US Marshal Indicted For Abusing Access To Cell Location Data To Run Personal Searches
from the if-you-give-a-cop-a-passcode... dept
Give anyone access to tons of sensitive personal information and it’s bound to result in abuse. Give cops access to this data and abuse is guaranteed. Why? Because law enforcement officers — for reasons unfathomable to regular people — face far fewer consequences for violating internal policies and breaking laws.
Regular people get fired. Cops get wrist slaps and a few weeks of bad press. Abuse of sensitive law enforcement databases is so commonplace it’s just become more unremarkable noise generated by news cycles.
More than half of Minnesota’s law enforcement officers misused access to drivers license databases. That scandal managed to raise eyebrows for perhaps half a day back in 2013. MORE THAN HALF! More than 5,550 officers! And yet, it’s little more than a data point a decade later.
Why? Because it keeps happening and so very little is done in response. Twenty-five Denver PD officers were caught abusing access to sensitive law enforcement databases. Nearly every one of the officers received nothing more than a written reprimand, rather than the criminal penalties the same PD would inflict on regular people who unlawfully accessed sensitive information.
Every so often a cop receives a severe punishment. But these anomalies only highlight how common the abuse is. An Ohio cop was fired for using law enforcement tools to spy on ex-wives and their relatives. Two police officers in California were hit with criminal charges for using DMV and other government records to [rereads post] screen women they were interested in dating. A Michigan police officer did the same thing, resulting in an ultra-rare criminal conviction.
Here’s another anomaly… not in terms of abuse, which continues to be widespread, but that a law enforcement officer might be punished for misusing law enforcement databases. The DOJ is pursuing criminal charges against a US Marshal who abused access to cell location data to run searches on people for purely personal reasons.
Adrian Pena, 48, of Del Rio, Texas, made his initial appearance in federal court yesterday in the Western District of Texas.
According to court documents, Pena allegedly unlawfully used a law enforcement service operated by Securus Technologies Inc. (Securus) for personal reasons, including to obtain cell phone location information relating to multiple individuals with whom the defendant had personal relationships and their spouses. Pena obtained this information by uploading false and fraudulent documents to the Securus system and by certifying that those documents were official documents giving permission to obtain the relevant individuals’ cell phone location information.
The indictment [PDF] also notes the US Marshal lied to the Inspector General’s investigators about his abuse, downplaying his unauthorized searches as nothing more than testing or demonstrations for others… like his wife.
The system Pena allegedly accessed is run by Securus, a company that has its own questionable history. In 2015, it was caught ignoring its own internal safeguards to capture privileged calls between prisoners and their legal reps. Nothing much happened to the company, due to its almost monopolistic stranglehold on prison phone services. That led to the company catching heat a few years later for providing law enforcement with unfettered access to cell location data harvested from nearly every cell phone user in the country.
That’s the database the US Marshal apparently had access to. And the system was easy to beat. According to the indictment, the database could be duped into providing access with nothing more than a blank Microsoft Word document.
Even though the system requires users to upload supporting documents justifying the searches, no one appears to be performing any verification of the uploaded docs. All Pena had to do was upload literally any document in a supported format and click a box stating that the submitted document was “official” and granted “permission to look up the phone number requested.”
To obtain location data relating to these individuals’ cellular telephones, PENA uploaded false and fraudulent documents to the Securus LBS platform, including blank pages, award certificates, a list of justifications for a merit promotion, letterhead templates, and other assorted documents.
Any document, one checkbox, and Pena was free to go.
Through this process, PENA repeatedly obtained cellular telephone location data relating to his personal associates and their relatives through misrepresentations and without the required official documentation or authorization. These queries were performed for personal and unofficial reasons and were not authorized by the United States Marshals Service, the Uvalde County Sheriff’s Office, or any other law enforcement agency or intelligence agency.
That’s it. That’s the “process.” As easy to bypass as age restrictions on a YouTube video. Just plug in some fake info and sally forth. Except it’s not a red band trailer being accessed, but sensitive location data, including the targeted phone’s current location.
Safeguards are supposed to do something. The ones Securus has in place do nothing. While it may be impossible for Securus employees to determine what is or isn’t actual justification for a search, a cursory examination of, I don’t know, a blank MS Word document should have made it obvious someone was cheating the system.
And if it’s wrong to expect Securus to second-guess uploads, law enforcement agencies should be more engaged in this process and ensuring — in as close to real-time as possible — that officers aren’t abusing the system. While it’s good this US Marshal’s actions were exposed, it didn’t happen until he had abused the system more nearly a dozen times. That sort of delayed reaction does very little to head off future abuse or ensure sensitive location data pertaining to millions of US cell phone users doesn’t become a plaything for law enforcement.
Filed Under: adrian pena, doj, location data, privacy, surveillance, us marshal
Companies: securus
Comments on “US Marshal Indicted For Abusing Access To Cell Location Data To Run Personal Searches”
In other news today...
A gentleman lost a USB flash drive containing an entire city’s worth of PII because he decided to get drunk. Waking up on the sidewalk, he found his pockets had been emptied. Names, addresses, bank accounts, birthdays, all you could ask for for Identity Theft.
Yay for data controls! … and good luck to the residents of Amagasaki, Japan, for their soon-to-be financial problems.
Patient Zero in this case, of course, is “having all that data in a single database”. The malady only mutated a little in “one person can walk out the door with all that data”.
Re: Ah, you mean this
https://www.bbc.com/news/world-asia-61921222
Luckily for the man, city officials said the data contained on the drive is encrypted and locked with a password. They added that there has been no sign that anyone has attempted to access the information so far.
At least the charges aren’t under the CFAA (as far as I can make out) in accordance with the promise made by the DoJ, but that system seriously needs looking at to prevent this kind of access. Maybe have the courts (or the judge) upload the documents relating to the warrant before the police can carry it out. If the system doesn’t recognise the IP address of the uploader as belonging to a court, then the information goes nowhere.
If only this hadn’t happened so many times before, we could muster up our shocked, just shocked faces.
This is not a bug, this is a fucking job perk.
3 different kinds of law exist, the one we get is weighted against us to make up for how little they do anything to our betters charged with crimes.
But hey, its no longer a violation of your rights if they don’t read you Miranda so at least we have that.
The Wrong Way
Or, just possibly one could look at a filename that says Blank.doc and ask an underpaid intern to see if it is valid.
Sadly, I would expect this reply: Yep, it’s a valid blank document.
Re:
As an underpaid intern, would you risk annoying a cop by rejecting their submitted document, or would you prefer to get home unmolested.
Uvalde?
Isn’t that the location of the recent school shooting, where the local police force(s) did nothing for over an hour?
Re:
That was Uvalde City, I believe, but it is the county seat of Uvalde County.
Thanks for finally covering the Minnesota cases. I have been writing about gang stalking in Minnesota for well over a decade–and this case was integral in getting the word out:
https://www.adweek.com/tvspy/another-minnesota-reporter-sues-over-drivers-license-privacy-breach/116516/
Since that time, Techdirt has moderated, or censored me many times–but here we are, 2022, writing about what I was writing about in 2013;-)
Keep up the good work–lol.
Back when I was covering it, Techdirt staffers and in-house trolls were calling me “delusional.” I screen capped all of it, for posterity.
I think location data may soon come under sttack by jammers in states where abortion is legal.
Some states that have banned abortion are apparently planning on using location data to prosecute women who go to a state where it is legal.
I think some clinics could already be using jammers to foil location data.
There are some parts of town where I live now where my cellulat data connection just dies, but voice calls still work, and where the GPS app I have on my phone crashes.
Abortion clinics that use jamming to foil location tracking are breaking any FCC rules, or California laws.
I could see the possibility of states that start using this prosecuting the abortion clinics on obsttruction of justice charges for foiling their location tracking using such jammers, but that is as far as it could go.
The clinics that use such jammers are not breaking any other laws, either in California, or at the federal level.