Saturday, October 25, 2008

Who at TPD ran Joe the Plumber's records?

The Columbus Dispatch is reporting that several state databases may have been accessed illegally to obtain information on 'Joe the Plumber,' including one through the Toledo Police Department.

"The State Highway Patrol, which administers the Law Enforcement Automated Data System in Ohio, asked Toledo police to explain why it pulled BMV information on Wurzelbacher within 48 hours of the debate, Hunter said.

The LEADS system also can be used to check for warrants and criminal histories, but such checks would not be reflected on the records obtained by The Dispatch.

Sgt. Tim Campbell, a Toledo police spokesman, said he could not provide any information because the department only had learned of the State Highway Patrol inquiry today."

As the former Clerk of Toledo Municipal Court I was responsible for my office and employees' access of the LEADS (Law Enforcement Automated Data System) program. I was also a certified user. I can tell you that the restrictions on when and how it is used are limited and specific - and using it in an illegal manner is not only a criminal offense, it can result in an entire agency losing access to the system.

LEADS gives users access to multiple sources of data. It's used by law enforcement, courts and prosecutors across the state to inquire on information about driving records, vehicle ownership and outstanding warrants. Through the LEADS connections to other agencies, users can review drivers license images, past criminal histories or parole status. LEADS also serves as the gateway to the National Crime Information Center, (NCIC). Through NCIC, LEADS users have access to the same information on a national and international level.

Individuals having access to LEADS have to take a periodic test - the first question of which was always about proper use of the system. From the LEADS manual:

Data accessed through LEADS, NCIC, NLETS and other intra-state systems is restricted to the use of duly authorized law enforcement and/or criminal justice agencies and is not to be sold, transmitted or disseminated to any non-law enforcement agency, non-criminal justice agency or unauthorized person. Participating agencies have assumed responsibility for system security and integrity when they execute the LEADS participation agreement (LEADS Administrative Rule 4501:2-10-13).

Audit trails of all activity through the system are maintained for six years. Those audit trails are extremely detailed and identify the agency, the actual computer terminal, the user, the date/time, and the specific activity. While checks on warrants and criminal histories were not part of the public record available to The Dispatch, such activity was captured and included in the audit - and is known to the State Highway Patrol, who oversee the system, and to the Toledo Police Department now that's they've been made aware of the query.

The identify of the person who accessed the data is known and whoever it is should be held accountable. Additionally, I expect TPD will also want to know with whom the information was shared and how any other people might have used the data, including if it was used for a political purpose.

Having worked with TPD Chief Mike Navarre, I am confident this violation will be taken seriously and any unauthorized access will be appropriately punished. I call on him to share with the public what he finds out in his internal investigation and what action, if any, he takes.


gordon gekko said...

Isn't there a certain irony that the very people worried about George Bush listening to their phone conversations in the White House have no problems using government resources to persecute people?

Hooda Thunkit (Dave Zawodny) said...


Yeah but...

When a user fails to log off of their terminal, then anybody else with the skill to access the information can do so, with the previous user getting the credit/blame.

That is, unless they have to ID themselves for each search/use.

Never having tried to use a terminal to do such a thing, I have no real way of knowing, but I have had access to many Open (left logged on) terminals in my day ;-)

Maggie said...

ah - Hooda - that's the way it used to be...but with the new NORIS system (yes, the one I ushered in during my time as clerk) those 'open terminal' issues were negated.

Trust me - a simple check will identify the individual.

Carol said...

Hmmmm ...... me seeing a great big Ruh-Roh coming up.

Isn't it funny how selective enforcement of the rules can work?

:::::still seeing lipstick on that darned pig!::::

Kadim said...

Well that's very interesting.

A few years back a local Columbus politician got in trouble after someone called the Dispatch and revealed inconsistencies in his driver's license record.

I called him up and asked him who he thought made the call...and he said he thought it was a highway patrolman who had pulled him over outside of Columbus earlier that week.

So we did the natural thing...and made a request to see his LEADS audit record so that we could figure out who looked at it and could have made the call to the Dispatch.

The Highway Patrol refused to hand it over, saying they would do an internal investigation, but they didn't think an individual had the right to see their own LEADS audit record.

Two agents of the BMV showed up at his house, apologized for the situation, and said they would clean up the inconsistencies themselves.

With any luck, the Highway Patrol is more responsible about the LEADS audit records than they were in the late 1990s.

Maggie said...

Kadim - I don't believe the LEADS audit records are public because of the non-public information that is reflected in them. I've seen both the old and new versions of the audit trail printout, so I'm pretty confident in making that statement, but admit that some things could have changed in the last couple of years.

However, whether or not the audit trails are released, there is no reason not to disclose who ran the information, when and who they might have shared the data with.

Kadim said...

Well, yes, that's true, strictly speaking the LEADS data isn't public.

But this wasn't a search on any random record. This was a request from a guy to see his *own* record, which I believe is protected by state law.

Otherwise, the inability to see what records the state may have on you...and who has seen those records, would be a disaster.

Maggie said...

yes, we should be able to see our own records...and since, in your example, the record had been run, it makes no sense to show it to the individual.

I'm not sure the audit trail would be the same as the actual record.

But then, the way the law is written, unless there's a criminal justice reason for running the record, it can't be run. So it seems we'd have to change the laws and regulations to allow for the running of an individual's record for personal use of checking and verification.

Here's the other quirk some may not be aware of: For certain traffic charges, a LEADS query is run and placed into the court case file. Once it's in the file, it's a public record.

Maggie said...

makes no sense to NOT show it...


Mad Jack said...

However, whether or not the audit trails are released, there is no reason not to disclose who ran the information, when and who they might have shared the data with.

I don't agree with this. I can think of three reasons off the top of my head why the audit trails and the identity of the person querying the system would not be released by the government. One, the government is not benevolent, and each time the government accedes to a civilian's wishes, it gives up a tiny bit of control. Two, because the query was run for malicious reasons and the people responsible don't want to be found out. Three, sense of ownership of the data. The department being questioned believes that it owns the data, and as such will refuse to turn the data over to the general public. This relates to my first reason.

There are other reasons, such as loss or contamination of the audit trail. One of my past projects involved creation of an audit trail and after the end users took a look at the trail, they became hostile to the poor programmer. The reason? The system did what it was designed to do: Track the activity of the end users and deny the end users access to the audit trail. Management could print the audit trail, but only by enlisting the cooperation of the systems administrator and the IT dept. The end users didn't like that.

Maggie said...

MadJack...regardless of the audit trail, the person who committed an illegal act needs to be identified to the public and we not only deserve but also have a right to know what punishment was given.

I can live with the audit trail and the actual report information being confidential...but not the identity of the person, the discipline and who else got the data...

af vet said...

Even though WE are required to be
LAW abiding citizens,the shoe may not fit on the other foot.Especially if they are protected by professional ethics and not giveup or prosecute your own.The troopers miss step may just mysteriously dissapear. Thanks for the update.The media dropped the ball again.

Google Analytics Alternative