As the police and intelligence agencies continue to collect more and more information, it’s all OK because they’re good custodians of that information: they keep it secure where hackers can’t get at it and publish it, and you need clearances to get at it.
Yeah, right.
One problem is pretty obvious: there are something like 300,000 people cleared with TOP SECRET/SCI clearances and, as Edward Snowden and Chelsea Manning showed us, once you’re inside the perimeter, it’s not hard to gain access to largely insecure databases.
The intelligence community is going to be doing more sharing “sharing before the privacy protections” in government parlance. That includes to other agencies – like the FBI, DHS, CBP. Agencies that are probably even more incompetent than the NSA and CIA. I don’t know if they are more or less corrupt, but they sure are not good custodians of their data:
Police in jurisdictions across the country were found to routinely misuse and abuse their access to state driver databases and federal criminal history databases. What’s more egregious than the actual misuse of confidential information is the fact that few officers are ever punished if caught. In Denver, it was found that in ten years of police database misuse, only 25 officers were ever disciplined. In fact, the misuse doesn’t just stop at uniformed and badged employees… AP research shows that other government employees including civilian contractors have also been caught abusing their access.
The number of illegal and unwarranted queries to NCIC and state databases is believed to be vastly under-reported. Some law enforcement agencies even responded to the AP investigation by stating that they do not keep track of those numbers. In Minnesota during the fiscal year of 2012, that number was estimated by a government auditor to be up to half of all law enforcement requests to the DMV database. [ap] [emphasis added]
From personal experience, it’s pretty easy to access this sort of file. All you need is a friend who’s willing to do you a favor, “hey could you look up…?” And it happens a lot.
Back in the day I knew a hacker who compromised a computer at a state police office, and very carefully and sparingly used that computer to access the FBI’s NCIC database. The NCIC database is, of course, “for law enforcement only” but – what does that even mean?
According to the NCIC’s site, it means things like:
Set a new single day record on July 28, 2016, by processing 17,492,427 NCIC transactions [ncic]
And:
The FBI provides a host computer and telecommunication lines to a single point of contact in each of the 50 states, the District of Columbia, Puerto Rico, the U.S. Virgin Islands, Guam, and Canada, as well as federal criminal justice agencies. Those jurisdictions, in turn, operate their own computer systems, providing access to nearly all local criminal justice agencies and authorized non-criminal justice agencies nationwide. The entry, modification, and removal of records are the responsibility of the agency that entered them.
In other words: local agencies (state police, whatever) do whatever they want and make whatever queries they want, and it’s not the FBI’s problem. The FBI isn’t responsible for inaccuracies in the database, either. And the whole system is set up so that it’s impossible to audit – especially if they’re pushing 17 million transactions a day.
State and local agencies employ over 1 million people, most of whom would potentially have access to NCIC data.
Other police employees searched for family members, sometimes at relatives’ requests, to check what information was stored or to see if they were the subjects of warrants.
Still other searchers were simply curious, including a Miami-Dade officer who admitted checking dozens of officers and celebrities including basketball star LeBron James.
Simply curious. Oh, OK. In hacking terms, that’s an “attack surface” that’s about the size of Jupiter: the transaction rate is too high to audit, and the number of users is too large to audit, either. These occasional cops who are caught being naughty are just the tip of a great big ice-mountain.
Before some smug European comments about how it’s not a problem for them, sorry, wrong, it appears authoritarians work the same way across cultures.A couple of months ago it was discovered that Poole borough council, in Dorset, had used the Regulation of Investigatory Powers Act – designed to track serious criminals and terrorists – to determine whether a school applicant and her parents lived where they said they did. They did, and were appalled to discover they had been spied on for three weeks [guardian]
But it’s just harmless curiousity:
Just who are these people, these swelling legions of unelected, ill-qualified monitors who wield such extraordinary power in our surveillance society? Clarification in one case came last year, when the civilian in charge of a Worcester police station’s surveillance team was suspended after detectives found, among one day’s footage, a 20-minute sequence of close-ups of a woman’s cleavage and backside as she walked oblivious through the streets. Whether the woman ever discovered she was the star of a kind of pervert Truman Show is not recorded. But the offending monitor escaped with a warning and was – unbelievably – back in post within weeks.
I hear it’s important to watch these things because terrorists tend to have nice cleavage.
What does “sharing before the privacy protections” even mean? There’s one thing we can infer from it: everything is being collected before the privacy protections, or there wouldn’t be anything to share. Back in the old days when the NSA was promoting the myth that they only looked at foreign data, we were left to imagine that they had some way of distinguishing foreign from domestic traffic, then were capturing the foreign traffic. It was always obvious to me that that doesn’t make any sense: they collect it all, then “don’t look at” the domestic stuff. They still have it. They just “don’t look at it” and “look at” means – literally – human eyeballs view it. The “privacy protection” is the analyst who decides what to cast their eyes upon.
Remember: NSA’s Security Sucks
One of the best things that could happen would be for some Tyler Durden to upload a bunch of data to NCIC and DHS’ “no fly list” consisting of FBI agents, secret service, and congresspeople. Then sit back and watch the fireworks.
Looking for some pictures to illustrate this, I searched a google image search for “naughty surveillance camera” and discovered that Rule #34 applies: yes, there’s porn of it.
sonofrojblake says
This is on my list of “things I’m surprised haven’t already happened”, along with someone mounting a three-shot handgun on a drone and using it to remotely and untraceably assassinate someone.
Marcus Ranum says
sonofrojblake@#1:
This is on my list of “things I’m surprised haven’t already happened”
If it were in my power to cause, it would have happened a few weeks ago. Every lobbyist, legislator, and FBI agent would be on a “no fly” list. Just so they could see how it feels. For educational purposes, ya kno?
Crimson Clupeidae says
Rule 34 always applies…..
Marcus Ranum says
Crimson Clupeidae@#3:
Rule 34 always applies
I wonder if there is any porn about Rule #34.
And, I want to see the first porn about Zeno’s paradox. Before you can start having sex, you have to go halfway. And then you sort of wind up eternally 3/4 of the way “there”…
CJO says
Zeno disputes your claim to have “gone all the way”.
sonofrojblake says
That’s not porn. That’s painful flashback to every failed attempt to get somewhere with the first few girls you tried to get frisky with, isn’t it? “Eternally halfway there” is a description only of frustration, which is surely the opposite of the point of porn.
Dunc says
There is a joke I heard many years ago about a modified form of Zeno’s paradox of motion (in which traversing half of the remaining distance requires constant time), involving a physicist, an engineer, and a beautiful woman. The punchline is “But I can get close enough!”… I’ll let you fill in the details for yourself.
Marcus Ranum says
And, I want to see the first porn about Zeno’s paradox.
I hear that a studio did try to make it, but they could never finish it.
multitool says
If you’re trying to pack the no-fly list with chaff, can’t you just make lots of distributed ‘concerned citizen’ phone calls about your suspiciously-acting neighbor, Mitch McConnell?