Conducting Open Source Due Diligence for Safeguarding Research Partnerships

This is a voluntary guide that seeks to provide guidance on open source due diligence methods for those looking to complete the National Security Guidelines for Research Partnerships. This guide has been drafted to be adapted by institutions as needed to complement their own policies and tools. It is targeted at research administrators, technology transfer professionals, post-secondary business officers and research security officers; researchers are welcome to make use of this guide should they wish to do so. For an abridged version for researchers, refer to the Open Source Due Diligence Summary.


Executive Summary

This guide is designed to help any individual looking to identify, assess, and manage risks to research, especially risks arising from partnerships. As such, the guide is written so that it can be understood by, and applied to, any audience; some content may be more or less useful to each individual based on their unique situation.

The guide draws on methods from Open Source Intelligence (OSINT), an intelligence discipline that collects and analyses public information to support decision-making; for this guide, we term this open source due diligence. By helping you bring structure to your thinking and approach, open source due diligence methods make the online world more discoverable.

While the majority of research partnerships are transparent and provide mutual benefits to all research partners, some activities by foreign governments can pose real national security risks. This guide will provide you with tools and techniques to identify these risks to research partnerships.

The guide is structured as a practical open source due diligence process that enables you to Know Your Partner and manage potential risks on behalf of or in collaboration with a researcher; the guide will refer to the research in question as “your research” and the partner in question as “your partner”.

After providing an overview of open source due diligence methods and the potential risk indicators they may help you find, the guide provides a step by step method for conducting open source due diligence on research partners.

Planning Open Source Due Diligence

This section provides tips and techniques to design an open source due diligence plan. The first step is examining what you already know and identifying knowledge gaps. These gaps form the basis for research questions and research tasks targeted at specific information sources.

Using Consistent Methods to get reliable, repeatable results

This section introduces you to the Three Cs Method, an easy to remember framework to help you organize your thinking and search syntax.

  • Context sets the outside boundaries of your search. This could be a particular source of information or keywords that help to set the logical context of an internet search.
  • Content are the phrases or concepts that you expect to find within the Context. Content keywords are more specific than context keywords, and get to the heart of your question.
  • Controls are ways to focus your results and reduce noise. You can use them when your initial results are too voluminous or noisy.

How to pursue findings fully, and how to know when you are done

There is no one “right” way to do open source due diligence, so you will have many small decisions to make along the way. This section provides guidance on making sound, evidence-based decisions. Making and documenting these decisions carefully will help you assess the relationships, interests and intentions of your partner.

How to document and explain your findings

This section provides practical tips to ensure you communicate your findings and assessments in a clear, actionable way, recognizing that anyone involved in the development, evaluation and funding of a research project may want more information on your findings. There is no one-size-fits-all recipe for assessing risk, but the essential ingredients are evidence and judgement. For any risk you have identified, consider what mitigation measures you can put in place to address them.

Conducting effective open source due diligence and explaining what you find accurately, to whomever may request additional information, are the first steps in taking and maintaining control of intellectual property, the research agenda and any research outputs.



Purpose

The purpose of this guide is to help the research community identify, assess and manage risks to their research and work, especially risks arising from partnerships. The guide draws on methods from Open Source Intelligence (OSINT), an intelligence discipline that collects and analyses public information to support decision-making; this guide uses the term open source due diligence. While this guide is aimed at research administrators, technology transfer professionals, post-secondary business officers and research security officers, individual researchers or researchers who are completing the National Security Guidelines for Research Partnerships risk assessment form or other similar questionnaires may benefit from this guide.

1. Introduction & Background

Open source due diligence methods are techniques and processes for finding, organizing and analyzing publicly available information – usually from the Internet – in support of important decisions. Among other things, open source due diligence is a valuable tool for confirming the intentions and interests of partners you work with or you accept funding from.

The Government of Canada recognizes the value of partnerships. Open and collaborative academic research is indispensable to pushing the boundaries of science and addressing complex economic and societal challenges in Canada and around the world. Addressing these challenges requires not just national and international academic collaborations, but also strong research partnerships with the private, public and not-for-profit sectors. Research partnerships include both formalized agreements – where all parties share and work towards an agreed upon goal through a financial commitment or legal document – and informal agreements, such as a student visiting another lab for a period of time. Regardless of the degree of formality of your partnership, knowing who you are working with is beneficial and supports the integrity of research.

Not all partnerships are risky. The majority of research partnerships are transparent and provide mutual benefits to all research partners. However, some activities by foreign governments, militaries and other actors can pose real risks to Canada’s national security, the integrity of Canada’s research ecosystem, and your reputation and the research in question. While the level of risk may vary, risks can never be entirely reduced or accounted for. In many situations, partnerships with a certain level of risk – that also provide net positive benefits – can still go forward with the appropriate mitigations in place. This assessment will assist researchers and research organizations in making an informed decision on whether to proceed with a partnership. For this reason, the Government of Canada has consulted with Canadian post-secondary institutions and research associations to develop policies, processes, and guidance to help you manage these risks. You can learn more about this effort, and why research security and this open source due diligence matter, on the Safeguarding Your Research Portal.

This guide will provide you with the tools and techniques to take the first step in ensuring that a partner’s goals align with the goals of your research. Understanding a partner, including their interests and relationships, is an important first step in ensuring that researchers and institutions maintain control of their research and intellectual property.

In almost every case, the information you need to conduct due diligence is freely available online from public sources. Footnote 1 This guide will give you a practical approach to planning, executing and interpreting this open source due diligence.

The guide is designed to help you:

  • Structure an open source due diligence research plan
  • Implement your plan with reliable, responsible techniques
  • Conduct your open source due diligence research process efficiently and ethically
  • Pursue leads to their logical conclusion
  • Document and explain your findings

Each step in this guide builds on the steps before it. Be sure to review all steps and reflect on the questions provided at the end of each section. You may also want to return to certain sections of the guide while you are conducting your open source due diligence, in order to confirm your approach or find alternatives.



2. What are open source due diligence methods and why should you use them to research partners?

As the availability and volume of public information has increased online, open source due diligence has become a common ingredient in many important decisions, whether in business, government, or academia. Open source due diligence methods bring focus and intent to online research and discovery. They provide a structured approach to finding and interpreting online information to make important decisions.

The open source due diligence you may have been asked to conduct through the National Security Guidelines for Research Partnerships The main objectives of open source due diligence are to:

  • verify that your partners are who they say they are
  • confirm that their relationships and motivations are clear
  • ensure there are no obvious sources of unwanted control or

Understanding your research partner allows partnerships to proceed with confidence, knowing that potential risks have been identified and mitigated.

Open source due diligence is the first step in a process. Using open source due diligence to build a full picture of your partner will help you anticipate questions and proactively address concerns that might arise later from institutions, your other partners and collaborators, or your research funders. Understanding your partners and their intentions sets you and your research up for success.

Conducting Open Source Due Diligence Ethically

Like any form of research, there are important ethical considerations related to open source due diligence. Poorly executed open source due diligence can produce inaccurate, incomplete, or biased results. Irresponsible open source due diligence can also invade the privacy (or expected privacy) of other people, be used to draw sweeping conclusions from limited evidence, or use data that is collected outside acceptable and ethical norms. You should apply the same ethical commitments you have to your work—integrity, accuracy and the dignity of the research subject—to your open source due diligence.

The best way to ensure you are conducting ethical open source due diligence is by building good open source due diligence skills. It’s a bit like driving a car: good driving is safe driving, while most bad driving is also unsafe. In the same way, good open source due diligence is, by definition, safe and responsible. Most ethical lapses (and driving accidents) occur when people are struggling to accomplish a task, or rushing through something that requires more time and attention. This guide is designed to help you conduct effective, efficient, and responsible open source due diligence searches, and make sense of what you find.



3. What should open source due diligence help you find?

For the purposes of this guide, open source due diligence can be used to ensure that your research partner’s intentions and relationships are clear and appropriate for your project. This will help you assess potential risks to your intellectual property, stay in control of your research and ensure that the partnership meets its intended goals.

The most significant national security risks to your research are:

  • the transfer of your research knowledge to foreign governments without your consent
  • tampering with your research findings in order to reduce their value, damage your reputation and achievements or potential benefit to Canada.

These risks are most likely to occur if your research partner has conflicting interests or is under the control or influence of a foreign government, especially from countries known to steal intellectual property (IP) from academic researchers (The Canadian Security Intelligence Service (CSIS) has identified several such countries). Other indicators that could influence your risk assessment include the ranking of the partner country on indices such as the Academic Freedom Index or the Corruption Index.

Inappropriate control and interference in your partnership can take many forms. Below are some potential indicators of risk, along with examples of how you can verify the likelihood of the risk through an open source due diligence search. These are only a few illustrative examples, to demonstrate the range of potential risks and information sources. There are many other ways that you may identify risks.

POTENTIAL RISK INDICATOR (followed by OPEN SOURCE EXAMPLES)

Organizational structures or relationships that may limit or compromise your partner’s independence or autonomy
  • Corporate records showing large foreign shareholders, especially from foreign states known to target academic institutions in Canada, such as Russia and the People’s Republic of China (PRC), according to CSIS
  • Website showing international subsidiaries (a company owned by another company) working in your area of research, especially from foreign states known to target academic institutions in Canada

Indications that your partner has also partnered with a foreign government on sensitive research areas
  • Press release announcing a strategic R&D investment in your partner by a foreign government on a dual-use technology Footnote 2

Indications that your partner has a close relationship with foreign militaries or security services
  • News reports that your partner has secured a contract with a foreign military in a country of concern

Information showing that your partner has facilities in countries known to steal IP from academic researchers, where your research could be duplicated without your knowledge.
  • News coverage of your partner opening a new research facility in a foreign country known to maliciously target academic institutions in Canada

Any information that doesn’t line up with what your partner has told you, suggesting a lack of candor or transparency on their part
  • You find information showing they operate in multiple international locations, when they had told you they work exclusively in Canada
  • Your partner tells you they are only investing in your research, but you find other academics who say they also work with your partner

No one piece of information is likely to cause concern – rather it is the accumulation of information, combined with your understanding of your research’s sensitivity, that will help you to assess the situation. It is likely that most of what you will find can be explained and any potential issues can be managed and mitigated. But you have to do the open source due diligence in order to make an informed decision about your partner.

For example, many Canadian companies have some presence internationally, so the presence of sales or marketing offices in foreign countries is probably not a cause for concern. But if your partner owns private research labs that specialize in your field which they haven’t told you about, and those labs are in a country known to steal IP from academic researchers, there is a reason to investigate further.

The sections that follow will help you develop and execute an open source due diligence plan that will inform these judgements.

Open Source Due Diligence and You:

Based on what you already know about your research and partnership, what are the most likely national security risks to your work? What risks might be less likely, but more consequential?



4. How to plan your open source due diligence

Knowing where to start with open source due diligence can be challenging. Building a plan before you dive in is an important first step in staying focused and efficient. Taking the time to do so will save you time over the long run.

Step 1: Understand your baseline risk

Understanding the baseline risk associated with your research project and partnership is the best place to start, since it will help you set reasonable expectations and begin picturing potential risks. Nearly every academic discipline and research area has some potential risks (see a summary of the risks here), but some research areas are more sensitive than others. Annex A of the National Security Guidelines for Research Partnerships provides a non-exhaustive list of areas that are considered sensitive by the Government of Canada.

You know your work and how it might be used, including any dual-use potential, that might make it a target. Your understanding of the sensitivity of your work should contribute to the baseline risk that you associate with your work. You should keep in mind that risks can evolve, and you should continue to reassess how your work could be used to advance goals that are not your own.

You are not expected to become a security expert, but keeping these considerations in mind when conducting open source due diligence can help you make sense of your findings and draw nuanced conclusions. It is also important to consider the baseline risk associated with your partner(s).

Risks to national security can come from any country, but as noted elsewhere, Canadian security agencies have publicly identified certain countries with a record of stealing IP from academic researchers. Note that even Canadian organizations may have international ties, and those ties may engender some risk.

At the same time, you know your sector and those with a history of skirting or ignoring privacy, ethical or contractual provisions. You may be aware of those within your field that have well established relationships with foreign states and militaries or who have a history of concern related to financial or professional management of projects. Once again, these considerations all contribute to the nuanced understanding you will take away from open source due diligence.

There are a variety of tools on the Safeguarding Your Research portal to help you understand your baseline risk. If you are unsure about your baseline level of risk, consider speaking with a colleague or another trusted resource to get an idea of the hypothetical consequences you could face if your work were compromised; this can contribute to your understanding of your baseline risk. The goal of this step is to get a general sense of the risks to your work, and to think through how those risks may be affected by introducing a partner.

Step 2: Externalize what you know, identify gaps

The next step is to externalize what you already know about your research partnership. This will help you identify gaps in your knowledge and could highlight important ambiguities and assumptions. To start, write down or discuss brief answers to these basic questions:

  • How did the partnership come about?
  • What has your partner told you about their interests in your research?
  • What do you already know about your partner’s other research investments and partnerships?
  • What does your own personal understanding of the partner’s reputation and history tell you?
  • Are there obvious conflicts of interest or commitment that could impede the partnership?

If you are struggling to answer these questions, it may be useful to speak with your partner further about their interests and motivations. This should help to clarify the basics of the partnership, and allow you to focus on more specific areas of risk or concern. Remember, you are not interrogating your partner, but engaging in a discussion to ensure clarity over shared interests, goals, motivations and the use of your work.

Step 3: Develop Questions to Fill the Gaps

Based on your answers to these questions, identify gaps in your knowledge about your partner, their motivations for working with you and their other relationships. Some of these gaps may be filled through a quick online search, while others will require a more deliberate approach. Restate these in the form of questions. For example, “does my partner have affiliations or partnerships with foreign governments? If so, which government, and on what topic?”

Make sure you include questions that address all the risk areas identified on the Know Your Partner section of the National Security Guidelines for Research Partnerships’ Risk Assessment Form.

To help with developing your open source due diligence questions, reflect on the following:

  1. What questions do I need to answer in order to understand my partner’s intentions for partnering with me?
  2. What questions do I need to answer in order to understand my partner’s independence and integrity? Footnote 3
  3. What kinds of information will be most useful to help me find the answers to these questions?

To help you answer the last question, here is a curated list of potential information sources and a few use case examples. See Annex A for links to specific information sources.

INFORMATION SOURCE (followed by USE CASE)

Corporate Records
  • Establish corporate owners & shareholders
  • Identify parent companies and subsidiaries

Corporate Websites
  • Review press releases for partnerships and investments
  • Confirm biographical details of partners against other sources

Academic and Awards Databases
  • Identify other projects funded by partner to understand their priorities and other collaborators

Intellectual Property and Patent Databases
  • Identify patents and other IP that may have originated in Canada, but are owned by a foreign partner

Sanctions
  • Verify that a research partner has not been sanctioned by Canada, the United States, United Nations or other sanctioning bodies

Controlled Goods and End User Lists
  • Verify that a research partner has not been assessed to be at high risk of diverting research to their country’s military and security

Legal Databases
  • Verify that the partner has not been involved in civil or criminal proceedings related to your research area or more generally

Step 4: Turn your questions into tasks

The final step is to make and organize a list of tasks to answer these questions. Each open source due diligence task should be specific, include an information source and it should be something you can reasonably accomplish in a single sitting.

For example:

  • Identify foreign subsidiaries of Corporation Y using a corporate records database
  • Check Corporation Q against Sanctions & Controlled Goods lists
  • Verify the professional credentials of Person Z on LinkedIn and their corporate website

Consider starting with simple, factual tasks. These will help you settle into the work, build momentum and resolve straightforward questions. Getting the basics done may also provide you with helpful background knowledge for more involved or ambiguous questions. But the most important part is to simply start!

Open Source Due Diligence and You:

What are the most important questions you need to answer for your partnership? How will you turn them into open source due diligence tasks?



5. Use consistent research methods to get reliable, repeatable results

The open source due diligence you need to do to know your partner and maintain the confidence of your funders is important, and you will need to be able to demonstrate not just what you found, but how you found it. Using a consistent method for your open source due diligence will keep you productive, let you reliably repeat your findings, and help you explain what you found to others.

The Three Cs Method of Open Source Due Diligence

The Three Cs Method is an easy to remember framework to help you organize your thinking, stay on track and explain your findings. The method can be applied to almost any research question and information source. It can be used to carefully structure a Google Search, query a public records database or organize open-ended open source due diligence on a website. Footnote 4

The basic method is simple: Context + Content + Controls. For each of your open source due diligence questions, identify the Three Cs, then use them to build a search string, query a database or navigate a website.

CONTEXT

Where do I need to look? Where am I most likely to find relevant information?

Context sets the outside boundaries of your search. This could be a particular database or website, or it could be keywords that help to set the logical context of a Google search (for example, the name of your partner organization).

CONTENT

What do I need to look for? What words or variables are likely to return the most relevant information?

Content are the phrases or concepts that you expect to find within the Context you have set. Content keywords are more specific than context keywords, and get to the heart of your question. The content you use will depend on the context you’re searching within. In essence, your content keywords should return relevant results if they are present in your context.

CONTROLS

How can I refine my search to get better results? How can I avoid or exclude false positives, without losing relevant information?

Controls are ways to focus your results and reduce noise. You can use them when the combination of Context and Content returns too many results, or when irrelevant results (noise) make it difficult to find what you need (signal).

Using Controls could mean applying filters on a website, or excluding results that contain particular keywords. Controls are not always necessary, and you will usually only figure them out after you have run a search with context and content.

One of the virtues of using this structured approach is the control and flexibility it gives you to quickly adapt and problem-solve. Here are some examples of the Three Cs, to illustrate how they can work in practice.

QUESTION: Does my partner already own IP on my research topic, and if so, who produced it?

  • Context: IP database like ESPACENET
  • Content: Your partner’s name
  • Controls: If there are an unmanageable number of patents on other research areas, add your research area to the search to control volume. Use filters to exclude false positive results, for example, near-matches to the partner’s name

QUESTION: Has my partner ever been publicly accused of stealing Intellectual Property?

  • Context: Google search for partner’s name
  • Content: lawsuit OR theft OR IP OR damages OR ethics
  • Controls: Perhaps the company has had an unrelated lawsuit, in which case you may need to exclude words related to that lawsuit, for example: NOT “hiring” OR “pollution”

As a logical search string: "ACME CORP" AND (lawsuit OR theft OR IP OR damages OR ethics) NOT (hiring OR pollution)

On Google: ("ACME CORP") (lawsuit OR theft OR IP OR damages OR ethics) -(hiring OR pollution) Footnote 5

QUESTION: Is my partner also partnering with other researchers in my field?

  • Context: Press release page on the partner’s website
  • Content: Use your browser’s Find function to search for terms like partner, acquire, invest, strategic, research
  • Controls: None needed

Open source due diligence improves with repetition and practice. With practice, you will find that certain combinations of the Three Cs return the best results for your particular research area and partnership. Every time you run a search, you will learn more about how to find the best results, which will save you time and effort on the next search.

A spreadsheet is a simple, easy to use way to document and execute your plan. Create a column for each of the Three Cs and a row for each open source due diligence task. Make sure you take notes on what worked and what did not, and then adjust your approach for other tasks.
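The search strings above and the spreadsheet plan can both be generated from the Three Cs instead of being typed by hand. This is an added example, not part of the original guide: the names ThreeCs, clean_terms, logical_query, google_query and plan_to_csv and the sample tasks are hypothetical, and the Google form excludes each Controls term with its own minus sign, which is logically the same as NOT (a OR b).

```python
import csv
import io
from dataclasses import dataclass, field

OPERATORS = {"AND", "OR", "NOT"}


@dataclass
class ThreeCs:
    """One due diligence task expressed as Context + Content + Controls."""
    question: str
    context: list                                  # search boundaries, ANDed together
    content: list                                  # alternative keywords, ORed together
    controls: list = field(default_factory=list)   # noise terms to exclude
    notes: str = ""                                # what worked and what did not


def clean_terms(terms):
    """Normalise keywords: strip quotes and extra spaces, drop blanks and
    case-insensitive duplicates, and quote anything a search engine could
    misread (phrases, bare operators, a leading minus sign)."""
    seen, out = set(), []
    for raw in terms:
        term = " ".join(raw.replace('"', " ").replace("“", " ").replace("”", " ").split())
        if not term or term.lower() in seen:
            continue
        seen.add(term.lower())
        needs_quotes = " " in term or term in OPERATORS or term.startswith("-")
        out.append(f'"{term}"' if needs_quotes else term)
    return out


def any_of(terms):
    """Join alternatives with OR; parenthesise only when there are several."""
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


def cleaned(task):
    """Return the three cleaned keyword lists, insisting on a Context."""
    context = clean_terms(task.context)
    if not context:
        raise ValueError("a search needs at least one Context term")
    return context, clean_terms(task.content), clean_terms(task.controls)


def logical_query(task):
    """Context AND (Content ...) NOT (Controls ...), as a logical search string."""
    context, content, controls = cleaned(task)
    query = " AND ".join(context)
    if content:
        query += " AND " + any_of(content)
    if controls:
        query += " NOT " + any_of(controls)
    return query


def google_query(task):
    """Same search in search-engine syntax: a space means AND, and each
    Controls term is excluded with its own minus sign (assumption: per-term
    exclusion is used here instead of a negated OR group)."""
    context, content, controls = cleaned(task)
    parts = list(context)
    if content:
        parts.append(any_of(content))
    parts += ["-" + term for term in controls]
    return " ".join(parts)


def plan_to_csv(tasks):
    """One spreadsheet row per task, one column per C, plus the built queries."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Question", "Context", "Content", "Controls",
                     "Logical search", "Google search", "Notes"])
    for t in tasks:
        writer.writerow([t.question, "; ".join(t.context), "; ".join(t.content),
                         "; ".join(t.controls), logical_query(t),
                         google_query(t), t.notes])
    return buf.getvalue()


# Constructed sample plan, based on the example questions in this section.
PLAN = [
    ThreeCs("Has my partner ever been publicly accused of stealing Intellectual Property?",
            context=["ACME CORP"],
            content=["lawsuit", "theft", "IP", "damages", "ethics"],
            controls=["hiring", "pollution"],
            notes="Controls added after the first run returned an unrelated lawsuit"),
    ThreeCs("Is my partner also partnering with other researchers in my field?",
            context=["ACME CORP", "press release"],
            content=["partner", "acquire", "invest", "strategic", "research"]),
]

if __name__ == "__main__":
    print(plan_to_csv(PLAN))
```

Keeping the generated queries in the same row as the task records how each result was found, so a search can be repeated later with the identical string.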

As your open source due diligence progresses, you will likely identify new questions and tasks, and need to decide where to focus your attention first. Making these open source due diligence decisions is the subject of the next section.

Open Source Due Diligence and You:

Based on the priority open source due diligence questions you have identified, what are the most important contexts and contents you will need to search?



6. How to pursue findings fully, and how to know when you are done

There is no one “right” way to do open source due diligence, so you will have many small decisions to make along the way. Recognizing these small decisions and making them deliberately will help you stay oriented and motivated as you encounter new information.

There are three decisions you will make over and over during your open source due diligence. In fact, you already make these decisions all the time when you are searching online, whether you are shopping online or finding something to watch:

  1. WHAT SHOULD YOU LOOK FOR?
    Deciding on how to craft and refine your search approach, using the Three Cs
  2. IS THIS RELEVANT?
    Deciding whether your search results are relevant and worth continued attention
  3. WHAT’S NEXT?
    Deciding which leads to pursue, and in what order

Making and documenting these decisions carefully will help you to track your progress, and ultimately help you make the most important decision: deciding whether you have enough information to assess the relationships, interests and intentions of your partner.

Initial Findings and Next Steps

Your initial open source due diligence will most likely result in one of three outcomes. Here are the outcomes, with some recommended next steps:

No Meaningful Findings. In many cases, your open source due diligence won’t generate any concerning findings. This is good! But absence of evidence isn’t necessarily evidence of absence. Consider repeating your approach with a different tool, database, or keyword approach. If you still do not identify concerns, consider adopting an adversarial approach to your research – how could I prove myself wrong?

The goal is to confirm that your assessment is correct, and demonstrate that you made a thorough and reasonable effort to find potential risks.

Example: You searched corporate registries to see if your partner has any foreign partners, but did not find any. Consider repeating that approach on another database, and check both provincial and federal registries. Or if the company is publicly traded, look at their corporate filings.

TAKING AN ADVERSARIAL APPROACH TO YOUR RESEARCH AND THINKING

Research tends to follow a rhythm, and can sometimes lead to unexamined assumptions. Our minds are often biased toward seeing what we want to find. This is called Confirmation Bias.

To combat this tendency, researchers should periodically adopt an adversarial approach to their work and the knowledge they have created. Ask yourself important questions like:

  • How do I know this to be true?
  • What if I am wrong?
  • What other explanations could there be for what I have found?

For especially important findings, it may be important to attempt to disprove what you have found or concluded. The adversarial approach helps you reflect on your thinking and anticipate possible questions or alternative explanations.

New Findings, More Research. In some cases, your initial open source due diligence will generate new questions or concerns, or at a minimum, more information that needs to be reviewed and researched. In this situation, it is especially important to document your approach as you go to keep track of your progress and findings.

When you find leads, pursue them one at a time, and don’t leave any lead unfollowed. In instances where a risk exists, your open source due diligence will often converge around the issue from different angles, so pay close attention to similarities and information that validate findings you already have.

Example: You identified an international subsidiary on your partner’s website that seems to do work in your field. You should research this international partner in more depth, perhaps looking at patents they have applied for on IP databases.

Immediate, Risky Findings. In some cases, initial open source due diligence may produce high risk findings very quickly. Be sure to document this information carefully and capture evidence (see the next section). Consider repeating your approach with a different tool, database or keyword approach. The goal is to verify and substantiate your concerns.

Example: You found a press release through a Google search showing that your partner has a large stake in a military contract in a foreign country. You should document this immediately, and look for more details of the contract using a search engine or a government contracts database for that country. Whether or not it turns out to be a significant issue, it will be vital for you to understand the details.

Deciding when you are done

Like academic research, open source due diligence can sometimes feel endless, as one piece of information leads to another. It is important to check in with yourself along the way periodically to decide whether you have enough information to confidently conclude your work and explain what you have found. Here are a few questions you can ask yourself:

  • Do I have enough information to describe the situation to someone else in my own words?
  • Can I explain the potential risks to my research?
  • Do I have enough information to make informed decisions about how to manage those risks?
  • Have I exhausted the research methods available to me?

Reviewing what you have found is an important part of answering these questions. The next and final section will provide some practical advice for capturing, documenting, and explaining what you have found.



7. How to document and explain your findings

Documenting & Explaining Your Findings

Your findings may be reviewed and acted on by others, including those you work with or who fund the research. You may be asked to provide more information later or make a plan to mitigate the risks you have found. Having the evidence to hand will make both of these easier. It is in your interest to describe your findings and assessment as clearly and unambiguously as possible, which will make it more likely that others will have confidence in your findings and judgement.

Focus on drawing reasonable conclusions from the evidence you have, and avoid wandering into speculation. If you find yourself speculating, it is probably a sign that you need to do more open source due diligence, reframe your approach or seek advice from others.

At the most basic level, your writing should answer the following questions:

  • What evidence did I find, and how?
  • Where did I find the evidence? Is it from reputable sources? Have I verified it with other sources where possible?
  • What logical conclusions can I draw from what I found?
  • Based on what I know about my research area and what I have found about my partner, what risks could arise in our partnership?

You may not be able to answer the last question for everything you have found, but be sure to document as much as you can. This will aid your memory later and will demonstrate to others that you have done a thorough job.

ASSESSING & DESCRIBING PARTNERSHIP RISKS

The Panel Thought Experiment

Drawing links between what you have found in your open source due diligence and your risk assessment is easier said than done. One good way to know if you have a good understanding of the risk is to engage in a thought experiment.

Thought experiments help you to look at an issue in a different way, and then reflect on your reaction.

Consider the following example:

Your proposed partner organization is participating in a discussion panel that has garnered a lot of attention; it is expected to be a big event.

As an expert in the field, you have been asked to introduce all the panelists, one of whom is your proposed partner.

Do you have enough information to talk about what it is your partner does? Do you know what they are known for? Are there any notable achievements that may be of interest to your colleagues in the field?

Alternatively, is there anything you have found out about them that you would not be comfortable saying in front of a group of your academic peers and the public? Is there anything about that partner that makes you nervous about partnering with them? Would you consider avoiding the event because of the risk to your reputation?

There is no one-size-fits-all recipe for assessing risk, but the essential ingredients are evidence and judgement.

It is unlikely that you will find definitive, indisputable evidence of risk in the course of your open source due diligence, so you will need to apply your judgement to the evidence as a whole to arrive at a reasonable assessment. Your assessment should consider:

  • the baseline risk of your research area
  • the baseline risk of your partner(s)
  • evidence you found during your open source due diligence
  • concerns or unresolved ambiguities that arose during your open source due diligence

Consistent with the Three C’s approach, your assessment should include the context in which your partnership is occurring, the content you found during your open source due diligence and any other factors that control or shape your judgement.

In most cases, the simplest explanation is the right one. While it is important to identify and acknowledge unresolved ambiguities and concerns, your assessment should rely on the totality of evidence.

For any risk you have identified, consider what mitigation measures you can put in place to address it. A good mitigation plan should decrease the likelihood and the magnitude of these risks to a level that is acceptable to you, your institution, and your funders, partners, and collaborators.



8. Conclusion

This guide provides a simple, step-by-step approach to conducting efficient, effective open source due diligence to understand your partner’s relationships, interests and intentions. The particulars of your research area and your partnership will shape how complex and deep your open source due diligence will be, but the guidelines and decision aids provided here should be useful to any partnership.



Annex A: Data Sources to Safeguard Research Partnerships

The table below provides a range of online information sources to support your open source due diligence. Note that the table is non-exhaustive – there may be other data sources of value to your research area and partnership. Most sources are free, but some may charge a fee for certain features.

See Annex B for paid tools that can automate certain parts of the open source due diligence process.

CORPORATE RECORDS

Who am I dealing with? How are they organized?

| Resource | Description | Free/Paid |
|---|---|---|
| System for Electronic Document Analysis and Retrieval (SEDAR) - Canadian Securities Administrators | Database of public securities documents and information filed by companies, including a wide range of documents for publicly traded companies and securities administrators in Canada. | Free |
| Electronic Data Gathering, Analysis, and Retrieval (EDGAR) | Database of documents for publicly traded companies in the United States. | Free |
| European e-Justice Portal - Find a company | Database of national business registries of EU countries. | Free |
| Open Corporates | Largest corporate database of companies in the world, covering 140 jurisdictions and nearly 200 million companies. | Free |
| Corpsearch | Consolidated directory of corporate registries, covering more than 120 countries. Browsable by country. | Free |
| Overseas Registries | Compendium of global business registries, provided by the Government of the United Kingdom. | Free |
| Statistics Canada - Inter-corporate Ownership | An authoritative and comprehensive source of information available on corporate ownership and “who owns what” in Canada. | Free |
| Corporations Canada Database | Search for federally registered companies to find out who is involved. Can be used to search whether a business is registered in Canada, and verify the name of a corporation. | Free |
| Canada’s Business Registries | Search for both federally and provincially registered companies in Alberta, British Columbia, Manitoba, Ontario, Quebec, and Saskatchewan. This service lets you search across these registries all at one time. See below for individual provincial registries. | Free |

Individual provincial registries

| Resource | Description | Free/Paid |
|---|---|---|
| Alberta Corporate Registry | Request records from Alberta’s corporate registry, for a fee. | Paid |
| British Columbia Corporate Registry | Search provincially registered corporations. Requires account creation. | Free |
| New Brunswick Corporate Registry | Search provincially registered corporations. Results can be reviewed for free; details available for a fee. | Free & Paid |
| Newfoundland Companies and Deeds Online (CADO) | Search provincially registered corporations. Results and details available for free, without account creation. | Free |
| Nova Scotia Registry of Joint Stock Companies | Search provincially registered corporations. Results and details available for free, without account creation. | Free |
| Ontario eCore | Search provincially registered corporations. Requires account creation and charges fees. | Free |
| Prince Edward Island Business Search | Search provincially registered corporations. Results and details available for free, without account creation. | Free |
| Quebec Registered Enterprise Search | Search provincially registered corporations. Results and details available for free, without account creation. | Free |
| Saskatchewan Corporate Registry | Search provincially registered corporations. Requires account creation and may charge fees. | Paid |
| Northwest Territories Corporate Registry | Search provincially registered corporations. Results can be reviewed for free; details available with account creation and for a fee. | Free & Paid |
| Nunavut Corporate Records | Inquire at Corporate.Registries@gov.nu.ca. | Fees may apply |
| Yukon Corporate Registry | Search provincially registered corporations. Results can be reviewed for free; details available with account creation and for a fee. | Free & Paid |

ACADEMIC AND AWARDS DATABASES

Have my partners been involved in other research on my subject?

| Resource | Description | Free/Paid |
|---|---|---|
| IEEE Xplore | Compendium of research documents related to engineering, computer science, telecommunications, power and other engineering fields. Free results, but downloads require a subscription. | Free & Paid |
| Web of Science | Paid compilation of databases providing access to scientific literature and citation data. | Paid |
| Scopus | Abstract and citation engine with a focus on curation and peer-review. Basic search (“preview”) requires an account; in-depth search requires subscription. | Free & Paid |
| Google Scholar | Abstract and citation engine with a more inclusive, automated approach to indexing. Likely to produce a wider, but possibly less precise, list of results. | Free |
| Dimensions.AI | Abstracting and citation search engine for academic research similar to Google Scholar, but with a focus on links and relationships. Records are highly contextualized with funding data, institutional support and policy documents. | Free |
| Cognit | Compendium of research databases, including projects, facilities, and intellectual property from Canadian research institutions. Cognit provides consolidated search of NSERC/CIHR/SSHRC/CFI databases. | Free |
| CFI Research Facilities Navigator | Database of research facilities in universities, colleges, hospitals and the Canadian federal government. | Free |
| NSERC Awards Database | Database of awards provided by the Natural Sciences and Engineering Council of Canada. | Free |
| CIHR Awards Database | Database of awards provided by the Canadian Institutes of Health Research. | Free |
| SSHRC Awards Database | Database of awards provided by the Social Sciences and Humanities Research Council of Canada. | Free |

INTELLECTUAL PROPERTY & PATENT DATABASES

Who owns patents in my research area? What other fields or researchers does my partner fund?

| Resource | Description | Free/Paid |
|---|---|---|
| Canadian Intellectual Property Database | Government of Canada database of trademarks, patents, copyrights, industrial designs or other goods and services. | Free |
| Google Patent | Patent search engine with global coverage. Option to include documents and literature from Google Scholar and Google Books. | Free |
| Espacenet | Patent search engine with global coverage, provided by the European Patent Office. Provides high degree of control over search and filtering. | Free |
| Patentscope | Patent search engine with global coverage, provided by the World Intellectual Property Organization. Provides fewer records, but more analytical capability than Espacenet. | Free |

SANCTIONS LISTINGS AND END USER LISTS

Has my partner ever been sanctioned? Is my partner at high risk of diverting my research to military end users?

| Resource | Description | Free/Paid |
|---|---|---|
| Consolidated Canadian Autonomous Sanctions List | Official Government of Canada list of individuals and entities subject to specific Canadian sanctions. Searchable and filterable. | Free |
| US Office of Foreign Assets Control (OFAC) Sanctions List | Official US Government Sanctions listings. Searchable and filterable. | Free |
| Sanctions Explorer | Sanctions search engine covering US (OFAC), European Union and United Nations sanctions. Includes individuals, organizations, aircraft and vessels. | Free |
| US Consolidated Screening List | List of parties for which the US Government maintains restrictions on certain exports, reexports, or transfers of items. | Free |

LEGAL DATABASES, INDICTMENTS AND CASE RECORDS

Has my partner been the subject of legal proceedings?

| Resource | Description | Free/Paid |
|---|---|---|
| CanLII | Consolidated search engine of Canadian civil and criminal court cases and related documents. | Free |
| WorldLII | Consolidated database of legal decisions and other legal documents from 123 global jurisdictions, including Canada. | Free |
| FBI Press Releases | Searchable database of indictments, charges and pleas related to FBI cases. Filterable by location, category and date. | Free |
| US Department of Justice Press Releases | Searchable database of indictments, charges and pleas related to US federal cases. Filterable by location, category and date. | Free |

MISCELLANEOUS OPEN SOURCE TOOLS & RESOURCES

Additional online tools that may support specific due diligence tasks

| Resource | Description | Free/Paid |
|---|---|---|
| Google News | News source consolidator and search engine. A good source for both media coverage and press releases. | Free |
| OCCRP Aleph | Archive of data and information compiled by and for investigative journalists. Access a wide range of documents and data uncovered by journalists. | Free |
| Internet Archive | Access cached versions of websites, including websites that are no longer active, and older versions of live sites. Useful for reviewing sections of corporate websites that have been removed. | Free |
| DomainBigData | Consolidated access to technical website data, including domain registries and IP ranges. Also includes WHOIS records, to establish websites and domains. | Free |



Annex B: Commercial Tools to Safeguard Research Partnerships

The table below provides a selection of commercially available services and technologies that consolidate and automate aspects of Know Your Customer (KYC) and Know Your Partner (KYP) research. While these tools may accelerate some aspects of your open source due diligence, they are not free.

This list is non-exhaustive. There may be other tools available at your institution.

| Resource | Description |
|---|---|
| Comply Advantage | Offers a real-time risk database of people and companies. It includes information on sanctions and politically exposed persons (PEP). It also includes adverse information and media. |
| Dun & Bradstreet Onboard | Tool providing consolidated compliance data, access to global sanctions lists, and detailed corporate linkage analysis to identify the full range of business relationships. |
| Kharon ClearView | Search tool to verify if individuals or entities are associated with sanctioned or trade-restricted parties. |
| Refinitiv World-Check Risk intelligence | Search tool to verify if individuals or entities are involved in money laundering, terrorist financing, bribery, corruption and other activities. |
| Strider Shield | Search tool specializing in identifying parties involved in IP theft and nation-state talent solicitation. Designed to integrate with internal customer systems. |



Annex C: Summary Process Map


  • Understand baseline risk
    1. Partner
    2. Research Subject
  • Externalize what you know
  • Turn gaps into questions
  • Turn questions into research tasks
  • Identify potential information sources
  • Develop an initial search strategy
    1. Context
    2. Controls
    3. Content
  • Track methods and progress
  • Make research decisions based on findings
    1. No risks found
      1. Repeat with different tool or approach
      2. Adopt adversarial approach
      3. Demonstrate your diligence
    2. New findings, more research
      1. Document your research
      2. Pursue leads in turn
      3. Pursue all leads fully
    3. Immediate risky findings
      1. Capture evidence immediately
      2. Replicate findings with another tool
      3. Verify and substantiate concerns
  • Ask key questions to decide if you are done
  • Capture, document, and explain findings
    • What you found
    • Where you found it
    • What conclusions you can draw
    • What risks could arise
  • Assess risks
  • Mitigate risks
