This is an `executive summary' from CRA Bulletin (Computing Research
Assoc., contact josuna(a)cs.umd.edu) followed by more explanation from
an article by L. Knutson for AP, apparently sent to the Telcom Digest
edited by the `Pat' editor who inserted interesting comments at the
end. The AP article is very disturbing.
Short summary: National Crime Information Center is the government
agency that tracks criminal records, used by FBI all the way down to
local law enforcement, and the data continually leaks in serious
abuses. (This is the same government that will find not one but TWO
completely incorruptable Key Escrow houses.) So another black eye for
Big Brother and more ammunition for the Cypherpunks:
>Laurie E. Ekstrand, the GAO's associate director for administration of
>justice issues, said ...
>"Furthermore, all the reported misuse incidents involve insiders,
>while none involved outside [computer] hackers," she said.
And YIKES look at the lead in to that AP article...
* * *
Maybe we need a new Bill of Rights for cyberspace that describes
precisely what data can be accessed, and by whom. Here are a few ideas
that have been rattling around in my brain for a long time:
- If you could put an electronic `leash' on your name or any other
electronic information about you, such that whenever it was relocated
you would feel a `tug' (an email message or whatever), you could track
exactly where your personal data is going, such as when your name
exchanges through copied mailing lists.
- Not only that, but we could set up a system where the leash is
interactive so that the individual can individual veto or allow such requests.
- One should be able to `yank' the leash on the name out of databases
where it should be permitted (e.g. anything involving private
companies, but of course not criminal records).
- In general, imagine that every person has their own personal database
that tracks *exactly* where *all* information in the world is stored about them.
- This could all be accomplished without new legislation (always the
preferrable method!), if a system was developed whereby every
commercial transaction was actually a contract between the two parties
to adhere to the `privacy protocol'. Of course, the presence of a
ubiquitous network that everyone has access to, sort of a new Minitel, is assumed.
- In general, we should begin to recognize that information itself can
be considered private property, and the method to enforce its
exclusivity is a contract between the owner and anyone who wishes to
`lease' it that enforces the owner's desired degrees of exclusivity.
This may involve monetary arrangements, i.e. I get paid to allow my
name to be circulated if I agree.
So, to accomplish all this electronic standards are required. If anyone
wants to start, it now would be great head start prior to the explosion
of commercial networking, and the standard could become available not a
moment too soon and entrenched as a result. It's definitely a first
class Cypherpunk project.
===cut=here===
GAO TELLS HOUSE OF NCIC COMPUTER ABUSE
=============================================================
The General Accounting Office made a statement before a House subcommittee
July 28 about security holes in the National Crime Information Center computer
system.
NCIC is the nation's largest computerized criminal justice information system,
consisting of 24 million records accessible by 500,000 people.
Upon a request from Gary Condit (D-CA), GAO testified on NCIC security before
a joint meeting between the House Judiciary Subcommittee on Civil and
Constitutional Rights and the House Government Operations Subcommittee on
Information Justice, Transportation and Agriculture.
NCIC is not easily penetratable from outside. However, because there is no
password authentication, NCIC is easily abused by insiders, GAO said.
Most users of the system simple identify themselves and their agencies using
codes that are not kept secret. The GAO reported instances where law
enforcement agents entered the system using false codes, retrieved information
and sold it to private investigators.
Subject: NCIC News
From: trader(a)cellar.org
Date: Fri, 30 Jul 93 21:04:53 EDT
Organization: The Cellar electronic community and public access system
I sent this to CuD, but thought that Telecom readers may also be
interested.
{Philadelphia Inquirer} - 07/29/93
CRIMINAL RECORDS ARE VULNERABLE TO ABUSE, CONGRESS IS WARNED
Sometimes the information is for sale, the GAO said. It called for
greater security.
By Lawrence L. Knutson
ASSOCIATED PRESS
WASHINGTON -- In Arizona, a former police officer gained access to
print-outs from the FBI's National Crime Information Center, tracked
down his estranged girlfriend and murdered her.
In Pennsylvania, a computer operator used the system to conduct
background searches for her drug-dealer boyfriend, who wanted to learn
if new clients were undercover agents.
In Colorado, Connecticut, Florida, Maryland and other states, private
investigators bought data from insiders with authorized access to the
criminal-record system.
These examples were presented to the House Judiciary and Government
Operations Committeess yesterday by the General Accounting Office,
which concluded that the criminal-records system is vulnerable to
widespread misuse.
The GAO recommended that Congress enact legislation with "strong
criminal sanctions" barring the misuse of the criminal record files
and that the FBI encourage state users to enhance security.
Laurie E. Ekstrand, the GAO's associate director for administration of
justice issues, said that while the FBI and the states do not keep
adequate records, "we did obtain sufficient examples of misuse to
indicate that such misuse occurred throughout the system."
"Furthermore, all the reported misuse incidents involve insiders,
while none involved outside [computer] hackers," she said.
"It appears that there are employers, insurers, lawyers or
investigators who are willing to pay for illegal access to personal
information, and there are insiders who are willing to supply the
data," said Rep. Gary Condit (D., Calif.) summing up the GAO's
findings.
The National Crime Information Center, with 24 million records, is the
nation's largest computerized criminal justice information system.
Its 14 separate files contain an extensive range of data, including
information about fugitives, stolen vehicles and missing persons.
The largest single file, known as "the III file" gives users access to
17 million criminal-history information records maintained in separate
state systems.
The GAO said more than 19,000 federal, state and local law enforcement
agencies in the U.S. and Canada, using 97,000 terminals, have direct
access to the system.
The GAO called the Arizona case the most extreme example of misuse it
uncovered.
The agency said investigators learned that the former police officer
was able to locate his estranged girlfriend using data provided from
the national records system by three people working in different law
enforcement agencies.
"After an investigation, the printouts provided by the three
individuals were discovered and they were identified, prosecuted and
convicted," the GAO said.
Other examples provided by the GAO:
- In Maine, a police officer used the system to conduct a background
check on one of his wife's employees who was then fired for not
disclosing his criminal record
- In Iowa, a dozen cases of misuse were reported over the last two
years. All involved computer operators conducting background
searches on friends or relatives.
- In New York state, an employee of a law enforcement agency provided
criminal history information to be used by a local politician against
political opponents.
- In Pennsylvania, a police officer "accessed and widely disseminated"
a fellow officer's criminal history record.
- In South Carolina, a law enforcement agency conducted background
searches on members of the City Council.
-------------
[Moderator's Note: Be aware however that much information people don't
like having released is considered public record, and that includes
criminal histories. There are perhaps right ways and wrong ways to go
about getting the information, but criminal background information on
any person can be obtained quite legally, and you don't have to be a
law enforcement officer to get it. Here is why: In the United States,
our constitution calls for *open, public trials*. To wit, anyone can
walk into a courtroom, sit down and observe a trial in progress.
Records are kept of trials (we call them transcripts) and the same
rules which provide that trials are open to the public say that by
extension, transcripts can be read by anyone who wants to get it and
read it later. The court may charge a fee for its expense in making
the copy, but pay the fee and you get the record.
Now no one is going to traipse around the country, state by state and
county by county looking to see if you are a criminal, a deadbeat or
whatever. What happens is that nearly every community has at least one
practioner of records research. Send them a note plus their fee and
*they* will walk over to the courthouse, pull the file and fax it to
you. Many researchers have cooperative arrangements with other
researchers. You pull files in your community that I need and I'll
pull files here for you. This then lead to computerized databases of
perfectly open, legally obtained information on criminal records
(among other things) in much the same credit bureaus work with each
other.
So you don't have to get into confidential records illegally to get
what you want to find out, you just have to know where to go for
*legal, public* files which say the same thing or the essence thereof.
If your record in the Podunk Circuit Court says Judge Greene sent you
away for ten years for refusing to select a default one plus carrier,
I don't have to have an illicit contact in the NCIC or law enforcement
to tell me the same thing at some risk to my own freedom if I get
caught snooping! Remember, you can have all the information you want
on anyone quite legally. Public records abound. Learn to use them. PAT]