from the if-you-give-a-cop-a-passcode... dept
Give anyone access to tons of sensitive personal information and it’s bound to result in abuse. Give cops access to this data and abuse is guaranteed. Why? Because law enforcement officers — for reasons unfathomable to regular people — face far fewer consequences for violating internal policies and breaking laws.
Regular people get fired. Cops get wrist slaps and a few weeks of bad press. Abuse of sensitive law enforcement databases is so commonplace it’s just become more unremarkable noise generated by news cycles.
More than half of Minnesota’s law enforcement officers misused access to drivers license databases. That scandal managed to raise eyebrows for perhaps half a day back in 2013. MORE THAN HALF! More than 5,550 officers! And yet, it’s little more than a data point a decade later.
Why? Because it keeps happening and so very little is done in response. Twenty-five Denver PD officers were caught abusing access to sensitive law enforcement databases. Nearly every one of the officers received nothing more than a written reprimand, rather than the criminal penalties the same PD would inflict on regular people who unlawfully accessed sensitive information.
Every so often a cop receives a severe punishment. But these anomalies only highlight how common the abuse is. An Ohio cop was fired for using law enforcement tools to spy on ex-wives and their relatives. Two police officers in California were hit with criminal charges for using DMV and other government records to [rereads post] screen women they were interested in dating. A Michigan police officer did the same thing, resulting in an ultra-rare criminal conviction.
Here’s another anomaly… not in terms of abuse, which continues to be widespread, but that a law enforcement officer might be punished for misusing law enforcement databases. The DOJ is pursuing criminal charges against a US Marshal who abused access to cell location data to run searches on people for purely personal reasons.
Adrian Pena, 48, of Del Rio, Texas, made his initial appearance in federal court yesterday in the Western District of Texas.
According to court documents, Pena allegedly unlawfully used a law enforcement service operated by Securus Technologies Inc. (Securus) for personal reasons, including to obtain cell phone location information relating to multiple individuals with whom the defendant had personal relationships and their spouses. Pena obtained this information by uploading false and fraudulent documents to the Securus system and by certifying that those documents were official documents giving permission to obtain the relevant individuals’ cell phone location information.
The indictment [PDF] also notes the US Marshal lied to the Inspector General’s investigators about his abuse, downplaying his unauthorized searches as nothing more than testing or demonstrations for others… like his wife.
The system Pena allegedly accessed is run by Securus, a company that has its own questionable history. In 2015, it was caught ignoring its own internal safeguards to capture privileged calls between prisoners and their legal reps. Nothing much happened to the company, due to its almost monopolistic stranglehold on prison phone services. That led to the company catching heat a few years later for providing law enforcement with unfettered access to cell location data harvested from nearly every cell phone user in the country.
That’s the database the US Marshal apparently had access to. And the system was easy to beat. According to the indictment, the database could be duped into providing access with nothing more than a blank Microsoft Word document.
Even though the system requires users to upload supporting documents justifying the searches, no one appears to be performing any verification of the uploaded docs. All Pena had to do was upload literally any document in a supported format and click a box stating that the submitted document was “official” and granted “permission to look up the phone number requested.”
To obtain location data relating to these individuals’ cellular telephones, PENA uploaded false and fraudulent documents to the Securus LBS platform, including blank pages, award certificates, a list of justifications for a merit promotion, letterhead templates, and other assorted documents.
Any document, one checkbox, and Pena was free to go.
Through this process, PENA repeatedly obtained cellular telephone location data relating to his personal associates and their relatives through misrepresentations and without the required official documentation or authorization. These queries were performed for personal and unofficial reasons and were not authorized by the United States Marshals Service, the Uvalde County Sheriff’s Office, or any other law enforcement agency or intelligence agency.
That’s it. That’s the “process.” As easy to bypass as age restrictions on a YouTube video. Just plug in some fake info and sally forth. Except it’s not a red band trailer being accessed, but sensitive location data, including the targeted phone’s current location.
Safeguards are supposed to do something. The ones Securus has in place do nothing. While it may be impossible for Securus employees to determine what is or isn’t actual justification for a search, a cursory examination of, I don’t know, a blank MS Word document should have made it obvious someone was cheating the system.
And if it’s wrong to expect Securus to second-guess uploads, law enforcement agencies should be more engaged in this process and ensuring — in as close to real-time as possible — that officers aren’t abusing the system. While it’s good this US Marshal’s actions were exposed, it didn’t happen until he had abused the system more nearly a dozen times. That sort of delayed reaction does very little to head off future abuse or ensure sensitive location data pertaining to millions of US cell phone users doesn’t become a plaything for law enforcement.