Red Hot Cyber

Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
Search

Data Brokers: How Law Enforcement Rely on Inaccurate Data to Supplement Investigations

Olivia Terragni : 15 June 2022 07:00

Author: Jesse McGraw, alias Ghost Exodus
Publication date: 11/06/2022

Government public record databases apparently help law enforcement officials save lives, prevent further crimes from being committed by perpetrators, and also provide a detailed information platform that can stitch together obscure tidbits of data that can help them hunt down and capture fugitives and individuals fleeing from an arrest warrant.

Access to these public record systems is set to help legal professionals solve cases faster by reducing the number of people it would ordinarily take to resolve the cases, as well as the time and expenses associated with lengthy investigations.

Acquista il corso Dark Web & Cyber Threat Intelligence (e-learning version)
Il Dark Web e la Cyber Threat Intelligence rappresentano aree critiche per comprendere le minacce informatiche moderne. Tra ransomware, data breach e attività illecite, le organizzazioni devono affrontare sfide sempre più complesse per proteggere i propri dati e le infrastrutture. Il nostro corso “Dark Web & Cyber Threat Intelligence” ti guiderà attraverso i meccanismi e le strategie utilizzate dai criminali informatici, fornendoti competenze pratiche per monitorare, analizzare e anticipare le minacce.

Accedi alla pagina del corso condotto dall'Prof. Pietro Melillo sulla nostra Academy e segui l'anteprima gratuita.

Per un periodo limitato, potrai utilizzare il COUPON CTI-16253 che ti darà diritto ad uno sconto del 20% sul prezzo di copertina del corso
Per ulteriori informazioni, scrivici ad [email protected] oppure scrivici su Whatsapp al 379 163 8765 

Supporta RHC attraverso:


Ti piacciono gli articoli di Red Hot Cyber? Non aspettare oltre, iscriviti alla newsletter settimanale per non perdere nessun articolo

It’s not uncommon to associate our ideas of such databases with images and scenes from television and films, from the lowly black and white text-based terminals to the highly graphical and sophisticated interfaces depicted in blockbuster spy films.

As a former hacker, I became very familiar with law enforcement databases such as the Texas Law Enforcement Telecommunications System, International Justice and Public Safety Network, Bureau of Prisons Network, Legal Information Office Network System, as well as the National Crime Information Center.

However, there exists a data mining giant called Accurint for Law Enforcement (Accurint LE) that leaves nothing to the imagination.

In 2009, I was arrested and charged for two counts of Transmitting a Malicious Code, or installing malware, basically. During the Detention/Bond Hearing, the prosecuting attorney representing the government in this case falsely accused me of owning a fake ID kit in addition to the claim that I used multiple false identities.

This information was patently inaccurate and became a convincing factor that influenced the magistrate judge to deny me a bond. After discussing this issue with my public defender, we moved to petition the prosecutor to produce evidence in support of this claim.

The information the prosecuting attorney provided came from Accurint.

What Does Accurint LE Know About You?

Accurint for Law Enforcement is a widely popular and exceedingly exhaustive public records research tool provided by the data broker LexisNexis. It has powerful tracking and people-mapping capabilities that harvest its resources from a multitude of records databases using data mining technology to converge information into a single, massive, centralized information pool.

It can reveal connections between people, businesses, assets, and locations that can’t be found in public records, even if the user has only fragments of information on the individual they are searching for.

Broker di dati accurint le
Link analysis between entities sample. Source: Accurint LE User Guide

The Accurint database holds 84 billion public records on 283 million unique identities—an average of about 290 records per identity. Millions of Accurint reports are sold each year to government agencies, law enforcement, insurance companies, banks, collections, and any other entities.

Examples of some of the records Accurint can extract include assets such as property, motor vehicles, FAA (Federal Aviation Administration) aircraft, and watercraft licenses as well as firearms registrations.

It can generate a detailed information tree of the relationships between individuals and where they live, how to contact them, cellular and landline records, vehicle registration and accident reports, employment history, who their coworkers are, their affiliations, criminal records as well as intricate details into their financial behaviors. Birth records. Credit reports. You name it.

Investigative intelligence apparently has never been easier. Accurint LE can also monitor social media, allowing agencies to discover risks and threats by leveraging social media to provide actionable intelligence.

Government, law enforcement, and commercial customers are among the database’s many users, and the cost of running lightning-fast searches can amount to mere pocket change. It is used by over 4,000 federal, state, and local law enforcement agencies across the U.S.

LexisNexis—the highly acclaimed legal, regulatory, business and analytics information giant and data broker who owns the rights to the tool—describes Accurint LE as “a cutting-edge investigative technology that can expedite the identification of people and their assets, addresses, relatives and business associates by providing instant access to a comprehensive database of public records that would ordinarily take days to collect.”

According to the company, it “assists 70% of local agencies and almost 80% of federal agencies to safeguard citizens and reduce financial losses due to fraud and abuse.”

Hank Asher, who is best known as “the father of data fusion” is the celebrated creator and computer mastermind behind this impressive data mining and records-linking titan. It shouldn’t be surprising that he was described by one of his employees as a “mad scientist.”  Others consider the man something of a legend.

Damaging Consequences Caused by Inaccuracies

The damage my Accurint report caused was irreparable. My prosecutor mailed a detailed printout from Accurint to my attorney, who then forwarded it to me so I could review the source of the government’s claim.

The database inaccurately reported that I supposedly had multiple aliases connected to my social security number (SSN) by rearranging and combining variations of my birth name and legal name in conjunction with my mother’s married name. These were names I had never used before at any given time in my life.

However, the damage was done, and this misinformation was already being repeated by news media reporters. Eleven years later and those same news stories are still all over the web. The disclaimer at the top of the records compiled by Accurint seemed to be ignored. In short, it stated that the information input into these databases is sometimes inaccurate and that further investigative inquiries are necessary. Imagine that.

Another example of inaccurate information provided by Accurint was similarly described by Meghan Koushik, a research associate at the Brennan Center for Justice, who had the opportunity to run a search for her name in 2014. Under the impression that she had a small information footprint due to having a unique name, no driver’s license, and no criminal record, she was shocked by the results.

“…The reports listed every phone number and address I had ever been associated with, from my college mailbox to the relative’s home where I’d forwarded mail while abroad. Accurint listed the apartment I rented while interning in DC, along with the names and phone numbers of its current occupants. It even provided the sale price and mortgage on each home I’d lived in. Surprisingly, much of the information was also inaccurate. 

[…] Accurint listed someone named Florinda as ‘Associated with Subject’s SSN’ though it assured me this ‘doesn’t usually indicate fraud’.”

broker di dati mappatura accurint
Mapping results sample. Source: Source: Accurint LE User Guide

She explained at the time, that amending the inaccurate data proved impossible because the data brokers did not allow individuals in the U.S. to access and amend their data. There’s too much red tape involved, and changes to the information oftentimes aren’t retained permanently.

No Possibility to Amend Inaccurate Data?

This may be because data being scraped and stored by the data brokers isn’t redundant. The information is being siphoned from such a variety of sources that any changes to a person’s report will likely be overwritten as the report is updated.

It seems the only exception to this problem is exclusively reserved for residents of the State of California under the California Consumer Privacy Act (CCPA) who otherwise reserve the right to requests to delete certain personal information in addition to requesting to not have their personal information sold.

Furthermore, individuals who are not residents of the State of California who desire to amend inaccurate information in their Accurint report may find the process a daunting and fruitless endeavor.

“There is no general federal privacy law that specifically provides consumers with the right to choose whether or not their information can be collected and/or used,” Karen Gullo, speaking on behalf of the Electronic Frontier Foundation, nonprofit defending civil liberties in the digital world, told forklog.media. 

“Strong privacy legislation in the U.S. is long overdue. California’s data privacy law is a state law that allows consumers to learn what companies collect about them, delete it, and opt-out of its sale. But it does not give consumers the right to choose whether their data is collected,” said Gullo.

Michael Rapp, a consumer attorney from Kansas City, said his firm has litigated dozens of cases against LexisNexis, and companies like it for more than a decade.

“People can have their reputations hurt by companies they’ve never heard of, and often don’t know until the damage is done”, he said and continued: “This is the biggest thing you don’t know anything about. It’s almost impossible to avoid being tracked by data brokers—not just LexisNexis.”

Accurint’s report stated it “may not contain all personally identifiable information in our databases” and they “do not verify data, nor is it possible to change incorrect data.” A statement like this should cause heads to roll when you factor in the magnitude of the amount of data being collected on private citizens.

Abuse of Data

For years, LexisNexis sold Accurint without complying with the federal Fair Credit Reporting Act (FCRA), on the theory that Accurint is not a “consumer report” that triggers the Act’s protections. Back in 2013, LexisNexis settled a $13.5 million class-action lawsuit brought by 30,000 plaintiffs who accused the company of harvesting background data and selling it to debt collectors who use Accurint reports as a skip tracing tool to track down consumers, were “consumer reports” as defined under the FCRA.

In 2019, another instance of abuse involved former Alice police Officer Enrique Saenz who was the subject of an FBI investigation regarding the misuse of Accurint. The City of Alice was notified by the FBI that Saenz was using his law enforcement access of Accurint to illegally search individuals that had no connection to a law enforcement case—something that may remind us of the instances where at least a dozen National Security Agency employees were caught using NSA surveillance tools to spy on the emails or phone calls of their current or former spouses and lovers.

They actually have a name for that: “LOVEINT” aka love interest, which is defined as the practice of intelligence service employees making use of their extensive monitoring capabilities to spy on their love interest or spouse.

Is Security More Important Than Privacy?

Are we as members of a global society susceptible to arbitrary abuse of the information being mined and utilized by government and law enforcement agencies? It’s hard to believe that something of this nature could ever affect everyday citizens like you and myself since we aren’t informed or knowingly affected in regards to how our personal information is being used, who is using it, who is selling it, and who is buying it. Is this alarming?

Consider this, under normal circumstances, such as during legal proceedings, we have to sign a waiver and provide oral confirmation in order to sign away a constitutionally protected right. In other words, we have to actively participate in the matter directly in order for the waiver to be legally authenticated and therefore binding.

It seems a bit self-serving after we examine the forces controlling what is no longer ours and consider the fact that we as citizens have no legal authority over our personal information, and no reliable legal protections to defend our civil liberty interest against corporations and government entities who are taking our information while we look the other way in favor of “national security.”

Thus, the question remains: Is security more important than privacy?

Sometimes I wonder why so many of us only seem to think in binary terms as though we can only have one without the other. The question we should ask ourselves is whether or not the existence of such powerful public record databases has had any effect on the significant drop in the American crime rate.

If the answer is yes, then perhaps it would be prudent to press legislators to create laws that protect the interest of the public whose records are otherwise being used without their consent. Access to our information should be free, and amending inaccurate information should never become an impossibility for any reason.

But what if tools such as Accurint LE have had no effect on the drop in the current crime rate? If that’s the case, should it exist at all, seeing that law enforcement would be able to produce the same results without it as they could with it?

“The bottom line is we need to require private companies that collect, use, retain, or share information about us—including our faceprints or other biometric information—to get informed opt-in consent before doing so, and to minimize the data they process to what is necessary to give consumers what they asked for. And we need to give consumers the right to bring their own lawsuits against the companies that fail to do so,” Gullo stated.

Some even go so far as to say that none of this even matters. They’ve got nothing to hide. But consider this. In the words of Edward Snowden, the NSA contractor and world-renown whistleblower:

“Arguing that you don’t care about the right to privacy because you have nothing to hide is no different than saying you don’t care about free speech because you have nothing to say.”

This piece has been written by Jesse McGraw, aka Ghost Exodus, founder of the Electronik Tribulation Army. He is an activist, writer, former black hat hacker, and first person in recent U.S. history convicted for corrupting industrial control systems.

Ana Alexandre contributed reporting for this story on Forklog

Olivia Terragni
Author, former journalist, graduated in Economic History - Literature and Philosophy - and then in Architecture - great infrastructure - she deepened her studies in Network Economy and Information Economics, concluded with a Master in Cyber Security and Digital Forensics and a Master in Philosophy and Digital Governance. She is passionate about technological innovation and complex systems and their management in the field of security and their sustainability in international contexts. Criminalist. Optimistic sailor. https://www.redhotcyber.com/post/author/olivia-terragni/