Showing posts with label personal data. Show all posts

Wednesday, June 9, 2021

Modern police work or invasion of privacy?


NOTE: This article was initially posted in June 2019 and has been updated with new and current information.

The Maryland legislature passed a new law in 2021 that further regulates how law enforcement uses commercial DNA databases to identify suspects. With this new law, Maryland joins Utah and Montana as the only states to limit police use of these databases. In 1994, the Maryland legislature passed the Maryland DNA Collection Act, which authorized police to gather DNA evidence for certain criminal investigations. The Act was expanded in 2008 to include more crimes but also limited law enforcement from using State databases to search for relatives of a suspect, or familial matches. Maryland is the only state with such a limitation on state-run databases.

Maryland’s new law will take effect in October 2021 and bars law enforcement from using commercial DNA databases to look for familial connections. Law enforcement will be required to exhaust all other avenues of identification and then make application to a judge. Police will also have to obtain consent from a person not suspected of a crime before comparing that person’s DNA to commercial databases. 
 
         _________________________________________________________________________________
 
In March 2019, Florida police identified a suspect in a 1998 cold case murder after a man submitted his fingerprints for a job application. Law enforcement had submitted unknown fingerprints from the murder scene to a National database. As fingerprints from crime scenes, criminal arrests, clearance, and background checks are submitted to the database they are checked against the fingerprints on file. Matches are then reported back to the submitting police departments.

Fingerprints

As detailed in my blog post, “National” Record Checks?, there is not a national database of criminal records. There is, however, a database of fingerprints that matches to criminal records of individuals. Maintained by the FBI and begun in 1924, it is the world’s largest database of fingerprints and associated criminal history. Up until 1999, the system was based on manual collection, submission, and examination. Police would ink up a person’s fingers, roll out the prints on a card, and submit the card to the FBI. There, technicians would painstakingly, individually, examine the prints under magnification and check against known crimes or suspects, after which the cards were filed. When the system became digital it was possible to check the submitted prints against the entirety of the database. Unknown prints found at crime scenes could then be matched against previously submitted prints and suspects developed. If you have ever been fingerprinted, your prints are stored in the system and checked against other submissions thousands of times a day.

The Florida case happened that way. In 1998, police submitted latent prints collected from the murder site. For twenty years every fingerprint submitted to the FBI was checked against the 1998 submission. The killer had avoided being fingerprinted for two decades.

Familial DNA

DNA testing was first developed for use in paternity identification.  Police in England first used DNA in a criminal case in 1986. The first DNA conviction in the U.S. came in 1987. As with any new forensic test, court admissibility was tested early on. Over the years DNA identification has been accepted and the process of collecting and identifying made more efficient. What used to take weeks now only takes days.

In 2018, police and the FBI captured a man suspected of being a serial rapist and murderer in a multitude of cases from forty years ago. The case was broken through the use of DNA. The suspect himself was smart enough not to have his DNA logged into any DNA databases. Smart detectives realized that outside of justice system DNA databases there is a plethora of information being collected by private entities. Ancestral research companies provide DNA collection kits, which allow people to submit their DNA for comparison to other samples in hopes of finding family matches. You guessed it. The profiles are stored in databases so that they can be pinged during searches.

Checking crime scene DNA against public sources of DNA, police were able to get a familial match. That match narrowed the pool of suspects down to one family.  This method has been tagged as “genetic genealogy”.  After the familial match, through traditional police work, detectives were able to identify a suspect. 

Genetic genealogy also works to identify the victims of violent crimes. In 2019, Anne Arundel County Police identified the remains of a man who had been discovered in a trashcan during the construction of Marley Station Mall in 1985. Roger Kelso was believed to have been killed in the 1960s and buried in the woods where the mall would eventually be constructed. Police compared the victim’s DNA to samples in public databases to form the familial match. The long cold case is now active.

The same methods were used to identify the remains of a woman and children found buried in barrels in the woods of Allenstown, New Hampshire in 1985. Although law enforcement had long ago associated the victims with serial killer Terry Rasmussen, they had never identified the victims. By using genetic genealogy, police in 2019 were able to finally identify the victims as Marlyse Honeychurch and her daughters Sarah McWaters and Marie Vaughn.

As you can imagine privacy watchdogs are all over the issue of law enforcement having access to private sector databases.

Genetic privacy

Ancestry and 23andMe are the largest consumer testing providers. Both companies have policies in place that prevent law enforcement from having direct access to the databases. However, customers of both companies, hoping to grow their family tree, can upload their personal results to public databases. This is where law enforcement has access to the DNA results. Ancestral DNA companies are working to find balances. While they do not want to allow complete access to databases for misdemeanor crimes, companies do allow access for violent crimes. As law enforcement finds success they will rely more on these DNA databases.

Opponents of this kind of police work feel that the use of relatives’ DNA on public databases constitutes unwarranted searches and is thus illegal under the Fourth Amendment. State legislatures are paying attention, as Maryland and a few others have had bills introduced to bar police from using relatives’ DNA to track criminals.

Fingerprints, DNA, facial, hair, optical: these are all methods of identifying humans as individuals. All were new sciences at one time. All have made their way through the world’s courts as legal ways of making identifications. There are most certainly other scientific discoveries that will be added to the list. The question is, and always has been, where does the privacy of individuals get compromised in the name of justice?

Monday, January 21, 2019

Locking down the Internet of Things

WiFi security on the Internet of Things
Have you gotten all of your new tech gadgets hooked up after Christmas? Seems like every gift that had a plug also had a phone app and connected to Wi-Fi. Throughout the year as new toys or even appliances enter your home, setting up individual devices isn’t that noticeable. But after Christmas rolls through and you start setting up all the new goodies, it really makes you sit back and notice: you have entered the new age of a smart home. Without realizing it we have created our own attachment to the Internet of Things (IoT).

That's a lot of things

Leichtman Research Group in 2018 found that 74% of U.S. homes had at least one smart device. Statista estimates that there will be 42.2 million smart homes in 2019. Spending on IoT devices was $23.3 billion (yes, billion) and is estimated to be $75 billion by 2025.  While there are Bluetooth connections, the primary connection for IoTs is Wi-Fi. Statista reported that the average number of connected devices per person, worldwide, in 2015 was 3.47 and is estimated to be 6.58 by 2020. That is connected devices per person. Multiply that by people in your home and the for-the-common-good devices like appliances, cameras, plugs, bulbs, etc, and that’s a lot of connectivity. 

If you want to keep up with technology, this is how it’s going to be. I didn’t set out to convert the ol’ analog home to “smart”. It just happened. Garage door opener, a new appliance here and there, TVs, Hey Google, Hey Siri, Alexa, and before you know it your home is smart. The router sent me a message (yes, it communicates as well) that the network was getting full. You’re aware of connectivity for your phones and computers but forget about the other electronics (appliances, TVs, cameras, power strips, gaming systems, eBooks, etc.) that are on all the time and trying to communicate with the mother ship. Not only are these devices taxing on your home network, they are all portals for security breaches.

Any one of these connected devices can be hacked at the source, through the controlling app, or the company that provides the service. All the more reason to review your home network security. If you haven’t done so recently, with the onset of all your new tech wonderness, you’ll need to upgrade your Internet service. Most times these types of upgrades come with new routers.

Security

One of the first actions you should take on all routers and new devices is to set up your own logins and passwords. Many people still use the default settings, of which cybercriminals are aware. Changing this information will at least slow them down. I say slow down because, as we’ve seen, anyone can be hacked. At least changing the settings will offer some protection.

For all of your connected devices, actually read the setup instructions and pay attention to what you are agreeing to during the process. Data collection is big business and those companies want your data. As consumers get more privacy savvy, the product providers are finding counteractions. I recently loaded an app that wanted access to my phone’s camera, microphone, location, and to send user data. Answering no to any of those requests denied the user access. Or sometimes certain features are denied or dampened if the user doesn’t agree to the terms.

Devices that listen (your phone, TV, Echo, Google Home) are also collecting data and have been proven to also be recording your conversations. In the interest of improving their service, of course. Again, go through the setup and privacy menus carefully. Understand what the device, i.e., the manufacturer, is asking you to allow.

Overall, you have to understand that if you allow “smart” devices into your home you are giving up privacy. It’s hard not to get caught up in the technology craze, but understand what you’re getting yourself into.

Please see the blog archive for other posts relating to privacy.

Friday, October 19, 2018

Privacy access


Responding to privacy concerns and the EU’s restrictive privacy legislation, Apple launched a new portal on October 17, 2018, that allows users to see what kind of data Apple is collecting and storing. The portal has been available in Europe since May 2018. The portal provides users with a report on tracked data such as App store purchases, support history, calendars, photos, documents, and browser bookmarks.
To access the portal follow these steps.

Sign in with your Apple ID. You may be asked to authenticate the sign in.
You will then be presented with this page

Under the heading, Get a copy of your data, Click on Get Started
You can then select which data you wish to download or you can select all. Keep in mind that how much you select will affect file size and download time.

Google also has an option to download your data. Access by signing in to your Google account.
After signing in, in the top right, click on the checkerboard symbol and receive this drop down


Click on Account. Under the section Personal info & privacy, click Manage your Google activity

Scroll down to Control Your Content and click on CREATE ARCHIVE under Download your Data. 


On the next page, select the data you wish to download.



Refer to the blog archive for more articles on privacy and security.

Sunday, June 3, 2018

What we give up for convenience


If you think about it, who is the culprit in the multitude of personal data breaches? The hackers? The companies that failed to protect the data? Or is it ourselves for uploading our personal data in the first place? This really isn’t a proper question because we aren’t the culprits. But the point is that we, ourselves, allow more and more data to be collected by mega corporations. Sometimes it is as innocuous as registering on a web site or app, which we cannot always avoid because in order to do business in the digital world we have to. What I mean by allow is two-pronged. One, we are not outspoken enough about the Googles and Facebooks of the digital world collecting data. Facebook has seen a little backlash recently, but people will continue oversharing every detail of their life. But that’s the really big picture.

Second, and more specific to personal security, is what we allow by making choices to upload or share personal data. We do this by plugging in the new smart TV without learning about its capabilities and without changing the settings. Or by installing the multitude of other appliances, cameras, digital assistants that we bring into our homes and plug and play. Anything you can talk to on demand and receive a response has to be listening all the time. Creepy? We will allow apps to track our location so that when we are in certain stores or near certain locations we receive notifications. As with listening, these apps aren’t waiting for you to arrive at a certain location, they are tracking and storing your every move until you arrive at the specific location.

How much privacy are we willing to give up?

Last month police and the FBI captured a man suspected of being a serial rapist and murderer in a multitude of cases from forty years ago. The case was broken through the use of DNA. The suspect himself was smart enough not to have his DNA logged into any DNA databases. Smart detectives realized that outside of justice system DNA databases there is a plethora of information being collected by private entities. Ancestral research companies provide DNA collection kits, which allow people to submit their DNA for comparison to other samples in hopes of finding family matches. You guessed it, the profiles are stored in databases so that they can be pinged during searches.

Checking crime scene DNA against public sources of DNA, police were able to get a familial match. That match narrowed the pool of suspects down to one family. Then through traditional police work detectives were able to identify a suspect. As you can imagine privacy watchdogs are all over the issue of law enforcement having access to private sector databases.

For some time Amazon has been offering package delivery inside of your home. Utilizing an Amazon smart lock, with the customer’s permission and knowledge, delivery personnel can unlock your door and drop the package inside. Of course, you are alerted each step of the process. Amazon recently announced package delivery to your vehicle. Currently the service is only offered to owners of GM and Volvo vehicles in certain cities. The privacy we give for convenience. We allow cleaning and pet sitting services into our vacant homes but more than likely we have met the workers performing the services. I’m sure Amazon does a fantastic job vetting its employees. The point is we are giving complete strangers access to our homes and vehicles. We are then shocked and surprised when something bad happens.

Check yourself

As with corporations and social media we gladly share and upload personal data, even our current location and DNA profiles. Trusting souls that we humans are we don’t cry foul until there is a breach or government overreach. Even though we are the ones that probably share a little too much.

You can’t always avoid uploading data or providing data through registrations. What you can do is be aware of what and to whom you are sharing. Monitor your financial accounts and pay attention to announcements of breaches. You may not be directly affected, but your other accounts may have been compromised through third party links to the breach victim.

Just as we are told to change smoke detector batteries at Daylight Saving Time, maybe we should get in the habit of doing online security checks every time there is a breach announcement.

Please see the blog archive for other posts relating to privacy.
Keys to the vault August 2015

Tuesday, May 22, 2018

There’s been a breach


Note: This post was originally published in 2015. It has been updated with new information relating to the topic. 

Last week Twitter announced a breach of passwords. Twitter claimed that no personal data was released and encouraged users to change passwords. Since the big breaches from the fall of 2014 it seems like every month we have heard about a new breach. If not banks then major retailers or healthcare systems. The private information we entrust others to keep safe is being violated on a regular basis.

Try as you might to stay off the “grid” by paying cash, getting paper statements, or banking in person, eventually you will be a victim of identity theft or some sort of financial intrusion. Either because of convenience or because a company demands you use an electronic system. It is difficult to navigate in today’s world without having some portion of personal data stored on an institution’s computer.

Personal data

Ever check out at a store that you shop infrequently and they ask for your address, phone number, or name, and you’re in their system? Freaky right? At some point you’ve provided them with your personal information. Larger companies own smaller companies…your personal data is bought and shared daily.

Tax season just passed and it’s a good bet that when you filed your taxes, electronically of course, your return was rejected by the IRS because, surprise, the return associated with your social security number has already been filed.  

The IRS estimates that more than 122 million returns were filed electronically in 2017. While the IRS has seen a decline in personal tax fraud, falsified business returns have increased. The IRS identified 10,000 compared to 4,000 fraudulent business returns in 2016. The IRS doesn’t publish everything it is doing to combat tax identity fraud. Some of the public efforts are tightening access to private sector filing software and more thoroughly scrutinizing refunds. When your SSN has been compromised the IRS issues you an electronic identification number for future filings. This solution should keep your tax information safe, as it is a unique number. But so was your SSN at the time it was generated.

We used to worry about someone stealing a driver’s license or credit card. If that didn’t happen you didn’t have much to worry about. Years ago, while I was working as an undercover detective (and when I say “years ago” I mean before there was a computer in every home and a world-wide inter web of computers), a senior administrator had a briefcase stolen that contained contact information for all of the detectives. Not just names and phone numbers but addresses, birthdays and, yes, the coveted social security number. Not sure what we called it then, but it wasn’t a breach. But in today’s terminology, the breach compromised so much personal information, what could one do? You couldn’t completely change everything. In those days, though, we were more concerned with operational security than identity theft. Yes, identity theft occurred, but not at the level or frequency of today. The criminals at that time weren’t as sophisticated in that skill set as they are today. Plus, copying and sharing was a literal concept. The documents would have to be photocopied and personally distributed.

We knew that if we worked hard and fast to recover the documents, we could determine the extent to which the information had been distributed. The faster the culprit was caught, the less chance the information could be distributed. Today, your information can be stolen from a third party vendor’s database by a criminal in another country and uploaded to a distribution network all from a keyboard, in a matter of minutes.

Document, document, document

The tenets of the paper world of long ago still hold true. Identify the breach and work fast to stop the leak.
Once you’ve identified a problem, you need to start working to quickly plug the leak. Contact the source through which you became aware of the breach: credit card, driver’s license, IRS, etc. Get that entity started on resolving the issue. File a complaint with the Federal Trade Commission, your state Attorney General’s office, even the FBI if you seem to be a part of a larger breach. File local police reports also. It may seem for naught but you’ll have a record of the report and a case number to go with any other complaint filings. Most of the entities you will deal with, including law enforcement, have online complaint forms. It doesn’t take long and you can get it done in less than a day.

Document, document, document, everything you do and the entities you’ve contacted. Keep your notes for future reference.

Consider a monitoring program. There are lots of companies out there that perform this service. Of course do your research and choose wisely. If the breach occurred from a major retailer, financial, or health institution, they may offer some sort of credit monitoring or identity repair service for free. Take advantage of it.

Update, update, update

If you get notification of a password breach or hear it on the news, such as the recent Twitter breach, don’t ignore it. Like Twitter, companies publicize that no personal data was infiltrated but passwords “may” have been compromised. It is important to regularly change passwords as a matter of routine. However, when a company has had their password database specifically breached it is important to act quickly and update your settings. It is equally important to update other accounts in which you use that same password. Maybe get in the habit of updating passwords whenever there is a breach in the news. 

We should have different passwords for every account but, let’s face it, no one does that. So when one password is compromised the other accounts that use that same password are now in danger of being hacked. Cyber-criminals have highly sophisticated search processes. They may not be searching for you, specifically, but once they get your logon or password they can use that to find other accounts. Once they have one piece of the puzzle it isn’t that difficult to break the rest.

Monday, April 2, 2018

How secure are apps?


Every business is pushing their mobile apps. Some are highly interactive, giving access to secure accounts. Others are merely informational, almost static platforms. Every day we become more and more dependent on our phones. The Pew Research Center estimates that 77% of Americans have a smartphone. A conglomerate of different studies from 2017 reported that Americans average five (5) hours a day using mobile devices and of that time 90% is spent using apps. Now when you allow that everything on your phone is an app of some sort it kind of diminishes the 90%, but the point is that we are on our phones a lot.

Why have an app?

Phones are now like appendages. We are rarely without them. This is a big reason why companies push apps. That and because the phones create a focal point for data collection. Most apps require some sort of registration. That provides a modicum of security but it is mostly for data collection. Location services on smart phones allow app users to be tracked and pinpointed where they are using the app. This lets the business collect not only your personal information but also how, why and where you’re using the app, and what you are buying. All of this data is used to target advertising and reshape sales.

Since 2014, Internet use has been more common on mobile devices than on desktops. You can accomplish so much on your phone now you probably could go days without turning on a laptop or desktop. Apple has a cute commercial where the camera follows a girl throughout her day using her iPad.

A neighbor asks her what she is doing on her computer. She answers, “What’s a computer?”

The procession to apps began with the advent of online access to accounts and shopping. To encourage electronic account access, some companies even threatened higher fees for receiving paper documents through the mail. Then everything moved to our phones. Businesses lure customers into their apps with rewards or deals for using them. Some put more effort into their apps than their websites.

Secure?

How secure are all these apps we’re either using voluntarily or “forced” to use by companies? The transmission of data between the user’s phone and the app servers usually has end-to-end encryption, meaning the data being sent and received is encrypted. The problems arise from the user’s lack of security awareness and hacks into the app’s servers.

A high percentage of our phone use is in public. If you’re concerned about data usage you’re always looking for a WiFi signal. Logging into public WiFi is one of the least secure actions a smartphone user can take. If you don’t inadvertently log into a hacker’s signal then you’re sending a signal that your phone is publicly available. Once a hacker zeroes in on your phone they can intercept your transmissions to and from the apps you are using. Intercepting the phone’s connection to the router is commonly known as “man in the middle”. While that is still a popular hack it is time consuming and much more work than going after the bigger treasure: company servers.

Why is it important to frequently change passwords? And not use the same passwords or login/password pair for more than one account? More sophisticated cyber criminals know where the money is. It’s in the servers of big companies. If not the financial records then the personal data. Recently, Under Armour announced that their app had been breached. They assured users that no financial data had been accessed, only user names and emails. While that may give some a sigh of relief there’s still a problem. Hackers will sell those user names, emails, and passwords on the dark web. They’re valuable because many users will use the same login information across many accounts. Hackers can use the data gleaned from one breach to access your other accounts.

Apps are only as safe as the host keeps its server data and as the way you use the app. Most of the security issues are out of your hands. If you are not compromised in public, more than likely the company’s servers or the app itself will be hacked, exposing your data. All you can do is be as safe and aware as possible on your end. Monitor accounts and change passwords frequently.

Please feel free to share. Check the archives for other posts about privacy and online security.
Are you being watched? February 2018
Keys to the vault August 2015



Wednesday, July 6, 2016

Social media checks


Background checks used to be associated with financial institutions during applications for loans. Now they are performed during job applications, college admissions, even dating sites. One of the most important parts of the background check is the character reference. References were historically performed by field investigators interviewing the person’s friends, neighbors, associates, coworkers, etc. This is still an integral part of checking someone’s references, but in today’s online-all-the-time society, social media is fast becoming the standard.

Who’s looking?

Private employers are. Social media checks are now on the checklist during candidate research. HR hiring surveys estimate that more than half of employers search an applicant’s social media during the hiring process. The New York Post reported on January 29, 2016, that at least 40% of college admissions officers report they check applicants’ Facebook pages and other social media when weighing who should get accepted. A third say they Google applicants. Even professional sport franchises do their due diligence when deciding on draft picks. As part of the vetting process, social media of potential draftees are reviewed. With the media attention on football players gone wild in recent years, franchises are doing everything they can to determine the character of the player they are drafting.

Now the federal government is getting into the game. Investigators will now be probing social media as part of background checks for security clearances. Seems far-fetched that federal investigators didn’t perform these checks in the past, but now it’s official. On May 13, 2016, Director of National Intelligence James Clapper signed a policy directive that allows investigators to collect publicly available social media information pertaining to the person whose background is being investigated. In a press release, Bill Evanina, Director of ODNI’s National Counterintelligence and Security Center stated, “We cannot afford to ignore this important open source in our effort to safeguard our secrets—and our nation’s security.” While federal investigators are prohibited from requiring or requesting applicants’ password information, they will be searching for publicly accessible accounts.

Privacy concerns

States and the Federal government have responded in a challenging effort to protect citizens’ privacy and rights. Twenty-three states have enacted laws that prevent employers from requesting passwords to personal accounts to either apply for or keep a job. Maryland was the first state to enact such a law, which took effect on October 1, 2012. Maryland’s law states that employers may not require employees or applicants to disclose a user name, password or other means of accessing a private Internet site or electronic account.

The Equal Opportunity Employment Commission (EEOC) and National Labor Relations Board (NLRB) regulate, monitor, and enforce employer misuse of social media during the hiring process. Since 2010, the NLRB has heard dozens of cases regarding employers infringing on employee rights through social media. Both the EEOC and the NLRB have issued guidance to employers regarding social media rights of employees.

Does your mother see your posts?

Whether you’re currently looking for a job or suddenly need a clearance, you never know when a situation will surface that requires a background check, which will now more than likely include social media checks. As we are seeing, the trend is spreading beyond dating sites to employers, college admissions, pretty much anyone who wants to know more about who you are. A picture truly is worth a thousand words.

Getting a lot of ambiguous rejections? Check your social media posts.
Even social media posts from years ago can haunt you. During the 2016 NFL draft, a potential first round pick had his Twitter account hacked. A years-old video showing him allegedly smoking marijuana with a bong hit the web. As this sorted out, draft round after round passed. He eventually was chosen in the thirteenth round, costing him millions.

Because of the anonymity of the Internet, the narcissist in us all, and the instantaneous culture we have, social media seems to be a window into our daily lives. Not only what cat videos we find hilarious or what we’re eating and where, but social media goes a long way in determining who we are, the character of the person doing the posts. Now one could argue that it’s not how they really are, that they use social media as an alter ego. But over time, patterns do develop and the onus appears to be on the account holder to justify the veracity of their posts and not the reviewer.

A good rule of thumb is: if you wouldn’t want your mother to see it, then don’t post it.

See our blog archive for other posts relating to social media: