“If you have nothing to hide… “
One of the oft-used arguments concerning surveillance is, “If you have nothing to hide, you have nothing to fear.” The argument has been discussed by many people by now (cf, Dan Solove’s article and blog, John Dean’s essay, Michael Hampton’s thoughts, and Bruce Schneier’s article and blog). I often wonder how many who have used that argument do not realize that they might be the next victim of misuse of a database. Broader issues about “surveillance state” and the risk of ID theft put temporarily aside, there are the “little everyday misuses” of databases that should lead us to advocate for more restrictions on data collection, more controls on access, and much more severe penalties for abuse.
Undoubtedly, there is too much snooping into patients’ medical records. Staff may peek at celebrities’ medical records, or they may be looking up the records of family or friends without the knowledge of those individuals. In some cases, they are looking up ex-spouses or ex-spouse’s new lovers. Their motivation may be curiosity but in at least some cases, their motivation may be to acquire information that they can use to harm the individual’s reputation, chances of election, or employment.
The problems are not confined to the medical community, however. Law enforcement officers also engage in unauthorized access to databases. In 2001, a news story in the Detroit Free Press reported that police in Michigan used the state law enforcement database to stalk women, threaten motorists and settle scores: “Over the past five years, more than 90 Michigan police officers, dispatchers, federal agents and security guards have abused the Law Enforcement Information Network (LEIN).” More recent examples of problems include:
- Deputy Terri Lucas from the Collier County Sheriff’s Office in Florida was recently fired and a co-worker, Kelly Marsh, resigned after they were found looking up personal information about other deputies, their families and even an FBI agent. Lucas’s “defense” was that although she was sorry, it was a “victimless” crime because no one got hurt: “It was for pictures. This is my hairdresser. This is a deputy. He’s cute. We used it like a yearbook,” she said.
- In Washington, Caroline Pepperell lost one job with the Mountlake Terrace Police force in 1994 for misusing police databases to run license plate checks on men she found attractive. She subsequently got into trouble again in 2007 for misuse of computers while employed by the Sultan Police Department. In the latter case, she misused police resources to harass a neighbor.
- Drew Peterson, suspected of killing his wife, allegedly used police computers and databases to track his wife’s friends (video).
- Sgt. Reginald Allen of the Hartford, Conn. police was recently charged with a computer crime for allegedly disclosing information from a national law enforcement database to a female friend who then allegedly used that information to harass her ex-boyfriend’s pregnant girlfriend.
- Officer Teresa Shover of the DeKalb County Police Department admitted using the Georgia Crime Information Center — a classified database — to obtain personal information about a woman dating Shover’s ex-husband. She then used the data to create a flyer with her victim’s picture and name that calls her a homewrecker, an adulterer, etc. The flyer was sent to the woman’s family, friends, past employer, and neighbors. Even though Officer Shover had previously signed a form acknowledging that it is a crime to misuse the classified law enforcement computer, she was neither fired nor charged criminally:
Burrows recommended the five week suspension and says Shover’s actions were extremely severe but criminal charges aren’t necessary. “Handling it internally was the best route to take. It would serve no legitimate or useful purpose to pile on. We feel that we got the employee’s attention,†said Burrows.
What if someone from outside the department had hacked into the same database, obtained the information and used it for the very same purpose? Would they have charged that person with a crime? I suspect that they would.
Everyday misuses of databases are not confined to the U.S.:
- In Australia, Acting Detective Sergeant Richard Coates managed to keep his job with the Victoria Police anti-corruption unit in 2004, despite being found guilty of misusing the force’s confidential database over a 6-year period. In one incident, he used the police database to “find some dirt” on a person whose car he ran into.
- In Canada, RCMP Const. Pablo Maciuk was docked five days’ pay in 2007 after he used police computers to run the name and license plate of his ex-girlfriend’s new boyfriend.
- Computer misuse is also reported in the UK. In one case, Inland Revenue found some employees were looking at celebrities’ tax returns. In another case, Geraldine Tabor, a Dorset Police Special Constable, was charged under the Data Protection Act for “maliciously” using confidential police records to check personal data on non-police workmates she held a grudge against. She was convicted and fined.
- In Ireland, 28 tax officials who wrongly accessed confidential files relating to lottery winner Dolores McNamara were let off with a rap on the knuckles.
While some of the above incidents may seem trivial in their import to those who feel that invasion of privacy without demonstrable financial or reputational harm is “no big deal,” let us not forget that some instances of misuse of databases can have dire consequences:
- In 2007, James Andrew Hardy, a UK police officer, accessed a police database and passed three individuals’ personal details on to a man with a violent criminal record who wanted to take action against the three in retaliation for their actions against him or a friend. Found guilty of misfeasance in a public office for improperly accessing the police database, Hardy was given a suspended prison sentence of 28 weeks and 300 hours of community service. The Attorney General appealed that sentence and the prison term was increased by the Court of Appeal to nine months.
- In England, Bernard Gilbert, 79, died of a heart attack after a brick was thrown through his window by Mark Forbes and Forbes’ brother. Forbes had used a policeman friend to trace Gilbert after Gilbert was verbally abusive to Forbes’ wife, Zoe, over a parking space. The three were charged with manslaughter. Zoe Forbes was acquitted when the judge instructed the jury to acquit based on “insufficient evidence.” Mark and Steven Forbes were convicted of manslaughter. News coverage of this story by multiple sources all fail to name the police officer involved, simply referring to him as a “then-serving police officer,” suggesting that he was fired over this. Why wasn’t he charged with misfeasance in a public office or violation of the Data Protection Act, though? Perhaps he will be at some point. (h/t, the IT Law in Ireland blog for originally making me aware of this incident)
- In Australia, Constables Tyrone Stacey and Brendan Ritson are currently on trial for violating the Privacy and Personal Information Protection Act. They are accused of informing a man in custody that his girlfriend used to be a man. After being released from custody, the man went over to her apartment and beat her up. The victim said she suffered concussion after falling over the balcony of her loft bedroom and woke up “covered in blood.” Apart from the extensive physical injuries, the publicity and exposure from the case has “ruined” her life as a woman. The victim has sued the constables.
How many victims might have told others, “Well, if you have nothing to hide, you have nothing to fear” because they didn’t know that “having nothing to hide” may simply indicate that you don’t know who might wish to harm you at some point — either your person, your reputation, or your ability to get employment or health insurance.
I sure can’t wait for the abuses that come out of Real ID’s implementation.