U.S. public-safety agencies have long been entrusted with protecting sensitive information collected from, and/or about, the general public. From traffic citations to the details of juvenile crime, law enforcement organizations are required to ensure that criminal records, as well as data collected as part of their own day-to-day operations, are well protected.
Today, because so much of the data collected is now in an electronic format, the mechanisms of protection have, in many cases, moved from lock and key to “user name and password” and other Cyber Security measures. The rapid migration and accumulation of such data necessitates new strategies, policies, and infrastructure designed specifically to protect sensitive public safety records. These efforts must also address new and changing privacy rules, as well as entirely new forms of data that require protection – and which may require new access and use restrictions.
Last month – more specifically, on 14 July – the Cyber Security Coordinator and Special Assistant to the President, Howard Schmidt, hosted a White House meeting to discuss the status of Cyber Security efforts across various levels of government and in the private sector. The meeting addressed several of the key issues involved, with special focus on the draft National Strategy for Trustedentities in Cyberspace (NSTIC), which calls for, among other things, the creation of “an online environment where individuals can voluntarily choose to obtain a secure, interoperable, and privacy-enhancing credential from a variety of service providers – both public and private – to authenticate themselves online for different types of transactions.” That type of solution, Schmidt pointed out, is critical to ensuring that the “right people access the right data.”
GFIPM, Global Justice, GPS, and LPRs
One example of enhanced credentialing is the Justice Department’s Global Federatedentity and Privilege Management (GFIPM) initiative, which establishes a standardized credentialing framework for the justice community that is designed to improve access security while at the same time allowing more information to be shared. GFIPM is also designed to reduce the administrative burden on numerous government agencies and other data “owners” by: (a) automating the authentication process; and (b) implementing “single sign-on” solutions (where possible). GFIPM is based on Global Justice XML and NIEM (National Information Exchange Model) usages and provides a standard mechanism to share and exchange both userentities and authentication privileges.
Although enhanced authentication will provide secure and more efficient access to public safety datasets, the technology used must keep pace not only with new privacy laws but also with the evolving interpretations of what types of data require special protection, including judicial approval for access. Earlier this month, however – on 6 August – the U.S. Court of Appeals for the District of Columbia ruled that the use of global positioning system (GPS) location data that had been collected by law enforcement officers – who had surreptitiously (and without warrant) planted a tracking device on a vehicle used by two drug suspects -– had violated the suspects’ expected right to privacy under the Fourth Amendment. Data collected from the device was a key factor in the conviction of one of the suspects – but the Court overturned that conviction.
The Court of Appeals ruling may have implications for public safety’s use of tracking and location data, which in many jurisdictions is now automatically – and continuously – being captured by an ever-growing number of license plate readers (LPRs). Many states have installed and are using these systems for law enforcement and other purposes, and one result is a growing volume of data being amassed on the movement of vehicles. Although such information is, or could be, a major boon to law-enforcement investigations and crime analysts, access to that data must obviously be very tightly controlled. In large part for that reason, the International Association of Chiefs of Police last year issued a Privacy Impact Assessment about the use of LPR that provides valuable insights and recommendations for public safety agencies on issues related to the collection and use of LPR data.
As the types and quantity of data collected by public safety agencies continue to grow, the security and protection of the data must be correspondingly enhanced. The new datasets being accumulated are too valuable not to be used in support of law-enforcement investigations. That said, however, it also should be emphasized that privacy concerns are equally important – particularly for the purpose of maintaining public trust. Abuses in providing access to such data, and/or a lack of adequate cyber security protection, could erode and perhaps even eliminate that accumulated trust and result in the imposition of politically driven limits on the use of such important information.
Rodrigo (Roddy) Moscoso
Rodrigo (Roddy) Moscoso is the executive director of the Capital Wireless Information Net (CapWIN) Program at the University of Maryland, which provides software and mission-critical data access services to first responders in and across dozens of jurisdictions, disciplines, and levels of government. Formerly with IBM Business Consulting Services, he has more than 20 years of experience supporting large-scale implementation projects for information technology, and extensive experience in several related fields such as change management, business process reengineering, human resources, and communications.