TN- More cops in Tennessee caught snooping

12-21-2008 Tennessee:

Lack of training, oversight leads to citizen data abuse
In 2006, the state rolled out a new crime-fighting weapon designed to give police across Tennessee quick Web access to privileged information collected on many of the state's 6 million citizens.

Driving records, photos, home addresses, Social Security numbers, car registrations and some criminal history records — all of it became available to officers from Bristol to Memphis with the ease of a mouse click.

The law enforcement community heralded the Tennessee Criminal Justice Portal as a breakthrough that linked isolated databases and reduced search times to minutes, where they previously would take hours or sometimes days.

A Tennessean review of the history of the portal, however, shows that access was granted with little training and oversight to about 350 law enforcement agencies, creating an environment ripe for abuse.

Only after a spate of recent cases have authorities begun to roll out new ways to protect against misuse. The cases themselves have raised questions about how widely the tool is being abused.

Tennessee Highway Patrol Lt. Ronnie Shirley was fired after running checks on as many as 182 state employees and private individuals, many of them women, including country star Gretchen Wilson. Shirleycontends that what he did is commonplace among his law enforcement peers. He says that leadership refuses to look at the broad problem, and that he was singled out unfairly.

Other cases have come to light since Shirley's. On Saturday, the Metro Police Department confirmed an internal investigation is under way involving seven employees, including three officers, who also allegedly ran Wilson's name through portal checks.

Last month, a Wilson County commissioner, who was a police officer for the Smyrna/Rutherford County Airport Police, was accused of misusing the portal to check on Mt. Juliet city officials and two fellow commissioners. A state probation officer accused of running checks on neighbors also faces termination.

"These databases are designed for law enforcement personnel for law enforcement purposes," said James F. Blumstein, a professor of constitutional law at Vanderbilt University. "When they are used for other ends, it's an abuse of authority."

Those who helped create the system say the portal has received rave reviews from police across the state. Any problems are isolated cases of abuse, they say.

While the portal offers easier access to data, it also has the ability to catch those who misuse it because each search leaves a footprint traceable back to the user. In the past, abuse of information held on paper or in a file left no audit trail.

"The information itself isn't new, it's the way they can access it," said Ann Lynn Walker, an assistant director in the state's Administrative Office of the Courts, which administers the portal. "The potential for abuse, and I would suspect the abuse itself, has been occurring all along."

Information is power
Sharing information has been a problem for police across the country. In Tennessee, the court system is decentralized among 95 counties, with their varying police and sheriff's agencies. Add the state government's various departments and disparate data centers, and the sum is a patchwork of information systems that have historically been unable to communicate.

This has led to both frustration and criticism as police have, at times, lacked tools to catch the bad guys or protect the public more effectively. The state received a $1 million grant in 2001 to try to fix the problem.

The portal was the product of this effort. It linked through the Web almost 350 agencies and 5,500 officials to the following six databases: driver's license, title and registration, Correction Department, sex offender registry, state protection orders and wanted persons.

"It's a great tool," said Nashville attorney David Raybin, who was the Tennessee Bar Association's representative on the committee that oversaw the portal's creation. "The problem with a thing like this is it has a great potential for helping and a great potential for abuse. We assumed law enforcement agencies would act responsibly in using this. Most law enforcement agencies already have variations of this."

There was an effort to encourage use of the system and to ensure crippling bureaucratic barriers were not erected. Each agency had to sign a user agreement and assign an administrator as the gatekeeper for that agency.

That administrator received over-the-phone training from Administrative Office of the Courts personnel, a process that lasted about 90 minutes, and then the agency was up and running. In the case of Wilson County Commissioner Chris Sorey, that training didn't seem to drill home the message.

Sorey was the administrator for the small Smyrna/Rutherford County Airport police force. The TBI audited his use of the portal to access information on members of the Mt. Juliet government and the County Commission. He resigned in November from the department, and the state revoked the tiny agency's access to the portal.

The idea of preventing abuse or devoting extra resources to training was not a focus during the creation of the system.

"Maybe we should have emphasized it more or made a bigger deal about it in retrospect," Raybin said. "I don't want to say it was a mistake because there is no system that you can design that is 100 percent foolproof. You can train from today until tomorrow, and at the end of the day it requires a certain amount of trust of the law enforcement officers."

Raybin said one possibility for reform would be passing a law that allows citizens to seek civil penalties, possibly as much as $10,000, against agencies that access or abuse their information. That would provide a necessary deterrent that would require individual police departments to monitor and prevent abuse.

Call for investigation
Most of the attention has focused on the Department of Safety, one of the largest departments in the state with access to the portal. Until the Shirley matter came to light in August there was no formal training for users within the agency.

Some officers signed a user agreement before logging on, but others were able to access the system without signing the user agreement or by simply checking an access agreement box online. Others received login information but were reluctant to log in because of the lack of training. Some signed the user agreement only after gaining access to the portal.

After the Shirley episode, Safety Commissioner Dave Mitchell started sending regular e-mails to remind officers of proper use and the penalties that could follow for abusing the system. Mitchell said he and Col. Mike Walker are passing along proper procedures through the command staff and to incoming cadets.

Mitchell said the department has reviewed policies related to computer usage. And a high-ranking THP officer now checks regular audits on portal usage with hopes of catching any irregularities.

Two other officers have been investigated and given written reprimands for running checks on immediate family members or ex-wives.

Mitchell, however, takes issue with any suggestion that his agency has a systemic problem.

"I've been in this profession for over 35 years," Mitchell said. "Law enforcement on a daily basis accesses data to do their job. When there's an abuse it's investigated, just like with Lieutenant Shirley, and that's the end of it. There's not systemic abuse of databases."

Shirley's attorney, Rob Briley, disagrees. He says the department has turned a blind eye to others who have may have misused the portal and doesn't want to know about possible abuse within the agency.

"If the offense is serious enough to terminate somebody then the Department of Safety ought to be very concerned about who's using it and why," Briley said. "As far as we can tell it has not undertaken any investigation to determine if people are using it inappropriately."

More oversight coming
The Metro police internal investigation came about as a result of the Shirley episode. The Tennessee Bureau of Investigation reviewed prominent names that had been accessed by Shirley and found the hits by Metro employees, according to Don Aaron, a Metro police spokesman.

Three officers and four civilian employees are under investigation, Aaron said, for running nine checks on country singer Wilson from November 2006 to June 2008. He said if violations occurred disciplinary action would follow, although he would not release the names of the employees under investigation. The Police Department was informed that it was one of several agencies that had queried the singer's name, Aaron said.

TBI spokeswoman Kristin Helm said Saturday that improper checks had possibly been done on a couple of celebrities. On Saturday, she did not have access to the list of agencies that ran the queries.

Aaron said the department has 116 employees, mostly investigators and some civilians, with access to the portal. They received no formal training, other than receiving a copy of the user manual and a user agreement emphasizing the sensitive nature of the information, which they signed before gaining access.

"As a result of The Tennessean's reporting and as a result of the TBI offline check, the message is out loud and clear that computer queries to satisfy curiosity should not be occurring," he said. "To a great extent all the publicity, and certainly now our Police Department's internal investigation, is going to do quite a bit to ingrain that message."

Aaron said the problems shouldn't overshadow the fact that police use the portal and other data for legitimate police purposes each day, and that such information is vital to carrying out the mission of public safety.

"The portal has the capability of providing information that may be needed in an investigation very quickly without an investigator having to pick up the phone and call other agencies," Aaron said.

As a result of the myriad of problems, the state required Metro officers, along with the 5,500 other portal users statewide, to sign new user agreement addendums due Monday, outlining more clearly the rules and the penalties for abusing the system. If agencies fail to sign this new addendum they will lose access to the portal.

It's one of the steps the portal's steering committee is taking in the wake of the problems. The Administrative Office of the Courts will begin early next year providing monthly audit reports telling each agency about its officers' use of the portal, which officialshope will provide more oversight.

Also, a subcommittee has been created to search for other ways to improve the system. TBI sits on the committee and plans to provide one of its database auditors to assist in finding solutions.

Brad Truitt, TBI's information systems director, said the portal's ease of use is the beauty of the system, but perhaps, in retrospect, that is part of its problem. He said creators of the portal believed police had been accessing various types of sensitive data for years. For those who needed a refresher, the user agreement spelled out the rules.

"They should know what data this is and what the requirements are," he said. "What parts of it are sensitive and not. ... Obviously we've got some issues." ..News Source.. by Brad Schrade • THE TENNESSEAN