State Audit Finds More Than Half Of Minnesota's 11,000 Law Enforcement Users Misused Driver Data
from the unfortunately,-nothing-really-shocking-about-these-findings dept
It's been proven before by various government agencies and it still holds true: if you give someone more access than oversight when it comes to collected personal information, you can't be surprised when this tool gets abused.The latest abuse of a government-harvested database was uncovered by state auditors in Minnesota. The report details extensive misuse of driver's license records by law enforcement agencies.
The review by the state's legislative auditor — highly anticipated by legislators and privacy advocates — said officers need better training in allowed uses of the protected data, and local and state agencies should do more to monitor use. Beyond 88 incidents of misuse documented in state records last year, auditors found even more suspicious activity buried in audit trails.This study's findings will likely result in some additions to legislation proposed earlier this year, which seeks to add penalties and transparency to data breaches by government employees, requiring local agencies to post full investigation reports online should any breach occur. The legislation itself was written in response to a severe data breach traced back to a single government employee.
More than half of the 11,000 law enforcement users of the Driver and Vehicle Services (DVS) website in that time frame queried themselves or people with the same last name, for example, or disproportionately searched for people of one sex.
The legislation came on the heels of news that a former employee at the Department of Natural Resources had viewed thousands of drivers license records — almost exclusively of women — without a permissible use. That employee, John Hunt, is now facing criminal charges, and his actions have spurred five federal lawsuits against the state.This employee might have been caught more quickly, but Hunt likely knew the limitations of the DPS auditing system and stayed below the radar, despite making nearly 19,000 queries to the database over the course of five years.
The report also recommended that because audits by the DPS largely detect heavy users, rather than suspicious use, local agencies should conduct more proactive monitoring. They suggested the department beef up its abilities to assist local agencies.In addition to the larger breaches, there were also cases where failure to deactivate accounts resulted in additional misuse of the DVS system.
[Public safety commissioner Mona] Dohman said in an interview that the queries were so spread out that he did not emerge in their monthly review of the top 50 users.
During the 18 months ending June 30, 2012, 13 users conducted queries using access privileges associated with law enforcement agencies that no longer existed. Over the same time period, three former employees of state law enforcement agencies, as well as four former employees of local law enforcement agencies, accessed the DVS Web site using usernames and passwords that should have been disabled.The current process for disabling accounts is almost farcical in its slowness. The report points out that the DVS allows accounts to remain dormant for 120 days before inactivating them. While this is a huge improvement over the 500 days it used to allow, it's still plenty of time for anyone looking to query a database they should no longer have access to.
Compounding the existing misuse issues is the fact that law enforcement agencies have exempted themselves from many of the policies affecting authorized civilian users. To begin with, sworn officers are not required to attend training or refresher courses on proper use of the DVS system, including policies regarding general security and appropriate data use. Officers are also exempted from the same user agreement that greets civilians at login and are otherwise not held accountable by any agreement when utilizing the DVS database.
DPS (Dept. of Public Safety) has not implemented other access management practices for all users. For example, DPS does not require a user agreement for sworn officers with access to the DVS Web site. Civilian law enforcement employees must sign a user agreement justifying their need for driver's license information, including their specific needs for access to driver's license photographs. DVS staff review the agreements before granting access. BCA (Bureau of Criminal Apprehension) has a signed intra-agency agreement with DVS. Agencies with employees who access BCA systems sign an agreement taking responsibility for access by their staff, among other things. Thus, it is only sworn officers who use the DVS Web site for whom DPS does not require an agreement, signed by the user or his or her employer, taking responsibility for appropriate access.The findings of this study will certainly raise questions about this law enforcement double-standard. The proposed legislation and its attendant penalties and openness is, unsurprisingly, being fought by the law enforcement community.
House author Rep. Mary Liz Holberg, R-Lakeville, said she has already met resistance from some law enforcement entities.It's pretty hard to rebuild public trust when you don't trust the public. Or, at least, don't trust them enough to be honest with them. The law enforcement fraternity has never been one for openness and consistency. As the study notes, misuse of the DVS system is handled differently by every law enforcement agency, if it's even punished at all. The lack of a codified "best practices" or even a basic "user agreement" that holds the individual officer responsible for his actions has led to widespread misuse. Minnesota's legislators are on the right track and this audit offers some very sound suggestions, but the feeling that those who enforce the law should be exempted from these same laws is somewhat endemic in law enforcement, meaning this has the potential to get worse before it gets any better. If they aren't careful, this legislation could reach passage with very few "teeth" intact, if it gets there at all.
"If you have bad actors in your bunch, then why shouldn't the public know about it?" Holberg said. "It seems like nobody wants any sunshine around this issue. And I think it would do a lot to rebuild the public trust if there was more public awareness of misuse and consequences."
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: abuse, data, driver data, minnesota, privacy
Reader Comments
Subscribe: RSS
View by: Time | Thread
[ link to this | view in thread ]
[ link to this | view in thread ]
I can't imagine
[ link to this | view in thread ]
Re: I can't imagine
/s
[ link to this | view in thread ]
This is an example of “just because a list is made it will be taken advantage of” kind of thing. Personally, I favor that only violent felony convictions being public record in the sense that violent felons must not be treated in the same way as common citizens (regardless of non violent felony convictions).
Here is a link to a post describing bullies using government as a shield: http://www.techdirt.com/articles/20130226/14360422120/supreme-court-effectively-says-theres-no-way-t o-challenge-warrantless-wiretapping.shtml#c681 (its normal human nature so we must deal withit as such)
[ link to this | view in thread ]
[ link to this | view in thread ]
ONLY for government agencies? What about Google?
First, I noted in sub-head and 1st paragraph that lack of surprise is an almost unavoidable theme here at Techdirt.
Then I noted a 2nd recurring theme: only narrow worries that mostly distract from much larger actualities. While a jab is thrown at Facebook now and then, the possibility that Google with its massive server farms and collating engines with almost no public oversight just MIGHT mis-use that power (including conspiring with gov't) seems off-limits.
And one of the ways that gov't exempts itself from Law is through use of "private" corporations.
Take a loopy tour of Techdirt.com! You always end up at same place!
http://techdirt.com/
Techdirt's official motto: This isn't surprising.
[ link to this | view in thread ]
Re: ONLY for government agencies? What about Google?
Though maybe the reason is that the article was about Governments, which have authority over the public, misusing that authority...
What do I know I'm not even registered.
[ link to this | view in thread ]
Re: ONLY for government agencies? What about Google?
[ link to this | view in thread ]
Out_of_the_blue (anonymous) brings to light our ignorance of how current legislation is created (and the batch of legislators that create such). Current government uses private organizations to do what it cannot do itself which is collate and organize diverse databases using identifiers we don't yet understand as a public (Example: prescriptions from your local pharmacy are sold to an aggregate collector which identifies you (exactly) by your medical record (date of birth, prescription usage, and age.) hereafter you are identified (exactly) forever in their mindset. These are unique identifiers of which drug manufactures and state monitor laws keep tract of. (another great topic would be the new prescription monitoring programs which record every doctor prescribed prescription you take).
Several organizations like Blackwater (now changed names to confuse the attentive voter) collect your personal info by contract from the federal government. The fed is prohibited from such stupidity but private organizations are not. (out_of_the_blue is correct)
[ link to this | view in thread ]
Re:
Considering that accessing public documents in an unusual amount in an open network now amounts to Felony charges I see where you are going at but I have to disagree..
[ link to this | view in thread ]
Re: Re: ONLY for government agencies? What about Google?
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Government Unchecked
I hate violence and think way to many people have guns, but the bottom line is what the NRA preaches is still valid. Who is going to protect the people from the government?
[ link to this | view in thread ]
cops training and hand books
2 every hand book states , everyone lie's.
cops believe they are above the law an therefore not subject to the law.
with no over site , power corrupts.
we see it starting in the united states now , we are very close to the Nazi SS state (without antisemitism)
New york is the test bed Nanny state.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
both arrest records and felony convictions (excepting violent) are no indication of a citizens further actions. The whole idea of law is to teach the individual the consequence of taking advantage of others by fraud, theft or whatever.
The real measurement is that, does our, prison/enforcement procedures reduce recidivism? (repeat offenders)
“If you work at a bank you can look up the account information of any normal person but if you pull up the account information of either a movie star or a rich person it will raise a red flag. Those who are rich get special privileges that the rest don't.”
Really? Is that true? And. Technically, how does that happen in real life?
Most people expound the phrase 'Fame and fortune'. Fame is an expense (argue with me please)(am soooo lucky to avoid such a cost. So far, lol) in that public attention is to be managed, in such a way as, to allow a normal life (cost). While fortune is a profitable thing.
Hard to delineate a way to allow a famous person is to visit a local shopping mall (This has got to be a basic right, I mean really... shopping?) and the public need to ask for an autograph and create a (an embarrassing) scene.
Where dose culture enter the scene? How we act as a people/society/country does mater.
[ link to this | view in thread ]
Re:
Medical records are ready for abuse. (it is likely the main way NSF and FBI identifies you as a citizen regardless of your drivers license or passport credentials.) Dental records anybody? A (lot) of states have implemented an abuse of prescriptions legislation that automatically transfer your list of prescriptions to a (what the hell ) law enforcement agency for, whatever, review.
Voice print technology is a very developed technology so much so that if you receive a phone call (regardless of whether you hang up immediately) requesting what radio or TV channel you like (three seconds of recorded background sound is enough to distinguish what you are watching or listening to at the moment) is enough to...
Thank you for the comments.
[ link to this | view in thread ]