By Dave Maass / Electronic Frontier Foundation
Confirmed cases of misuse of California’s sprawling unified law enforcement information network have doubled over the last five years, according to records obtained by Electronic Frontier Foundation under the California Public Records Act.
That adds up to a total 389 cases in which an investigation concluded that a user—often a peace officer—broke the rules for accessing the California Law Enforcement Telecommunications System (CLETS), such as searching criminal records to vet potential dates or spy on former spouses. More than 20 incidents since 2010 have resulted in criminal charges.
Unfortunately, those figures are only what was self-reported by government agencies to the California Attorney General. The actual number of misuse cases of CLETS are likely substantially higher since the California Attorney General’s Department of Justice (CADOJ) has let many agencies slide on their annual misuse disclosures. Among the delinquent are two of California’s largest law enforcement agencies: the Los Angeles Police Department (LAPD) and the Los Angeles County Sheriff’s Department.
What’s worse is the government body charged with overseeing disciplinary matters—the CLETS Advisory Committee (CAC)—seems to have taken no action to address the problem or ensure accountability from individual agencies.
Law enforcement abuse of confidential databases have been a growing concern for privacy and civil liberties groups like EFF. It occurs at all levels of government. In 2013, the NSA acknowledged that agents used intelligence systems to snoop on romantic interests (a practice dubbed “LOVEINT”). Last month, a Border Patrol supervisor was arrested and charged for allegedly manipulating a Homeland Security database to retaliate against a man who had made “child-rape” allegations against the supervisor’s brother.
Of the hundreds of cases of verified misuse of CLETS each year, only a handful of stories have reached the public, often years after the fact. Here are a few of the worst ways that police have abused the system in recent years:
- In 2010, a Los Angeles Police officer used LAPD’s communications system, which is connected to CLETS, to pull information on witnesses who testified against his girlfriend’s brother in a murder case. Chief Charlie Beck told the press the department would “vigorously prosecute” the officer. Two years later, however, the Los Angeles County District Attorney dropped the case. By then, the officer had already resigned. (Los Angeles County District Attorney)
- In the fall of 2010, an officer, who had been sending his estranged wife abusive text messages, used CLETS to dig up information on her new boyfriends. His wife complained to the police. The officer ultimately pled no contest to a misdemeanor harassment charge, but the charges for violating CLETS were dropped. He was also fired. (California Public Employee Relations Journal)
- Two Fairfield Police officers were investigated for using CLETS to screen women from dating sites such as Tinder, eHarmony, and Match.com. (Daily Republic)
- Court records show that in 2009, a Westminster Police Officer was fired after accessing CLETS 96 times to gather information on 15 people for non-law enforcement purposes, such as meeting women and spying on his ex-wife and ex-girlfriends. In 2013, he pleaded guilty to domestic violence charges and unlawful disclosure of DMV records. (Orange County Register)
- In 2013, the Madera County Sheriff’s Department of Corrections staff broke the rules by using a CLETS terminal at the county jail as a regular workstation. Consequently, officials failed to receive crucial communications, leading to the accidental release of a detainee. Days later, the released man was involved in a car chase that resulted in a crash that killed an innocent civilian. (Madera County Grand Jury)
EFF began investigating CLETS after reviewing official “misuse statistics” presented in public hearings that made little sense and did not seem to reflect misuse at all. Digging deeper, we learned the CLETS Advisory Committee has aggressively moved to expand the system’s capabilities, while more often than not turning a blind eye to the also-growing misuse.
What Is CLETS?
Think of CLETS as California’s law enforcement “cloud.”
Source: Public Safety Communications Association [.pdf]
CLETS links together more than 5,200 unique “points of presence,” such as dedicated office computers and mobile terminals in patrol cars. It’s a system so large that CADOJ told EFF it doesn’t even keep a master list of which agencies have signed agreements to access the system. In addition, many CLETS features are accessible through a web app called “SmartJustice.” The system also allows CLETS users to send millions of messages to each other every day, such as all-points-bulletins and Amber alerts.
CLETS users are granted access to whole universes of databases that don’t just contain information on Californians, but records from other states and the federal government.
If you’ve got a California-issued ID, registered a car in California, received a parking citation, have any kind of criminal history or protective order, or any kind of record in 11 other databases, then you likely have files that can be accessed from CLETS.
But that’s not all: CLETS also connects to Oregon’s equivalent network, which means if you’re an Oregonian, California police may be able to access your information too, especially if you drive a car. But those datasets pale in comparison to the access CLETS provides to an interstate database called NLETS and the FBI’s National Crime Information Center.
Who Oversees CLETS?
Under state law, there are two government bodies in charge of overseeing CLETS.
The legislature assigned the California Attorney General the responsibility of administering CLETS on behalf of the state’s law enforcement agencies. But lawmakers also decided that the attorney general would take direction on policy and disciplinary matters from CAC (again, that stands for the CLETS Advisory Committee), a nine-member body that meets several times a year. Currently, members representing law enforcement and local government lobby groups have a voting majority. There are no members representing civil liberties or privacy organizations.
Over the last five years, CAC has never once pursued any of those measures against an agency over misuse of the system. In fact, there is nothing in CAC’s meeting minutes to indicate that the body has ever publicly discussed the growing cases of misuse.
Based on our research and discussions with CADOJ, it seems the agency is not enforcing reporting requirements, nor is it presenting what information it does collect to CAC. Meanwhile, CAC doesn’t seem to mind that it’s not being provided this information. The problem is circular: CADOJ can’t take action against misuse unless it has been directed to do so by CAC. And CAC can’t recommend an action against misuse unless CADOJ provides the committee with misuse reports. As a result, neither body seems to be addressing the issue.
(EFF could only identify one instance where CAC even discussed a particular misuse case, although it wasn’t characterized as misuse at the time. In 2014, a Madera County Grand Jury investigation concluded that misuse of the CLETS terminal at the county jail resulted in the accidental release of an arrestee, who later killed a bystander during a car chase. According toCAC meeting minutes [.pdf], CADOJ only told the committee that Madera County was “not compliant with security awareness training” and would be given six months to get it together.)
The CLETS agreement also requires each agency to file an annual report of misuse statistics. The information in these reports includes: number of misuse complaints the agency received, whether those complaints were received from internal or external sources, the outcome of the investigation, and what actions were taken. If criminal charges were filed, the agency must report if prosecution resulted in a conviction.
CADOJ has not passed these statistics onto the oversight committee either. Instead, at each meeting, CADOJ staff present the committee with a series of numbers that they call “Misuse Statistics,” but are really nothing of the sort.
Here’s an example of a slide presented by CADOJ at the March CAC meeting:
CAC generally glosses over this information during its meetings without asking questions. However, when EFF asked what these numbers actually mean, CADOJ staff explained that these numbers only show how many times the access log was checked for misuse. It does not, in any way, indicate actual misuse.
So, EFF filed a request under the California Public Records Act to get the real numbers for CLETS misuse.
What We Know About CLETS Misuse
The data was astounding: CLETS abuse more than doubled between 2010 and 2014.
Agencies received 641 complaints over that period and between 586 and 619 investigations were conducted (the data is internally inconsistent). Approximately two-thirds of those investigations resulted in an affirmative finding that misuse had indeed occurred.
Of those 389 cases of confirmed misuse, 109 resulted in no action taken at all. As for the rest:
- 6 cases resulted in a felony charge
- 15 cases resulted in a misdemeanor charge
- 35 cases resulted in terminations
- 32 cases resulted in resignations
- 62 cases resulted in suspension
- 136 cases resulted in reprimands or counseling.
- 56 cases were simply listed as resulting in “other” action
Even these numbers fail to paint a complete picture of the problem. Currently, 143 misuse investigations remain mysteries; their outcomes are listed as simply “pending,” and the documents were never updated after the investigations were concluded. Of the 21 cases where users faced criminal charges, only four so far have resulted in convictions, with the dispositions of the remaining cases undisclosed.
In addition, even when an agency says it recorded zero CLETS misuse, that doesn’t necessarily mean there was none. For example, Madera County didn’t report the 2013 jail case in its statistics because it didn’t start an investigation until a year after the incident (after the grand jury slammed the sheriff for failing to conduct an investigation). Furthermore, there are places where the numbers provided by agencies don’t seem to add up.
More alarmingly, however, was our discovery that many agencies hadn’t filed disclosures at all. Because CADOJ doesn’t keep a master list of agencies that should be reporting, EFF had no way to determine how many agencies were delinquent.
We were, however, able to confirm the Los Angeles County Sheriff’s Department did not file any disclosures between 2010 and 2014. LAPD—which caught an officer digging up information on murder witnesses in 2010—only filed a form once, in 2012. Calls to the sheriff department went unreturned, while LAPD staff could not determine who was responsible for filing the forms. Meanwhile, there’s nothing to indicate either the CADOJ or CAC ever followed up.
There’s one further reason to be wary of the data: the source material no longer exists.
In our initial request, we asked for each individual annual misuse report. Instead CADOJ provided us a series of tables, explaining that “once received, the data is entered onto a spreadsheet and the form destroyed.” Throwing out the original records makes it difficult, if not impossible, to double-check inconsistencies in the data.
What Is CAC Doing Instead of Overseeing Misuse?
CAC does provide critical oversight in one capacity: ensuring agencies are in compliance with CLETS and FBI security standards—such as encryption, password strength, and training. For example, a March 2014 audit by the FBI found widespread compliance issues among 10 agencies, including failure to conduct appropriate training, failure to fingerprint all personnel with access to the system, and failure using sophisticated encryption. Many of these issues remained unresolved more than a year after they had been identified.
Despite the skyrocketing misuse and the ongoing cybersecurity challenges, CAC has spent the last year coming up with new ways to expand CLETS. In December 2014, for example, CAC authorized CADOJ to link CLETS to an interstate driver license photo-sharing system, granting California police access to DMV photos from across the country. At CAC’s July 2015 meeting, the body quietly approved the 2015 Strategic Plan, which calls for expanding biometric data capture and sharing real time and historical GPS data on offenders statewide.
Can Anything Be Done?
EFF would like to see the California Attorney General and CAC do their jobs by properly monitoring CLETS and holding agencies responsible for misuse.
CADOJ should collect the misuse information it is supposed to, stop destroying the original records, and provide that data to the official oversight committee. CAC, in turn, should openly discuss how CLETS policies can be improved to reduce the potential for abuse and recommend action against agencies that fail to comply. Sadly, these bodies have demonstrated they see little value in enforcing the rules and even less value in public participation.
All year, EFF has been trying to ensure accountability with CLETS—filing public records requests, sending letters, and addressing the committee during public comment. Our goal so far has been to fight CLETS expansion plans and to demand greater transparency in how it conducts its meetings.
In March 2015, EFF demanded CAC drop its plans to integrate facial recognition technology with the California DMV photo database and share DMV photos with other states. After 1,500 supporters sent emails to CAC, the committee removed that goal from its strategic plan.
We were joined by the ACLU of California, Californians Aware, and First Amendment Coalition in a letter warning the committee that the way it is conducting its hearings is likely in violation of the state’s open meetings laws. At its July 2015 meeting, CAC responded that “convenience” for its members trumped the public’s right to meaningfully access and participate in decisions regarding CLETS. Then CAC voted to pass a 2015 Strategic Plan—a document that had never been publicly released or announced on an agenda before being finalized.
It may be time for the California legislature to step in to protect the privacy of their constituents. Measures could include holding investigative hearings, adding new, non-law enforcement members to the committees, and requiring full and public disclosures of misuse statistics.
In the meantime, you can count on EFF to remain vigilant. Stay tuned, because we may need your help.
Originally posted at the EFF Deeplinks Blog