Before I get into the story it, let me be v-e-r-y clear…I am NOT here to debate the effectiveness or morality of red-light/speed enforcement systems, nor am I here to cast dispersions on any of the organizations involved in the press release…this blog posting is strictly about using the Gatso press release to emphasize a point about security and privacy - when we engage in innovative law enforcement technology solutions, we need to take extra care to adequately address the security and privacy of personally identifiable information.

Here’s the press release from Gatso-USA:

GATSO USA Forms Unique, Strategic Partnership with Nlets

Earlier this month, GATSO USA was approved as a strategic partner by the Board of Directors of the National Law Enforcement Telecommunications System (Nlets). Nlets is….general narrative about NLETS was deleted. The approval of GATSO is an exciting first for the photo-enforcement industry.

Nlets will be hosting GATSO’s back office and server operations within the Nlets infrastructure. GATSO will have access to registered owner information for all 50 states plus additional provinces in Canada. The strategic relationship has been described as a “win-win” for both organizations.

From Nlets’ perspective, there are key benefits to providing GATSO with hosted service. Most importantly, it virtually guarantees personal data security. Due to this extra step of storing personal data behind the DMV walls of Nlets, the public can be assured that security breaches — such as the recent incident with PlayStation users — are avoided.

From GATSO’s perspective, hosting the system with Nlets will provide a ruggedized, robust connection to comprehensive registered owner information — without the security issues faced by other vendors in this industry. Nlets was created over 40 years ago…more stuff about NLETS was deleted).

The main points I took away from this press release were:

1. Nlets is going to host the back-end server technology that GATSO needs to look up vehicle registration information of red-light runners;
2. Gatso is going to have access to vehicle registration information for all vehicles/owners in ALL 50 states in the U.S. and (some) provinces in Canada; and
3. And, because it’s behind Nlets firewalls, security is not an issue.

Again, please don’t call me a party-pooper as I am a huge advocate for finding innovative ways to use technology to make law enforcement’s job easier. However, I am also painfully aware (as many of you are) of the many security and privacy related missteps that have happened over the last few years with technology efforts that meant well, but didn’t do enough to make sure that they covered the bases for security and privacy matters. These efforts either had accidental leakage of personal information, left holes in their security posture that enables direct attacks, or created opportunities for nefarious evil-doers with legitimate access to use that access to sensitive information for other than honorable purposes.

After I read the press release, I thought that it would be a good case-study for the topic of this blog - it involved innovative use of technolgy for law enforcement, a psuedo-government agency (Nlets), two foreign-owned private companies, and LOTS of PII sharing - some might even say it had all the makings of a Will Smith movie.

To help set the stage, here are a few facts I found online:

• Gatso-USA is a foreign company, registered in New York State, operating out of Delaware; its parent company is a Dutch company, GATSOmeter BVGatso.
• Gatso does not appear to vet all of the red-light/speed violations itself; it uses another company – Redflex Traffic Systems to help with that (Redflex is not mentioned in the press release).
• Redflex seems to be a U.S. company, but it has a (foreign) parent company based in South Melbourne, Australia.
• Finally, there are no-sworn officers involved in violation processing. Red-light/speed enforcement cameras are not operated by law enforcement agencies; they outsource that to Gatso, who installs and operates the systems for local jurisdictions (with Redflex) for free, (Gatso/Redflex is given a piece of the fine for each violation).

There are no real surprises here either; there are many foreign companies that provide good law enforcement technologies to jurisdications across the U.S., and outsourcing traffic violations is not new…BUT what is new here is that a sort-of-government agency (Nlets), has now provided two civilian companies (with foreign connections) access to Personally Identifiable Information (PII) (vehicle registrations) for the entire U.S. and parts of Canada…should we be worried?

Maybe; maybe not. Here are nine questions I would ask:

1. Personnel Security: Will Nlets have a documented process to vet the U.S. and overseas Gatso and Redflex staff who will have access to this information through direct or VPN access to Nlets systems?
2. Data Security: Will Gatso or Redflex maintain working/test copies of any of the registration information outside of the Nlets firewall? If so, are there documented ways to make sure this information is protected outside the firewall?
3. Data Access: Will Gatso/Redflex have access to the entire registration record? or, will access be limited to certain fields?
4. Code Security: Will any of the code development or code maintenance be done overseas in the Netherlands or Australia? If so, will all developers be vetted?
5. Network Security: Will overseas developers/site suport staff have access to the data behind Nlets firewalls? What extra precautions will be taken to protect Nltes systems/networks from abuse/attack?
6. Code Security: Will Nlets conduct any security testing on code loaded on the servers behind their firewalls?
7. Stakeholder Support: Have all 50 U.S. states, and provinces in Canada, been made aware of this new information sharing relationship? Do they understand all of the nuances of the relationship? And, are they satisfied that their constituents personal information will be protected?
8. Audit/Logging: Will all queries to vehicle registration information logged? Is someone checking the logs? How will Nlets know if abuses of authorized access are taking place?
9. Public Acceptance: How do states inform their constituents that their personal vehicle registration information is being made available to foreign owned company? Will they care?

How these questions are answered will determine whether or not we should worry…

Did I miss any other important questions?

Beyond this particular press release and blog posting, I suggest that you consider asking these kinds of questions whenever your agency is considering opening/connecting its data systems to outside organizations or private companies—it may just prevent your agency from becoming a headline on tonights news, like St. Louis –> St. Louis Police Department computer hacked in cyber-attack .

The bottom-line is that whenever you take advantage of opportunities to apply innovative technologies to public safety, make sure that you cover ALL the bases to protect your sensitve data and PII from leakage, direct attacks, or misuse and abuse.

As always, your thoughts and comments are welcome.

r/Chuck

March 17, 2009

Hi Jeff,

With sincere apologies to Sean Connery, I am dismayed that people are still bringing a knife to an information sharing gun fight—the importance of information sharing, data discoverability, security protections, metrics and incentives, and empowerment have been documented many times over since I became involved in information sharing in 1999 and have proved to be of little value to making information sharing happen.

I believe a significant reason for this is that information sharing has been seen as the “main thing.” Information sharing should NEVER be seen as the main thing; it is simply a means to an end. I have never forgotten what Scott McNealy of Sun Microsystems said—“The main thing is to keep the main thing the main thing.” And, the main thing for government is safe streets, clean air and water, a strong economy, etc…NOT information sharing.

The “guns” that we need to bring to the information sharing table are simply engaged executive leadership and accountability for mission results.

Of the many significant information sharing projects around the country that I have been a part of, I can tell you that the most important ingredient for successful information sharing is: “An agency executive who actively communicates an operational imperative for mission success and then holds their managers accountable for using information sharing as a critical enabler for achieving desired mission results.” [I have a few blog posts on the subject at http://www/nowheretohide.org/wordpress]

While I agree that good security, good technology, good project management, good metrics and the like are necessary, none of this will matter if the need for information sharing is relegated two or three levels down the organization chart or is just seen as an edict from above—federal, state, and municipal agencies are already choking on multiple (and often conflicting and unfunded) mandates.

With my apologies to our President, the PM-ISE, and the Markle Foundation there is nothing more they can print on a sheet of paper to make information sharing happen—hundreds of executive orders, national strategies, task force reports, and security policies have been published—what more could they possibly say?

I believe it now comes down to the individual will of executive leadership in those federal, state and municipal agencies who hold the information that should be made shareable and their capacity to make it happen within their respective agencies. And that Jeff is the one area where I do believe that President Obama and our Congress can help—by simply ensuring that the people they choose to lead those agencies a) truly embody the will, character, and leadership qualities to achieve the mission and b) understand the value that information sharing brings to help make that happen.

r/Chuck Georgo
chuck@nowheretohide.org

1. Resist the urge to see information sharing as an outcome. Information sharing is a means to an end, not the end itself. Each federal agency, every state and regional fusion center, and all law enforcement intelligence units should have a clear set of information requirements, questions if you will, that information sharing and the intelligence process should work to answer–hold agencies accountable for having clear and valid requirements. This has been a common practice in the intelligence community for decades and should be a practice for all information sharing elements.
2. Build clear accountability into the information sharing process. Every federal agency, fusion center and law enforcement agency should have one person, preferably an impassioned, well-respected leader, that can ensure that their agencies requirements are  well documented and communicated horizontally across federal boundaries and vertically to local, state, and municipal agencies, and (where applicable) private sector organizations.
3. Establish clear linkage of information sharing to agency operational performance measures. Just as staffing, information technology, facilities, and utilities are seen as strategic resources in a performance-based budget, information sharing must be seen as a resource to be strategically used to help an agency achieve its mission. When measuring the success of information sharing, focus on the extent to which it helped achieve agency goals–just as counting cases in law enforcement is a misleading way to judge public safety success, counting RFIs, records shared, SARs submitted is not a good way to gauge information sharing success–successful information sharing can only be measured through the extent to which it helps agencies (at all levels) achieve their operational goals.
4. Discourage agencies from using stovepiped portals for information sharing. All shareable data should be available as a “service” for consumer agencies to ingest into their systems and not through a dedicated portal that users will need a discrete login to access. You can read my previous “Portal-mania” blog post for more detail here, but all federal agencies should be required to make their data accessible through National information Exchange Model (NIEM) based web services. This will enable consumer agencies to integrate multiple data streams into their workflow and will reduce the number of websites and portals analysts are required to access to perform their work.
5. Give the same amount of attention to what is shared and how it is shared. Over the last few years, a significant amount of effort has gone into how information is shared at the expense of understanding the depth and breadth of information actually being shared. Many regional and national information sharing efforts still only contain basic levels of information, or worse are just pointer systems that require additional human effort to gain access to the actual record. Encourage agencies to communicate to each other what specific information is being shared, and what is not being shared, and help everyone understand the consequences of their decisions.
6. Encourage maximum use of NIEM and the Information Exchange Package Descriptions (IEPD) contained it its clearinghouse. NIEM has emerged as the dictionary of shareable data elements. When you string together sets of these data elements to satisfy a specific business need, an IEPD is born. The NIEM IEPD clearinghouse contains more than 150 IEPDs, many of which apply to national security, law enforcement and public safety missions. While many federal agencies have pledged their support of NIEM, more effort is needed to ensure that they first seek to use IEPDs already contained in the clearinghouse and do not develop one-off IEPDs designed to meet very narrow applications.
7. Finally, foster a culture of transparency to help communicate an appreciation of personal civil rights and civil liberties.  All information sharing and intelligence operations should engage in proactive efforts to help alleviate any fears that individual privacy and liberties are violated by any of the actions taken by those agencies. In my September 3, 2009 blog posting I list ten questions a fusion center director should ask of their own intelligence operations. I’d like to offer up these questions as a beginning framework for any information sharing or intelligence operation. They also serve as a good framework for evaluating the extent to which information sharing and intelligence operations are in fact seriously working to do the right thing.

In closing, I hope you can see how these seven points help to frame how you might structure a results oriented evaluation of information sharing across our federal agencies and with our state and regional fusion center, and private sector partners. Taken together you will be able to report the extent to which agencies have:

• Documented their information sharing requirements – what needs to be shared;
• Someone who can be directly held accountable for effective and proper information sharing;
• Linked their need for information to specific operational goals and strategies;
• Implemented mechanisms that makes it easy for other agencies to access their information;
• Ensured that they are sharing the right information (most meaningful) information;
• Taken advantage of NIEM as a way to save money and expedite information sharing; and
• Taken measures to proactively diffuse public (and media) perceptions of information misuse.

I wish you well in your new role as Senior Director for Information Sharing Policy.

Regards,

Chuck Georgo
chuck@nowheretohide.org

It’s no secret, the National Information Exchange Model (NIEM) is a huge success.  Not only has it been embraced horizontally and vertically for law enforcement information sharing at all levels of government, but it is now spreading internationally.  A check of the it.ojp.gov website lists more than 150 justice-related Information Exchange Package Documentation (IEPD) based on NIEM–it’s been adopted by N-DEX, ISE-SAR, NCIC, IJIS PMIX, NCSC, OLLEISN, and many other CAD and RMS projects. 

For at least the last four years, Search.org has been maintaining the Justice Information Exchange Model (JIEM) developed by Search.org.  JIEM documents more than 15,000 justice information exchanges across  9 justice processes, 75 justice events, that affect 27 different justice agencies. 

So if JIEM establishes the required information exchanges required in the conduct of justice system business activities, and NIEM defines the syntactic and semantic model for the data elements within those justice information exchanges…then…

Wouldn’t it make sense for JIEM exchanges to call-out specific NIEM IEPDs?

And vice-versa, wouldn’t it make sense for NIEM IEPDs to identify the specific JIEM exchanges they correspond to?

Here’s a diagram that illustrates this…

Let me know what you think..

r/Chuck

chuck@nowheretohide.org - www.nowheretohide.org

If you haven’t heard about the Department of Health and Human Services Federal Health Architecure and CONNECT project, I suggest you pop over to this website where documentation for version 2.0 of the software resides:

http://www.connectopensource.org/display/NHINR2/Release+2.0+Home

CONNECT is an open source software gateway that connects public and private health orgaizations to the National Health Information Network.  Think of it like a giant peer-to-peer N-DEx, but with an open source “front-porch” that drops into each agency and extracts the data from back-end systems.

I’ll be doing more investigation into the CONNECT project to see if we can adapt it for law enforcement information sharing use–the closest thing to this on the LEIS side is the FINDER project in orlando, FL.

as always, comments and thoughts welcomed.

r/Chuck

chuck@nowheretohide.org - www.nowheretohide.org

Let me first layout the agency landscape :

• There are about 14,000 state and local law enforcement agencies;
• In roughly 3,000 counties;
• That make up the 50 states of our great nation.

Now let’s layout the funding landscape:

• For 2008 the Department of Homeland Security (DHS) allocated $3,200,000,000 (billion) for state and local assistance grants;
• In that same year, the Department of Justice (DOJ) made another $2,000,000,000 available;
• For 2008 that’s a total of $4,200,000,000;
• For 2007 that number was $4,500,000,000;
• For 2009, we are hoping that number stays about the same or goes even higher.
• To all these numbers you must add funding from the Department of Defense, Department of Transportation, Department of Health and Human Services, or State funding sources for LEIS.

Finally, let me lay out the cost landscape for LEIS:

• In my eight or so years of experience of building and deploying LEIS, I’ve seen the costs associated with hooking up an agency to vary between $5,000 and $80,000 per record system connection;
• On average though, I feel the safer number is between about $20,000 and $40,000;
• For arguments sake, let’s use the high number of $40,000.

Now comes the fun part…let’s do some math…

• To be realistic, let’s say that 25% of the 14,000 agencies are already sharing information;
• That leaves about 10,000 agencies left to connect;
• At $40,000 an agency, we would need a total of $560,000,000 (Million);
• Divide that by the 3,000 counties, and we will need about $190,000 per county;
• If we do this over three years, that’s only $63,000 per county, per year for three years!

With (on average) every county getting about $1,400,000 every year for law enforcement and public safety (out of the $4.2 Billion allocated annualy), I would like to think that we (collectively) can see the benefits of LEIS enough to spare $63,000  a year for three years to get it done.

Here’s where the issue of choices and priorities comes in.  If we can agree that the money IS there, what we really need to work on are ways to convince the policymakers and law enforcement exectutives in those counties that investing a little in LEIS is a better investment than whatever it is their currently spending their part of the $4,200,000,000 on.  Do you agree?

I’d also like to know what role youthink the IACP, MCC and NSA would play here?

Thoughts and comments invited…and yes, I used a calculator…;-)

r/Chuck Georgo

I think we can take a lesson from Tom and the OMB and begin using a formal framework for evaluating the level of implementation and real-world results of the many Law Enforcement Information Sharing projects around the nation.  Not for any punitive purposes, but as a proactive way to ensure that the energy, resources, and political will continues long enough to see these projects achieve what their architects originally envisioned. 

I would like to propose that the evaluation framework be based on six “Standards for Law Enforcement Information Sharing” that every LEIS project should strive to comply with; they include:

1. Active Executive Engagement in LEIS Governance and Decision-Making;

2. Robust Privacy and Security Policy and Active Compliance Oversight;

3. Public Safety Priorities Drive Utilization Through Full Integration into Daily Operations;

4. Access and Fusion of the Full Breadth and Depth of Regional Data (law enforcement related);

5. Wide Range of Technical Capabilities to Support Public Safety Business Processes; and

6. Stable Base of Sustainment Funding for Operational and Technical Infrastructure Support.

My next step is to develop scoring criteria for each of these standards; three to five per standard, something simple and easy for project managers and stakeholders to use as a tool to help get LEIS “done.”

I would like to what you think of these standards and if you would like to help me develop the evaluation tool itself…r/Chuck

Chuck Georgo
chuck@nowheretohide.org
www.nowheretohide.org