The Password is “Trouble”
By Art Bowker, Cybercrime Specialist
Years ago there was a game show called Password where one contestant had to guess the secret word or “password” known by the other contestant. I see Saturday Night Live does a parody of it every once in a while, for those too young to know what I am talking about. Well, I am hearing some rather disturbing things regarding passwords and social networking sites that I thought I would delve into here. Let's deal with it first from the officer and offender relationship, and then we will move to the agency and officer perspective.
Officers and Offenders
Officers supervising offenders, particularly those dealing with offender computer management, frequently ask for all of an offender’s social networking site (SNS) profiles as well as the passwords associated with those profiles. Some sex offender jurisdictions are likewise asking for passwords as part of registration. Before SNS became a phenomenon, supervision officers frequently asked for e-mail passwords. Obviously, having a password is the key to an offender’s accounts. However, and this is a BIG HOWEVER, having the password and using it to gain access to an offender’s account is a BIG NO! NO! There are legal prohibitions against accessing someone’s e-mail account or SNS, even if you have the password. Even if one does have permission or authorization, it can create a chain of custody nightmare. After all, an offender could allege the officer deleted or sent something from the account. There can be better ways of getting at the information. For instance, direct the offender to log on to the account in your presence and go through it with them, in the presence of another officer.
So why ask for the password in the first place? Well, it is a good practice to ask for the password in case it is needed later, after the appropriate legal authorizations are in place. Additionally, individuals may use a password numerous times. It may be used to log into an e-mail account or SNS, or to log in to their computer or an encrypted file. Let me explain. You have an offender’s e-mail password and you later find a computer they were not supposed to have. The computer is secured with a password. The offender tells you he doesn’t remember the password. Well, the e-mail password might be the same one that unlocks the computer. Even if it is not, it might be very similar to that password and be of use to password-cracking tools in a brute-force or dictionary attack to access the computer.
Think of it in these terms. Officers are allowed to visit offenders in their homes and even to conduct searches upon authorization. However, I can’t think of any supervision agency that demands an offender provide a key for the officer to enter the home at any time they wish. In short, having the password to a SNS or e-mail account means an officer has the key to the offender’s virtual home. That does not translate into accessing the virtual home at will, even if they are on supervision.
Officers and Agencies
Now let's move on to the officers and their agencies. I have previously noted the concerns with officers posting personal information on SNS. Well, some agencies are starting to look at new employees’ and current officers’ SNS profiles. I see no issue with looking at what is publicly posted on these profiles. However, some agencies are taking a more aggressive position and asking for passwords to their employees’ profiles. They want access to the private areas too. Imagine officers being subject to a “search” of their personal space as a condition of employment. The next step is obviously having to consent to a search of their home at any time without a warrant.
It really is not that farfetched. Take Google+, which is Google’s venture into creating a social networking site business. If one has a profile on this site, the password that accesses it is the same as the one for the user’s e-mail account. Imagine an employer being able to search not only the SNS profile but each and every e-mail sent or received from the user’s account. Oh yeah, and Google’s wonderful search engine works just as great on a user’s e-mail account on their server. Google also has Google Documents, which allows the user to save letters, résumés, spreadsheets, etc. on Google servers. Yep, those are also accessed by the same password. So as a condition of government employment, an officer has to consent to having their digital life searched…even private information. Now there is an incentive to get a low paying dangerous job! Well, not all is lost. In large part due to the efforts of the American Civil Liberties Union of Maryland, the Maryland Department of Corrections suspended their SNS policy for prospective hires.
So what is the point of all this? Sit down with some legal beagles and hammer out a policy for this stuff. As it stands, offenders can be asked for their passwords, but using those passwords to access an SNS or e-mail account without the proper legal authorization will get the officer and their agency in very hot water. For agencies asking for passwords of their employees or potential employees, don’t even think of asking unless you want a call from your local ACLU. In short, the password for not knowing what you are doing in today’s technological and legal environment can be “Trouble.” By the way, my password is CIGAR…. I am of course kidding. Be safe out there!
Art Bowker is the author of the soon to be released book The Cybercrime Handbook for Community Corrections: Managing Offender Risk in the 21st Century, publisher Charles C Thomas Pub Ltd. He has over 26 years’ experience in both law enforcement and corrections at the state and federal level. In 2008, Art was the International President of the High Technology Crime Investigation Association (HTCIA). This professional non-profit organization is the largest of its kind devoted to the prevention, investigation, and prosecution of crimes involving advanced technologies (htcia.org). Art is also a member of the American Probation and Parole Association (APPA) and of its Technology Committee. He has a Master of Corrections degree from Kent State University. Follow Art on Twitter at http://twitter.com/Computerpo