State Audit Finds More Than Half Of Minnesota's 11,000 Law Enforcement Users Misused Driver Data
from the unfortunately,-nothing-really-shocking-about-these-findings dept
It's been proven before by various government agencies and it still holds true: if you give someone more access than oversight when it comes to collected personal information, you can't be surprised when this tool gets abused.The latest abuse of a government-harvested database was uncovered by state auditors in Minnesota. The report details extensive misuse of driver's license records by law enforcement agencies.
The review by the state's legislative auditor — highly anticipated by legislators and privacy advocates — said officers need better training in allowed uses of the protected data, and local and state agencies should do more to monitor use. Beyond 88 incidents of misuse documented in state records last year, auditors found even more suspicious activity buried in audit trails.This study's findings will likely result in some additions to legislation proposed earlier this year, which seeks to add penalties and transparency to data breaches by government employees, requiring local agencies to post full investigation reports online should any breach occur. The legislation itself was written in response to a severe data breach traced back to a single government employee.
More than half of the 11,000 law enforcement users of the Driver and Vehicle Services (DVS) website in that time frame queried themselves or people with the same last name, for example, or disproportionately searched for people of one sex.
The legislation came on the heels of news that a former employee at the Department of Natural Resources had viewed thousands of drivers license records — almost exclusively of women — without a permissible use. That employee, John Hunt, is now facing criminal charges, and his actions have spurred five federal lawsuits against the state.This employee might have been caught more quickly, but Hunt likely knew the limitations of the DPS auditing system and stayed below the radar, despite making nearly 19,000 queries to the database over the course of five years.
The report also recommended that because audits by the DPS largely detect heavy users, rather than suspicious use, local agencies should conduct more proactive monitoring. They suggested the department beef up its abilities to assist local agencies.In addition to the larger breaches, there were also cases where failure to deactivate accounts resulted in additional misuse of the DVS system.
[Public safety commissioner Mona] Dohman said in an interview that the queries were so spread out that he did not emerge in their monthly review of the top 50 users.
During the 18 months ending June 30, 2012, 13 users conducted queries using access privileges associated with law enforcement agencies that no longer existed. Over the same time period, three former employees of state law enforcement agencies, as well as four former employees of local law enforcement agencies, accessed the DVS Web site using usernames and passwords that should have been disabled.The current process for disabling accounts is almost farcical in its slowness. The report points out that the DVS allows accounts to remain dormant for 120 days before inactivating them. While this is a huge improvement over the 500 days it used to allow, it's still plenty of time for anyone looking to query a database they should no longer have access to.
Compounding the existing misuse issues is the fact that law enforcement agencies have exempted themselves from many of the policies affecting authorized civilian users. To begin with, sworn officers are not required to attend training or refresher courses on proper use of the DVS system, including policies regarding general security and appropriate data use. Officers are also exempted from the same user agreement that greets civilians at login and are otherwise not held accountable by any agreement when utilizing the DVS database.
DPS (Dept. of Public Safety) has not implemented other access management practices for all users. For example, DPS does not require a user agreement for sworn officers with access to the DVS Web site. Civilian law enforcement employees must sign a user agreement justifying their need for driver's license information, including their specific needs for access to driver's license photographs. DVS staff review the agreements before granting access. BCA (Bureau of Criminal Apprehension) has a signed intra-agency agreement with DVS. Agencies with employees who access BCA systems sign an agreement taking responsibility for access by their staff, among other things. Thus, it is only sworn officers who use the DVS Web site for whom DPS does not require an agreement, signed by the user or his or her employer, taking responsibility for appropriate access.The findings of this study will certainly raise questions about this law enforcement double-standard. The proposed legislation and its attendant penalties and openness is, unsurprisingly, being fought by the law enforcement community.
House author Rep. Mary Liz Holberg, R-Lakeville, said she has already met resistance from some law enforcement entities.It's pretty hard to rebuild public trust when you don't trust the public. Or, at least, don't trust them enough to be honest with them. The law enforcement fraternity has never been one for openness and consistency. As the study notes, misuse of the DVS system is handled differently by every law enforcement agency, if it's even punished at all. The lack of a codified "best practices" or even a basic "user agreement" that holds the individual officer responsible for his actions has led to widespread misuse. Minnesota's legislators are on the right track and this audit offers some very sound suggestions, but the feeling that those who enforce the law should be exempted from these same laws is somewhat endemic in law enforcement, meaning this has the potential to get worse before it gets any better. If they aren't careful, this legislation could reach passage with very few "teeth" intact, if it gets there at all.
"If you have bad actors in your bunch, then why shouldn't the public know about it?" Holberg said. "It seems like nobody wants any sunshine around this issue. And I think it would do a lot to rebuild the public trust if there was more public awareness of misuse and consequences."
Filed Under: abuse, data, driver data, minnesota, privacy