Bruce Schneier
Schneier on Security

A blog covering security and security technology.

October 3, 2007

Government Employee Uses DHS Database to Track Ex-Girlfriend

When you build a surveillance system, you invite trusted insiders to abuse that system:

According to the indictment, Robinson, began a relationship with an unidentified woman in 2002 that ended acrimoniously seven months later. After the breakup, federal authorities allege Robinson accessed a government database known as the TECS (Treasury Enforcement Communications System) at least 163 times to track the travel patterns of the woman and her family.

What I want to know is how he got caught. It can be very hard to catch insiders like this; good audit systems are essential, but often overlooked in the design process.

Posted on October 3, 2007 at 3:02 PM • 14 Comments

Comments

It'd be comforting to think that his activity tripped an alarm and attentive system administrators detected the unusual behavior, wouldn't it? However, since this is a government database such an outcome is unlikely. No doubt he acted on the information he uncovered somehow - tipping off the ex-girlfriend. She may have been previously aware of the surveillance possibilities of his job (as mid-level insiders with his access often like to brag about it.) She figured it out based on his subsequent behavior, lawyered up, and they looked into the allegation. Yay, the system works!

Posted by: Raffy at October 4, 2007 5:00 AM

huh??? He got CAUGHT ? I think 'blabbing to his boss that he was tracking his ex-girlfriend using the 'puter' has been misconstrued as "getting caught". Alternatively, what kind of system, process or procedure only catches people after ""AT LEAST"" 163 SUCCESSFUL abuses !!??
Posted by: Dom De Vitto at October 4, 2007 6:50 AM

The (other) question which comes to my mind is: how much information did the TECS system deliver? What does it do, and how does it get its data? One would infer that, if it can deliver tracking information on a random individual (albeit one associated with an insider), it can do so for any member of the population.

Posted by: cassiel at October 4, 2007 7:42 AM

With the whole 'paperwork is such an inconvenience' meme that was sold to gut FISA, I'm afraid we're going to see even more of this kind of thing.

Posted by: Nick Lancaster at October 4, 2007 8:17 AM

Here is a complete list of the possible ways to prevent dishonest government employees from abusing their access to private information about individuals:

1. Don't store private information about individuals in government databases.

Posted by: Realist at October 4, 2007 8:29 AM

Do we really think that his ex-girlfriend is the only person this guy abused his power against? Or that he's the only one engaging in this kind of behavior? Even the guidelines cited in the original news article -- "in the performance of their official duties" rather than "in conjunction with a specific investigation" or "after written judicial authorization" -- are way too loose to give any confidence that this system is anything other than a mechanism for random snooping.

Posted by: paul at October 4, 2007 8:48 AM

@ paul: He's definitely not the only one. One of my (federally connected) exes has been harassing me since 1993. I have no way to get proof, so it continues. No one is watching the watchers anymore.

Posted by: Trichinosis USA at October 4, 2007 9:40 AM

It's simple. If I were a manager or auditor, I'd like to know why someone was so interesting to generate 163 search requests. I'd assume they are a "person of interest" and want to be aware of them also. The guy was stupid thinking this activity wouldn't get caught.

Posted by: Jojo at October 4, 2007 1:23 PM

What Trichinosis said... abuse of these sort of databases, particularly by LE personnel, is quite common, because even if there are logs (which there usually aren't), no one is looking at them. I'm personally aware of several cases of abuse, as well as of threatened abuse, of such systems. No doubt the people who are getting caught are the borderline nut jobs who make easily traceable threats, shoot their mouths off, etc.
Posted by: Reader X at October 4, 2007 1:26 PM

Abuse of access to privileged data is not a new problem. Perhaps these agencies should look at the solutions deployed by Hospitals and related IT groups in response to HIPAA, where all access to patient data is logged and reported. I know of multiple incidents where medical staff have been summarily terminated for viewing patient medical records that they had no business accessing. Why can't LE do the same?

Posted by: Qui custodiat ipso custodies at October 4, 2007 3:01 PM

"I know of multiple incidents where medical staff have been summarily terminated for viewing patient medical records that they had no business accessing. Why can't LE do the same?"

Because maybe they are Civil Service employees?

Posted by: Jojo at October 4, 2007 4:19 PM

The basic problem is one of "who watches the watchers". Which is a problem which exists so long as you have anything other than a "web" of oversight. About the only practical way of doing this is to enable everyone to watch everyone.

Posted by: Mark at October 5, 2007 8:11 AM

"Because maybe they are Civil Service employees?"

That shouldn't be a barrier. I have participated in such terminations.

Posted by: Reader X at October 5, 2007 9:45 AM

http://www.mercurynews.com/crime/ci_6946687

A) He probably wouldn't have been charged if he hadn't tried to sue them for race discrimination.

http://lawfuel.com/show-release.asp?ID=15185 (this is probably the original press release that is the source for other stories).

B) He did it for almost a whole year before being detected.

Posted by: moz at October 6, 2007 12:15 AM