Tag: Privacy Protection

Social media privacy bill moves forward

As businesses, public agencies and colleges continue to request social media account user names and passwords from students and job seekers, two Bay Area lawmakers are pushing bills to stop the practice.

Yesterday, the Assembly Judiciary Committee unanimously approved Senate Bill 1349, authored by state Sen. Leland Yee, D-San Francisco/San Mateo, that prohibits public and private colleges and universities in the state from requesting the information.

Today, the Senate Labor and Industrial Relations Committee will consider Assembly Bill 1844, authored by Assemblywoman Nora Campos, D-San Jose.

The Campos bill specifically prohibits businesses from requesting social media user names and passwords.

Lawmakers are crafting similar bills in states across the country.

In late March, however, a proposed Facebook user protection amendment was shot down by the U.S. House of Representatives.

The amendment to the Federal Communications Commission Process Reform Act of 2012 would have allowed the FCC to stop any employers from seeking the confidential information.

Facebook officials would not comment on the two new California bills yesterday but pointed to a statement made by Erin Egan, the company’s chief privacy officer, back in March after the House voted against the Facebook user protection amendment.

“This practice undermines the privacy expectations and the security of both the user and the user’s friends. It also potentially exposes the employer who seeks this access to unanticipated legal liability,” Egan wrote in a statement.

The most alarming practice is the reported incidents of employers asking prospective or actual employees to reveal their passwords, Egan wrote.

Facebook users should never have to share their password or let anyone access their accounts, she wrote.

The increase in reports of employers asking for inappropriate access to accounts is distressful to the company, she wrote.

In California, Yee and Campos are co-authoring each other’s bills.

“These social media outlets are often for the purpose of individuals to share private information — including age, marital status, religion, sexual orientation and personal photos — with their closest friends and family,” Yee wrote in a statement. “This information is illegal for employers and colleges to use in making employment and admission decisions and has absolutely no bearing on a person’s ability to do their job or be successful in the classroom.”

The two California bills would also prohibit employers and colleges from demanding personal email addresses and login information of employees, applicants and students.

SB 1349 will be considered by the Assembly Higher Education Committee next week.


The FBI plans to test by 2014 a database for searching iris scans nationwide to more quickly track criminals, according to budget documents and a contractor working on the project.

The Next-Generation Identification system, a multiyear $1 billion program already under way, is expanding the server capacity of the FBI’s old fingerprint database to allow for rapid matching of additional physical identifiers, including facial images and palm prints.

Today, iris scans conjure images of covert agents accessing high-security banks and laboratories. But, increasingly, law enforcement agencies are spending state and federal funds on iris recognition technology at jails to monitor inmates. Some Missouri prisons are buying the same system the FBI acquired, partly so that they can eventually exchange iris images with federal law enforcement officials. And many counties are storing pictures of prisoner irises in a nationwide database managed by a private company, BI2 Technologies.

The FBI expects to collect many of these state and local iris images, according to BI2 officials and federal documents.

A May 17 budget justification document states one of the “planned accomplishments for BY13” — the budget year that begins Oct. 1 — is to “demonstrate iris recognition capabilities via the iris pilot.”

A June FBI advisory board memo that Nextgov reviewed states, “supervised release/corrections are candidates for the pilot, being that many already have the capability in place. The additional goal is to start to build an iris repository.” Iris recognition is a helpful identification tool, according to the memo, because it “is very accurate,” does not require human intervention and “the hardware footprint is also very small [due] to the size of the iris image.”

The aim of iris recognition at corrections facilities, according to law enforcement officials, is to promptly catch repeat offenders and suspects who try to hide their identities.

Building a Repository

Officials at the Pinal County Adult Detention Center in Florence, Ariz., appreciate the nonintrusiveness of the BI2 iris recognition system, which does not touch prisoners’ faces when snapping photos of irises or scanning eyes for recognition. The inmates place their eyes three to 10 inches away from binocular-like lenses, which record the iris image, so wardens stay out of harm’s way during head counts, county officials said. The technology also ensures the center does not mistakenly release similar-looking siblings, twins or parents, when one family member comes up for parole, they added.

President and Chief Executive Officer Sean G. Mullin said BI2 Technologies has been working closely with the FBI unit chief responsible for implementing NGI. “BI2 Technologies provided the FBI [Next-Generation Identification system] over 12,000 iris images from current law enforcement agency clients for analysis and testing by NGI,” he said. Company officials said they were not aware of a specific pilot program that has been undertaken to demonstrate iris searching capabilities.

Mullin said his company was told the FBI plans to conduct an iris pilot in 2014. Local agencies in 47 states now participate in BI2’s nationwide Inmate Identification and Recognition System, or IRIS, which has been operating for six years, he said.

FBI officials declined to comment on progress using NGI for iris matching. “Because we are in the early stages of development of additional biometric capabilities, including the facial recognition pilot, there is no new information to report at this time,” said Stephen G. Fischer Jr., a spokesman for the FBI’s criminal justice information services division.

The interstate network that BI2 maintains uses a high-resolution camera to obtain an image of an offender’s iris during the booking process. Special software then transforms the picture into a digital file that is encrypted and stored with the company. For recognition purposes, the camera takes a live shot of an individual’s iris and the software then compares the new image with archived iris pictures collected during intake to confirm the person’s identity.

“Everybody that gets booked into our adult detention center, we get a capture of their iris. That gets hooked to their photo. And then everybody that’s being released goes through the system again to make sure we’re getting ready to release the same person,” said James Kimble, deputy chief of the Pinal County Adult Detention Center.

Pinal County used $30,000 in state funds to buy three cameras, supporting devices and access to BI2’s nationwide iris database, he said. Within a few months, some Pinal patrol officers will receive a handheld recognition tool that synchs with the database through an iPhone app.

The Yavapai County Sheriff’s Office in Arizona also is using iris recognition for many of the same safety purposes, said Dwight D’Evelyn, media/crime prevention coordinator for the office. Yavapai contracts with BI2 using in-house jail enhancement funds. “The data is stored in both the system of record at the Yavapai County Sheriff’s Office and the national server,” he said. “The iris images are stored, accessed and utilized by participating agencies on the national server, which is located at a secure site in Texas.”

D’Evelyn stressed that the iris files are the property of the sheriff’s office and, “during transmission, the iris images are always encrypted.”

Security Concerns

Jennifer Lynch, a staff attorney at the Electronic Frontier Foundation, a digital rights group, found the concept of a privately run, national iris network disconcerting because of the many recent data breaches at businesses. She cited financial institutions exposing customer account data and passwords stolen from job seekers using the professional networking website LinkedIn.

“That’s really concerning to me — the fact that they are held by a private company,” Lynch said. “You can change your credit card data. But you can’t change your biometric data.”

Oftentimes, however, the data cribbed during these incidents was not adequately encrypted, cybersecurity experts are quick to note.

BI2’s iris images are “encrypted using strong cryptographic algorithms to secure and protect them,” the company website states. “Thus, standing alone, biometric templates cannot be reconstructed, decrypted, reverse-engineered or otherwise manipulated to reveal a person’s identity. In short, biometrics can be thought of as a very secure key: Unless a biometric gate is unlocked by using the right key, no one can gain access to a person’s identity.”

The average iris recognition time — from when an image is captured to when an officer receives a response — is 7.8 seconds, Mullin said.

“No agency — and there are more than 400 BI2 systems in operation across the nation — that has implemented BI2’s IRIS technology has ever had an erroneous or mistaken release because of an identification error,” he said.

During a six-month period at the Los Angeles County Sheriff’s Department, BI2’s system immediately spotted 119 repeat offenders previously booked by the department who provided different names and identification to avoid detection, Mullin said.

The June FBI advisory board memo states the bureau has chosen an L-1/MorphoTrust iris capture system for NGI. (L-1 Identity Solutions was acquired in 2011 by Safran and reorganized as MorphoTrust.) In 2011, the Missouri Sheriff’s Association bought the same system using federal grant money partly so the association’s database could eventually interface with NGI, said Jeff Merriman, a grant consultant for law enforcement agencies. He also works part time for the Jasper County Sheriff’s Office in Missouri, where he was a former police commander.

Jasper and more than 50 other Missouri agencies are hooked up to the association’s central system for statewide sharing, he said.

“Not only are we capturing multibiometrics at jails and prisons, we are also linking dozens of disparate criminal records systems across the state, connecting the dots between all the offenders and using that information tactically to combat crime,” Merriman said.

But the Missouri iris scans can’t get to the FBI. The problem is the Missouri State Highway Patrol, which is responsible for sharing criminal history records with the FBI, doesn’t have an iris database to collect the state’s iris files, he said. The FBI visited the Missouri Sheriff’s Association biometric system as part of the bureau’s NGI research, according to Merriman.

Now, he is working with law enforcement agencies in Oklahoma and Tennessee to acquire grant money for starting iris database systems that can connect with the Missouri Sheriff’s Association biometric system.

Separately, York County Prison in Pennsylvania has been using an LG Electronics iris recognition system for about a decade, prison spokesman Joe Borgiel said.

The Electronic Frontier Foundation’s Lynch said she was concerned by the breadth of iris recognition in the law enforcement realm. That said, she added, iris scans can be less sneaky than facial searches, which governments and social networks such as Facebook are embracing. Nextgov reported in 2011 that the FBI would begin a limited trial of facial recognition in early 2012.

“With iris scans and facial recognition, one of the differences is you can take a picture of a face surreptitiously,” Lynch said.

Thomas E. Bush III, who helped develop NGI’s system requirements when he served as assistant director of the FBI’s criminal justice information services division between 2005 and 2009, acknowledged people will worry about authorities combing through candid videos and photos for suspects, and, inadvertently, collecting images of innocent passersby.

“I’m an American citizen. I get that,” he said, but, “no, we will obtain these from the people who come into contact with law enforcement.”

Bush, now a private consultant, added, “It’s not public source data.” And, the FBI would not upload a bank vault’s iris database into NGI. “The FBI’s No. 1 priority is protection of civil rights,” he said.

In 2008, the bureau distributed a privacy impact assessment describing controls to ensure NGI complies with federal privacy regulations. FBI officials have said the bureau has an elaborate system of checks and balances to guard irises, palm prints, mug shots and all manner of criminal history data.

“The information sharing of the future is biometrically based,” Bush said. “That’s when you know that you have Tom Bush. This makes me more confident that I do have the right [bad] Tom Bush and then the good Tom Bush goes on his merry way. It’s about getting the right bad guy . . . We’ve got limited resources.”


What is the top target of cyber attacks?

Customer, student, employee and patient information is most at risk for cyber attacks today, and defending that data is a top concern for IT professionals this year, according to a survey published by CDW.

Concern about data loss is well founded: One in four organizations has experienced a data loss in the last two years. Many organizations report breaches jeopardizing their network, email or other sensitive information, CDW found in its poll, which examines data security concerns across industries, including medium and large businesses, financial services and healthcare organizations and higher education institutions.

One IT professional at a financial services company noted: “Security is harder every day due to the ease with which personal information is gained.”

Data loss comes at a cost: A Ponemon Institute study published in March found that organizations suffering a data loss in 2011 paid an average of $5.5 million per breach, which translates into an average of $194 per record lost.

“The damage resulting from data loss – to the bottom line and to an organization’s reputation – is very real,” said Christine Holloway, vice president of converged infrastructure solutions, CDW. “Perhaps it should come as no surprise that IT professionals view data loss as the greatest business risk to organizations this year. As telework and access to mobile computing grows, preventing data loss is increasingly important – and increasingly complex.”

CDW’s survey shows that the number of people accessing business networks increased by an average of 41 percent during the last two years. Inadequate security policies contribute to security challenges: While most organizations allow employees to access their networks with personal mobile devices, security policies for employee-owned devices are often less strict than for employer-owned devices.

Twenty-seven percent of IT professionals said they do not have security policies for employee-owned mobile devices.

Organizations that give their data security an “A” grade layer nearly all available data loss prevention measures, including encrypted storage, backup and email gateway; endpoint data loss prevention and security solutions; full-disk encryption; and Web security filters.

Organizations with “A” security are also more likely than others to require employee-owned mobile devices to comply with defined security procedures before they are granted network access.

Data loss prevention solutions help to protect personal, financial and research and development data, and they also flag any data being handled in a way that deviates from established security policies. CDW recently achieved Master Specialist designation in data loss prevention from Symantec. The designation recognizes investment and deep expertise in delivering advanced consulting and technical services in Symantec data loss prevention.

“No organization appears to be immune from data loss – blue-chip companies, small business, schools and governments have been affected,” said Rick Hanson, senior director of sales, Symantec. “Prevention is essential. Organizations that layer security solutions to address network endpoints, data at rest and data in motion are more aware of potential security threats, less susceptible to breaches and better able to respond when a breach occurs.”


How to Use Mobile GPS to Track a Skip

Mobile devices, like smartphones and tablets, can be used for more than just communication – they can become a valuable tool in your investigations. Using the latest technologies and applications, you can turn your mobile device into a handheld surveillance monitor. What if you could track down skips that are on the run – or hiding out – by pinpointing their exact location via satellite or Bluetooth signal? You can!

Here are some applications to help you get started:

1. Creepy: Albeit a startling name, this application allows you to gather geolocation-related information about a person from social networking platforms and image hosting services like Twitter and Flickr. The app searches a person’s account for pictures tagged with geodata and then displays the locations on a map.

2. Mobile Spy: mSpy from Mobile Spy lets you monitor, track, back up and access data. You can view photos, videos, text messages, contact lists, emails, calendar items, Web history, and more.

3. ToothTag: This technology from NeuAer allows you to track someone’s location using their mobile phone’s Bluetooth signal.

4. Spyera: Spyphone from Spyera uses GPS positioning to show the coordinates of a skip’s mobile device and its physical location on a map. You can configure your account settings to get real-time updates and display a skip’s travel route over certain periods of time.
