aGameOfThrones
10-22-2014, 09:37 PM
Chris Isherwood
A newly publicized document shows that five local police departments in southeastern Virginia have been secretly and automatically sharing criminal suspects’ telephone metadata and compiling it into a large database for nearly two years.
According to a 2012 memorandum of understanding (MOU) published for the first time Monday by the Center for Investigative Reporting, the police departments from Hampton, Newport News, Norfolk, Chesapeake, and Suffolk all participate in something called the "Hampton Roads Telephone Analysis Sharing Network," or HRTASN.
The Peninsula Narcotics Enforcement Task Force, or PNETF, "will provide administrative and technical assistance to participating agencies in conducting pen register intercepts as described below."
According to that MOU, those agencies "agree to share telephone intelligence information derived from any source with the PNETF including: subpoenaed telephone call detail records, subpoenaed telephone subscriber information, and seized mobile devices. The telephone intelligence information will be stored in the master Pen-Link telephone database at the PNETF, and participating agencies can make inquires of the database by either telephone or e-mail contact with a PNETF member."
Such data transfers, the document goes on to explain, can happen automatically if the agency agrees to have certain software installed on its computer, or via e-mail or DVD.
The eight-page document doesn’t precisely make clear what type of analysis is done on this dataset, nor how many records are kept. But based on the above description, it seems clear that this would include all made and received calls, their duration, their provider, possible geo-location information, and probably any other data seized from a particular handset.
The fear is that by amassing such a large quantity of metadata, an inordinate amount of information can be gleaned from it. As Ars demonstrated in March 2014, metadata can be incredibly revelatory and can expose all kinds of information about a subject.
Ars has a filed Freedom of Information Act and state public records request with various agencies to learn more.
Feds are totally cool with it
Ars contacted all five of the police departments, only two of which responded with prepared statements on Tuesday—none responded to direct questions.
According to Sgt. Jason Price, the spokesman for the Hampton Police Division, the system is overseen by not only its five local police department members, but the PNETF also includes the Peninsula Association of Commonwealth Attorneys and the Virginia State Police.
"Meetings regularly include the US Attorney’s Office," Price said in a statement.
"The system is very commonly used in policing throughout the US for criminal intelligence, which is subject to federal guidelines contained in 28 CFR Part 23," he added. "The Hampton Police Division gathers, shares and retains information after obtaining a search warrant or court order in accordance with local, state, and federal law. The Government Data Collection and Dissemination Practices Act contains an exemption for personal information systems maintained by law enforcement that pertain to investigations and intelligence gathering related to criminal activity (VA Code §2.2-3802.7). The Network is covered by this exemption and is not contrary to the Attorney General’s opinion."
Corporal Melinda Wray, a spokeswoman for the Norfolk Police Department, said in a statement that her agency had participated in the HRTASN since 2013.
"Any phone records in the possession of the Norfolk Police Department are obtained pursuant to a court order or search warrant issued after a finding of probable cause by competent authority (judge or magistrate)," she said. "Any finding or probable cause requires a link to a specific criminal incident or investigation and is compliant with Virginia code. "Therefore, all telephone information is gathered, stored and retained in accordance with local, state and federal law."
Michael Kelly, the spokesman for the office of the Virginia Attorney General, said, "this is not something our office has been involved in" and referred Ars to the individual municipalities instead.
He did not respond to an e-mail or text message asking whether such a data exchange would be explicitly in line with Virginia law.
The American Civil Liberties Union of Virginia believes that such data aggregation could be in violation of Virginia's Government Data Collection and Dissemination Practices Act.
At least one Virginia lawmaker agrees.
On Tuesday, Chap Petersen, a Democratic state senator from Fairfax, concurred in a post on his website:
Again, Virginia law (Section 2.2-3800) is very clear: government cannot hold personal information in covert databases, which are inaccessible to ordinary citizens. Nor can it collect this personal data “except as explicitly or implicitly authorized by law.”
Phone records which reveal your cell or home phone numbers are, by definition, records which contain personal information. While an agency can gather this information by subpoena or warrant for a criminal investigation, it cannot simply hold the data ad nauseam in a regional database until it is deemed relevant. This is exactly what 2.2-3800 was designed to prevent.
We need some sort of ombudsman (the AG’s office?) to bring everyone into compliance. The law is already on the books and it’s clear.
continue: http://arstechnica.com/tech-policy/2014/10/handful-of-virginia-police-agencies-sharing-seized-phone-data/
A newly publicized document shows that five local police departments in southeastern Virginia have been secretly and automatically sharing criminal suspects’ telephone metadata and compiling it into a large database for nearly two years.
According to a 2012 memorandum of understanding (MOU) published for the first time Monday by the Center for Investigative Reporting, the police departments from Hampton, Newport News, Norfolk, Chesapeake, and Suffolk all participate in something called the "Hampton Roads Telephone Analysis Sharing Network," or HRTASN.
The Peninsula Narcotics Enforcement Task Force, or PNETF, "will provide administrative and technical assistance to participating agencies in conducting pen register intercepts as described below."
According to that MOU, those agencies "agree to share telephone intelligence information derived from any source with the PNETF including: subpoenaed telephone call detail records, subpoenaed telephone subscriber information, and seized mobile devices. The telephone intelligence information will be stored in the master Pen-Link telephone database at the PNETF, and participating agencies can make inquires of the database by either telephone or e-mail contact with a PNETF member."
Such data transfers, the document goes on to explain, can happen automatically if the agency agrees to have certain software installed on its computer, or via e-mail or DVD.
The eight-page document doesn’t precisely make clear what type of analysis is done on this dataset, nor how many records are kept. But based on the above description, it seems clear that this would include all made and received calls, their duration, their provider, possible geo-location information, and probably any other data seized from a particular handset.
The fear is that by amassing such a large quantity of metadata, an inordinate amount of information can be gleaned from it. As Ars demonstrated in March 2014, metadata can be incredibly revelatory and can expose all kinds of information about a subject.
Ars has a filed Freedom of Information Act and state public records request with various agencies to learn more.
Feds are totally cool with it
Ars contacted all five of the police departments, only two of which responded with prepared statements on Tuesday—none responded to direct questions.
According to Sgt. Jason Price, the spokesman for the Hampton Police Division, the system is overseen by not only its five local police department members, but the PNETF also includes the Peninsula Association of Commonwealth Attorneys and the Virginia State Police.
"Meetings regularly include the US Attorney’s Office," Price said in a statement.
"The system is very commonly used in policing throughout the US for criminal intelligence, which is subject to federal guidelines contained in 28 CFR Part 23," he added. "The Hampton Police Division gathers, shares and retains information after obtaining a search warrant or court order in accordance with local, state, and federal law. The Government Data Collection and Dissemination Practices Act contains an exemption for personal information systems maintained by law enforcement that pertain to investigations and intelligence gathering related to criminal activity (VA Code §2.2-3802.7). The Network is covered by this exemption and is not contrary to the Attorney General’s opinion."
Corporal Melinda Wray, a spokeswoman for the Norfolk Police Department, said in a statement that her agency had participated in the HRTASN since 2013.
"Any phone records in the possession of the Norfolk Police Department are obtained pursuant to a court order or search warrant issued after a finding of probable cause by competent authority (judge or magistrate)," she said. "Any finding or probable cause requires a link to a specific criminal incident or investigation and is compliant with Virginia code. "Therefore, all telephone information is gathered, stored and retained in accordance with local, state and federal law."
Michael Kelly, the spokesman for the office of the Virginia Attorney General, said, "this is not something our office has been involved in" and referred Ars to the individual municipalities instead.
He did not respond to an e-mail or text message asking whether such a data exchange would be explicitly in line with Virginia law.
The American Civil Liberties Union of Virginia believes that such data aggregation could be in violation of Virginia's Government Data Collection and Dissemination Practices Act.
At least one Virginia lawmaker agrees.
On Tuesday, Chap Petersen, a Democratic state senator from Fairfax, concurred in a post on his website:
Again, Virginia law (Section 2.2-3800) is very clear: government cannot hold personal information in covert databases, which are inaccessible to ordinary citizens. Nor can it collect this personal data “except as explicitly or implicitly authorized by law.”
Phone records which reveal your cell or home phone numbers are, by definition, records which contain personal information. While an agency can gather this information by subpoena or warrant for a criminal investigation, it cannot simply hold the data ad nauseam in a regional database until it is deemed relevant. This is exactly what 2.2-3800 was designed to prevent.
We need some sort of ombudsman (the AG’s office?) to bring everyone into compliance. The law is already on the books and it’s clear.
continue: http://arstechnica.com/tech-policy/2014/10/handful-of-virginia-police-agencies-sharing-seized-phone-data/