NDP mistake identified whistleblower
Improperly redacted document led province to leaker, experts say
The Ontario NDP led the Ford government to the source of an embarrassing leak when it released a document last week that wasn’t properly redacted, sources say.
On Thursday, the official opposition scooped the government on a major announcement by releasing the draft version of a bill that overhauls Ontario’s health-care system and amalgamates several government agencies into one super agency.
While the leak blindsided the government, the document released publicly by the NDP also led the province directly to the leaker, according to three sources who spoke with iPolitics on condition of anonymity.
The sources include someone in government and two people close to the government.
Additionally, two privacy experts confirmed to iPolitics that the unredacted information in the document would have helped identify the NDP’s source. The 81-page PDF — marked “confidential” — includes a URL and a date at the bottom of each page. The sources said those two pieces of information made for quick work identifying who made the leak.
Within four days of the document’s release, interim cabinet secretary Steven Davidson released a memo saying the government had found the person responsible, fired them and called the OPP.
The OPP confirmed on Tuesday that its Anti-Rackets Branch is reviewing the case, but hasn’t decided yet whether to open a full investigation.
iPolitics repeatedly asked NDP Leader Andrea Horwath on Monday whether her party had done its due diligence to protect the identity of the source when it released the draft bill.
She didn’t answer the questions and instead deflected to the government’s response.
“I’m very concerned about what may happen to possible potential whistleblowers because of the threats that Mr. Ford has made,” she said. “I’m going to not respond to those kinds of questions particularly because of those threats.”
Premier Doug Ford has not made any public comments about the leaked documents or the source of them. Horwath’s office later said she was referring to news reports based on anonymous sources that the government had decided to call the OPP.
In a followup statement on Tuesday, NDP spokesperson Erin Morrison said the party received the documents “with permission from the source or sources to release them as delivered.”
“We believe that nothing on them could have revealed the source, and have verified that to the best of our abilities,” she wrote.
However, two privacy experts say the party wasn’t successful.
Importantly, they said the link at the bottom of the page, which is from the government’s remote email website, would have helped the government identify the user.
University of Toronto computer science professor Graeme Hirst said with “certainty” that the URL “included a key for the right to access the document through the government’s web-based electronic mail system that uniquely identified the user.”
Privacy consultant and the former privacy director at Cancer Care Ontario John Wunderlich noted that the link at the bottom of the page is a partial URL. But he said even with that handicap, the government could have used it to search its internal database and then the date would have been used to narrow down the search.
“The point is that there are multiple routes by which (the government) could find the document and the person who accessed it or emailed it,” Wunderlich said.
He said it would have involved “relatively straight forward forensic IT work.”
He also said the NDP should have redacted other parts of the document, as well, if its goal was to ensure that the identity of the source was protected.
Namely, he said the file reference numbers in the top right corner of the first page would have at the very least helped the government narrow down who had access to the specific version of the draft bill.
“They didn’t exercise as much diligence as they could have,” Wunderlich said.
The NDP did not answer direct questions about why the link and the file reference numbers weren’t redacted.
Wunderlich said the proper procedure for anyone considering releasing leaked information should be to first ask an expert how the document can be scrubbed of all identifying information.
“They need to know the limits of their own expertise,” he said.
“This applies to all political parties. Given their lack of digital skills and digital awareness, I would say that this could have happened to any of the parties.”
“Anybody who wants to receive this kind of material from sources more than once has to protect their sources,” he said.