Policing the Cloud: We Should Expect More from Law Enforcement Cloud Providers

MIKHAIL GRACHIKOV/Shutterstock.com

What controls exist to protect privacy and secure records from unauthorized access?

Julie M. Anderson is managing director of Civitas Group and an expert with SafeGov.org, an online IT forum promoting secure cloud computing security.

It starts the moment you wake up and turn off your alarm: Your smartphone records and sends to the cloud each interaction you make -- from every email thread to every check-in you make at any location.

Getting to work or school is no different. The turn-by-turn navigation app on your phone is silently sending and receiving your GPS location data, while the photo your sister uploaded on Facebook from last night automatically tags you because it has learned to recognize your face after processing hundreds of your photos.

When you actually stop to think about its reach into our activities, behaviors and movement, it is undeniable that technology is ingrained in our daily lives. And it brings us immense benefits, including personalized services and conveniences that connect people across continents and enrich our lives.

Moreover, such data -- part of an ever-growing record of everyone's online activity -- has also begun to be used by police and law enforcement agencies to solve crimes.

But as our digital footprints grow in volume and complexity, what controls do we have in place to protect our privacy and secure our records from unauthorized access?

The use of technological records and a digital footprint to solve crimes may not be surprising, but its application within law enforcement is increasingly becoming commonplace.

For instance, since 2012, the FBI has been funding technology to employ facial recognition data in traffic cameras, citing its use in catching crime suspects and potential terrorists. A recent and highly publicized hate crime in Philadelphia saw its suspects identified within hours as a result of publicly released surveillance footage and online volunteer sleuthing.

Meanwhile, it's no secret law enforcement and federal intelligence agencies regularly request companies like Facebook and Google to provide them information on user activity for investigative purposes.

While some ponder and decry the ramifications of a government that can gain access to intimate data on its citizens, there hasn't been as much discussion -- at least not public discourse -- about the types of safeguards we need to put in place if law enforcement agencies are indeed going to continue requesting, accessing and sharing information on citizens' digital activities.

For instance, what types of encryption and user permissions do agency cloud storage systems have to prevent nefarious users or cyber hackers from getting their hands on citizen data? And while federal agencies do have increasing requirements to procure cloud systems through the FedRAMP-certified providers, what types of controls carry over to state and local law enforcement agencies?

Fortunately, these types of issues have already begun to be addressed through guidelines set out by the FBI’s Criminal Justice Information Services.

These compliance rules apply to all law enforcement IT systems that touch or access criminal justice data, including biometric data (e.g., fingerprints, palm prints, iris scans, facial recognition data), identity history, biographic data, property data and case/incident history -- in essence, any electronic record of anything related to victims, suspects, crimes or any law enforcement incident.

There are two things government authorities can do to go even further than current standards. 

First, the FBI can create more formal mechanisms for reviews and audits to ensure providers continue following the rules. Previous attempts at meeting CJIS compliance, for example, have been met with confusion or delay. 

Law enforcement agencies are attempting to modernize their systems, yet must navigate through vendors that may meet federal standards like FISMA or FedRAMP, but fail to hit the more stringent criteria for CJIS. 

For instance, when the Los Angeles Police Department in 2011 looked to move its email to a Google's Gmail, it found the provider was unable to meet the strict demands of CJIS, which require all IT personnel or contractors to pass criminal background checks and require that contractors do not “mine” the data they are managing. 

Despite the fact there are indeed CJIS-compliant cloud providers, many major cloud providers have failed to step up and agree to the requirements, perhaps because of a perceived lack of profitability or difficulties in the business model. 

Second, it is also important to look toward the future of cybersecurity and data privacy.  CJIS’ more stringent requirements, could become a technology standard for more than just law enforcement. Many federal, state and local agencies could benefit from providers complying with CJIS-like standards. 

Given that personal citizen data lies in the hands of the government and private companies alike -- the Facebooks, Googles, Dropboxes we log into every day -- shouldn’t we expect these organizations to also make the effort to do everything possible to protect our data?

(Image via MIKHAIL GRACHIKOV/Shutterstock.com)