Cybervetting and Posting
Monday, January 10, 2011
12:30 PM – 1:10 PM
Ed Appel
Proprietor, iNameCheck
1
Presentation
• What is cybervetting?
• Why should we care about cybervetting
and postings online?
• IACP-PERSEREC Guidelines project
• Issues to consider for your agency
This presentation is based on five years of Internet
investigations and policy studies, and co-authorship
of the IACP-PERSEREC study. All views expressed
are my own.
2
What is Cybervetting?
Cybervetting: an assessment of a person’s
suitability to hold a position or security
clearance using in part information found on
the Internet.
3
Positions of Trust
DoD
2.5 Million Security Clearance holders
1.4 M Active Duty Military
4.3 Million DoD CAC holders (ID Badges)
Law Enforcement
State & Local: 731K Sworn, 346K non-sworn
Federal: 106K Sworn
Total Sworn: 837K
4
Key Issues
• IACP-PERSEREC Study provides first guidelines
• Internet has profoundly changed behaviors of
– Law enforcement personnel
– Criminals
– Witnesses, associates and sources
• Privacy
• Laws and litigation lag behind technology
5
What’s Changed?
• Use and reach of the Internet
• Relative ease of searching and finding data
• Behavior online: opportunities for misbehavior
• Social networking sites
• Video and photo sharing sites
• Proclivity to post compromising information
6
Potential Pitfalls
• Violating Constitutional, labor, privacy rights
• Basing decisions on information:
• applicable to a different person
• falsely manufactured to harm the candidate
• irrelevant for predicting behavior
• Discriminating against protected classes (age, sex,
race, religion, etc.)
• Over-reacting to trivial indiscretions
• Losing valuable PR/crime solving/recruiting tools
7
Potential Benefits
• Identify people:
– Who use the Web for criminal or terrorist acts
– Who are members of gangs or terrorist groups
– Engaged in offensive, predatory or illicit conduct
– Unsuitable due to a history of unlawful behavior,
including drug or alcohol abuse
• Identify people who endanger themselves or
others
8
Officer’s Profiles Bring Acquittal After Cross-Exam
NYPD Officer Vaughan Etienne’s MySpace mood was
"Devious" on the day of the arrest, his Facebook status
“Vaughan is watching ‘Training Day’ to brush up on
proper police procedure” as the trial approached. Online
comments he left on an arrest video included, "If he
wanted to tune him up some, he should have delayed
cuffing him... If you were going to hit a cuffed suspect, at
least get your money’s worth ’cause now he’s going to
get disciplined for a faggot-ass love tap."
The accused, Gary Waters, ran from police on a stolen motorcycle, fought
officers, then claimed they planted a gun to justify breaking three of his ribs in
a steroid-induced rage. Waters was acquitted of gun charges and convicted
only of misdemeanor resisting arrest. Etienne, who had previously been
suspended for steroid usage, told the NY Times, “What you say on the
Internet is all bravado talk, like what you say in a locker room.” Etienne
blamed himself for the acquittal: “…it’s reasonable doubt in anybody’s mind.”
The defense bar is using the Internet as an investigative tool.
9
Spc. Bradley Manning Accused in Wikileaks Case
Bradley Manning was
reportedly despondent
over losing a lover and
disciplined for striking a
soldier
“Wikileaks” chief suspect Spc. Bradley Manning, 22, of Potomac,
MD, was arrested in Kuwait and incarcerated at Quantico
Marine Base, charged in July 2010 with leaking classified videos
of US air strikes in Iraq to the Wikileaks website in April 2010. An
online chat acquaintance, Adrian Lamo (formerly convicted of
computer hacking) told authorities and the press that Manning
provided thousands of classified documents to Wikileaks. Julian
Assange, Wikileaks’ founder, claimed the leaker exposed US
military misdeeds. US government leaders voiced fear that US
troops and informants would be killed based on secrets leaked,
and defended the actions depicted. The classified documents
posted by Wikileaks totaled 75 MB and numbered in the thousands.
Julian Assange, Wikileaks
Adrian Lamo ~2001
Leaked videos included US air strikes that killed
civilians, including a Reuters reporter & driver
© 2010
Manning’s charges
include illegally
transferring classified data
to his PC, placing
unauthorized software on
military computers and
delivering national
defense info to an
unauthorized party
10
Postings and Actions Attributed to Manning
• Wired.com reported that Manning had previously been
punished for uploading videos on YouTube in which he
talked about classified buildings at the base and classified
materials he saw.
• Posted: “Bradley Manning didn’t want this fight. Too
much to lose, too fast.”
• Posted: “Bradley Manning is now left with the sinking
feeling that he doesn’t have anything left.”
• Posted: He was “beyond frustrated with people and
society at large.”
11
Ex-FBI Linguist Pleads Guilty to Leaks to Blogger
FBI Linguists like Leibowitz
hold Top Secret clearances
and handle highly sensitive
intelligence data
Shamai Kedem Leibowitz, a former FBI
contract linguist was sentenced in May
2010 to 20 months in prison for unlawfully
providing five classified documents that
were posted on an Internet blog. He pled
guilty in December 2009. The documents
pertained to “communications intelligence
activities of the United States.”
12
Sexual Harassment Law Suits
♦ Sexting Photos
♦ Explicit Text messages
♦ On-line behavior at work, like frequently visiting porno sites
♦ Explicit Emails
♦ Inappropriate Postings & Videos
Waterford, MI police sued
A former & current employee alleged sexual harassment,
retaliation by co-workers
Waterford Township and its Police Chief Daniel McCaw
were sued by a former and a current police department
employee who contend they were targets of sexual
harassment by officers (before McCaw took over). The city
paid large settlements.
13
Illicit Behavior Online: People We Trusted
Florida Asst. US Attorney arrested in 2007
as he arrived in Detroit with doll, earrings,
Vaseline, for trying to arrange to have sex
with 5-year-old in Internet chats. He
committed suicide in his cell in 2007.
Army Chief Warrant Officer, Director of Army
School of Information Technology, arrested in
2010 for collecting and sharing child pornography
over the Internet
US military contractor in Baghdad hacked girls’ computers,
extorted them for nude photos & sex tapes, tried to meet some for
sex while on leave, had over 4,000 victims when arrested. Serving
a 30-year sentence, 2010.
14
According to information placed on the website of
Peter M. LaSorsa’s law offices:
Lafayette College settled a sexual harassment
lawsuit for $1 million involving a campus police
officer who allegedly sexually harassed females and
subjected them to other lewd behavior. According to
that website, probably the most damaging
evidence was that he sent the women e-mails with
pornographic content.
15
What Might You Find Online?
• History of malicious online activities: ~3-6%
• Derogatory information, e.g.
– Arrests, convictions, lawsuits, bankruptcies, firing
• Misuse of “anonymous” virtual identity online
• History incompatible with position sought,
based on employee behavior standards
• Most likely: Verification of qualifications and
eligibility for the position sought in vetting
16
Cybervetting Guidelines: Objectives
Identify cybervetting policies & procedures &
cyber posting restrictions for law enforcement &
national security that are effective, efficient & just,
for hiring & continued evaluation
These are guidelines, not standards.
Implementation will depend on agency
resources, state employment laws, collective
bargaining agreements, etc.
17
Methodology
• Literature review
• Subject matter expert interviews
• Survey
• Focus groups: 17 nationwide
– Law enforcement chiefs, investigators, specialists
– Privacy, employment, HR and legal experts
– Internet, fraud, background & cybervetting
investigators
– Security managers, private sector representatives,
city, state, and federal officials
18
Separation of Projects
Law Enforcement
• Focus on judgment
• Low number vetted
• Discretion of chiefs
• Different state laws
• Local standards
National Security
• Highly structured in law, regulations, systems
• Up to 1 million vetted/yr.
• Due process standards
• Adjudication standards
• Different concerns, e.g. foreign preference, loyalty
19
IACP Cyber Vetting Guidelines
Developing a Cybervetting Strategy for Law
Enforcement, December 2010, IACP
[Companion study for national security]
http://www.iacpsocialmedia.org/Portals/1/documents/CybervettingReport.pdf
20
Examples of Cybervetting Guidelines
Purpose and Scope:
Law enforcement agencies should create a cybervetting
policy that describes the purpose and scope of
cybervetting. The policy should include information on
the general types of information checked, collected, and
used. This policy should be:
• Applied uniformly to all applicants, candidates, and
incumbents,
• Reviewed periodically by management and updated as
needed,
• Reviewed and approved by the agency’s legal counsel,
• Made available to the public.
21
Guidelines Highlights
Before drafting cybervetting practices,
agencies should first ensure that policy
makers know how social media tools work.
Decision makers should stay abreast of
policy and technical changes made by social
networking sites.
22
• Applicants and incumbents may be asked to
access password protected websites so that
the recruiter or background investigator can
review their profiles, blogs, or other online
forums for disqualifying content.
• Law enforcement agencies should not ask for
passwords.
23
Internet Search Restrictions:
Internet searches may not unlawfully bypass
applicants’ or incumbents’ privacy settings on
social networking sites.
Cybervetting Results:
Law enforcement agencies shall follow existing
procedures that ensure information relating or
pertaining to protected classes does not
negatively impact hiring decisions.
24
Employees’ use of Social Media
Social media guidelines are policies and
practices designed to limit employees’ ability to
expose their agencies to increased liability by
degrading their agencies’ image through online
behavior, or to endanger themselves or their
families by posting information that could be
misused by others.
25
Case Law and Social Media
Risk of requirement to report online
misbehavior to defense counsel:
Brady v. Maryland, 373 U.S. 83 (1963)
Giglio v. United States, 405 U.S. 150 (1972)
If we don’t find it, defense counsel will
26
Public Employees and Freedom of Speech
Personal issues are generally not protected
if they violate rules, offend or harm agency
Snyder v. Millersville University et al,
2:2007cv01660 (2008)
“Drunken Pirate” Snyder lost her suit against
Millersville University to gain education
degree/teaching credentials that she lost for
inappropriate MySpace postings and other
deficiencies in her student teaching. Court:
postings were private, not a “public concern,”
27
Law Enforcement and Freedom of Speech
• At least 7 cases over 20 years establish the
principle that law enforcement officers are not
protected when their speech harms the
agency
• In several incidents, police officers who posted racist,
sexist, offensive talk, photos & videos on social sites
have been fired
28
Guidelines (Continued)
Social Media:
Absent exceptional circumstances, law
enforcement personnel may not be prohibited
from having a personal website or social
networking profile.
Law enforcement personnel shall not post,
transmit, or otherwise disseminate:
• Text, pictures, audio, or videos of department
training or work-related assignments without
written permission from the chief executive or
designee.
29
Law enforcement agencies should educate
personnel on what constitutes an appropriate
web presence as it relates to representing
one’s agency and personal safety. Briefings
should include but are not limited to:
• The impact Internet postings and other electronic
communications have on one’s ability to work in
assigned positions (e.g. undercover assignments),
and active criminal cases (e.g. impeached
testimony).
• Personal and work-related information posted by
employees, their families, or their friends may be
misused
30
Authentication
• Authentication is the assessment of the validity and
reliability of online information pertaining to
applicants, candidates, and incumbents.
• The Internet is an evolving resource for background
investigations. Search engines help investigators
identify sources of information concerning a specific
person. But almost anyone can create a website or post
online content, and this accessibility impairs one’s
ability to distinguish records of fact from opinion and
sometimes even fiction.
Related terms: Attribution and Verification
31
Authentication Guidelines:
Law enforcement agencies should ask
applicants and incumbents to confirm the
accuracy of any information found online.
Applicants, candidates, and incumbents
should be allowed to provide the names of
references who can speak knowledgably
about the online information of concern.
32
Adjudication
Adjudication is an assessment of an individual’s reliability,
trustworthiness, and fitness to serve in a position of trust.
Adjudication Guidelines:
• Hiring, retention, promotion, and disciplinary decisions may
be affected by information found on the Internet.
• Law enforcement personnel, whose actions can be directly
linked to websites that promote misconduct or bring discredit
to the agency or a member of the agency, unless linked for
official work-related purposes, should be investigated.
• Law enforcement personnel, who violate their Department’s
social media policies, shall be appropriately disciplined by the
chief executive or designee.
33
Key Policy Issues
• Who conducts investigative Internet searches
– Ability, training & uniformity are important
– In-house or outsourced (can address EEO issue)
• When Internet searching is done
– Policy, supervision should dictate (not on a whim)
– Liability if Internet searching is done improperly
• What is done with results of searching
– Do not discriminate, be fair (Title VII)
– How reports are written & handled
34
Issues for Regulators
• Licensing of cyber investigators
– Library science vs. PI practice: use of reports
– Investigators vs. data vendors vs. computer
forensics
– Cybersecurity licensing in US Senate bill
• Legal and ethical guidelines for cyber vetting
• Watching the watchers: regulators online
• Keeping up with the Internet
35
Forthcoming Book:
Internet Searches for Vetting, Investigations
and Open-Source Intelligence
By Edward J. Appel
Taylor & Francis
http://www.taylorandfrancis.com/books/details/9781439827512/
Scheduled publication date: Jan. 14, 2011
…contains more details on topics discussed here
36
Questions?
Contact Information:
Ed Appel, Proprietor, iNameCheck
(301) 524-8074
www.inamecheck.com
37