By N. Puffer
It’s just about two years since the Supreme Court decided Herring, so I figured I’d take a look back and see what, if any, impact it’s had. At the time of the finding several people in the infosec community were worried by Justice Ginsburg’s dissent; which pointed out the dangers of removing any penalty for a lack of integrity in systems used by law enforcement.
To recap the story so far …
In 1981 a few cops in California were tracking down some drug dealers. While watching the people come and go they identified a couple of other people, got the appropriate warrants, and arrested them. The problem was the courts pencil whipped the warrant; the police didn’t actually meet the needed rigor for a search. A lot of lawyers did a lot of talking, and we ended up with United States v. Leon (1984) saying that if the police were acting in good faith (in this case they were), then the exclusionary rule doesn’t apply. Sounds scary, and Orwell would love the coincidence in dates. What the courts really seem to be saying is that the Justice system is run by people, and has for a long time acknowledged that people are fallible (appeals process). If good work comes from an honest mistake society shouldn’t be punished by letting a drug dealer go free.
Of course, detractors may say that ignorance of the law is no excuse for citizens (I didn’t know the speed limit officer), and that members of the justice system should be held to a higher standard when it comes to a persons Freedom. Fair points. Feel free to discuss among yourselves.
Fast forward to 2004, the age of networked policing, and Alabama. Mr. Herring goes to the Coffee County police station to pick up an impounded vehicle. As part of a routine warrant check, neighboring Dale County tells a Coffee County investigator that there’s an outstanding warrant for Mr. Herring. The vehicle is searched, weapons and meth are found, hilarity does not ensue. The issue? Turns out Dale County had made a mistake in their data entry. The warrant had been recalled months prior to the incident, but the system of reference (the database) was incorrect. Part of the process of warrant notification includes pulling the actual paper warrant (system of record) and faxing it. When it was discovered that the paper warrant didn’t exist a check was performed and Coffee County was notified. Elapsed time to correct the mistake, 15 minutes. Time served by Mr. Herring, 27 months.
Five years of legal workings later, and a 5-4 ruling of the Supreme Court upheld Mr. Herring’s conviction. The central supporting opinion seemed to reach back to Leon. However, the dissenting opinion submitted by Justice Ginsburg touched on what caused the watchdogs to perk up. As mentioned above, from an information management point of view, the police actions by Dale County were fundamentally flawed. Specifically, a system of reference was used to trigger a critical action, even though procedurally, a system of record needed to be consulted. Given the fact that the mistake only caused a 15 minute delay, it’s reasonable to assume that there would have been no tangible impact to law enforcement if both systems were checked, but that wasn’t really the point.
The issue seemed to be, as decided, do errors in information systems (court records) extend good faith exceptions to the exclusionary rule? From section ‘A’ of Justice Ginsburg’s dissent, “Is it not altogether obvious that the Department could take further precautions to ensure the integrity of its database? The Sheriff’s Department is in a position to remedy the situation and might well do so if the exclusionary rule is there to remove the incentive to do otherwise.”
So, everyone agrees that there was a mistake in the Dale County records. It’s also agreed that the mistakes were negligent (Justice Roberts Opinion), and the courts ruled that even though the system was flawed, it wasn’t enough to exclude the results of the system. Furthermore, according to Justice Ginsberg, there’s no incentive to fix the problem. And now we’re back to the beginning; Police don’t need to ensure that systems are accurate, much less secure, as long as they aren’t complicit. There’s no motivation to ensure system integrity. In fact, there’s a motivation to not know how bad the systems are; if you knew, you may have to fix it.
Yet in the past two years there’s no evidence that law enforcement is purposely letting their systems atrophy to game the courts. A search of citations brings up McDonald v City of Chicago, which has a tangential citation of Herring in a right to bear arms case. US v Farias-Gonzales also comes up. This is a case concerning unreasonable search and seizure, but the most technological part of the case is that a portable fingerprint scanner was used.
People v Branner also comes up, and yet again the issue is with people and not systems. In this case cops working on an outdated knowledge of judicial findings. And you can keep searching; Montejo v Louisiana, People v. Lopez; all dealing with people or straight forward citations.
People v. Washebek filed in November of 2010, comes closer. Here the prosecution successfully argued that Herring rejected the distinction between law-enforcement error and errors in court records. The facts of the case concerned a search based on probation status that was incorrect, a mistake in probationary record-keeping.
So in two years, that’s a single similar filing, and nothing about widespread flaws in a law enforcement system. There are of course, other writings about this ruling. Some feel this is just the inevitable march of the court towards killing the exclusionary rule all together. Others feel these are the necessary and correct interpretations of the Constitution meant to keep us secure through the actions of police. In either case it seems clear that there wasn’t an overarching trend towards a purposeful degradation of integrity or promotion of ignorance with regard to the security of critical law enforcement systems.
But why not? Perhaps it’s because there’s another motivator involved. The police don’t just interact with the courts as a consumer of data to enforce laws, they also place information into those same systems. Lack of integrity works both ways in most cases, and it is naturally in the best interest of the police to have a system that accurately represents the real world. I can’t imagine a cop would be happy if the paperwork they filed to finish off some good police work vanished, or appeared vanished to the prosecution.
And as far as security? Well the same forces likely apply. While it may benefit police to occasionally get a pass based on errors, this doesn’t seem to outweigh the risks of having a system that can be manipulated. So in the end, while Justice Ginsburg makes an insightful point, there may be additional sides to the story that the courts were not asked to consider.
During peer review I was asked, “so what” for the rest of the world that’s not in law enforcement. Fair point. On one hand this was an interesting case in the context of digital forensics and the legal system. The author also likes to consider issues that impact overarching trends in information security, especially when they impact our Freedom. However, that is admittedly self-indulgent and this isn’t a legal blog. If you wanted to abstract a theme to corporate motivations, I’d ask “Are you considering the value of information relative to ensuring its integrity?”. More specifically, in what situation would you reasonably stand to benefit from the lack of integrity of your information systems? If there’s interest in expanding here leave a note in the comments and we can follow up…