Ohio scrambles to secure facial recognition system
Spotlight is on attorney general’s office to protect software from misuse
Written by Chrissie Thompson | Article Courtesy of: Mansfield New Journal
Ohio Attorney General Mike DeWine held a press conference in his Columbus offices Monday morning.
Police officers say the database has revolutionized some parts of their jobs, even as civil liberties groups worry about misuse.
1. It’s a smart search engine.
Even before facial recognition software, OHLEG could help identify an unknown suspect. It might bring up “Chrissie” even if the officer searched “Christy” or “Krissy,” Hamilton Police Chief Scott Scrimizzi said. Even just searching for a white female with an approximate age, height and weight can start to narrow down results, he said.
2. The same smarts work for cars.
Colerain Township police once used the system to track down a person who had driven away without paying for gasoline. They put in all the information they had about the car – “Say they’ve got a red, four-door Honda with a partial license plate” number, Colerain Township Police Chief Dan Meloy said. The system came back with 10 possible cars in the area, and the officers used that list to locate the suspect.
3. It remembers.
Any time an Ohioan comes up in an OHLEG search, the system shows which other Ohio officers have viewed information about that person, said Sgt. Jeff Howell, who leads the District 2 investigative unit for Cincinnati Police. “Why is an officer in Columbus running the same person I am? It may be that a person has written a forged check or something,” Howell said.
With attention focused on Ohio’s new facial recognition system, Attorney General Mike DeWine’s office is already rushing to beef up security for the state’s law enforcement database, requiring stronger passwords to help keep hackers from viewing information about nearly every Ohioan. But DeWine’s office doesn’t plan to start auditing to try to catch any officers misusing the system before they’re accused. That concern, along with questions about restricting facial recognition searches, searches on teenagers and other restrictions, is set to be among the main issues under consideration by the new advisory group that starts meeting this week.
An Enquirer investigation last month found DeWine’s office launched a facial recognition system in June without informing the public and without first reviewing security rules for the database. The new software is designed to help law enforcement identify crime suspects by analyzing a snapshot or, in some cases, a security camera image, and matching it with an Ohio driver’s license photo or police mug shot.
DeWine last month created a nine-member advisory group to make recommendations for security changes to the facial recognition system, along with the Ohio Law Enforcement Gateway, or OHLEG. That group of criminal justice experts first meets at 10:30 a.m. Tuesday at the Bureau of Criminal Investigation in London, Ohio, according to group members. The meeting is open to the public.
Ahead of the meeting, The Enquirer reviewed policies and interviewed police officersand officials in the attorney general’s office to illustrate OHLEG’s existing security and some of the questions surrounding its facial recognition system.
The Ohio Law Enforcement Gateway is a state-of-the-art electronic information network that allows Ohio law enforcement agencies to share criminal justice data efficiently and securely.
OHLEG provides law enforcement with data on criminal histories, evidence submissions, missing children, gangs, protection orders and a myriad of other topics.
The Web-based platform — which has more than 30,000 users — provides law enforcement with dozens of investigative tools and training applications to help solve and prevent crime.
Ohio is a leader nationally in providing multiple resources to law enforcement statewide via the Internet.
Use of OHLEG is limited to law enforcement officers and officials.
Officials rushed to fix security loopholes in OHLEG database
Most workplaces have rules for passwords, often requiring a mix of upper- and lowercase letters, numbers and special characters, such as ampersands or parentheses.
Until last week, that wasn’t the case with OHLEG.
The 10-year-old database serves as law enforcement’s source for not only driver’s license information and photos, but also registries of license plate numbers, concealed-carry permits, identity theft victims, sex offenders, financial fraud cases and pharmacy thefts. The facial recognition software is OHLEG’s newest feature.
Passwords for 30,000 Ohioans using OHLEG were simply to be between six and 20 characters, according to information on the attorney general’s website as late as Thursday. Special characters weren’t required.
On Friday, the password requirements had been changed.
OHLEG now requires the passwords to be at least eight characters long. Passwords must contain at least three of the following: an uppercase letter, a lowercase letter, a number and a special character, according to the same webpage. The online OHLEG sign-in page on Friday indicated across-the-board password changes “in a continued effort to protect the confidentiality of your account and your OHLEG activities.”
The changes indicate concern in the attorney general’s office over more than just misuse of the facial recognition system. Only after the system launched June 6, amid U.S. outrage over the federal National Security Agency’s secret spying efforts, did Ohio officials begin to consider policy changes that might help prevent internal abuse of their new software. But in recent weeks, DeWine’s office also scrambled to protect OHLEG better from outside security threats.
The decision was a result of “just our ongoing analysis of OHLEG in general,” said Tom Stickrath, head of Ohio’s Bureau of Criminal Investigation. “It’s probably just consistent with the evolution of the technology. I think it’s part of the ongoing analysis of what’s right for a password.”
But the industry standard for passwords has long been more than what OHLEG was requiring.
A short, “anything-goes” password like OHLEG allowed until Friday “is breakable in a matter of minutes” by hacking software, said Anish Arora, a computer scientist at Ohio State University who researches security. “The single most effective thing is to encourage people to use secure passwords and to demand that passwords are complex.
“You have to be paranoid that these things are going to be broken into. That is the least they could do, to improve that.”
More secure systems now require multiple entry barriers, not just passwords, Arora said. For instance, OHLEG could add more security by issuing “tokens” to users – electronic key chains programmed to generate a several-digit number every minute or so, in sync with a program running in a database. Only people with the token would be able to enter the number, along with their password, to gain access to the database.
Using a sophisticated system to encrypt passwords to an online database is also essential, Arora said.
Citing security concerns, Stickrath declined to say whether OHLEG uses any form of encryption. He did say OHLEG will also start requiring users to change their passwords more frequently. He declined to give more details, although a new user of OHLEG told The Enquirer he had not been prompted to change his password in his first six months of access.
Misuse of system is always a possibility, spokesman says
Hackers aren’t the only threats to OHLEG’s trove of information. But Stickrath said the threat of discovery is still enough to deter the 30,000 police officers and civilian law enforcement employees who use OHLEG from using the system for personal reasons.
Meanwhile, the attorney general’s office is beefing up training and user agreements to drive home that OHLEG and its facial recognition software are only for “the administration of criminal justice.”
“We’ve had these user agreements and criminal sanctions in place, and we’ve used them,” Stickrath said. “Can we strengthen them? Yes, we are, and we have.”
The attorney general’s office keeps a record of every search made by any officer. If a local police officer is suspected of misusing the system – say, an ex-girlfriend calls the police department, wondering how he found her new address – the department accesses that record to see what, or who, the officer has been searching.
That’s how police have caught past misusers of the system, such as former Cincinnati police officer Helen “Lanie” Bliss. Bliss ran an illegal background check on a man to help her boyfriend decide whether to do a marijuana deal with him. She was convicted in 2005 of unauthorized use of state property.
But what if an officer’s misuse goes undetected, while she sits at her computer and searches photos of bar hoppers or looks up coworkers of her family members?
Law enforcement officers contacted by The Enquirer agreed with Stickrath: The threat of being caught and prosecuted for a felony is enough to keep them from misbehaving.
“I’m not saying it’s not going to happen. There’s always a bad apple in every bushel,” said Hamilton County sheriff’s spokesman Jim Knapp. Still, “they are aware of every person I’ve run in my cruiser.”
“We drive into these guys’ heads that once you type it in there, it’s documented, and it never leaves,” agreed Scott Scrimizzi, chief of police in Hamilton. “People know that they shouldn’t be doing it, they know that there’s a record of it, and usually that’s enough in and of itself to police that issue.”