Police Department Privilege Escalation
It’s easier than you think to create your own police department in the United States.
Yosef Maiwandi formed the San Gabriel Valley Transit Authority—a tiny, privately run nonprofit organization that provides bus rides to disabled people and senior citizens. It operates out of an auto repair shop. Then, because the law seems to allow transit companies to form their own police departments, he formed the San Gabriel Valley Transit Authority Police Department. As a thank you, he made Stefan Eriksson a deputy police commissioner of the San Gabriel Transit Authority Police’s anti-terrorism division, and gave him business cards.
Police departments like this don’t have much legal authority, they don’t really need to. My guess is that the name alone is impressive enough.
In the computer security world, privilege escalation means using some legitimately granted authority to secure extra authority that was not intended. This is a real-world counterpart. Even though transit police departments are meant to police their vehicles only, the title—and the ostensible authority that comes along with it—is useful elsewhere. Someone with criminal intent could easily use this authority to evade scrutiny or commit fraud.
Deal said that his agency has discovered that several railroad agencies around California have created police departments—even though the companies have no rail lines in California to patrol. The police certification agency is seeking to decertify those agencies because it sees no reason for them to exist in California.
The issue of private transit firms creating police agencies has in recent years been a concern in Illinois, where several individuals with criminal histories created railroads as a means of forming a police agency.
The real problem is that we’re too deferential to police power. We don’t know the limits of police authority, whether it be an airport policeman or someone with a business card from the “San Gabriel Valley Transit Authority Police Department.”
Andrew • March 15, 2006 8:37 AM
Isn’t this really a social engineering hack? From the time we played Cops ‘n Robbers we’ve learnt that the police have certain powers and authority.
Call these company units what they really are: security firms.