Saturday, December 20, 2008

Policeman uses Crime database to blackmail criminals

It sounds more complicated than it really is, and represents a big, big problem.

A UK policeman used his access to a database of sex and drug offenders to blackmail the criminals:

PC Amerdeep Singh Johal, 29, was arrested by anti-corruption cops from Scotland Yard in July 2007. Johal was employed in checking names and addresses on the police database, called Crimint, on behalf of beat cops.

He abused the role to contact 11 convicted offenders and threaten to spill the beans on their crimes unless he was given "hush money". Johal requested between £29,000 and £31,000 for his silence, threatening to tell work colleagues or neighbours of convicted sex offenders about their crimes. In one instance Johal demanded £89,000 as a "goodwill gesture".

He was caught, prosecuted, and convicted, so well done to the UK police services. So far.

The case has raised wider concerns about the misuse of police databases, which the Metropolitan police is keen to downplay.

A Scotland Yard spokesman told the BBC: "There are strict guidelines in place regarding the use of intelligence databases and if anyone abuses it that is taken extremely seriously."

Well, that's all right, then. Srlsy.

People on the seedier side of cyber security used to have a saying ten years ago. You want to give someone a Bad Day, break into the National Crime Information System and put out an All Points Bulletin: Armed And Dangerous.

The most compelling argument for small government is that all government power will eventually get abused. In this case, it was the bad apple doing a bit of unauthorized moonlighting, but we see this occur for purposes both large and small.

Joe the Plumber had political flunkies snooping into his background. Some other folks were just arrested for applauding a speaker at a Board of Supervisors meeting in Phoenix.

The problem of petty officials abusing their authority is very, very old - literature is full of examples. Until the crooked timber of humanity is straightened, we can't expect any change.

This is precisely the argument against the Patriot Act: we don't know the specifics of how it will be (is?) abused, but we know that it will be (is?). It's the reason that gun owners oppose - or should oppose - registration.

From a computer security point of view, there's nothing that you can do about this that does not result in FAIL. You have an authorized user accessing data that they are authorized to see. There are no technical controls that can be used to mitigate this risk. About all you can do is aggressively prosecute (and jail) bad apples like Police Constable Johal.

And it's why it's so important to always err on the side of prosecution. It doesn't happen this way, of course, but each small episode of "we'll deal with it internally" further erodes the system.

UPDATE 22 December 2008 12:04: For a system that is high risk for this sort of abuse, read this. Yes, the ATF is involved.
