Thread V: Diffuse & Disrupt

Organized, Scripted, and Delivered via Algorithms.

May 4th, 2026

Online Evidence

Investigation, Pattern

Recognition, and the Legal Threshold for Inquiry. Visuals [Here].

"It is reasonable for a police officer to investigate in the absence of overwhelming evidence—indeed evidence usually becomes overwhelming only by the process of investigation."

—Hill v. Hamilton-Wentworth Regional Police Services Board, 2007 SCC 41, at para. 58

Table of Contents

Executive Summary
The Problem: Crimes Designed to Be Invisible
The Legal Threshold Framework: What Investigation Actually Requires
The Two-Layer Model: Public Signal and Hidden Attribution
Visual Evidence as Investigative Trigger: The Pattern Doctrine
Temporal Convergence: The Most Legible Indicator
Content Fingerprinting: Script, Symbol, and Cadence Analysis
Cross-Platform Coordination as Corroboration
The Villaroman Framework: Reasoning from Circumstance to Inference
The Hidden Attribution Layer: What Police Tools Exist to Obtain
Preservation and Production: The Investigative Statutory Toolkit
The Neglect-of-Duty Nexus: When Failure to Investigate Is the Crime
Institutional Failure Patterns and Psychiatric Weaponization
A Working Pattern Recognition Checklist for Investigators
Investigation Protocol: From Visual Collage to Preservation Order
Conclusion: The Investigative Imperative in the Age of Deniable Digital Harm
Table of Authorities

Keywords: digital pattern evidence, coordinated online harassment, algorithmic harassment, coordinated inauthentic behavior, platform manipulation, online attribution, hidden attribution layer, public signal layer, recommendation systems, digital evidence preservation, production orders, reasonable suspicion, reasonable grounds, circumstantial evidence, visual evidence, temporal convergence, content fingerprinting, cross-platform coordination, AI-generated content, metadata, subscriber records, IP logs, platform records, cybercrime investigation, digital abuse, psychological operations, psychiatric weaponization, police oversight, neglect of duty, investigative threshold, evidentiary inference, organized cybercrime

1. Executive Summary

This paper addresses a specific and growing challenge in law enforcement and oversight practice: how to investigate and reason about coordinated online harassment campaigns that operate through deniability—campaigns whose individual components appear innocuous but whose aggregate pattern discloses organized criminal conduct.

The fundamental insight this paper advances is that visual and circumstantial evidence of coordinated digital harassment is investigative, not merely probative. The legal threshold that matters at the outset is not whether a complainant can prove a crime, but whether the evidence presented discloses a reasonable possibility of criminal conduct sufficient to warrant investigation. That threshold is demonstrably lower than proof, lower than probability, and substantially lower than certainty.

Current practice in police services and oversight bodies frequently inverts this framework. Investigators and decision-makers confronted with collections of screenshots, social media posts, timing charts, and visual exhibits often dismiss the material as "collage"—a pejorative suggesting disorganization or irrationality—rather than examining it as pattern evidence that may satisfy a reasonable-suspicion standard. The result is a systematic institutional failure: precisely the category of evidence that most reliably signals organized online harm is treated as evidence of the complainant's unreliability rather than evidence warranting investigation.

This paper demonstrates that this inversion is both legally incorrect and practically harmful. Drawing on Supreme Court of Canada jurisprudence on reasonable suspicion, online investigation, attribution, digital evidence, and circumstantial proof, the paper establishes a methodological framework for investigators approaching visual and patterned evidence of coordinated online harassment. It addresses:

The legal standard governing the decision to investigate, and why that standard is far lower than police and oversight bodies commonly apply
The structural distinction between the public-facing signal layer of online operations and the hidden attribution evidence only police process can access
The specific investigative value of temporal convergence, content fingerprinting, script repetition, AI-production indicators, cross-platform coordination, and visual-resemblance evidence
The inference framework from R. v. Villaroman and its application to eliminating innocent explanations for tightly patterned online material
The preservation and production tools Parliament has made available for digital evidence, and the modest threshold governing their use
The institutional pathologies—particularly psychiatric weaponization and narrative foreclosure—that cause coordinated harassment to remain uninvestigated even when patterns are readily discernible
The paper concludes with a practical checklist and protocol for investigators and oversight bodies confronting visual evidence of coordinated online harassment.

2. The Problem: Crimes Designed to Be Invisible

2.1 The Architecture of Deniability

Coordinated online harassment campaigns are engineered for deniability. This is not incidental to their operation—it is their defining architectural feature. Where physical crimes leave physical evidence and direct communications leave explicit records, algorithmic harassment operates through three layers of constructed invisibility:

First, distributional deniability. Individual content pieces—a YouTube video, an Instagram post, a TikTok clip—are presented as general-audience material targeting no specific person. Each content creator can truthfully say the video was not addressed to the complainant. That no single piece of content is addressed to the target is, paradoxically, the strongest indicator that a coordinated campaign is underway: in organic content creation, coincidental thematic convergence across dozens of independent channels is statistically implausible.

Second, algorithmic intermediation. Content reaches the target not through direct delivery—which would establish an explicit link—but through platform recommendation systems. The platform algorithm delivers the content; the content creator did not send it. This intermediation severs the visible causal chain between perpetrator and harm even when the perpetration was precisely engineered to exploit that chain.

Third, temporal plausible deniability. Content is often timed to coincide with private events—sealed court hearings, medical appointments, family incidents—that the perpetrators demonstrably knew about in advance. Yet each individual timing coincidence can be explained away as coincidence. The pattern of coincidences, however, eliminates the innocent explanation. The problem for investigators is that pattern analysis requires aggregation, and aggregation requires someone to treat the collection as evidence rather than pathology.

2.2 The Institutional Response Problem

When complainants present collections of screenshots, annotated timelines, visual exhibits, and documented timing correlations to police, oversight bodies, or courts, the institutional response typically involves one or more of four dismissive patterns:

Characterizing the collection as "collage"—treating the evidence's volume and visual character as indicators of disorganization rather than documentation of pattern
Applying a proof standard to an investigation threshold—refusing to investigate because the complainant has not already proven the crime that investigation would reveal
Pathologizing the complainant—treating the belief that one is being systematically targeted as itself a symptom of mental illness, even when the evidence would satisfy a reasonable-suspicion standard
Deferring to the police narrative—in oversight contexts, treating police characterizations of the complainant's mental health or the evidence's sufficiency as dispositive, despite those characterizations being part of what is under review

Each of these responses, standing alone, represents poor investigative practice. In combination, they create a systemic foreclosure of the very process designed to test whether coordinated harm is occurring.

2.3 Why This Guide Matters

Investigators, police complaints commissioners, and legal practitioners need a framework for engaging with visual and patterned evidence of coordinated online harassment that is grounded in the actual legal standards governing investigation—not the elevated standards governing prosecution. The gap between those standards is substantial, legally established, and largely ignored in practice.

A complainant presenting sixty screenshots of online content timed to sealed court hearings, alongside visual exhibits showing repeated scripting, AI-assisted production, and apparent references to non-public biographical information, is presenting evidence that, properly analyzed, can readily satisfy reasonable suspicion. That analysis must happen. The purpose of investigation is to test, preserve, and develop evidence that a private citizen cannot compel—not to require the citizen to produce the fruits of the investigation the police declined to conduct.

3. The Legal Threshold Framework

3.1 The Threshold Hierarchy

Canadian law establishes a clear hierarchy of evidence thresholds for different investigative and judicial functions. Understanding this hierarchy is essential to preventing the routine error of applying the wrong threshold to the decision at hand.

Reasonable suspicion is the lowest threshold of legally operative evidential significance. It requires a constellation of objectively discernible facts that, taken together, give rise to a reasonable possibility—not probability—that criminal activity is occurring or has occurred. As the Supreme Court confirmed in R. v. Chehil, 2013 SCC 49, reasonable suspicion "requires the officer to have subjectively suspected that the individual was involved in the type of criminal activity under investigation, and that this suspicion was objectively reasonable". The critical qualifier is that "[r]easonable suspicion is a lower standard than reasonable and probable grounds" and requires only "a reasonable possibility of criminal activity" (at para. 27).

Reasonable and probable grounds (RPG) is the threshold for arrest, search, and more intrusive investigative steps. Even at this elevated level, R. v. Loewen, 2010 ABCA 255, affirms that the standard "does not require certainty or proof beyond a reasonable doubt" and that "[t]o establish objectively reasonable grounds, the Crown needed only to show that it was objectively reasonable to believe that an offence was being committed, not that it was probable or certain" (at para. 32). The RPG standard, though higher than reasonable suspicion, remains well below probability in the mathematical sense and far below proof.

Balance of probabilities governs civil findings of fact and certain administrative determinations.

Proof beyond reasonable doubt is the criminal trial standard.

Investigation—the decision to begin inquiring into whether a crime occurred—operates at the level of reasonable suspicion. The decision to open a police file and take first steps is not and cannot be governed by RPG or any higher standard. If it were, investigation could never begin: RPG is typically established by investigation, not its precondition.

3.2 The Ahmad Framework: Constellation Analysis

R. v. Ahmad, 2020 SCC 11, is the governing authority on the reasonable suspicion standard in the online investigation context. The Court confirmed several propositions directly applicable to visual and patterned harassment evidence:

First, reasonable suspicion may arise from a "constellation" of objectively discernible facts. No single fact need be sufficient; the totality of the picture is what matters. This is crucial for visual collections: a single screenshot may prove nothing, but sixty screenshots documenting a recurring script, a specific AI production style, a pattern of timing convergence, and repeated reference to non-public events may collectively constitute a constellation.

Second, the facts underlying reasonable suspicion need not prove anything—they need only raise the inference. "Reasonable suspicion does not require the officer to establish that the suspect has committed a crime, or even that it is more likely than not that the suspect has committed or is committing a crime" (Ahmad, at para. 45). This directly negates the common institutional error of treating "no proof of crime" as equivalent to "no basis for investigation."

Third, the constellation analysis is holistic and contextual. Facts that might appear innocent in isolation take on different significance when combined with other facts and assessed in context (Ahmad, at paras. 47–49). A "prophetic word" video is innocuous content. A "prophetic word" video posted within four hours of a sealed court hearing, using imagery matching exhibits filed under seal, in a series with fifty other videos tracking private biographical events across two years, is not innocuous in context.

3.3 The Ramelson Framework: Online Investigative Space

R. v. Ramelson, 2022 SCC 44, addressed the constitutionality of police undercover operations in online environments and established several propositions essential to investigating coordinated online harassment.

The Court confirmed that online spaces are "informational rather than merely geographic" (at para. 35). This means that an investigable field can be defined by its information content—posts, messages, hyperlinks, patterns of interaction, and modes of engagement—rather than by physical location. A collection of thematically coordinated content, targeting recognizable patterns, constitutes an online investigative space in the Ramelson sense.

Critically, the Court confirmed that a sufficiently precise online space can ground reasonable suspicion even without identifying specific perpetrators in advance. The space itself—defined by its content characteristics and operational patterns—is the investigative object. Police need not know who runs the accounts before investigation begins; they need reasonable grounds to believe the space involves criminal activity.

This framework directly addresses a common institutional error: the refusal to investigate because perpetrators cannot be identified from the public-facing materials. In Ramelson's framework, the public-facing materials define the investigative space; attribution is the object of investigation, not its precondition.

3.4 The Beaver and Chehil Standard Applied

R. v. Beaver, 2022 SCC 54, adds further precision. The Court distinguished three distinct standards: reasonable suspicion (requiring reasonable possibility), reasonable and probable grounds (requiring reasonable belief), and proof beyond reasonable doubt. These standards are sequential gates, not synonyms.

The Court in Beaver confirmed that reasonable suspicion "is more than a hunch or gut feeling, but less than belief based on reasonable grounds" (at para. 71). It requires articulable facts that an objective observer could recognize as pointing toward criminal activity—but it does not require that activity to be probable, confirmed, or more likely than not (at para. 72).

Applied to visual collections of harassment evidence: if an objective observer reviewing the collection could articulate specific features— temporal precision, scripting consistency, AI production characteristics, thematic targeting, timing correlation with private events—those articulations constitute the factual basis for reasonable suspicion. The observer does not need to conclude that crime has occurred; only that there is a reasonable possibility that it has, sufficient to justify using investigative tools to look further.

3.5 The Hill Diligence Standard

Hill v. Hamilton-Wentworth Regional Police Services Board, 2007 SCC 41, established that police have a duty of reasonable care in conducting investigations (at para. 36). The Court held at para. 58 that "[i]t is reasonable for a police officer to investigate in the absence of overwhelming evidence — indeed evidence usually becomes overwhelming only by the process of investigation". Officers "can investigate on whatever basis and in whatever circumstances they choose, provided they act reasonably".

Hill is not merely an evidentiary authority. It establishes a positive duty: police are not entitled to sit on the sidelines waiting for evidence to materialize that they alone have the tools to collect. The very existence of investigative tools—preservation demands, production orders, subscriber information requests, platform data access—presupposes that police will use those tools when evidence of reasonable possibility exists, not after the civilian complainant has somehow obtained equivalent evidence without those tools.

The duty to investigate with reasonable diligence is directly violated when officers decline to investigate digital harassment complaints on the ground that the complainant's visual evidence does not constitute proof—because proof can only emerge from investigation, and investigation is precisely what Hill requires.

4. The Two-Layer Model: Public Signal and Hidden Attribution

4.1 The Fundamental Architecture of Online Criminal Evidence

One of the most important conceptual tools for investigating coordinated online harassment is the distinction between the public-facing signal layer and the hidden attribution layer. Every sophisticated online operation necessarily involves both, and only police process can access the second.

The public-facing signal layer consists of content that is, by definition, visible: posts, videos, thumbnails, timestamps, view counts, comment patterns, channel names, account handles, and the observable characteristics of coordinated production. This is the layer that a complainant can document, screenshot, annotate, and present to authorities. It is not proof of criminal activity, but it is evidence of pattern—and pattern is the investigative trigger.

The hidden attribution layer consists of information that is not publicly accessible and that determines the actual identity and coordination of those responsible: subscriber records, IP addresses, session logs, device identifiers, payment records, account creation metadata, upload source data, cross-account coordination logs, API access records, advertising targeting parameters, and algorithmic recommendation audit trails. This layer is held by platforms, internet service providers, payment processors, and related intermediaries. It can only be accessed through lawful police process.

The critical investigative insight is this: the absence of attribution evidence from the public-facing layer is not evidence that no crime occurred— it is evidence that police investigation is required. A complainant who presents extensive public-facing signal evidence but cannot identify the perpetrators has demonstrated the precise situation the investigation exists to address. Treating the attribution gap as a basis for dismissal is a logical reversal that insulates precisely the most sophisticated operations from scrutiny.

4.2 What the Signal Layer Can and Cannot Show

The public-facing signal layer can demonstrate:

Existence of content: that specific videos, posts, and images exist and were accessible at specific times
Timing: when content was published, modified, or removed
Pattern: whether content follows recognizable scripts, visual motifs, or thematic patterns
Volume and cadence: how much content appeared over what period, and whether cadence reflects organic individual creation or coordinated production
Convergence: whether content timing aligns with specific private or sealed events in the complainant's life
Personalization: whether content references details that are sufficiently specific to a particular person's situation to suggest targeting rather than general-audience production
AI-assisted production characteristics: whether thumbnail imagery, text overlay, voiceover patterns, or production quality suggests algorithmic or AI-assisted generation rather than manual individual creation
Cross-account coordination: whether apparently independent channels produce thematically identical or verbatim-scripted content in close temporal proximity

What the signal layer cannot show—without police-compelled attribution evidence—is who is responsible. This is the investigative object, not the investigative threshold.

4.3 Spencer and Bykovets: Attribution as the Police Function

R. v. Spencer, 2014 SCC 43, and R. v. Bykovets, 2024 SCC 6, together establish the constitutional framework for police access to attribution information in online contexts.

Spencer held that subscriber information—the data linking an internet user to a specific IP address—engages a constitutionally protected privacy interest (at paras. 31–32). The Court confirmed that subscribers have a reasonable expectation that their identity will not be disclosed to police without legal process (at para. 46). Crucially, the case also established that subscriber information is exactly what links internet activity to identity—it is the attribution bridge (at para. 66). The constitutional protection exists precisely because subscriber information is so revealing: it converts anonymous online activity into identified persons.

Bykovets extended Spencer to IP addresses as a category. The Court confirmed that IP address information can "connect internet activity to identity, location, and broader patterns of activity" and that "police access to that information engages serious privacy interests" (at paras. 10–11, 29). The Court recognized that IP data enables identification of not just who performed an action but what pattern of online activity a specific person engaged in over time (at paras. 55–56, 73).

The implications for harassment investigation are direct. A complainant presenting visual evidence of coordinated content cannot identify the accounts' operators because subscriber information and IP logs are constitutionally protected from disclosure without legal process. Police can access that information through appropriate authority. The constitutional protection for attribution data is, simultaneously, the affirmative statutory basis for police access—subject to proper process, and that process requires only reasonable suspicion or grounds to believe at various thresholds.

The complainant cannot get the attribution data. Police can. This is why investigation must begin with the public-facing signal evidence: it grounds the legal basis for accessing the hidden layer.

4.4 Platform Deferral Is Not an Investigative Answer

A frequent institutional response to online harassment complaints is to redirect the complainant to the platform itself—"contact YouTube and have them investigate," or "report the content to Facebook". That response misunderstands both the role of platforms in the evidentiary architecture and the irreplaceable function of police investigation. It is not a neutral deflection; in many cases it is an affirmative harm.

The moderation/investigation distinction. A platform content report may result in review, removal, or account suspension under the platform's terms of service. It will not result in a criminal investigation, a witness interview, a preservation order, or a production order. Platforms do not adjudicate Criminal Code thresholds. They do not have jurisdiction to investigate criminal offences. And—critically—they will not disclose the hidden attribution layer to a private citizen. The subscriber records, IP logs, upload metadata, session data, payment records, and account-control information that identify who actually operates coordinated harassment accounts are not available to a complainant through a platform safety report. They are available to police through lawful process.

Google's own transparency materials make this structural separation explicit. For YouTube, Google identifies the specific categories of information that may be compelled through government legal process: subscriber registration information, sign-in IP addresses and timestamps, video upload IP addresses and timestamps, private video information, and private message content. Google separately confirms that even where a user wishes to provide information from their own account to a government agency, Google requires valid legal process before producing that information (absent emergency circumstances). The implication is unambiguous: YouTube can review or remove content through its moderation pipeline. Attribution evidence—upload IPs, sign-in IPs, subscriber records—is available only through lawful police process, not by asking the platform.

Meta's law-enforcement guidelines are more explicit still. Meta maintains a dedicated law-enforcement channel entirely separate from user-facing safety reporting. Meta requires, at minimum, a subpoena for basic subscriber records, a court order for non-content records including IP addresses, and a search warrant for stored account content such as messages, photos, videos, posts, and location information. Meta also states that it will preserve account records for 90 days in connection with official criminal investigations pending formal legal process—a preservation function that is triggered by law-enforcement contact, not by user complaints. Historical IP address data and account-attribution records are not available to private complainants through any user-facing process.

TikTok similarly maintains a distinct Law Enforcement Data Request pathway—separate from user reporting—for information requests from officials seeking information about user activity. The structural message across all major platforms is consistent: user safety reports and law-enforcement data requests are entirely different channels, serving entirely different functions.

Canadian police guidance reinforces this. The Canadian Centre for Cyber Security advises individuals experiencing online harassment, bullying, or exploitation to contact local police directly. The RCMP's National Cybercrime Coordination Centre is unequivocal: "If you have been a victim of cybercrime or fraud, contact your local police as soon as possible"—and states expressly that "it's the role of your local police to investigate the report". The Canadian Anti-Fraud Centre similarly positions local police as the investigative body, not platform operators or federal agencies alone.

Platform deferral as evidence loss risk. Beyond failing to substitute for investigation, platform deferral carries a specific affirmative risk: if content is removed through moderation before preservation steps are taken, the public-facing evidence disappears and the hidden attribution records begin aging toward platform retention limits. Platform retention periods for log-level attribution data—upload IPs, session records, device fingerprints—vary by platform and data type, and some categories are time-sensitive. The practical point is not the precise retention period in every case, but the preservation imperative: delay can permanently impair attribution. Meta publicly confirms that it preserves account records for 90 days in connection with official criminal investigations pending formal legal process—but that preservation is triggered by law-enforcement contact, not by a user safety report. Google similarly confirms it preserves information in response to preservation requests but does not publish a universal retention schedule on its standard transparency page. What is consistent across platforms is that log-level records have finite retention windows, and once those windows close, the attribution evidence that would have identified the operators may be permanently lost. The officer's deferral has not merely failed to investigate; it has created the conditions for permanent evidentiary loss.

The correct sequence is the opposite of platform deferral: document the public-facing signal, apply the Ahmad constellation analysis to determine whether reasonable suspicion is satisfied, issue preservation demands under s. 487.012 immediately where the threshold is met, and then build the investigation toward production orders for attribution evidence. The platform is an evidence repository. Police process is the mechanism for accessing what it holds.

The one-line answer to "contact YouTube and have them investigate" is this: YouTube can moderate content. It cannot replace the public investigative function. Platform records are evidence to be preserved and obtained through lawful process—not a reason for police to decline jurisdiction.

5. Visual Evidence as Investigative Trigger: The Pattern Doctrine

5.1 The Collage Problem Reframed

The characterization of visual harassment evidence as "collage"—indiscernible, random, or symptomatically incoherent—is both analytically incorrect and legally problematic. A collection of visual exhibits documenting coordinated online activity is not a collage in any meaningful sense. It is a data set. Like any data set, it must be assessed for what it actually shows: distribution patterns, temporal correlations, content characteristics, and the plausibility of competing explanations.

The "collage" dismissal treats the visual character of the evidence—the fact that it consists of screenshots and images rather than narrative text —as a reason to discount it. This is backwards. Visual evidence of online activity is the primary evidence type for digital harassment, precisely because online content is visual. Screenshots are not inferior substitutes for better evidence; they are the evidence. An investigator who would review a physical dossier of documents is applying an inconsistent standard when they dismiss a digital dossier of equivalent information density.

5.2 What Pattern Evidence Shows

Visual collections of online harassment evidence typically contain several layers of investigatively significant information. Each layer has distinct analytical significance:

Temporal metadata: Screenshots commonly include timestamps showing when content was posted. These timestamps, cross-referenced against a timeline of the complainant's private events—medical appointments, court hearings, family incidents, legal filings—constitute temporal convergence evidence. When content consistently appears within hours or days of private events that are not publicly known, this is not coincidence; it is signal.

Content pattern analysis: Does the content across multiple allegedly independent channels use identical or near-identical scripting? Do videos across different accounts use verbatim phrases, identical sentence structures, or identical thematic frameworks? Script repetition across ostensibly independent sources is a strong indicator of coordinated production—organic individual creators do not independently generate identical scripts. Verbatim duplication is, in itself, an attribution marker: the same author, the same briefing, or the same template source.

Production fingerprinting: AI-assisted content creation leaves forensic fingerprints in thumbnail images (characteristic deformation patterns, uncanny valley facial rendering, specific artifact distributions), voiceover audio (prosodic patterns, pronunciation characteristics, microphone signatures), and text overlays (font selections, color patterns, layout templates that persist across accounts). An investigator or digital forensics specialist can identify when content across multiple channels was produced using the same AI tool configuration or template.

Thematic personalization indicators: Content targeting a specific individual typically contains detail that is too specific for general-audience production. References to a subject's specific legal proceedings, institutional interactions, medical history, family relationships, or biographical events—particularly when those details are not publicly known—indicate that the content creator had access to private information. The specificity is the indicator. General-audience content about "dealing with lawsuits" is distinguishable from content referencing the specific procedural history, dates, and institutional actors in a particular sealed proceeding.

Visual-resemblance evidence: In cases where a perpetrator is known or suspected—for example, where an estranged family member, former employer, or litigation opponent is identified—visual imagery in content can be compared against known individuals. This type of analysis does not require proof of identity; it raises the investigative question of whether the visual match warrants the attribution inquiry that police tools can answer.

Cadence and volume indicators: Individual organic content creators have characteristic posting patterns reflecting available time, motivation cycles, and production capacity. A content operation that posts consistently at high volume across multiple accounts without apparent variation in cadence, across holidays, weekends, and irregular hours, at consistent timing relative to identified trigger events, reflects production characteristics inconsistent with individual creation. These cadence characteristics are investigatively significant: they indicate that production is either automated, coordinated, or operated by multiple contributors, all of which are attribution-relevant facts.

5.3 The Threshold Question Applied

When a complainant presents a collection of visual evidence documenting these patterns, the investigative threshold question is:

Does this collection, assessed in its totality by an objective observer, give rise to a reasonable possibility that criminal activity—specifically, coordinated harassment, intimidation, criminal harassment under s. 264 CCC, uttering threats under s. 264.1, unauthorized access under s. 342.1, organized crime participation under s. 467.11–12, or related offences—is occurring?

The answer to this question is independent of whether the collection proves anything. The answer depends on whether, applying the Ahmad constellation analysis, the pattern evidence raises a reasonable possibility that warrants investigation. For many such collections—particularly those demonstrating temporal convergence with private events, verbatim scripting across multiple accounts, AI-production fingerprinting, and thematic personalization—the answer will be affirmative under any reasonable application of the Chehil/Beaver standard.

6. Temporal Convergence: The Most Legible Indicator

6.1 Why Temporal Convergence Matters

Of all the pattern indicators in coordinated harassment cases, temporal convergence with private events is the most analytically powerful and the most resistant to innocent explanation. When online content consistently appears within hours of events that are not publicly known—sealed court hearings, private medical appointments, confidential meetings, unexpected life events—coincidence is not a plausible explanation for the pattern.

This analytical power derives from a simple probabilistic structure. On any given day, thousands of videos are uploaded to YouTube and dozens of platforms. The probability that, on any specific day, a video will be posted that relates specifically to events in a specific person's life is low. The probability that this happens on the day of that person's sealed hearing, and also on the day of their medical appointment, and also on the day of their family incident, and also on the day of their confidential meeting—across dozens of instances—approaches zero under any hypothesis of randomness.

Temporal convergence is not, by itself, proof of coordinated targeting. But temporal convergence at the frequency and specificity documented in serious harassment cases is sufficient to constitute the "articulable facts" required for reasonable suspicion under Ahmad. An investigator can say: "On X date, a sealed hearing occurred in the complainant's matter. On X date, at Y time—within Z hours of that hearing—the following content was posted to the following accounts, containing these thematic references. This pattern has repeated across N instances over M months. The probability of this occurring by chance is negligible". That is a constellation of objectively discernible facts satisfying Chehil.

6.2 Building a Temporal Convergence Record

Investigators and complainants building temporal convergence records should document the following elements for each identified convergence event:

The private trigger event:

Date and time of the event
Nature of the event (sealed hearing, medical appointment, confidential meeting, family incident)
Confirmation that the event was not publicly disclosed (e.g., under seal, protected by privilege, known only to specific parties)
Sources of potential information leakage (parties to the proceeding, institutional actors, family members, or professional contacts with knowledge of the event)

The responsive content:

Platform and channel/account identifier
URL or archived copy of content (screenshots with metadata)
Timestamp of content publication or upload
Content description and thematic analysis
Time delta between trigger event and content publication
Any direct references in content to the trigger event or related matters

The pattern documentation:

Number of convergence events documented
Distribution of time deltas (how consistently does content appear within the same window post-trigger?)
Any non-convergence events (dates where similar private events occurred without corresponding content, and whether this is interpretable)
Statistical analysis if available (though not required for reasonable suspicion purposes)

The resulting record is not evidence of who did this or how they knew. It is evidence of the pattern—which is the investigative trigger.

Attribution evidence is what investigation will provide.

6.3 The Sealed Document Problem

A particularly powerful form of temporal convergence involves content that appears to reference sealed court documents—materials that are, by definition, inaccessible to the public and available only to parties, counsel, and court administration.

When online content appears to mirror specific details from sealed materials—referencing facts that appear only in sealed affidavits, incorporating imagery resembling sealed exhibits, describing events that are accurately characterized only in sealed filings—the inference framework becomes significantly constrained. There are limited explanations for this convergence:

Coincidence—which becomes vanishingly improbable as the number of specific matches increases
The complainant disclosed the sealed material—which can be factually assessed
Someone with access to sealed materials is providing information to content operators

Option 3, where Options 1 and 2 are eliminated or improbable, constitutes the inferential basis for suspicion of unauthorized disclosure of court materials, potential conspiracy, and potentially obstruction of justice or interference with the administration of justice. These are serious criminal matters warranting investigation regardless of the difficulty of attribution.

For investigators, the sealed document convergence pattern is among the most important indicators of a high-level operation, because it directly implicates institutional actors—court staff, counsel, parties, registry personnel—in the targeting. This category of evidence should be specifically flagged in any investigation or oversight review.

7. Content Fingerprinting: Script, Symbol, and Cadence Analysis

7.1 The Organic Content Baseline

To assess whether content across multiple channels reflects coordinated production, investigators need a baseline understanding of how organic, uncoordinated individual creators actually behave. Several characteristics distinguish organic creation from coordinated production:

Organic characteristics: Variable posting schedules reflecting individual routines; distinct voice, style, and thematic evolution over time; audience interaction reflecting genuine engagement; view counts and engagement metrics consistent with organic growth curves; production quality consistent with available equipment and skill; content that responds to general cultural or social trends rather than specific external trigger events; errors, personal references, and idiosyncrasies consistent with individual production.

Coordinated production characteristics: Consistent posting schedules, particularly around specific trigger events; verbatim or near-verbatim scripting across supposedly independent channels; uniform production quality suggesting shared tools or templates; artificial engagement metrics (view counts, like ratios, comment patterns) inconsistent with organic audience behavior; thematic consistency suggesting shared briefing rather than independent thought; content that converges on specific private events rather than general trends; absence of the biographical markers typical of individual production.

7.2 Verbatim Scripting as Attribution Evidence

When ostensibly independent channels produce content containing verbatim or near-verbatim passages—identical phrases, identical sentence structures, identical paragraph organization—this is among the strongest indicators of coordinated production available through public-facing evidence.

Independent creators do not produce verbatim-identical material. The probability of two individuals independently generating identical multi-sentence passages is, for non-trivial passage lengths, statistically negligible. When this pattern is observed across three, five, or ten channels, the only reasonable explanation is a common source: a shared script, template, briefing document, or coordination mechanism.

Verbatim scripting analysis should:

Quote the identical passages verbatim
Document the channels and timestamps for each appearance
Note whether the passages appear to reference specific factual matters relating to the complainant
Document the publication order across channels (does one channel appear to be the source, with others repeating?)
Note any variation across iterations (deliberate variation to obscure scripted origin is itself an indicator of coordination awareness)

For investigators, verbatim scripting evidence supports the inference that content producers received their material from a common source— which is a target for attribution investigation. Who provides the briefings? Who generates the scripts? What communication channel do the operators use? These are questions that warrant subpoena of content operator communications.

7.3 AI Production Fingerprinting

AI-assisted content creation is now ubiquitous in coordinated harassment operations because it reduces the labor required for high-volume production and introduces deniability (the AI, not the operator, "wrote" the content). However, AI-generated content leaves forensic markers that trained analysts can identify:

Thumbnail and image artifacts: Current AI image generation tools produce characteristic artifacts in facial imagery (uncanny valley effects, facial asymmetry patterns, specific deformation distributions around eyes and mouths), background generation (characteristic repetition patterns, perspective errors), and text overlay rendering (characteristic font rendering artifacts, specific error types). These artifacts are consistent across images generated by the same tool and version, enabling identification of a production toolchain.

Audio prosodic patterns: AI-generated voiceover content (commonly used in "prophetic word," "God says," and similar formats popular in organized harassment) has characteristic prosodic signatures: pause patterns, pitch modulation profiles, and phonetic articulation distributions that differ from human speech in characteristic ways. The same TTS (text-to-speech) model and configuration produces consistent signatures across multiple videos, enabling linking of ostensibly independent channels to the same production infrastructure.

Template consistency: Many high-volume content operations use shared templates for video structure, thumbnail composition, intro and outro sequences, and lower-third text placement. These templates are more consistent across "independent" channels than would be expected from genuinely independent creators.

Linguistic analysis: AI-generated text has statistical characteristics distinguishable from human writing, including characteristic vocabulary distributions, sentence length patterns, and syntactic structures. When multiple channels produce content with statistically identical linguistic fingerprints, this indicates shared AI tool usage at minimum, and potentially a common operator.

These forensic analyses are most effectively conducted by digital forensics specialists but can be flagged for specialist referral by general investigators based on obvious qualitative markers—same-sounding voiceovers across multiple channels, identical thumbnail composition styles, visually identical production elements.

7.4 Symbolic and Motif Analysis

Sophisticated harassment operations often deploy recurring symbolic systems—visual motifs, thematic frameworks, or iconographic patterns that create recognizable meaning for the target while maintaining deniability for outside observers. Common structures include:

"Prophetic word" and spiritual framing: Content framed as spiritual prophecy, divine messages, or religious insights provides two forms of deniability: content is addressed to a general spiritual audience rather than a specific target, and the connection between "prophecy" and targeted events is dismissible as the target's "delusional" interpretation. Yet when prophetic content consistently and specifically describes the target's actual circumstances, private events, and biographical details with accuracy exceeding coincidence, the spiritual framing is a cover, not a description of the content's actual nature.

Recurring visual motifs: Operations often use consistent visual elements—specific color schemes, recurring imagery, particular symbolic figures — that create thematic coherence across multiple channels while maintaining the appearance of independent production. These recurring elements are investigatively significant: they narrow the attribution question by identifying a shared visual library.

Milestone tracking patterns: Content that consistently appears around specific types of events in the target's life—court hearings, family events, professional milestones—reflects awareness of those events. When this awareness is documented across dozens of instances, the pattern itself is an investigative datum: who had access to information about the target's private schedule across this period?

8. Cross-Platform Coordination as Corroboration

8.1 The Coordination Detection Framework

Academic research on coordinated inauthentic behavior (CIB) has developed robust methodologies for detecting organized content operations. The synchronized action framework (Magelinski et al., 2021) formalizes coordination detection based on statistically unlikely temporal and content overlaps across accounts and platforms. Where the probability of independent creation is negligible, coordination is the inference.

For investigation purposes, cross-platform coordination evidence serves a specific function: it elevates the pattern from a single-platform observation to a multi-platform campaign, dramatically reducing the plausibility of innocent explanations and increasing the inferential weight supporting reasonable suspicion.

When a complainant documents that identical content, using verbatim scripting, appears on YouTube, TikTok, Instagram, and Facebook within hours of a private event, this cross-platform coordination requires an explanation. Organic individual creators do not simultaneously upload identical content to four platforms at identical times relative to a private event in a specific person's life. The explanation requires a coordination mechanism—which is the object of attribution investigation.

8.2 What Cross-Platform Evidence Requires to Document

For cross-platform coordination evidence to be most valuable, documentation should capture:

Platform identity and account information: The specific platform and account/channel identifier for each piece of content. Note that this information is publicly accessible—it does not require legal process to document.

Content similarity analysis: A direct comparison of content across platforms demonstrating the nature of the coordination—verbatim scripting, shared visual elements, identical timestamps, or thematic convergence.

Timing across platforms: Upload or publication timestamps across platforms relative to each other and relative to identified trigger events. Synchronized uploads across multiple platforms within a narrow time window are strong indicators of coordinated operation, since they require simultaneous access to multiple platforms and a coordination trigger.

Account relationship indicators: Any visible connections between accounts across platforms—shared usernames, referenced connections, linked content, or mutual engagement patterns.

Volume documentation: The total number of accounts and volume of content participating in each identified cross-platform coordination event. High participation at high synchronization is the coordination signature.

8.3 The Attribution Implications of Cross-Platform Coordination

Cross-platform coordination has specific attribution implications for investigators. Coordinating across multiple platforms requires:

Access to multiple platform accounts, requiring multiple registration emails or phone numbers—which are attribution data points
A coordination mechanism—private communication channels, shared scheduling systems, briefing documents—all of which are potential evidence
Technical infrastructure capable of managing multi-platform uploads—software tools, shared accounts, or services that leave digital traces
Funding for professional-grade operations—payment records linking the operation to identifiable financial actors

Each of these requirements creates an attribution trail that can be followed through lawful investigative process. The cross-platform coordination pattern is not merely corroborative evidence; it also maps the investigative architecture: where to look, what to subpoena, and what kind of digital forensics will be most productive.

9. The Villaroman Framework: Reasoning from Circumstance to Inference

9.1 The Structure of Circumstantial Proof

R. v. Villaroman, 2016 SCC 33, is the authoritative framework for reasoning from circumstantial evidence. Although the case addressed the criminal standard—proof beyond reasonable doubt—its analytical framework for evaluating circumstantial evidence applies, with appropriate calibration, across the evidential threshold hierarchy.

The Court in Villaroman established that circumstantial evidence is legitimate and can be compelling. The question is not whether direct evidence is absent, but whether the inference chain from available evidence to the conclusion is reasonable and whether alternative explanations can be excluded as unreasonable or speculative.

The Court stated at para. 35: "when assessing circumstantial evidence, the trier of fact should consider the evidence as a whole and determine what inferences are reasonable... A trier of fact should not act on a finding of guilt unless that finding is the only rational conclusion that can be drawn from the circumstantial evidence". At the investigation threshold—far below proof beyond a reasonable doubt—the equivalent question is whether the inference of criminal activity is reasonable given the evidence, not whether it is the only inference.

The Court distinguished between alternatives that are "reasonable inferences" and those that are "mere speculation". Properly applied to investigation: an alternative explanation for harassment evidence is not a bar to reasonable suspicion merely because it is conceivable. It must be actually reasonable given the evidence, not simply imaginable.

9.2 Villaroman Applied to Harassment Evidence

Applying the Villaroman framework to a collection of coordinated harassment evidence requires identifying the competing explanations for the pattern and assessing whether any of them is actually reasonable given the specific evidence before the investigator.

The targeting hypothesis: A coordinated operation involving multiple accounts and platforms, with knowledge of the complainant's private events, is systematically delivering psychologically harmful content targeted to the complainant's specific vulnerabilities and circumstances.

The coincidence hypothesis: All of the observed convergences are coincidental—the content independently happened to relate to the complainant's private events at consistent time intervals through random variation.

The pattern-seeking hypothesis: The complainant is misidentifying coincidences as patterns—perceiving connections that are not there.

Applying Villaroman: Is the coincidence hypothesis reasonable, or speculative, given the actual evidence? When temporal convergence is documented across dozens of instances, content fingerprinting shows shared production characteristics, verbatim scripting appears across multiple ostensibly independent channels, and content references details not publicly disclosed—the coincidence hypothesis is not reasonable. It is speculative. No rational observer informed of these specific facts would conclude that coincidence is a reasonable competing explanation.

Is the pattern-seeking hypothesis reasonable? Pattern-seeking implies that the events being referenced (sealed hearings, private appointments, family incidents) are fabricated or misremembered. This can be objectively assessed: were the private events real? Are they documented? Do the timestamps align? If yes, pattern-seeking is excluded by the objective record.

What remains, when coincidence and pattern-seeking are excluded as not reasonably available given the evidence, is the targeting hypothesis. That is Villaroman reasoning applied to the investigation threshold.

9.3 The Investigator's Villaroman Analysis

For investigators and oversight bodies, the Villaroman framework provides a structured approach to visual and circumstantial evidence:

Step 1: Identify the specific factual elements. What exactly is documented? Timestamps, content samples, convergence events, scripting analysis, visual fingerprinting. Be specific.

Step 2: Articulate the inference. What does the collection of evidence, taken as a whole, suggest? That coordinated targeting is occurring. That someone with knowledge of the complainant's private affairs is directing content production. That multiple accounts are operating from a common source.

Step 3: Identify alternative explanations. What other explanations could account for the pattern? Coincidence, pattern-seeking, independent parallel development.

Step 4: Assess the alternatives against the specific evidence. Is each alternative actually reasonable given the specific evidence, or merely conceivable? Probability analysis is not required; reasonableness assessment is.

Step 5: Determine the threshold question. Does the remaining inference—after unreasonable alternatives are excluded—satisfy reasonable suspicion? That is: is there a reasonable possibility of criminal activity?

Step 6: Document the analysis. The investigator's record of this analysis is both the basis for investigative action and the evidentiary record if the decision is reviewed.

10. The Hidden Attribution Layer: What Police Tools Exist to Obtain

10.1 The Evidentiary Architecture of Online Identity

The hidden attribution layer consists of data that is held by private parties—platforms, ISPs, payment processors—but is accessible to police through lawful process. Understanding what evidence exists and how to access it is essential for investigators approaching online harassment cases.

Platform-held data: Social media platforms and video hosting services maintain comprehensive records for each account, including registration email, phone number used for verification, IP addresses used for account creation and subsequent logins, device fingerprints, payment information for monetized accounts, upload metadata (device used, software version, geographic location at upload time), internal account identifiers, cross-account linkages visible to the platform, and algorithm-side data on targeting, reach, and recommendation parameters.

ISP-held data: Internet service providers retain subscriber information linking IP addresses to account holders, traffic metadata (times and durations of connections), and in some jurisdictions, content data subject to lawful access provisions.

Payment processor data: When content channels are monetized—through platform ad revenue, donation platforms, Patreon-style services, or cryptocurrency transactions—payment records create attribution bridges between content operations and identifiable financial actors.

Domain registration data: Website domains linked to harassment operations have registration records, hosting provider records, and DNS history that can identify operators or their infrastructure.

Email provider data: Registration accounts for platform accounts are typically email addresses, and email providers maintain registration and login records.

10.2 The Statutory Toolkit: Criminal Code Provisions

Parliament has provided a robust statutory toolkit for accessing digital evidence. These provisions were specifically designed for the online investigation context and reflect legislative recognition that digital evidence requires specialized preservation and attribution tools.

Section 487.012—Preservation demand: A police officer may demand that a person preserve computer data in their possession that the officer has reasonable grounds to suspect is relevant to an investigation. This is the lowest-threshold tool: reasonable suspicion, not RPG, and no judicial authorization required. A preservation demand generally expires after 21 days unless revoked earlier, making it a short-term bridge instrument rather than a durable hold. It is nonetheless the appropriate first-response tool when a complainant presents visual evidence satisfying reasonable suspicion—the demand preserves evidence while the investigation develops to the point where a judicial preservation order or production order is sought.

Section 487.013—Preservation order: Where a preservation demand is not sufficient, or where judicial authority is required, a justice may order preservation of computer data on grounds that a peace officer suspects on reasonable grounds that an offence has been or will be committed. Again: reasonable suspicion, not RPG. A preservation order under this section may preserve data for up to 90 days. This judicial preservation order requires application supported by the investigative record and provides a more durable hold pending the investigation's development toward production orders.

Together, these two provisions create a two-stage preservation sequence: the preservation demand as an immediate no-authorization reflex upon establishing reasonable suspicion, followed where necessary by a judicial preservation order to extend the hold through the investigation timeline. For Canadian offences, investigators should not treat these as alternatives but as sequential instruments—the demand is used first to stop the clock on retention, the order is sought to hold the data while production order applications are prepared.

Section 487.0131—Order to keep account open: A justice may order a person to preserve and not delete, conceal, or alter a computer account for a period not exceeding 60 days on grounds that a peace officer suspects on reasonable grounds that the account is relevant to an investigation. This is a specialized complement to the preservation demand and order—it targets account integrity rather than data snapshots, preventing operators from deleting accounts while attribution investigation proceeds. Like the preservation instruments, this tool operates at the reasonable-suspicion threshold, not RPG.

Section 487.014—Production order (general): A justice may order a person to produce documents or data on grounds establishing RPG— specifically, reasonable grounds to believe that an offence has been or will be committed and that the targeted document or data will afford evidence of that offence. This is the primary tool for compelling platform subscriber records, ISP records, payment processor records, and other account-holder attribution data. The RPG threshold is higher than reasonable suspicion and will typically be met once the pattern evidence from the public-facing signal layer is formally compiled and the preservation returns confirm the existence of the targeted records.

Section 487.015—Production order (to trace a specified communication): Authorizes a justice to order assistance in tracing a specified communication where a peace officer has reasonable grounds to suspect that an offence has been or will be committed. This provision operates at the lower reasonable-suspicion threshold, not RPG, making it available earlier in the investigation than the general production order. It is directly applicable to tracing the origin of specific identified content—for example, tracing the upload path of a specific video through successive intermediaries to the originating subscriber.

Section 487.016—Production order (transmission data): Covers transmission data—the metadata of internet communications, including source and destination IP addresses, port data, timing, duration, and volume of connections. Available where a peace officer has reasonable grounds to suspect that an offence has been or will be committed. Again: the reasonable-suspicion threshold, not RPG. Directly applicable to obtaining platform-side metadata on who uploaded specific content, when, and from what IP address, as well as ISP-level data linking those IPs to subscriber identities.

Section 487.017—Production order (tracking data): For data that tracks the location or movement of a person or thing. Available on reasonable grounds to suspect. Potentially applicable in harassment investigations where device location data is relevant to attribution—for example, establishing that account operators were physically present in identified locations at material times.

Section 487.018—Production order (financial data): For financial transaction records and account data. Available on reasonable grounds to suspect. Directly applicable to harassment operations involving monetization, crowdfunding, donation platforms, payment processors, or cryptocurrency transactions—all of which represent attribution vectors linking content operations to identifiable financial actors.

A critical observation for investigators: sections 487.015, 487.016, 487.017, and 487.018 — the specialized digital-evidence production orders covering communication tracing, transmission data, tracking data, and financial data — all operate at the reasonable-suspicion threshold, not RPG. This means that the same evidential foundation that grounds a preservation demand under s. 487.012 will, if it satisfies reasonable suspicion, also ground applications for these specialized production orders. The corrected statutory map is therefore more favorable to early investigation than a simple RPG-across-the-board reading would suggest: investigators who establish reasonable suspicion from public-facing pattern evidence have access to a substantially broader immediate toolkit than is commonly understood.

10.3 The Logical Sequence

The statutory toolkit creates a logical investigative sequence that begins, not ends, with the public-facing signal evidence:

Complainant presents visual evidence satisfying reasonable suspicion
Investigation opens; preservation demands under s. 487.012 are issued to platforms to prevent evidence destruction while investigation proceeds
Investigation develops; visual evidence is formally documented and analyzed; temporal convergence, scripting analysis, and fingerprinting evidence is compiled
RPG is established through the growing evidentiary record, supplemented by any information obtained through preservation
Production orders are obtained in priority sequence: specialized digital-evidence orders under ss. 487.015–487.018 (transmission data, tracking data, financial data—all available at reasonable-suspicion) where the threshold is already met; general production orders under s. 487.014 (RPG) for subscriber records and account attribution data as the evidentiary record matures
Attribution is established through the production order returns, identifying the operators of the coordinated operation
Charges and prosecution proceed based on the full evidentiary record including both the public-facing pattern evidence and the hidden attribution evidence

This sequence begins with the visual "collage"—because that is the evidence that exists at the start. Treating the collage as the end of the evidentiary inquiry rather than its beginning is the institutional failure this paper addresses.

11. Preservation and Production: The Investigative Statutory Toolkit

11.1 The Urgency of Preservation

Digital evidence is volatile. Unlike physical evidence, which typically persists without active destruction, digital evidence can disappear through automatic deletion policies, account suspensions, platform content moderation actions, or deliberate evidence destruction. The temporal urgency of preservation cannot be overstated in online harassment investigations.

Platform retention periods vary by platform and data type. Log data—particularly access logs and upload metadata—is generally time-sensitive, and some forms of attribution data may be subject to finite retention windows that, once closed, result in permanent evidentiary loss even if subsequent investigation is otherwise successful. Meta publicly confirms a 90-day preservation window for account records in connection with official criminal investigations pending formal legal process; that preservation is triggered by law-enforcement contact, not by user reports. Google confirms preservation in response to valid requests but does not publish a universal retention schedule. The practical point across platforms is the same: the preservation imperative is urgent. Delay can permanently impair attribution.

This urgency maps directly onto the statutory toolkit. A preservation demand under s. 487.012—the immediate, no-authorization tool—expires after 21 days. A judicial preservation order under s. 487.013 extends the hold for up to 90 days. The two instruments are sequential: the demand stops the clock immediately; the order holds the data while the investigation develops toward production. Investigators should understand this sequence not as bureaucratic procedure but as evidence triage: without the demand on day one, the retention window may close before the order can be obtained.

Investigators should treat preservation demands under s. 487.012 as an immediate reflex when reasonable suspicion is established—not a step deferred until investigation is "complete". Investigation is not complete when preservation is triggered; it has barely begun.

11.2 What to Preserve

Preservation demands should comprehensively address all potential evidence repositories:

Platform-level preservation:

All account data for identified accounts, including registration information, contact details, and account creation metadata
Upload logs for all content attributed to those accounts, including source IP addresses, device identifiers, and timestamps
Login history for identified accounts
Internal linking data (accounts linked through shared phone numbers, email addresses, or payment methods)
Payment and monetization records for monetized accounts
Advertising targeting data if accounts ran paid promotion
Algorithm-side recommendation data showing how content was surfaced to identified users

ISP-level preservation:

Subscriber records for identified IP addresses at upload timestamps
Connection logs for identified IP address ranges

Payment processor preservation:

Transaction records for identified monetization accounts
Payment source and destination data
Know-your-customer (KYC) documentation held by payment processors

Email provider preservation:

Registration records for email addresses associated with identified accounts
Login metadata for those accounts

11.3 Practical Obstacles and Responses

Investigators pursuing digital evidence in harassment cases encounter several predictable practical obstacles:

Platform cross-jurisdictional issues: Major platforms are headquartered in the United States and may resist Canadian production orders on jurisdictional grounds. Several responses are available: mutual legal assistance treaties (MLATs) with the United States for formal evidence sharing; emergency preservation requests through platform law enforcement portals (which most major platforms maintain for serious criminal investigations); Canadian counsel's ability to bring applications to enforce production against platform Canadian subsidiaries.

Volume of data: Digital evidence in harassment cases can involve large volumes of content across multiple accounts and platforms. Investigators should prioritize sequentially: first preserve everything, then prioritize production orders for highest-value attribution data (account creation records, first-login data, payment records), then secondary records.

Encrypted communications: If operators communicate through encrypted messaging platforms, content may not be accessible. However, metadata—who communicated with whom and when—remains available through appropriate legal process, and provides coordination evidence even without content.

Platform content moderation as evidence interference: When platforms remove content that constitutes harassment evidence, the removed content may no longer be accessible. Investigators should: maintain complainant documentation practices; issue preservation demands before content is moderated; and treat any moderation actions affecting potential evidence as grounds for expedited production orders.

12. The Neglect-of-Duty Nexus: When Failure to Investigate Is the Crime

12.1 The Statutory Framework

R. v. Hill and the Police Act framework in various Canadian jurisdictions create a positive duty of reasonable diligence in the conduct of investigations. When an officer encounters evidence satisfying reasonable suspicion and declines to investigate—particularly where the declination rests on an incorrect legal standard—the failure may itself constitute a disciplinary default.

Under s. 24(3)(a) of the Nova Scotia Police Act Regulations (and equivalent provisions in other jurisdictions), neglect of duty is defined as "neglecting to or, without adequate reason, failing to promptly, properly, or diligently perform a duty as a member". The duty to investigate, when evidence satisfies reasonable suspicion, is a foundational professional obligation. Declining to investigate because a complainant's visual evidence does not constitute proof—when proof is precisely what investigation would develop—is both legally incorrect and potentially a disciplinary default.

Oversight bodies reviewing complaints about police failures to investigate online harassment must evaluate the officer's decision against the correct legal standard. The question is not whether the officer reasonably concluded that investigation was unwarranted given the available evidence. The question is whether the officer applied the correct threshold to that evidence. Applying a proof standard to an investigation decision is, definitionally, applying the wrong standard, and a decision made under the wrong standard is not made with adequate reason.

12.2 The Wrong-Question Failure Mode

The failure mode in police responses to online harassment complaints is frequently structural rather than arbitrary. Officers confronted with visual evidence of coordinated harassment tend to ask one of two wrong questions:

Wrong question 1: "Does this evidence prove a crime?". This is the trial standard. Investigation does not require proof; it develops proof. Applying the trial standard to the investigation threshold systematically forecloses investigation of every sophisticated crime for which the evidentiary architecture requires police tools to reveal.

Wrong question 2: "Can I identify the perpetrator from this evidence?". Attribution is the object of investigation, not its precondition. A complainant who cannot identify perpetrators has identified precisely the situation investigation exists to resolve. Requiring perpetrator identification as a prerequisite for investigation creates a logical circle: investigation is what attributes perpetrators, so requiring attribution before investigation is simply a blanket refusal to investigate.

The correct question is: "Does this evidence give rise to a reasonable possibility of criminal activity, such that investigation—using the tools Parliament has provided—is warranted?". That is the threshold. That is the question.

12.3 Oversight Review Standards

When a police officer's failure to investigate reaches an oversight body—through a police complaints process, judicial review, or other mechanism—the oversight body must apply the correct standard of review.

The oversight question is not whether the complainant's evidence proves a crime. It is whether the officer's decision not to investigate was made with adequate reason and through proper application of the relevant legal threshold. Where an officer has declined to investigate because evidence does not constitute proof—without addressing whether it satisfies reasonable suspicion—the decision is made without adequate legal reason regardless of whether the evidence happens to be sufficient under the correct standard.

Oversight bodies reviewing such decisions must:

Identify the threshold the officer actually applied
Compare that threshold to the legally correct threshold for the decision type
Assess whether, under the correct threshold, investigation was required
Determine whether the failure to investigate, under the correct threshold, constitutes a disciplinary default

An oversight body that defers to the officer's legal characterization of the threshold is abdicating its oversight function. The oversight function exists precisely to catch the application of incorrect legal standards.

13. Institutional Failure Patterns and Psychiatric Weaponization

13.1 The Complaint Foreclosure Architecture

Coordinated online harassment investigations face a characteristic institutional failure pattern that this paper describes as "complaint foreclosure architecture"—a set of institutional responses that, individually, might represent error or oversight, but collectively and systematically foreclose any investigation of the underlying conduct.

The components of this architecture are predictable:

Police pathologization: Initial complaint is classified as mental health concern rather than criminal matter. Complainant is characterized as delusional, paranoid, or fixated. Any documentation provided is dismissed as evidence of the complainant's irrationality rather than evidence of a crime. EDP (Emotionally Disturbed Person) forms are generated, creating a record of psychiatric concern that subsequently affects every institutional interaction.

Oversight circularity: When the complainant escalates to police complaints oversight, the oversight body reviews the police response and defers to the police characterization of the complainant's mental health and the evidence's sufficiency. The same narrative that caused the failure to investigate is treated as the reason the failure was appropriate.

Medical system weaponization: Where complainants are involuntarily assessed or hospitalized in connection with the harassment pattern (particularly where crisis response is disproportionate or triggered by harassment-adjacent events), the resulting medical records create a permanent documentation of mental health concerns that further undermines institutional credibility in all subsequent contexts.

Legal system reinforcement: If the complainant pursues legal remedies and is unsuccessful, the adverse outcomes—vexatious litigant designations, costs awards, failed applications—are recycled into the narrative of irrationality, despite those outcomes often reflecting the complainant's unrepresented status and the complexity of the evidence rather than the merits.

Sealed file exploitation: In cases involving related civil litigation, sealing orders over litigation files prevent public scrutiny of patterns in how the proceedings were conducted, while the public record of outcomes (adverse results) is used to discredit the complainant.

13.2 Non-Clinical Mental-Health Framing and Complaint Foreclosure

The psychiatric weaponization of harassment complainants deserves specific analysis because it is both the most harmful component of complaint foreclosure and the most difficult to address from outside the institutional system.

When a complainant presents visual evidence of coordinated online harassment, the psychiatric weaponization response works as follows: the belief that one is being systematically targeted by a coordinated operation is categorized as a symptom—paranoid ideation, delusional disorder, or "gang-stalking" paranoia. The evidence is then interpreted not as documentation of actual events but as artifacts of the complainant's belief system. Screenshots become "obsessive documentation"; timing charts become "magical thinking"; visual analysis becomes "apophenia."

This response has a devastating logical structure: the more evidence a complainant produces, the more "obsessive" they appear; the more precisely they document patterns, the more "delusional" the pattern-seeking seems; the more persistently they seek investigation, the more "fixated" they are characterized. The institutional response thus creates a perverse incentive structure where thorough documentation worsens the complainant's institutional credibility.

Investigators and oversight bodies must recognize this dynamic as an institutional pathology, not a legitimate assessment methodology. The correct response to a complainant presenting extensive, organized documentation of potential coordinated harassment is not psychiatric referral; it is application of the Ahmad constellation analysis to the documentation itself. The psychological state of the complainant is not the investigation. The evidence is the investigation.

13.3 The Non-Clinical Language Standard

HRP Inspector Legere's pejorative characterization, in the Dempsey matter record, of the complainant's documentation as evidence of mental illness— adopted and carried forward through the institutional chain—illustrates a specific evidentiary problem: non-clinical mental health language deployed by institutional actors (police officers, supervisors, oversight bodies) in contexts where they have no clinical qualification and where the purpose of the characterization is dispositional rather than therapeutic.

Non-clinical mental health characterizations by police officers and oversight bodies should be treated as what they are: lay opinion on subjects requiring clinical expertise, offered for the purpose of dispositional characterization rather than clinical assessment, by parties with an institutional interest in the outcome. Such characterizations are not evidence of mental illness; they are evidence of the speaker's dispositional motivation.

For oversight purposes, the use of non-clinical mental health language as a basis for dismissing a complaint—rather than engaging with the evidence on its merits—is itself a procedural failure. It is not an answer to the question "does this evidence satisfy reasonable suspicion?". It is an attempt to avoid the question.

13.4 The Circular Oversight Failure

When a police complaints oversight body reviews an officer's failure to investigate and endorses that failure on the basis of the officer's characterization of the complainant, the oversight function has been captured by the failure it exists to review.

The oversight body's function is independent assessment. Where the complaint is that an officer failed to investigate with reasonable diligence, independent assessment requires the oversight body to:

Apply the correct legal standard (reasonable suspicion, not proof)
Assess the complainant's evidence under that standard, independently of the officer's characterization
Determine whether the officer's decision was made with adequate legal reason

An oversight body that simply defers to the officer's narrative—particularly where that narrative includes pejorative characterizations of the complainant's mental health—has not conducted independent assessment. It has conducted institutional reinforcement.

Vavilov, at paras. 85–86, 99–103, requires that administrative decisions be justified, transparent, intelligible, and responsive to the submissions and evidence before the decision-maker. A screening decision that adopts a police narrative characterizing the complainant as mentally ill, without engaging with the evidentiary content of the complaint, satisfies none of these requirements.

14. A Working Pattern Recognition Checklist for Investigators

This checklist is designed as a practical tool for investigators and oversight bodies confronting visual and circumstantial evidence of coordinated online harassment. Each category identifies what to look for, what it means, and what investigative action it supports.

CATEGORY A: Temporal Convergence Indicators

A1. Private event documentation

[ ] Have the private trigger events been objectively documented? (Sealed hearing dates, medical appointment records, confidential meeting records)
[ ] Are the events confirmed as non-public? (Not disclosed on social media, not in public court records, protected by privilege or sealing)
[ ] Have the trigger event dates been compiled in a searchable timeline?

A2. Content timing analysis

[ ] For each identified piece of potentially relevant content, has the publication timestamp been recorded?
[ ] Has the time delta between trigger event and content publication been calculated?
[ ] Does the distribution of time deltas suggest a consistent pattern? (e.g., consistently within 24 hours, consistently within the same calendar day)

A3. Convergence statistical assessment

[ ] How many convergence events are documented?
[ ] What is the probability that this number of convergences would occur by chance given the documented content volume?
[ ] Are there identifiable non-convergence periods, and are they explainable? (Periods where trigger events occurred without responsive content)

Threshold assessment for Category A: If five or more documented temporal convergences are identified between non-public events and content publication, with time deltas consistently under 48 hours, reasonable suspicion is likely satisfied under Ahmad/Chehil.

CATEGORY B: Content Fingerprinting Indicators

B1. Verbatim scripting

[ ] Are identical or near-identical passages present across multiple channels?
[ ] Has the verbatim content been quoted and attributed to specific channels with timestamps?
[ ] Does the verbatim content suggest specific facts relating to the complainant?

B2. AI production characteristics

[ ] Is thumbnail imagery consistent with AI generation? (Facial artifacts, uncanny valley characteristics, characteristic deformations)
[ ] Does voiceover audio suggest TTS generation? (Characteristic prosodic patterns, unnatural pause distributions)
[ ] Are production templates visually consistent across multiple channels?

B3. Personalization indicators

[ ] Does content reference biographical details specific to the complainant that are not publicly available?
[ ] Do thematic elements align with specific, non-public circumstances in the complainant's life?
[ ] Is the specificity of reference too precise for general-audience content?

Threshold assessment for Category B: Two or more Category B indicators, combined with any Category A findings, substantially strengthen the Ahmad constellation and support reasonable suspicion.

CATEGORY C: Coordination Indicators

C1. Cross-account scripting

[ ] Have multiple accounts producing verbatim-identical content been identified?
[ ] Are those accounts ostensibly independent? (No visible linking between accounts)
[ ] Does the verbatim overlap occur simultaneously or in rapid sequence?

C2. Cross-platform coordination

[ ] Has similar content appeared on multiple platforms within close temporal proximity?
[ ] Do the multiple-platform appearances align with the same trigger events?
[ ] Has the cross-platform pattern been documented with timestamps?

C3. Volume and cadence

[ ] Does the volume and cadence of content production exceed what is plausible for individual organic creators?
[ ] Does content production continue consistently across periods (weekends, holidays) inconsistent with individual production?
[ ] Does cadence correlate with events in the complainant's life rather than organic content production cycles?

Threshold assessment for Category C: Any C1 finding satisfies a significant portion of the Ahmad constellation independently. C2 and C3 findings substantially reinforce the constellation.

CATEGORY D: Sealed Document and Private Information Indicators

D1. Sealed proceeding references

[ ] Does content suggest events or information that appears only in sealed documents?
[ ] Is the accuracy of such references verifiable against the sealed record?
[ ] Has the timing of such content been correlated with sealed proceeding dates?

D2. Confidential information access

[ ] Does content suggest medical, therapeutic, or professional information not publicly disclosed?
[ ] Are references accurate to non-public facts, excluding the possibility of guesswork?
[ ] Have possible information sources been identified? (Who had access to the referenced information?)

D3. Private communication references

[ ] Is the content suggestive of conversations, correspondence, or private communications?
[ ] If so, what was the potential channel of information access?

Threshold assessment for Category D: A single verified sealed document reference, accurately reflected in content, may independently satisfy reasonable grounds exceeding mere suspicion, because it directly implicates institutional information access.

CATEGORY E: Institutional Response Indicators

E1. Prior complaint history

[ ] Has the complainant previously reported similar patterns to police?
[ ] Were those reports rejected on the basis of characterizations that are themselves disputed?
[ ] Is there an audio or documentary record contradicting a police characterization of prior events?

E2. Pathologization history

[ ] Has the complainant been subjected to EDP assessments, involuntary hospitalization, or welfare checks in connection with harassment-related events?
[ ] Were those institutional responses proportionate to the precipitating events, or does the evidence suggest disproportionality?
[ ] Has non-clinical mental health language been used by institutional actors to characterize the complainant's concerns?

E3. Report accuracy

[ ] Are there identifiable discrepancies between officer reports of interactions with the complainant and the complainant's account of those interactions?
[ ] Is there objective evidence (audio recordings, contemporaneous documentation) that would allow assessment of report accuracy?

Institutional indicator assessment: E indicators do not directly satisfy the threshold for investigating the harassment, but they raise collateral investigative questions (false reporting, potential misconduct) and inform the assessment of the officer narrative's reliability as a basis for dismissing the harassment complaint.

15. Investigation Protocol: From Visual Collage to Attribution to Program Proof

This protocol converts visual and circumstantial online evidence into a structured investigative pathway. It is designed for cases where the alleged mechanism is not merely ordinary recommendation, user-habit-based delivery, or accidental algorithmic exposure, but a directed program of platform-mediated targeting: a system in which content is allegedly created, sequenced, surfaced, boosted, suppressed, routed, recommended, notified, advertised, or delivered to a target through a direct control mechanism, potentially involving major technology platforms, platform-integrated tools, contractors, advertisers, partner systems, privileged access, compromised credentials, or internal platform infrastructure.

The allegation is serious. It must not be assumed. It must be tested through records.

The investigative task is to determine whether the visible pattern is merely public online content or whether it reflects a directed operation involving:

Pattern proof — what public-facing content exists, and what pattern it forms.
Attribution proof — who created, uploaded, controlled, financed, or amplified the content.
Exposure proof — whether the complainant actually received the content.
Delivery proof — how the content reached the complainant.
Direct-control proof — whether a person, platform actor, contractor, advertiser, administrator, API user, campaign operator, moderation/recommendation operator, or third-party control system caused or shaped delivery.
Program proof — whether the delivery events were part of a coordinated program, workflow, campaign, operation, internal ticketing process, partner arrangement, or repeatable targeting mechanism.
Collaboration proof — whether platform-side actors, platform tools, platform records, platform permissions, or platform-integrated systems facilitated, supported, participated in, or failed to preserve the relevant delivery pathway.
Intent proof — whether timing, targeting parameters, private-event correlation, communications, access logs, campaign records, prompt histories, internal actions, or control-plane records show that the operation was directed at the complainant or a defined target class.

The central investigative principle is this:

A directed platform operation is not proven merely by showing that content existed or appeared in a feed. It is proven by linking public-facing content to complainant-side exposure, platform-side delivery records, direct-control records, operator access, program infrastructure, AI/provenance evidence, production integrity, baseline testing, and evidence of intent.

Where the allegation is a directed platform operation, the proof task is not merely to show that an algorithm delivered content. The proof task is to determine whether delivery was caused or shaped by a direct control mechanism, and then to link that mechanism to an operator, workflow, platform-side record, campaign, credential, payment trail, prompt history, privileged access event, or coordinated program.

Step 1: Initial Evidence Assessment, Preservation, and Investigative OPSEC — Day 1

Upon receiving a complaint accompanied by visual evidence of coordinated online harassment, the investigator should immediately determine whether the material discloses a reasonable possibility of criminal activity and whether digital evidence is at risk of loss.

1.1 Review the visual evidence as a data set, not a narrative.

Identify:

the number of platforms involved;
the number of accounts, channels, pages, handles, profiles, ads, videos, posts, messages, URLs, domains, or external referrers;
visible timestamps, URLs, video IDs, post IDs, channel names, account handles, edit dates, deletion events, restoration events, publication dates, ad labels, or notification indicators;
repeated scripts, thumbnails, symbols, titles, captions, voiceovers, AI-production indicators, visual motifs, or repeated narrative themes;
whether content appears to track litigation events, sealed proceedings, medical events, police interactions, family incidents, legal filings, financial events, reputational events, or other non-public milestones;
whether content appears in a specific sequence, cadence, escalation pattern, or cross-platform order.

1.2 Apply the Ahmad constellation analysis.

Ask whether the objectively discernible facts, taken together, give rise to a reasonable possibility of criminal activity. The question is not whether the complainant has proven the offence. The question is whether the pattern justifies investigation.

The written analysis should identify:

the observable facts;
the apparent pattern;
the possible offences or misconduct implicated;
the direct-control hypothesis being tested;
the alternative explanations;
the records required to test the hypothesis;
the preservation steps required before data is lost.

1.3 Use a non-attributable investigative environment.

Before viewing, searching, subscribing to, clicking, saving, liking, commenting on, or otherwise interacting with suspected targeting content, investigators should use a controlled, non-attributable investigative environment. The purpose is to prevent evidence pollution, avoid training recommendation systems through investigative activity, and avoid alerting operators who may monitor analytics, traffic sources, viewer geography, referrers, device types, account views, or institutional IP ranges.

Where authorized by law, policy, and supervisory approval, investigators should consider:

clean devices not associated with the complainant, police, government, counsel, or known institutional networks;
controlled test accounts created for investigative comparison;
separated browser profiles;
documented VPN or location-control settings where legally and operationally appropriate;
disabled personalization where appropriate;
screen recording of all investigative sessions;
preservation of browser, device, and network logs;
documentation of whether the session was logged in, logged out, location-masked, location-fixed, account-based, or device-based;
avoidance of engagement actions that could alter recommendation signals, such as liking, subscribing, commenting, sharing, saving, or repeated replay, unless those actions are part of an approved test protocol.

Investigators should not use deceptive accounts, location-masking tools, undercover online identities, or controlled interactions except where authorized under applicable law, policy, and supervisory approval. The objective is evidentiary integrity, not unsupervised covert engagement.

1.4 Identify volatile evidence.

Digital evidence may be lost through deletion, moderation, suspension, account renaming, account deactivation, log-rolling, platform retention limits, prompt deletion, project deletion, ad-campaign deletion, API-token revocation, or deliberate destruction. Investigators should identify time-sensitive records, including:

upload IP logs;
login/session records;
device fingerprints;
subscriber records;
impression records;
recommendation records;
notification logs;
ad-delivery records;
campaign records;
audience-list records;
prompt histories;
AI-generation logs;
project/export histories;
API logs;
moderation-action logs;
visibility or eligibility records;
internal-tool access logs;
payment records;
account-control and administrator-access records;
business-manager, creator-studio, or campaign-dashboard logs.

1.5 Issue preservation demands under s. 487.012 where reasonable suspicion is established.

Preservation demands should be issued to relevant platforms, hosts, service providers, payment processors, email providers, domain registrars, AI-generation platforms, editing platforms, advertising systems, analytics providers, social-media management systems, and other data holders.

The demand should cover specific accounts, URLs, posts, videos, messages, ads, payment accounts, domains, business-manager accounts, campaign accounts, AI-generation accounts, API credentials, and related infrastructure.

A preservation demand generally expires after 21 days. Same-day preservation should be treated as the default where reasonable suspicion is established.

1.6 Consider judicial preservation and account-continuity orders.

Where the matter requires a longer hold, investigators should consider a preservation order under s. 487.013. Where account deletion, deactivation, concealment, alteration, token revocation, campaign deletion, or project deletion would impair attribution, investigators should consider an order to keep an account open or active under s. 487.0131 or any other available lawful mechanism.

1.7 Create the initial preservation memorandum.

The memorandum should record:

what evidence was reviewed;
why reasonable suspicion was found or rejected;
what records were preserved;
which platforms, AI services, hosts, payment processors, or data holders were contacted;
the expiry date of each preservation demand;
what further orders are required before preservation expires;
whether non-attributable investigative procedures were used;
what steps were taken to avoid evidence pollution or alerting operators.

Step 2: Evidence Organization, Pattern Analysis, and AI Provenance — Days 2–14

The purpose of Step 2 is to transform the visual “collage” into a structured evidentiary matrix.

2.1 Organize the evidence by category.

Sort the material into:

temporal convergence;
content fingerprinting;
cross-account scripting;
cross-platform coordination;
AI-production indicators;
prompt-to-pattern indicators;
repeated symbols, titles, captions, thumbnails, or motifs;
private-information references;
sealed-document references;
complainant-side exposure events;
suspected paid targeting;
suspected platform delivery;
suspected direct-control actions;
suspected platform collaboration;
suspected AI-generation or editing-tool provenance;
institutional response indicators.

2.2 Build the temporal convergence record.

For each alleged convergence event, document:

the private trigger event;
whether it was public or non-public;
who knew about it;
when the online content appeared;
the time delta between the event and the content;
whether similar content appeared across multiple accounts or platforms;
whether the content contained specific references, symbols, words, images, or themes connected to the event;
whether the same pattern recurred across multiple milestones.

2.3 Build the content-fingerprinting and AI-provenance record.

Investigators should identify repeated wording, title structures, thumbnails, templates, voiceovers, music, captions, AI-image artifacts, symbolic motifs, channel naming conventions, posting cadence, and metadata patterns. Where AI-generated or AI-assisted production is suspected, the analysis should include prompt-to-pattern evidence.

Relevant indicators may include:

repeated LLM phrasing across different accounts;
common prompt structures reflected in titles, scripts, thumbnails, captions, or imagery;
identical or near-identical AI image artifacts;
repeated text-to-speech voices, cadence, pronunciation, or audio signatures;
shared production fingerprints from AI image, video, audio, voice, script, editing, or captioning tools;
common export settings, file names, metadata, watermarks, project structures, or template reuse;
matching editing pipelines through tools such as video editors, design platforms, voice-generation tools, generative-image services, or AI scripting systems;
repeated symbolic or thematic prompts transformed into different platform-native outputs.

Where grounds exist, investigators should consider production applications directed to AI-generation platforms, editing platforms, cloud accounts, email accounts, payment accounts, API providers, or team/workspace systems to obtain:

prompt histories;
generation logs;
user account records;
project files;
export histories;
upload metadata;
payment records;
API keys;
team or workspace memberships;
shared project access;
timestamps linking prompts to published content;
deleted prompt/project recovery data where retained.

The evidentiary objective is to connect the public-facing artifact to the generative process. A prompt history that anticipates the exact script, image, motif, timing, private reference, targeting theme, or symbolic structure in the published content may provide powerful evidence of authorship, intent, coordination, and premeditation.

2.4 Document verbatim or near-verbatim scripting.

Quote identical passages, identify the accounts where they appeared, record timestamps, and note whether the repeated wording references non-public facts, specific litigation events, medical events, family details, police interactions, or other private milestones.

2.5 Build the cross-platform coordination record.

For each coordination event, record:

platform;
account or channel;
URL or content ID;
timestamp;
content description;
similarity to other content;
relationship to private trigger events;
whether the same or similar content appeared in sequence across platforms;
whether the sequence suggests common scheduling, scripting, campaign management, or centralized control.

2.6 Identify the first attribution and control targets.

Potential targets include:

account creators;
uploaders;
channel operators;
advertisers;
campaign administrators;
business-manager users;
creator-studio users;
API users;
payment recipients;
domain registrants;
email accounts;
recovery phone numbers;
device identifiers;
IP addresses;
third-party scheduling tools;
social-media-management platforms;
AI-generation accounts;
editing-platform accounts;
shared cloud workspaces;
platform internal tools;
moderation or visibility-control systems;
notification systems;
recommendation or ranking controls.

2.7 Apply the Villaroman framework.

Identify and test competing explanations:

coincidence;
organic trend convergence;
ordinary recommendation;
complainant pattern-seeking;
paid targeting;
retargeting;
platform-side delivery;
account compromise;
device compromise;
AI-template reuse without targeting;
coordinated operation;
direct control-plane targeting;
platform collaboration.

The question is not whether the direct-targeting hypothesis is already proven. The question is whether innocent explanations remain reasonable in light of the actual pattern.

2.8 Produce the pattern-analysis memorandum.

The memorandum should identify the pattern, the investigative inference, the alternative explanations, and the specific records needed to test whether the pattern reflects a direct targeting program.

Step 3A: Threshold Mapping and Preservation Continuity—Days 14–21

Step 3A ensures that evidence does not disappear while the investigation moves from suspicion to production.

3A.1 Map each investigative need to the proper legal tool.

Separate:

preservation demands;
preservation orders;
keep-account-open orders;
trace-specified-communication orders;
transmission-data orders;
tracking-data orders;
financial-data orders;
general production orders;
search warrants;
device warrants;
cloud-account warrants;
AI-platform production orders;
payment-processor production orders;
mutual legal assistance requests;
platform law-enforcement portal requests;
emergency disclosure requests where legally justified.

3A.2 Track preservation expiry dates.

For every preservation demand, record:

date issued;
data holder;
account, URL, video, post, ad, campaign, AI project, prompt history, API key, or system covered;
expiry date;
whether a preservation order is required before expiry;
whether production applications are ready.

3A.3 Escalate from preservation demand to preservation order where needed.

A preservation demand is a bridge instrument. Where production applications cannot be prepared before expiry, a preservation order should be sought to extend the hold.

3A.4 Preserve account, project, and campaign continuity.

Where deletion or deactivation would impair attribution, seek appropriate account-continuity or preservation orders. This is especially important where operators may delete channels, rename profiles, remove videos, pause ads, delete campaigns, change recovery emails, revoke API permissions, delete AI prompts, erase project files, or deactivate business-manager access.

3A.5 Maintain a preservation continuity log.

The log should show that investigators prevented evidence loss and did not allow platform, AI-service, campaign, or payment-record retention windows to expire through inaction.

Step 3B: Attribution Production Orders — Days 14–60

Step 3B identifies who created, uploaded, controlled, financed, or amplified the content.

3B.1 Use specialized production orders where reasonable suspicion is established.

Where reasonable suspicion exists, investigators may seek:

s. 487.015 — production order to trace a specified communication;
s. 487.016 — production order for transmission data;
s. 487.017 — production order for tracking data;
s. 487.018 — production order for specified financial data.

3B.2 Use general production orders where reasonable grounds to believe are established.

Where the record establishes reasonable grounds to believe that an offence has been or will be committed and that the records will afford evidence, investigators may seek a general production order under s. 487.014 for broader platform, ISP, subscriber, account-holder, business-manager, payment, AI-platform, platform-attribution, administrative-access, or stored-content-adjacent records.

3B.3 Prioritize attribution targets.

Priority targets include:

upload IP logs;
login/session logs;
account creation records;
subscriber records;
recovery emails and phone numbers;
linked accounts;
device identifiers;
payment instruments;
monetization records;
domain and hosting records;
third-party app authorizations;
API access logs;
creator-studio access logs;
business-manager access logs;
advertiser-account records;
account-delegation records;
role-based permission records;
AI-platform account records;
prompt-history records;
project-sharing records;
editing-platform records.

3B.4 Explain why attribution is the object of investigation.

Each production application should state that the complainant cannot be expected to produce subscriber records, IP logs, upload metadata, device identifiers, payment records, prompt histories, account-control data, or platform-side audit logs. Those records are precisely what lawful process exists to obtain.

3B.5 Analyze production returns.

After records are received, determine:

which accounts share IP addresses;
which accounts share devices;
which accounts share emails, phone numbers, payment methods, recovery accounts, or administrator access;
which accounts were accessed from the same locations;
which accounts were managed through common business-manager, creator-studio, API, advertiser, third-party, or AI-generation systems;
whether nominally independent accounts are operationally linked;
whether prompt histories or project files link specific operators to specific public-facing outputs.

3B.6 Produce an attribution memorandum.

The memorandum should distinguish:

content existence;
account operation;
account control;
uploader identity;
administrator identity;
AI-generation provenance;
payment or monetization linkage;
infrastructure linkage;
person-level attribution;
remaining gaps requiring further process.

Step 3C: Exposure and Delivery Proof — Parallel to Steps 2–4

Step 3C determines whether the complainant actually received the content and how it was delivered.

3C.1 Preserve complainant-side exposure evidence.

Investigators should preserve:

screen recordings of feeds, recommendations, “Up Next,” Shorts, Reels, For You Page, autoplay sequences, notifications, ads, search results, and recommendation panels;
screenshots showing timestamps, URLs, channel names, account handles, video IDs, thumbnails, recommendation rows, notification prompts, and “Why am I seeing this?” explanations where available;
browser history;
app history;
watch history;
search history;
notification history;
referral links;
platform account data exports;
device logs;
app-cache artifacts;
browser-cache artifacts;
operating-system records;
records showing whether the complainant was logged in, logged out, using a particular device, IP address, location, browser, advertising ID, or platform account.

The goal is to prove that the content was actually delivered to the complainant, not merely that it existed online.

3C.2 Classify the delivery route.

For each exposure event, identify whether the content arrived by:

homepage feed;
recommendation panel;
autoplay;
“Up Next”;
Shorts/Reels/FYP feed;
search result;
notification;
paid advertisement;
boosted post;
direct message;
external referral link;
embedded page;
email;
cross-platform retargeting;
campaign delivery;
platform-side routing;
internal routing;
account or device compromise.

3C.3 Seek platform-side delivery records.

Production applications should seek, to the extent held by the platform:

impression records;
recommendation-source records;
ranking records;
notification logs;
search-result logs;
autoplay or “Up Next” records;
ad-delivery records;
referral records;
clickstream records;
delivery-decision records;
device or account identifiers associated with exposure;
records showing whether content was served to the complainant’s account, browser, device, IP, advertising identifier, email, phone number, or hashed identifier.

3C.4 Preserve evidence of delivery anomalies.

Investigators should document whether the content appeared:

despite the complainant not searching for related material;
despite clearing history or changing settings;
after private events;
in repeated sequence;
across platforms;
through notifications rather than passive browsing;
through unusually precise targeting parameters;
through accounts or channels with no ordinary relevance to the complainant;
in ways not replicated by reasonable controls.

3C.5 Produce an exposure-and-delivery memorandum.

The memorandum should answer:

what content was delivered;
when it was delivered;
to which account, device, browser, IP, or identifier;
through what platform mechanism;
whether delivery was ordinary, targeted, directed, anomalous, or unexplained;
what platform-side records support or refute the delivery theory.

Step 3D: Direct Control-Plane Targeting

Step 3D addresses the core allegation: that exposure was not merely the result of ordinary recommendation, user behaviour, or indirect engagement dynamics, but of a direct control mechanism.

The investigative question is:

Did a person, platform actor, contractor, advertiser, administrator, API user, campaign operator, institutional partner, or coordinated operator use a control layer to direct, boost, sequence, suppress, recommend, notify, advertise, route, or otherwise deliver content to the complainant?

This hypothesis must be tested through records.

3D.1 Identify possible direct-control vectors.

Potential vectors include:

advertising dashboards;
boosted-post tools;
promoted-content systems;
custom-audience tools;
retargeting systems;
business-manager accounts;
creator-studio tools;
notification or push-message systems;
email campaign tools;
recommendation-control systems;
content-ranking controls;
search-ranking interventions;
visibility or eligibility overrides;
moderation tools affecting reach, suppression, restoration, or promotion;
content-policy exception tools;
trust-and-safety escalation tools;
account-management tools;
creator-support tools;
API-based posting, scheduling, targeting, routing, or amplification;
third-party social-media-management platforms;
traffic-management dashboards;
botnet or engagement-farm dashboards;
compromised creator accounts;
compromised advertiser accounts;
compromised business-manager accounts;
compromised admin credentials;
internal platform tools;
employee or contractor access systems;
partner portals or enterprise access systems, where supported by the record.

3D.2 Preserve control-plane audit logs.

Preservation demands and production applications should expressly seek control-plane records, including:

administrative-access logs;
employee or contractor access logs;
role-based access-control records;
internal-tool usage logs;
business-manager access logs;
creator-studio access logs;
campaign-creation logs;
campaign-edit history;
audience-list uploads;
notification-send logs;
recommendation-control logs;
ranking or visibility override logs;
moderation-action logs;
trust-and-safety escalation logs;
content-eligibility changes;
whitelisting or blacklisting records;
search-indexing records;
ranking-intervention records;
API-call logs;
OAuth/token access records;
third-party app authorization logs;
account-delegation records;
IP/device logs for users accessing control interfaces;
payment records tied to campaigns, boosts, targeting, or traffic infrastructure.

The objective is to determine whether a direct human-controlled mechanism was used to alter delivery.

3D.3 Distinguish the source of control.

A directed operation may arise from several sources:

Platform-internal control: employee, contractor, moderation, trust-and-safety, advertising, recommendation, visibility, search, notification, or administrative tools.

Platform-integrated control: advertiser dashboards, business-manager tools, creator-studio tools, API access, promoted-content systems, custom-audience systems, retargeting systems, or partner portals.

External control: bot farms, engagement dashboards, purchased traffic, third-party posting tools, campaign-management systems, mass-linking systems, or social-media-management platforms.

Compromise-based control: unauthorized use of creator accounts, advertiser accounts, business accounts, admin accounts, API credentials, or the complainant’s own account, device, browser, or network.

Each source leaves different records and must be tested separately.

3D.4 Look for direct-control indicators.

Indicators requiring further inquiry include:

content appears in precise sequence after private events;
the same account or channel is repeatedly surfaced despite low organic relevance;
exposure occurs across platforms in a coordinated order;
content appears through notifications rather than passive browsing;
exposure occurs despite the complainant not searching for or watching related material;
exposure persists after clearing watch history, changing devices, or changing settings;
content is boosted at litigation, medical, police, family, financial, or reputational milestones;
multiple channels receive synchronized visibility increases;
posts are removed, restored, boosted, suppressed, or made eligible in suspicious sequence;
account operators show knowledge of non-public events before public disclosure;
ad or campaign records show targeting by location, identifier, custom list, interest, behaviour, lookalike group, exclusion group, or hashed identifier;
audit logs show privileged access, campaign edits, audience-list changes, moderation actions, visibility changes, or internal actions near exposure events.

These indicators do not prove direct control by themselves. They identify where control-plane records must be sought.

3D.5 Build the direct-control proof chain.

A directed operation is proven through the following chain:

Exposure proof: the complainant received the content.
Delivery proof: the content was delivered through a platform mechanism.
Control-mechanism proof: a dashboard, campaign tool, API, internal tool, moderation tool, visibility tool, recommendation tool, notification system, business-manager account, creator-studio account, or privileged access layer caused or shaped delivery.
Operator proof: logs, credentials, IPs, devices, payment records, role records, access records, or account-control records identify who used the mechanism.
Program proof: repeated actions, campaign names, internal tickets, shared infrastructure, workflows, instructions, tasking records, partner records, or coordination evidence show the mechanism was part of a repeatable program rather than an isolated event.
Collaboration proof: platform-side records, access permissions, internal actions, escalations, business relationships, data-sharing, support tickets, policy exceptions, or communications show involvement or facilitation by platform actors or platform-integrated systems.
Intent proof: timing, targeting parameters, private-event correlation, internal notes, audience lists, messages, edits, prompt histories, or coordination records show that the delivery was directed toward the complainant or a defined target class.

3D.6 Ask the “control panel” questions expressly.

Production applications should ask:

Who had administrative, business-manager, creator-studio, advertiser, API, moderation, internal-tool, partner-tool, or third-party-tool access?
What actions were taken through those interfaces?
When were those actions taken?
From what IP addresses, devices, credentials, accounts, or roles?
Were audience lists uploaded or modified?
Were campaigns created, edited, paused, resumed, boosted, suppressed, routed, or retargeted?
Were recommendation, visibility, notification, eligibility, moderation, search, or ranking settings altered?
Were internal notes, tickets, escalations, trust-and-safety actions, creator-support actions, policy exceptions, or platform-partner actions associated with the content?
Were third-party tools authorized to manage, post, boost, schedule, route, or amplify the content?
Were any platform employees, contractors, partners, advertisers, or institutional actors associated with access events near the relevant exposure dates?

3D.7 Produce a direct-control memorandum.

The memorandum should answer:

Was delivery ordinary, paid, platform-directed, campaign-directed, manually routed, compromised, or otherwise directly controlled?
What interface or tool caused or shaped delivery?
Who had access to that interface?
What logs show use of that interface?
What records connect the operator to the complainant’s exposure?
What facts support program structure, platform collaboration, knowledge, timing, targeting, or intent?

The direct-control principle is:

A directed operation is proven by linking exposure to a delivery mechanism, the delivery mechanism to a control interface, the control interface to an operator, and the operator’s actions to program structure, platform collaboration, timing, targeting, or intent.

Step 3E: Program, Platform-Collaboration, and Production-Integrity Proof

Step 3E tests whether the events reflect an organized program rather than isolated content creation. It also tests whether platform-side production is complete, reliable, and responsive.

3E.1 Identify program indicators.

Indicators include:

repeated targeting over time;
recurring content formats;
recurring timing around private events;
repeat use of the same accounts, templates, AI tools, dashboards, operators, or payment infrastructure;
coordinated activity across platforms;
repeated visibility changes;
recurring notification, recommendation, or delivery events;
common administrator access;
common API or third-party tool use;
internal tickets or support actions;
campaign naming conventions;
repeated policy exceptions or moderation decisions;
evidence of tasking, briefing, workflow, or repeatable delivery logic.

3E.2 Seek program records.

Where supported by grounds, investigators should seek:

campaign documents;
internal tickets;
trust-and-safety escalations;
creator-support records;
advertiser-support records;
business-manager records;
partner-management records;
API application records;
internal notes;
access-approval records;
data-sharing records;
payment records;
AI-generation project records;
prompt histories;
communications between platform actors, advertisers, contractors, operators, AI-tool users, or third-party vendors;
records linking multiple platforms, accounts, campaigns, AI tools, or control mechanisms.

3E.3 Seek platform-collaboration records.

Where the allegation involves major platform cooperation or facilitation, production applications should seek records capable of proving or disproving that allegation, including:

platform-side access logs;
employee or contractor access records;
internal notes concerning the complainant, accounts, content, campaigns, keywords, hashtags, or identifiers;
moderation or escalation tickets;
creator-support or advertiser-support tickets;
records of policy exceptions;
recommendation, visibility, ranking, or notification interventions;
records of data-sharing, partner access, or special account handling;
communications between platform personnel and external actors concerning the relevant accounts, content, campaigns, targeting parameters, or delivery mechanisms.

3E.4 Treat platform production as evidence, not conclusive truth.

Where the allegation involves direct platform-side control, privileged access, internal tools, recommendation/ranking intervention, moderation action, notification routing, or platform collaboration, investigators should not assume that platform productions are complete merely because they are official. Platform records should be assessed for completeness, scope, internal consistency, metadata integrity, and correspondence with the preservation demand or production order.

3E.5 Test for incomplete, anomalous, or integrity-compromised productions.

Investigators should examine whether the production omits expected categories of records, including:

internal-tool audit logs;
employee or contractor access logs;
role-based permission records;
moderation-action logs;
recommendation or ranking intervention records;
notification logs;
campaign edit histories;
audience-list uploads;
API-call logs;
business-manager or creator-studio access logs;
trust-and-safety tickets;
support escalations;
policy-exception records;
records showing deletion, restoration, suppression, boosting, eligibility, or visibility changes.

If expected record categories are absent, investigators should document the gap and, where appropriate, seek clarification, supplementary production, compliance affidavits, narrowed follow-up orders, or further judicial process.

3E.6 Develop lawful tool-capability evidence.

Where a platform denies the existence, relevance, or capability of a control mechanism, investigators may need independent evidence concerning the platform’s tools and workflows. This may include:

public platform documentation;
developer documentation;
advertising-platform documentation;
prior litigation records;
regulatory findings;
expert evidence;
academic or technical research;
lawful interviews of former employees, contractors, vendors, or platform partners;
subpoenas or production orders where available;
whistleblower disclosures received through lawful channels.

Investigators must not solicit confidential, privileged, or unlawfully obtained information. Former-employee or contractor evidence should be developed through lawful witness interviews, counsel-supervised contact, subpoena, expert-retainer processes, or protected whistleblower channels where applicable.

3E.7 Distinguish platform hosting from platform participation.

The fact that content was hosted, recommended, or monetized by a platform does not by itself prove platform collaboration. Collaboration requires additional evidence of facilitation, special handling, privileged access, internal intervention, partner access, targeting support, data-sharing, campaign assistance, moderation/ranking action, or other control-plane involvement.

The investigation should expressly distinguish:

passive hosting;
ordinary moderation;
ordinary recommendation;
paid advertising;
platform-integrated campaign delivery;
special account handling;
privileged access;
internal intervention;
coordinated platform-side facilitation.

3E.8 Produce a program, collaboration, and production-integrity memorandum.

The memorandum should answer:

Was the conduct isolated or programmatic?
What repeatable mechanism is alleged?
What records show workflow, campaign structure, or tasking?
What records show platform-side involvement or negate it?
Were platform productions complete, internally consistent, and responsive?
What persons, tools, dashboards, access rights, payments, prompts, communications, or records connect the program to delivery?

Step 3F: Baseline, Network-Level Control Testing, and Alternative Explanations

Step 3F tests whether the complainant’s exposure was ordinary platform behaviour, location-based delivery, user-induced bias, or anomalous individual targeting.

3F.1 Run reasonable controls.

Depending on the platform and facts, compare exposure against:

a clean account with no viewing history;
a logged-out session;
a different device on the same network;
the same device on a different network;
a different account with a similar but non-targeted profile;
an account in a different location;
an account with no connection to the complainant’s viewing, search, legal, medical, family, or social history.

3F.2 Conduct network-level and identifier-level baseline testing.

Where the complainant alleges targeted algorithmic or direct-control delivery, investigators should distinguish delivery to a general location from delivery to a specific identifier.

Controls should include, where feasible:

another device on the same Wi-Fi network;
another account on the same device;
another account on a different device but same IP address;
a clean account on the same network;
a clean account on a different network;
a device in the same physical location but not associated with the complainant;
a household member, colleague, or control participant using the same network but without the complainant’s search/watch/account history;
a logged-out browser session;
a browser with cleared cookies and no account login;
a device using the same location but a different advertising ID or platform account.

The objective is to determine whether delivery tracks:

location;
IP address;
device;
browser;
platform account;
advertising ID;
email;
phone number;
hashed identifier;
household;
interest profile;
custom audience;
or individual user identity.

If the content is repeatedly served to the complainant’s account or device but not to other users on the same network or in the same physical vicinity, that finding helps isolate delivery to a specific identifier rather than a general location or organic local trend. This is powerful evidence against the defence theory that exposure resulted from ordinary geography, shared IP, generalized recommendation, or user-induced browsing behaviour.

3F.3 Compare density, timing, specificity, and sequence.

The relevant question is not whether similar content could appear somewhere online. The question is whether this complainant received an unusual density, recurrence, timing, specificity, or sequencing of content compared with reasonable baselines.

3F.4 Test benign explanations.

Consider:

ordinary recommendation;
general trend content;
complainant search or watch history;
geographic relevance;
shared-device exposure;
platform clustering;
coincidence;
platform bugs;
manual searching;
benign referral links;
ordinary advertising;
ordinary topic clustering.

3F.5 Test direct-control explanations.

Consider:

paid targeting;
custom-audience use;
retargeting;
campaign delivery;
notification routing;
visibility override;
search-ranking intervention;
moderation or eligibility intervention;
internal platform access;
employee or contractor action;
API-based routing;
business-manager action;
creator-studio action;
account compromise;
device compromise;
platform collaboration;
directed program.

3F.6 Produce a baseline and defence-proofing memorandum.

The memorandum should explain which explanations remain reasonable and which require further records. It should not assume direct targeting merely because exposure occurred. It should identify whether the exposure pattern is ordinary, anomalous, directed, or unexplained.

The memorandum should expressly address common defence theories, including:

“The complainant searched for this.”
“The complainant trained the algorithm.”
“This was ordinary recommendation.”
“This was a general trend.”
“This was geographic targeting, not individual targeting.”
“This was coincidence.”
“The platform did nothing beyond passive hosting.”

Step 3G: Resource Triage and Escalation Criteria

Because direct-control and platform-collaboration investigations are resource-intensive, investigators should apply triage criteria before escalating to full production, expert, or cross-border process.

3G.1 Identify high-priority escalation indicators.

Escalation is more strongly justified where the record includes:

repeated temporal convergence with non-public events;
content referencing sealed, confidential, medical, legal, family, financial, or private information;
cross-platform synchronization;
verbatim scripting across apparently independent accounts;
evidence of AI-assisted mass production;
prompt-to-pattern indicators;
paid targeting or campaign indicators;
notifications, ads, or recommendations delivered in precise sequence;
anomalous delivery isolated to the complainant’s account/device rather than location;
account/device compromise indicators;
platform-side deletion, restoration, suppression, boosting, or eligibility changes;
prior police or institutional reports contradicted by recordings or documents;
evidence of multiple actors, payment infrastructure, common control, or shared AI-generation workflows.

3G.2 Apply proportional investigative escalation.

Where fewer indicators are present, investigators may proceed with narrower preservation and baseline steps before escalating to full direct-control production. Where multiple high-priority indicators are present, investigators should escalate to full preservation, production, attribution, delivery, direct-control, and program-proof tracks.

3G.3 Document triage reasoning.

The file should show why the investigation was escalated, narrowed, paused, or closed. Triage must not become a substitute for analysis. It must be a disciplined record-based decision.

Step 3H: Integrated Grounds Development

Step 3H integrates pattern, attribution, exposure, delivery, direct-control, program, collaboration, production-integrity, AI-provenance, baseline, and triage evidence into further investigative steps.

3H.1 Prepare an integrated grounds brief.

The brief should include:

public-facing pattern evidence;
temporal-convergence matrix;
content-fingerprinting analysis;
AI-provenance or prompt-to-pattern analysis;
cross-platform coordination analysis;
preservation returns;
attribution returns;
complainant-side exposure records;
platform-side delivery records;
direct-control records;
program records;
platform-collaboration records;
production-integrity analysis;
network-level baseline analysis;
triage reasoning;
remaining evidentiary gaps.

3H.2 Determine whether further production or warrants are required.

Further process may be needed for:

stored content;
direct messages;
platform internal records;
employee or contractor access logs;
business-manager accounts;
advertiser dashboards;
campaign systems;
notification systems;
recommendation or visibility systems;
API records;
third-party scheduling tools;
AI-generation platforms;
prompt histories;
cloud project files;
payment processors;
domain hosts;
email providers;
devices;
cloud accounts;
account-compromise evidence;
platform production-compliance evidence.

3H.3 Identify the proof theory.

The investigation should state which theory is supported:

ordinary exposure with no offence;
harassment by content creation only;
harassment by coordinated content production;
AI-assisted harassment production;
paid targeting;
retargeting;
platform-side delivery;
direct control-plane targeting;
platform collaboration;
account/device compromise;
directed program;
conspiracy or organized coordination.

3H.4 Produce the integrated proof memorandum.

This memorandum should become the investigative bridge to Crown review, further warrant applications, police oversight review, or court proceedings.

Step 4: Charge Assessment and Evidentiary Integration—Days 60–180

4.1 Compile the full evidentiary record.

The record should include:

public-facing pattern evidence;
temporal-convergence evidence;
content-fingerprinting evidence;
AI-provenance and prompt-to-pattern evidence;
cross-platform coordination evidence;
preservation records;
attribution evidence;
complainant-side exposure evidence;
platform-side delivery evidence;
direct-control records;
program records;
collaboration records;
platform production-integrity analysis;
network-level baseline testing;
financial, advertising, referral, API, notification, moderation, ranking, or visibility evidence.

4.2 Keep the proof questions separate.

Content proof: Did the content exist, and what did it say or depict?

AI/provenance proof: Was the content generated, edited, scripted, voiced, templated, or exported through identifiable AI or production tools?

Attribution proof: Who created, uploaded, controlled, paid for, amplified, or coordinated it?

Exposure proof: Did the complainant actually receive it?

Delivery proof: How did it reach the complainant?

Direct-control proof: Was delivery caused or shaped by a dashboard, campaign tool, API, moderation tool, recommendation tool, notification system, business-manager account, creator-studio account, internal platform tool, or other control layer?

Program proof: Was the conduct part of a repeatable operation, workflow, campaign, or system?

Collaboration proof: Did platform actors, platform tools, platform records, platform permissions, or platform-integrated systems facilitate or participate in the delivery?

Intent proof: Do timing, targeting, records, communications, campaign parameters, prompts, or control actions show that the delivery was directed?

4.3 Assess offence categories.

Potential offences may include:

criminal harassment under s. 264;
uttering threats under s. 264.1;
unauthorized use of computer under s. 342.1;
intimidation under s. 423;
fabricating evidence under s. 137, where reports or records are knowingly false;
participation in or commission of offences for a criminal organization under ss. 467.11–467.12, where the evidence supports coordinated serious criminal activity.

4.4 Assess how direct control affects intent.

Evidence of paid targeting, custom-audience delivery, retargeting, campaign edits, notification routing, visibility overrides, moderation interventions, internal-tool actions, API calls, platform-side access, account compromise, AI-prompt histories, prompt-to-pattern records, or platform collaboration may be highly probative of knowledge, intent, repetition, coordination, and targeting.

4.5 Consult Crown.

Consult Crown on:

charge viability;
sufficiency of grounds;
privacy limits;
disclosure obligations;
further production orders;
warrants;
expert evidence;
mutual legal assistance;
cross-border platform issues;
platform-internal records;
AI-platform records;
possible third-party record applications;
whistleblower or former-employee witness handling.

4.6 Document the complete investigative record.

The record should be organized so that a prosecutor, court, oversight body, or reviewing authority can follow the path from pattern to preservation, attribution, exposure, delivery, direct control, program structure, collaboration, AI provenance, baseline testing, and intent.

Step 5: Final Investigative Product

The final investigative product should not merely state that screenshots were reviewed. It should answer the full evidentiary pathway:

Pattern: What public-facing pattern was documented?
Threshold: Why did the pattern satisfy reasonable suspicion?
Preservation: What records were preserved, when, and from whom?
AI/provenance: Were AI tools, prompt histories, editing systems, voice-generation tools, project files, or export histories linked to the public-facing content?
Attribution: Who created, uploaded, controlled, financed, or coordinated the content?
Exposure: Did the complainant actually receive the content?
Delivery: How did the content reach the complainant?
Direct mechanism: Was delivery caused by recommendation, search, notification, referral, ad delivery, retargeting, campaign routing, visibility intervention, moderation action, API call, platform-side routing, or account/device compromise?
Control plane: Was any dashboard, campaign tool, API, moderation tool, recommendation tool, notification system, business-manager account, creator-studio account, internal platform tool, employee/contractor access layer, partner system, or third-party control interface used?
Program: Was the conduct part of a repeatable operation, workflow, campaign, or targeting system?
Collaboration: What records prove or disprove platform-side involvement, facilitation, special handling, privileged access, or platform-integrated control?
Production integrity: Were platform productions complete, internally consistent, and responsive? If not, what gaps remain?
Baseline testing: Was the exposure specific to the complainant, or also present for controls on the same network, device class, location, or interest profile?
Operator identity: Who used the relevant accounts, tools, dashboards, credentials, payment instruments, prompt histories, or devices?
Intent: What records connect the operator’s actions to timing, targeting, private-event knowledge, program structure, or coordinated purpose?
Offence analysis: Which offences are supported, and what further evidence is required?
Disclosure: What records must be disclosed to Crown, defence, oversight bodies, or the court?

The final principle is: From pattern to proof means moving through each evidentiary layer: public signal, preservation, AI provenance, attribution, exposure, delivery, direct-control mechanism, program structure, platform collaboration, production integrity, baseline testing, operator identity, and intent. A directed platform operation is proven not by the existence of suspicious content alone, but by records showing that someone used, controlled, or collaborated through a delivery system to target the complainant.

16. Conclusion: The Investigative Imperative in the Age of Deniable Digital Harm

16.1 The Core Proposition

The central argument of this paper is simple, legally grounded, and practically urgent: the evidence needed to open an investigation is not the evidence needed to win a prosecution.

This is not a novel proposition. It is the foundational structure of Hill, Ahmad, Chehil, Beaver, and Ramelson—the Supreme Court's own framework for what investigation requires and what it is designed to produce. Investigation is the process of developing evidence from preliminary grounds to prosecutable case. Requiring prosecutable evidence before investigation begins is not law enforcement; it is evidence laundering—using the absence of investigation-produced evidence to justify the failure to investigate.

Coordinated online harassment campaigns are specifically designed to exploit this institutional failure. Their operational architecture— distributional deniability, algorithmic intermediation, temporal plausible deniability—creates exactly the evidentiary gap that allows dismissal of the public-facing pattern evidence while placing attribution evidence beyond what a private citizen can access.

The perpetrators are rational: if investigations routinely refuse to begin without attribution evidence, and attribution evidence can only be accessed through investigation, the circle forecloses inquiry permanently.

The institutional response this paper addresses—treating visual evidence of coordinated harassment as "collage," applying proof standards to investigation thresholds, pathologizing complainants rather than analyzing evidence, deferring to police narratives in oversight proceedings—is not merely an error. It is the capture of institutional process by the very harm the process exists to address.

16.2 The Pattern Is the Point

Visual evidence of coordinated online harassment is, by its nature, pattern evidence. It does not look like a smoking-gun document, a confession, or a physical trace. It looks like dozens of screenshots, timing charts, annotated images, and analytical tables. That character— visual, aggregated, patterned—reflects the character of the crime: distributed, deniable, algorithmic.

Pattern evidence is what the Ahmad constellation framework is designed to process. It is what Villaroman instructs triers of fact to assess holistically, eliminating unreasonable alternative explanations rather than demanding direct proof. It is what s. 487.012 preservation demands are designed to protect pending the investigation that develops it further.

The investigator confronting a collection of visual harassment evidence has a professional and legal obligation to ask the right question: does this pattern, assessed by an objective observer, give rise to a reasonable possibility of criminal activity?

Not: is it proved?

Not: can the complainant name the perpetrators?

Not: is the complainant in good mental health?

Not: has the complainant been litigious?

The right question. The right threshold. Applied rigorously, honestly, and with awareness of the institutional pathologies that have historically foreclosed it.

16.3 The Stakes

The people who present visual "collages" of coordinated online harassment to police and oversight bodies have already, in most cases, spent months or years documenting a pattern of harm that is damaging them in ways that are well-documented in the psychological literature: cognitive impairment, CPTSD, learned helplessness, and in the most severe cases, the neurobiological damage associated with torture-level chronic stress.

They present this documentation because investigation is what they need and cannot obtain on their own. They need preservation orders issued within the platform retention window. They need production orders for subscriber data. They need someone with the authority to ask platforms who actually uploaded these videos and who paid for their distribution.

When institutions respond by characterizing the documentation as evidence of irrationality, they are not just making a legal error. They are adding institutional betrayal—the devastating compounding factor that psychological research consistently identifies as among the most damaging elements of chronic interpersonal trauma—to an already severe harm.

The law provides the tools. The threshold is low. The investigative imperative is clear.

The only thing required is the institutional willingness to ask the right question.

17. Table of Authorities

Case Law

Canada (Minister of Citizenship and Immigration) v. Vavilov, 2019 SCC 65, [2019] 4 SCR 653.
Reasonableness review; rational chain of analysis; responsiveness to record and submissions; limits on supplying absent reasons; wrong-question decisions; paras. 85–86, 96–97, 99–103, 127–128.

Green v. Nova Scotia (Human Rights Commission), 2011 NSCA 47.
Screening reasons may be concise in appropriate contexts, but the basis for dismissal must be discernible from the record; paras. 27–43, 35, 40, 44–48.

Hill v. Hamilton-Wentworth Regional Police Services Board, 2007 SCC 41, [2007] 3 SCR 129.
Reasonable diligence in police investigation; investigation may be reasonable in the absence of overwhelming evidence because evidence usually becomes overwhelming through investigation; paras. 36–37, 58.

Mercier v. Nova Scotia (Police Complaints Commissioner), 2014 NSSC 79.
Police Review Board function; complainant not necessarily required to have corroborating witnesses before hearing; “he said, he said” disputes may be why the Board has a role; para. 35.

R. v. Ahmad, 2020 SCC 11, [2020] 1 SCR 577.
Reasonable suspicion; constellation of objectively discernible facts; lower threshold than proof or probability; particularized basis for investigation; paras. 41, 45–49.

R. v. Beaver, 2022 SCC 54.
Threshold hierarchy; distinction between reasonable suspicion, reasonable and probable grounds, and proof beyond reasonable doubt; reasonable possibility standard; paras. 71–72.

R. v. Bykovets, 2024 SCC 6.
IP addresses as attribution evidence; IP information connects internet activity to identity, location, and broader patterns of activity; privacy interests in police access to IP data; paras. 10–11, 29, 55–56, 73.

R. v. Chehil, 2013 SCC 49, [2013] 3 SCR 220.
Reasonable suspicion requires a reasonable possibility of criminal activity; totality of circumstances; more than hunch but less than reasonable grounds; para. 27.

R. v. Hape, 2007 SCC 26, [2007] 2 SCR 292.
Territoriality, jurisdiction, and state investigative authority in cross-border contexts.

R. v. Libman, [1985] 2 SCR 178.
Territorial jurisdiction; real and substantial connection test; jurisdiction may exist where significant elements or harmful effects occur in the forum; pp. 212–13.

R. v. Loewen, 2010 ABCA 255.
Reasonable and probable grounds do not require certainty or proof beyond reasonable doubt; objective reasonableness of belief; para. 32.

R. v. Ramelson, 2022 SCC 44.
Online investigative spaces; online spaces as informational rather than merely geographic; reasonable suspicion may attach to a sufficiently precise online space; posts, messages, hyperlinks, and interaction patterns as investigative field; paras. 35–36, 49–54, 57.

R. v. Spencer, 2014 SCC 43, [2014] 2 SCR 212.
Subscriber information as the bridge between online activity and identity; anonymity and informational privacy; attribution requires lawful process; paras. 31–32, 46, 66.

R. v. Villaroman, 2016 SCC 33, [2016] 1 SCR 1000.
Circumstantial evidence; holistic assessment; alternative explanations must be reasonable rather than merely conceivable; inference versus speculation; paras. 35–37.

Society of Composers, Authors and Music Publishers of Canada v. Canadian Assn. of Internet Providers, 2004 SCC 45, [2004] 2 SCR 427.
Internet communications as both “here” and “there”; effects-based analysis for cross-jurisdictional internet conduct; paras. 59–61.

Taylor v. Nova Scotia (Attorney General), 2019 NSSC 292.
Reasonableness review of Police Complaints Commissioner decisions; sparse reasons require record examination; inadequate process may warrant remittal; paras. 76–77, 132–133, 137–138.

Statutes and Regulations

Criminal Code, RSC 1985, c C-46.

s. 83.22 — Instructing to carry out terrorist activity; identity, attribution, and coordination may be investigative objects rather than preconditions to inquiry.
s. 137 — Fabricating evidence; relevant where police reports are contradicted by recordings or documentary evidence.
s. 264 — Criminal harassment.
s. 264.1 — Uttering threats.
s. 342.1 — Unauthorized use of computer.
s. 423 — Intimidation.
ss. 467.11–467.12 — Participation in and commission of offences for a criminal organization.
s. 487.012 — Preservation demand for computer data; reasonable-suspicion threshold; no judicial authorization; generally expires after 21 days.
s. 487.013 — Preservation order for computer data; judicial authorization; reasonable-suspicion threshold; up to 90 days.
s. 487.0131 — Order to keep account open or active; reasonable-suspicion threshold; up to 60 days unless renewed.
s. 487.014 — General production order; reasonable grounds to believe; broad production mechanism for documents or data that will afford evidence respecting the commission of an offence.
s. 487.015 — Production order to trace a specified communication; reasonable-suspicion threshold.
s. 487.016 — Production order for transmission data; reasonable-suspicion threshold.
s. 487.017 — Production order for tracking data; reasonable-suspicion threshold.
s. 487.018 — Production order for financial data; reasonable-suspicion threshold; account-identifying financial information from financial institutions and designated reporting entities.

Police Act, RSNS 2004, c 31, ss. 31, 42, 74.
Police duties, complaint process, oversight structure, and referral powers.

Police Act Regulations, NS Reg 230/2005, s. 24(3)(a).
Neglect of duty: neglecting to, or without adequate reason failing to, promptly, properly, or diligently perform a duty as a member.

International Materials

United Nations Human Rights Council. Report of the Special Rapporteur on Torture and Other Cruel, Inhuman or Degrading Treatment or Punishment, Nils Melzer: Psychological Torture and Ill-Treatment. UN Doc A/HRC/43/49, 2020.
Technology-mediated psychological harm; cumulative conditions of cyber-enabled harm; institutional arbitrariness and psychological suffering; state and corporate capacity to conduct cyber operations inflicting severe suffering; implementation recommendations; paras. 63, 72, 82.

Platform and Government Guidance

Canadian Anti-Fraud Centre. Report Fraud and Cybercrime.
Identifies local police as the investigative body for reported fraud and cybercrime, while CAFC collects and shares information.

Canadian Centre for Cyber Security. Report a Cyber Incident for Individuals.
Advises individuals experiencing online harassment, bullying, exploitation, cybercrime, or serious online threats to contact local police.

Google. Transparency Report: Government Requests for User Information / Legal Process and YouTube Data.
Identifies YouTube-related data categories available through lawful government process, including subscriber registration information, sign-in IP addresses and timestamps, video-upload IP addresses and timestamps, private video information, and private message content.

Meta. Law Enforcement Guidelines.
Distinguishes user-facing reporting from law-enforcement data requests; identifies legal-process requirements for subscriber records, IP records, stored content, and account preservation.

Royal Canadian Mounted Police. National Cybercrime Coordination Centre: Report Cybercrime and Fraud.
Directs victims of cybercrime or fraud to local police and identifies local police as responsible for investigation.

TikTok. Law Enforcement Data Request Guidelines.
Identifies a distinct law-enforcement request pathway for user-activity information, separate from ordinary user reporting.

Secondary Sources—Digital Evidence, Platform Systems, and Coordinated Online Behaviour

BAE Systems Detica / John Grieve Centre for Policing and Security, London Metropolitan University. Organised Crime in the Digital Age. 2012.
Organized digital offending; convergence of online and offline criminal activity; law-enforcement implications.

Magelinski, T., Ng, L.H.X., & Nwala, A. “Detecting Coordinated Online Behavior: A Synchronized Action Framework.” 2021.
Coordination detection based on statistically unlikely temporal and content overlaps across accounts and platforms.

Minici, M., Cinus, F., Luceri, L., & Ferrara, E. “Uncovering Coordinated Cross-Platform Information Operations.” 2024/2025.
Detection of coordinated inauthentic activity across multiple social-media platforms.

Pasquale, F. The Black Box Society: The Secret Algorithms That Control Money and Information. Harvard University Press, 2015.
Platform opacity, algorithmic accountability, and structural barriers to transparency.

Ribeiro, M.H., et al. “Auditing Radicalization Pathways on YouTube.” Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency, 2020.
Algorithmic amplification and directional content exposure on YouTube.

Sheridan, L., James, D.V., & Roth, J. “The Phenomenology of Group Stalking (‘Gang-Stalking’): A Content Analysis of Subjective Experiences.” International Journal of Environmental Research and Public Health 17, no. 7 (2020): 2506.
Peer-reviewed qualitative/content-analysis study of reported group-stalking experiences; the authors note an initial online search producing more than 20 million hits, conclude that the experience appears to be a “widespread phenomenon” subject to little scientific examination, identify “resentment/distress” at being pathologized as a reported sequela, and stress that the phenomenon warrants further study and careful assessment rather than reflexive dismissal.

Visuals

Visual Evidence Guide

Upstream Verbatim Scripting. By Way of the Posting Cadence, This is a Full-Time Job For Certain Actors.

Frameworks Like This Are Not Built for the Sake of One Target. They Can However be Aimed at Anyone via Tailored Algorithm.

Detailed Example.

As above per the embellished HRP report that was provided to EHS.
Full details at the HRP Page (Here).

May 13, 2023 Live Audio Recording Hfx QE II

Sample Private Event: Disproportionate Timing & Response. Unmistakable Accuracy & Relevance.

On May 11th, 2023, I had a small backyard bonfire mishap involving nearby foliage that was resolved in roughly two minutes through a few buckets of water. Two fire trucks showed up at the three-minute mark, with several police officers in tow. The alacrity of the response seemed impossible, and it was widely disproportionate to the scope. I spoke briefly to the officers and then settled-in for the night. Less than two days later on the morning of Saturday, May 13th, a large white van rolled into the driveway, accompanied by a police paddy wagon. Two social workers and three police officers identified as a "mental health crisis team". They interviewed me in the living room while I was still in my pajamas. I was able to glean from the social worker that her concern had ultimately stemmed from pejorative guidance provided by HRP, and not the innocuous fire incident itself. I was then asked to accompany them to the Halifax QEII Health Centre. I peaceably objected to the unfounded violation of my privacy (R. v. Ahmad, 2020 SCC 11 at paragraph 38), before being handcuffed, and placed in the back seat of the van. I waited in the ER lobby with an HRP officer for roughly five hours before being interviewed by a medical resident. After a brief discussion that I recorded, as is show below, the EHS resident was satisfied that HRP's response was disproportionate. The event was telegraphed, as is the case with other event milestones, and was likewise reflected through visuals that appear to be generated through AI.

The visuals below are dated May 11th through May 13th, and share characteristics of the events described. Namely, the campfire incident with a disproportionately fast three-minute response time by both Police and Fire units (a response standard likely impossible under normal conditions, and very disproportionate to address the need), the use of wilted flowers to start the campfire, a white pick-up van, and an ensconced camera-equipped room where I was interviewed by resident Eastman. The visual shown by "Cosmic Wifey" on May 13th, 2023 depicting flowers, a white pick-up van, reference to the pick-up, and the suggestion of a special designation might be AI-generated, and is a compelling example of the species of scandal I am addressing here. The other actors shown, "Prophetic Record", "Stephanie P. Smith", "Word of God with Lola", and "Jordan's Journey" reference a vigilance standard, the visit, the pick-up, and the interview in the ensconced room. It is possible I may have been connected to the dark web for several years, not unlike a CSIS lab rat. The use of AI and algorithms suggest big tech commercial interests, as it would not be feasible otherwise. State actors, in partnership with the same, have ongoing visibility to my biometric data.

This Capability Requires Upstream Organization, Funding for Full-Time "Staff", Algorithmic Control, and a Surveillance Node.

Cotemporaneous Private Event Tracking (ie - Sealed Court Milestones) Yields an "Online Space" Under R. v. Ramelson, 2022 SCC 44.

CAGE Director

These Engagements Have Tracked Court Milestones Closely, and are Suffused With Relevant Symbolism.

CAGE Director

*CAGE Retainer Fee Claims*

Eight (8) 30-minute hearings w/ minimal prep.

Seven (7) lawyers assigned to overlapping tasks.

The customary tariff is $4,500 ($500 x 8 hearings).

One (1) 20-minute hearing w/ minimal prep.

Third-Party Assurances Were Required.

One hearing = More than Canada's Average Annual Salary.

"Special costs are fees a reasonable client would pay a reasonably competent solicitor to do the work described in the bill."
- Bradshaw Construction Ltd. v. Bank of Nova Scotia (1991), 54 B.C.L.R. (2d) 309 (S.C.), para 44

Bank Account Freeze, June 27, 2024.

A Key Actor in the Online Cohort is Alleged to be the Biological Mother of my Estranged Nephew as an Oocyte Donor.

Oocyte Donor

Nephew

Family Affidavit [Click]

Organized & Scripted

Some actors reside overseas, while many others are domiciled here in Canada. These groups operate like an online business. They are hired as contractors by governments and big companies. When assigned to a project, they remain focused. As it pertains to this scandal, police have refused services and filed false reports instead of responding as would be reasonable. This suggests a robust interest.

The Characteristics Point to the Likelihood of a Clandestine Citizen Profiling Project, or at Minimum, a Pilot, that Leverages Intimate Data.

Follow the Money: Charitable Donations.

Occult Symbolism.

Defining the Actors

The challenge in discussing "cults" is that there is insufficient language to treat of the subject. I buttress this term to the UNODC classification by means of the fact that many of the online actors pictured express themes germane to occultism, witchcraft, voodoo, and other related "graveyard" themes. The adjacent website appears to identify groups of criminal actors in the same capacity. As an operative definition of "cult", I am satisfied to rely on a simple definition that maintains a group of individuals known to each other, who act in accord with one another, and who collectively hold an overarching set of beliefs. That definition may appear to be diluted, but absent any substantiating materials suggesting the defintion should be expanded, that is all one can reasonably posit.

Threats of Death, Abduction, Human Experimentation, Bankruptcy, Identity Theft, and More

The adjacent images depict what might be the easiest discernible metric. Those sincerely religious or devout simply do not communicate like this. Full stop.

"Trust Account"

Contractors

A few of those involved in online mischief are shown to be domiciled in Canada and hold a part-time job in "government services". A number of actors are domiciled in the United States, a few are in Europe, and another large group of actors appear to be domiciled in South Africa. A common theme, as mentioned previously, is that these actors have been insulated from prosecution, despite their conduct being obvious and actionable under section 83.22 of the Criminal Code.

UN Human Rights Council Report A/HRC/43/49 (2020) Provides the Legal Framework for Precisely this Risk Envelope.

The Threshold For Police Engagement is Reasonable Suspicion Under R. v. Chehil, 2013 SCC 49. Frameworks are Built for Repetition.

Thread V: Diffuse & Disrupt

Upstream Verbatim Scripting. By Way of the Posting Cadence, This is a Full-Time Job For Certain Actors.

Frameworks Like This Are Not Built for the Sake of One Target. They Can However be Aimed at Anyone via Tailored Algorithm.

Detailed Example.

This Capability Requires Upstream Organization, Funding for Full-Time "Staff", Algorithmic Control, and a Surveillance Node.

Cotemporaneous Private Event Tracking (ie - Sealed Court Milestones) Yields an "Online Space" Under R. v. Ramelson, 2022 SCC 44.

CAGE Director

These Engagements Have Tracked Court Milestones Closely, and are Suffused With Relevant Symbolism.

"Special costs are fees a reasonable client would pay a reasonably competent solicitor to do the work described in the bill." - Bradshaw Construction Ltd. v. Bank of Nova Scotia (1991), 54 B.C.L.R. (2d) 309 (S.C.), para 44 Bank Account Freeze, June 27, 2024.

A Key Actor in the Online Cohort is Alleged to be the Biological Mother of my Estranged Nephew as an Oocyte Donor.

The Characteristics Point to the Likelihood of a Clandestine Citizen Profiling Project, or at Minimum, a Pilot, that Leverages Intimate Data.

Follow the Money: Charitable Donations.

Occult Symbolism.

Threats of Death, Abduction, Human Experimentation, Bankruptcy, Identity Theft, and More

UN Human Rights Council Report A/HRC/43/49 (2020) Provides the Legal Framework for Precisely this Risk Envelope.

The Threshold For Police Engagement is Reasonable Suspicion Under R. v. Chehil, 2013 SCC 49. Frameworks are Built for Repetition.

"Special costs are fees a reasonable client would pay a reasonably competent solicitor to do the work described in the bill."
- Bradshaw Construction Ltd. v. Bank of Nova Scotia (1991), 54 B.C.L.R. (2d) 309 (S.C.), para 44

Bank Account Freeze, June 27, 2024.