council meetings, is that they are in disagreement with the position. (The town solicitor has also, in the past, expressed the opinion the data is town property, and the previous council went so far as to express the opinion that the data encryption amounted to theft).
- It has been claimed, to me, that the data on the former MPS servers includes things like police informants, criminal records checks, dispatch notes/information, and a variety of other extremely sensitive police data, which is the reason for the refusal to turn it over the town lock, stock, and barrel.
- The town published its statement of claim against former chief Osborne regarding the legal fees mentioned above in a public agenda, which I viewed—unfortunately the town's file naming scheme and website search, and organization are rather terrible, and I've not been able to locate the PDF in order to share a link here.
- I expressed my opinion to the town (not sure of council was forwarded the emails) that the town does not the have IT staff, and especially not the security budget and infrastructure, to properly protect that 'classification level' of data. I've to date not received a response the that proposition, but again based on the agendas for closed session, I believe that the town solicitor is arguing against that belief. EDIT: After reviewing older town agends I may be trying to read tea leaves in trying to glean information from close meeting agenda, rather than getting an accurate picture.
- Over a year after disbandment, the Town of Midland has still not settled the severance pay for former chief Osborne.
- Former chief Osborne has initiated a lawsuit against the town and police services board, with a number of serious and concerning allegations. EDIT: I am reminded that I should emphasize that these allegations have not been tested in a court of law.
Of interest may be the response to my Facebook post linking to this entry of a friend of mine who is a privacy advisor/auditor at a large tech company:
This is interesting... the Police Services Board act doesn't specify what happens to the data if a police service is dissolved. And MFIPPA has obligations for municipalities to protect the confidentiality of data - since they don't typically have access to identifiable police data, I don't believe they should be the custodians - it should be transferred to the OPP (as the OPP has to determine that there is adequate policing available which would include having the necessary information transferred appropriately)
If anything, the municipality may have responsibilities to making sure the data is held/stored safely; the former police chief may have responsibilities to hold the keys - but the city is fighting otherwise I guess