Maryland -–(Ammoland.com)- MSI, AGC, MSRPA and MD Dealers Assoc. sued the state police to stop them from placing our private information at risk.
Recently they acknowledged their failures and were forced to explain their actions to a judge. You can read their reply here.
Contrary to the “opinion” of our Attorney General just a few short days ago suggesting that your private data was safe, the state acknowledged that our allegations were correct and agreed to completely correct their bad acts.
- The State Police acknowledge that the login portal to the 77R database portal was not encrypted. They have since corrected this serious problem.
- The State Police acknowledge that they did not provide unique usernames and passwords to the many volunteers who had access your private information. They have since cancelled all previous usernames and created new unique credentials for each user of the database, and stopped using employees who are not vetted by a police agency.
- The State Police acknowledge that they did not restrict access to the database to state-controlled assets on state networks. They have since limited access to state controlled IP addresses and networks.
- The State Police acknowledge that they gave open access to any person using the database and that those persons could perform historical searches without bounds. They have since planned to limit the ability of the user to enter new information only, and the only persons who will have lookup/retrieval powers are those who have supervisory control. We do not know when this will be completed.
- The State Police acknowledge that there were no audit controls sufficient to track the actions of individual users in the system, and to verify the actions they took. They have agreed to add additional logging to track user actions.
In light of the fact the state had already responded to our concerns, the need for an order restraining their activity was largely moot. We forced them into action.
This episode illustrates the danger of creating “lists” of people who exercise a fundamental civil right. Once you create a list, you risk every person on it. Those risks magnify every time they are used.
This also highlights a common and discouraging pattern with those who wish to oversee the exercise of our rights: we catch them doing something illegal, and they refuse to acknowledge or correct the issue until we take them to court. Then they race to correct their deficiencies on the way up the courthouse steps, in order to avoid court sanction.
The People should not have to force these issues in court. The state should respond thoughtfully and thoroughly when we find issues, and work with our community to correct them. Instead, their default behavior is to lie, deny and evade. Throughout this episode, the State Police and State employees – including the Attorney General – all denied in public that their systems violated any regulation or policy. The Attorney General’s office responded to a State lawmaker who voiced concerns over the arrangement using carefully controlled words, in order to avoid the real issues. That is not the transparency we are owed by this esteemed office. The State Police spokesperson told lawmakers and reporters that the entirety of the data chain was protected and safe. We know now this was absolutely incorrect. He also said they had “monitored” actions taken by users of the system, yet we now see there was no technical capability to perform that monitoring. The people and the press deserve more from this critical point of contact at the State Police. We deserve more than obfuscation and denials.
Today we can say with certainty that the State Police exposed the information of tens of thousands of its citizens over an open and unsecured internet link. This data traversed multiple systems and routers on its path through the internet, none of which were controlled by the state. All it took was one single transaction in any one system to be intercepted, for the entirety of the 77R database to be compromised. The state had no controls in place to prevent it, and no audit in place to even know if it happened. Computer security experts agree: the State Police violated nearly every common sense safeguard that should be used to protect private information. Your name and social security number could be sitting on a hacker’s website right now, and the State Police cannot even detect that it was stolen.
The simple truth is that the State Police violated the trust of the people, the lawmakers and the media. Given the chance, they obfuscated and denied. Yet again, the only thing that forced them to change their ways was a lawsuit and the threat of legal sanction.
Maryland Shall Issue calls for the state police to finally do the right thing. It is important that they begin notifying all people in the 77R database that their private information was possibly exposed, and to give those people the information and tools required to protect their financial affairs. The loss of this information is a permanent loss. There is no way to un-ring that bell.
Identity Theft is real and pervasive. Sending your private information over an unsecured internet connection is a violation of law and common sense. The State Police must adhere to the standards set under law for commercial firms in Maryland and nationwide. They need to accept their responsibility and inform the people in that database that an exposure was likely. They must do this today.
If past is predictor of the future, the only way the state will take that step is with external pressure. You need to call your elected representatives and tell them to force the police into action. You need to call mass media and tell them the state exposed information on the internet, and that they need to pressure the state into notification. Maybe this time the state will move before some lawyers do.
There will be other hearings as we move into the second phase of this lawsuit. We will provide more information as it becomes available.Maryland Shall Issue, Inc.
1332 Cape Saint Claire Road #342
Annapolis, Maryland 21409
Mission Statement: Maryland Shall Issue is an all volunteer, non-partisan effort dedicated to the preservation and advancement of all gunowners’ rights in Maryland, with a primary goal of CCW reform to allow all law-abiding citizens the right to carry a concealed weapon; and to the education of the community to the awareness that ‘shall issue’ laws have, in all cases, resulted in decreased rates of violent crime.