This article was originally published by PORAC Magazine August 2011.
“I can never fear that things will go far wrong where common sense has fair play.”
– Thomas Jefferson
Over the last twenty years, technology has become an integral part of society. Consequently, law enforcement relies on various technologies to perform daily operations efficiently.
As a new patrol officer almost eighteen years ago, I went 10-8 with a note pad and a map book to navigate the city. Today, calls are transmitted to an officer’s patrol unit and viewed on an MDC (Mobile Data Computer) or MDT (Message Distribution Terminal). GPS mapping systems assist officers in locating addresses and in finding the most feasible routes to calls. We’ve traded our note pads for computers and our map books for satellites.
Patrol officers are commonly issued mobile computers, SmartPhones, GPS navigation units, and other technologies to aid with their duties. Over the last few years governmental agencies have been making a concerted effort to update their employee policy regarding the use of these types of devices. Unfortunately, problems can arise when department-issued electronic equipment is utilized for personal activities. In this context, personal activities are defined as the implementation of work-issued technologies for purposes that do not involve work-related tasks.
On the side I own and operate an investigations and consulting business, where I contract computer forensic services to other entities involved in handling personnel investigations. Most of these examinations involve employees who’ve used company equipment for inappropriate activities. Additionally, I’m often asked to examine the content and duration of Internet usage for work-related violations. I generally do not participate with internal affairs investigations by way of my employment at the Corona Police Department. Some of the private sector investigations I’ve conducted begin with seemingly minor offenses, but result in employee termination after the auditing of company-issued devices.
Most agencies have computer usage policies in which department equipment containing electronically stored information, commonly referred to as ESI, can be seized and audited by employers at any time, for any reason. Auditing includes the careful examination of any data, including PERSONAL DATA, stored on these devices. Data is magnetic information stored on metal platters of hard drives or flash memory chips. Keep in mind that funny or gag emails and texts sent by family, friends, and colleagues often contain off-color images or videos. In other words, if you store any personal information on a department-issued device, either intentionally or unintentionally, your employer has access to it. What’s more, sometimes agency-issued computers, cell phones, and emails belonging to government employees may be viewed, by the public and the media, via an FOIA (Freedom of Information Act) request.
Depending on the group policy settings your I.T. Department configures on its devices, inappropriate data might be deletable. However, in a Windows environment, simply deleting the file doesn’t remove the data. Therefore, computer forensic examiners routinely recover deleted information from unallocated disk space.
The only way to ensure that data is removed from your device’s storage media is to “wipe” the data. Wiping involves a process of overwriting (replacing) old data with new data. Often, the subject data is overwritten with zeros. Importantly, studies show that most of today’s media can be effectively cleared by one overwrite.
Sometimes cited as a standard for sanitization to counter data remanence, a more comprehensive wiping method of wiping is known as the DOD 5220.22-M U.S. Standard 7 pass wipe. Wiping data in a Windows environment may remove the contents of a file; however, it will leave behind trace artifacts showing that the file was present on the device.
It’s important to note that some agencies may have policies regarding the destruction of departmental data. In this case, attempts to completely wipe issued devices of all data, including software installed by your agency, could result in a policy violation. Be sure you review your department’s computer usage policies to comply with their policies.
The following are steps you can take to prevent your work and personal data from being commingled:
1. If you are issued a work laptop, do NOT use if for personal business (i.e. checking your personal email, bank balances, YouTube or video hosting sites, or ANY social networking accounts). Consider purchasing your own WebBook or Netbook (they cost around $300.00 at Costco or Sam’s Club).
2. Purchase your own personal cell phone or Smartphone. Don’t use your work phone to make personal calls, access your personal email, surf the web, or store your data. The adage “better safe than sorry” applies here. Also, keep in mind that most cell phone carriers now have the ability to provide GPS tacking for their cellular products. This gives your employer the potential to know your exact location any time you’re carrying the device.
3. Do NOT use your work e-mail account for personal business. Tell your friends, family, and colleagues to send those messages to your private email account. Work email is the easiest ESI for agencies to audit and represents the foremost electronic data disciplinary problem for law enforcement. If you don’t have a personal email account, get one for free at gmail.com.
4. Unless asking questions directly relating to calls or work activities consider an “87” and meet with your partner to discuss personal business. DON’T use your MDT/ MDC for this type of communication. THINK about what you’re saying! Imagine having your MDT/ MDC comments read in open court. Take the following example:
“I haven’t beaten anyone this bad in a long time.” — Officer Laurence Powell
(MDT message from Powell to another officer after his encounter with Rodney King in 1991).
5. If you’re involved in a major incident, assume that any device in your possession (personal or department-issued) can have its ESI subpoenaed and reviewed. Consider taking a digital break for at least 48 hours (no cell phones, texting, computers, emails, etc.). At the very least, wait until you’ve had the opportunity to get professional legal guidance.
6. If you have a social networking account (e.g. Twitter, FriendFinder, Facebook, LinkedIn or MySpace), do not access it during work hours. Don’t post law enforcement-related pictures or references on your account. This is a safety issue and probably, depending on your agency, will result in policy violation. Assume that your employer or supervisor will routinely browse your social networking accounts.
7. Don’t post any potentially damaging information on social networking accounts; it may be cited in court. Your social networking activities can be used by the prosecution or defense as a character reference against you. The Facebook newsfeed post you made about arresting the defendant could be cited in court during preliminary or trial. As a general rule, use the most restrictive privacy settings on your social networking accounts and ‘vet’ your friends. Even with privacy settings in place, you should still be very conservative with the information you post.
There is no such thing as being too cautious where private data is concerned. By following these simple guidelines and using common sense, you’re choosing not to be a victim of circumstance.