
This is an `executive summary' from CRA Bulletin (Computing Research Assoc., contact josuna@cs.umd.edu), followed by more explanation from an article by L. Knutson for AP, apparently sent to the Telecom Digest edited by the `Pat' editor who inserted interesting comments at the end. The AP article is very disturbing. Short summary: National Crime Information Center is the government agency that tracks criminal records, used by FBI all the way down to local law enforcement, and the data continually leaks in serious abuses. (This is the same government that will find not one but TWO completely incorruptible Key Escrow houses.) So another black eye for Big Brother and more ammunition for the Cypherpunks:

Laurie E. Ekstrand, the GAO's associate director for administration of justice issues, said ... "Furthermore, all the reported misuse incidents involve insiders, while none involved outside [computer] hackers," she said.

And YIKES look at the lead in to that AP article...

* * *

Maybe we need a new Bill of Rights for cyberspace that describes precisely what data can be accessed, and by whom. Here are a few ideas that have been rattling around in my brain for a long time:

- If you could put an electronic `leash' on your name or any other electronic information about you, such that whenever it was relocated you would feel a `tug' (an email message or whatever), you could track exactly where your personal data is going, such as when your name exchanges through copied mailing lists.

- Not only that, but we could set up a system where the leash is interactive so that the individual can individually veto or allow such requests.

- One should be able to `yank' the leash on the name out of databases where it should be permitted (e.g. anything involving private companies, but of course not criminal records).

- In general, imagine that every person has their own personal database that tracks *exactly* where *all* information in the world is stored about them.

- This could all be accomplished without new legislation (always the preferable method!), if a system was developed whereby every commercial transaction was actually a contract between the two parties to adhere to the `privacy protocol'. Of course, the presence of a ubiquitous network that everyone has access to, sort of a new Minitel, is assumed.

- In general, we should begin to recognize that information itself can be considered private property, and the method to enforce its exclusivity is a contract between the owner and anyone who wishes to `lease' it that enforces the owner's desired degrees of exclusivity. This may involve monetary arrangements, i.e. I get paid to allow my name to be circulated if I agree.

So, to accomplish all this electronic standards are required.
If anyone wants to start, now would be a great head start prior to the explosion of commercial networking, and the standard could become available not a moment too soon and entrenched as a result. It's definitely a first class Cypherpunk project.

===cut=here===

GAO TELLS HOUSE OF NCIC COMPUTER ABUSE
=============================================================

The General Accounting Office made a statement before a House subcommittee July 28 about security holes in the National Crime Information Center computer system. NCIC is the nation's largest computerized criminal justice information system, consisting of 24 million records accessible by 500,000 people.

Upon a request from Gary Condit (D-CA), GAO testified on NCIC security before a joint meeting between the House Judiciary Subcommittee on Civil and Constitutional Rights and the House Government Operations Subcommittee on Information Justice, Transportation and Agriculture.

NCIC is not easily penetrable from outside. However, because there is no password authentication, NCIC is easily abused by insiders, GAO said. Most users of the system simply identify themselves and their agencies using codes that are not kept secret. The GAO reported instances where law enforcement agents entered the system using false codes, retrieved information and sold it to private investigators.

Subject: NCIC News
From: trader@cellar.org
Date: Fri, 30 Jul 93 21:04:53 EDT
Organization: The Cellar electronic community and public access system

I sent this to CuD, but thought that Telecom readers may also be interested.

{Philadelphia Inquirer} - 07/29/93

CRIMINAL RECORDS ARE VULNERABLE TO ABUSE, CONGRESS IS WARNED

Sometimes the information is for sale, the GAO said. It called for greater security.

By Lawrence L. Knutson
ASSOCIATED PRESS

WASHINGTON -- In Arizona, a former police officer gained access to print-outs from the FBI's National Crime Information Center, tracked down his estranged girlfriend and murdered her.
In Pennsylvania, a computer operator used the system to conduct background searches for her drug-dealer boyfriend, who wanted to learn if new clients were undercover agents.

In Colorado, Connecticut, Florida, Maryland and other states, private investigators bought data from insiders with authorized access to the criminal-record system.

These examples were presented to the House Judiciary and Government Operations Committees yesterday by the General Accounting Office, which concluded that the criminal-records system is vulnerable to widespread misuse.

The GAO recommended that Congress enact legislation with "strong criminal sanctions" barring the misuse of the criminal record files and that the FBI encourage state users to enhance security.

Laurie E. Ekstrand, the GAO's associate director for administration of justice issues, said that while the FBI and the states do not keep adequate records, "we did obtain sufficient examples of misuse to indicate that such misuse occurred throughout the system."

"Furthermore, all the reported misuse incidents involve insiders, while none involved outside [computer] hackers," she said.

"It appears that there are employers, insurers, lawyers or investigators who are willing to pay for illegal access to personal information, and there are insiders who are willing to supply the data," said Rep. Gary Condit (D., Calif.) summing up the GAO's findings.

The National Crime Information Center, with 24 million records, is the nation's largest computerized criminal justice information system. Its 14 separate files contain an extensive range of data, including information about fugitives, stolen vehicles and missing persons. The largest single file, known as "the III file" gives users access to 17 million criminal-history information records maintained in separate state systems.

The GAO said more than 19,000 federal, state and local law enforcement agencies in the U.S. and Canada, using 97,000 terminals, have direct access to the system.

The GAO called the Arizona case the most extreme example of misuse it uncovered. The agency said investigators learned that the former police officer was able to locate his estranged girlfriend using data provided from the national records system by three people working in different law enforcement agencies.

"After an investigation, the printouts provided by the three individuals were discovered and they were identified, prosecuted and convicted," the GAO said.

Other examples provided by the GAO:

- In Maine, a police officer used the system to conduct a background check on one of his wife's employees who was then fired for not disclosing his criminal record.

- In Iowa, a dozen cases of misuse were reported over the last two years. All involved computer operators conducting background searches on friends or relatives.

- In New York state, an employee of a law enforcement agency provided criminal history information to be used by a local politician against political opponents.

- In Pennsylvania, a police officer "accessed and widely disseminated" a fellow officer's criminal history record.

- In South Carolina, a law enforcement agency conducted background searches on members of the City Council.

-------------

[Moderator's Note: Be aware however that much information people don't like having released is considered public record, and that includes criminal histories. There are perhaps right ways and wrong ways to go about getting the information, but criminal background information on any person can be obtained quite legally, and you don't have to be a law enforcement officer to get it. Here is why:

In the United States, our constitution calls for *open, public trials*. To wit, anyone can walk into a courtroom, sit down and observe a trial in progress. Records are kept of trials (we call them transcripts) and the same rules which provide that trials are open to the public say that by extension, transcripts can be read by anyone who wants to get it and read it later.
The court may charge a fee for its expense in making the copy, but pay the fee and you get the record.

Now no one is going to traipse around the country, state by state and county by county looking to see if you are a criminal, a deadbeat or whatever. What happens is that nearly every community has at least one practitioner of records research. Send them a note plus their fee and *they* will walk over to the courthouse, pull the file and fax it to you. Many researchers have cooperative arrangements with other researchers. You pull files in your community that I need and I'll pull files here for you. This then led to computerized databases of perfectly open, legally obtained information on criminal records (among other things) in much the same way credit bureaus work with each other.

So you don't have to get into confidential records illegally to get what you want to find out, you just have to know where to go for *legal, public* files which say the same thing or the essence thereof. If your record in the Podunk Circuit Court says Judge Greene sent you away for ten years for refusing to select a default one plus carrier, I don't have to have an illicit contact in the NCIC or law enforcement to tell me the same thing at some risk to my own freedom if I get caught snooping! Remember, you can have all the information you want on anyone quite legally. Public records abound. Learn to use them. PAT]

participants (1)
-
L. Detweiler