Governor Compromises the Privacy of Thousands of Maryland Gun Owners

    csanc123

    Ultimate Member
    Aug 26, 2009
    4,162
    Montgomery County
    Interesting..wonder if MSP is going to try to pull a "how did you folks know authentication data was going in the clear?"

    Computer Crimes unit and the Computer Forensics Laboratory. This office also specializes in recovering pertinent information for a criminal investigation and providing expert testimony in the methods required to retrieve computer information.

    Since I wasn't aware of a MSP facility in Columbia I searched and found this:

    http://columbia.patch.com/listings/maryland-state-police-bureau-office

    One stop shopping :innocent0
     
    Interesting..wonder if MSP is going to try to pull a "how did you folks know authentication data was going in the clear?"

    Computer Crimes unit and the Computer Forensics Laboratory. This office also specializes in recovering pertinent information for a criminal investigation and providing expert testimony in the methods required to retrieve computer information.

    Whoa....
     

    CrazySanMan

    2013'er
    Mar 4, 2013
    11,390
    Colorful Colorado
    Interesting....

    I tried to download the 77R so I could quote parts of it in a letter to my Senator, and I get this for any MSP webpage (mdsp.org)

    [image: MSP_zpsc6f2eb33.gif]
     

    johnnyu

    Member
    Feb 21, 2013
    48
    So anyone in one of those positions, with a friend who can't get a weapon, technically could approve someone if they wanted to? No checks and balances?
     

    DC-W

    Ultimate Member
    Patriot Picket
    Jan 23, 2013
    25,290
    So anyone in one of those positions, with a friend who can't get a weapon, technically could approve someone if they wanted to? No checks and balances?
    NO.

    The people that were paid overtime by the state were ONLY responsible for data entry.
     

    Mr H

    Unincited Co-Conservative
    Shipley said the application information was parceled out to each of the five agencies on encrypted discs, and each agency was given a separate log-in and password.

    Wow... that makes it SOOOO much better........

    My cipherin' machine isn't working this morning, so I need some help.

    What's 1/5 of immeasurable exposure of PII???
     

    csanc123

    Ultimate Member
    Aug 26, 2009
    4,162
    Montgomery County
    Wow... that makes it SOOOO much better........

    My cipherin' machine isn't working this morning, so I need some help.

    What's 1/5 of immeasurable exposure of PII???


    Ok...so let me get this straight. They sent "encrypted disks" to each agency. (The data they sent were images of scanned forms.)

    How did they "distribute" all those images to the data entry folks?

    Did each data entry person get a copy of the disk or did they "load" the data to a central server and have the data entry folks take it from there?

    Who handled the decryption keys? Was that given to each data entry person?

    Is there a verifiable log of chain of custody for each of those encrypted disks?

    If the data was stored on a central server at each agency how was it protected?
     

    CrazySanMan

    2013'er
    Mar 4, 2013
    11,390
    Colorful Colorado
    Yup... nothing more than MSP talking points, completely avoiding the real security issues


    My reply:


    Senator Klausmeier,

    Thank you for your reply. The problem goes much deeper than the Maryland State Police have admitted to. Let me explain.

    The 200 employees were not law enforcement personnel and do not have the extensive background checks of law enforcement personnel. Here is the relevant law and COMAR for processing 77R forms:

    Maryland Code, Public Safety 5-121

    (a) On receipt of a firearm application, the Secretary shall conduct an investigation promptly to determine the truth or falsity of the information supplied and statements made in the firearm application.
    (b) In conducting an investigation under this subsection, the Secretary may request the assistance of the Police Commissioner of Baltimore City, the chief of police in any county maintaining a police force, or the sheriff in a county not maintaining a police force.

    Here's what the corresponding regulation says...

    COMAR 29.03.01.06

    C. Upon proper completion of the application form, the dealer, dealer's designee, or designated law enforcement agency shall forward the original white hard copy of the necessary forms to the Firearms Registration Section. Upon receipt of the properly completed forms, the State Police shall conduct the required investigation.

    Again, these were not employees of any state or county police force or sheriff's office. Look at the recent prison fiasco to see how trustworthy state employees who have signed a confidentiality statement can be.

    The 200 employees were given a single username/password to log into the MSP gun registry database from home. The website they used had no encryption - the login, password, and all PII transmitted were sent in the clear. That means the data was unencrypted and readable to anyone with access to any computer in the path from the employees' home computers to the MSP database. You and I could have sat in the driveway of one of these employees with a laptop computer, run a packet analyzer, and saved every bit of PII that they transferred, including their username and password. This email between you and me is much more secure than the PII that was transmitted. Yes, the disks the employees were given were encrypted, but the transmission of the data contained therein, and the database it was stored in, were not. Breaching the security of that site and downloading the MSP database is as trivial as doing a Google search. Based on the lack of any kind of security it must be assumed that this PII for more than 80,000 Marylanders has been released into the wild.

    I have been a computer system administrator with xxxx for 15 years. I have worked on many sensitive and classified computer systems. Recently, I ran the computer lab where the software was developed that enumerated and stored the data from the xxxxxx. I am absolutely appalled at the complete disregard for computer security that the MSP has shown. If I had handled PII for the xxxxx the way that the MSP has, I would be immediately terminated and would be tried and sent to jail.

    Here is a link to the State of Maryland Information Security Policy. http://doit.maryland.gov/Publications/DoITSecurityPolicy.pdf None of the policy was followed by the MSP.

    The Form 77R that is required to purchase a regulated firearm has a box on the form for the purchaser's Social Security Number. The Privacy Act of 1974 Statement is not on this form. The Maryland State Police have said that they do not use the SSN of the applicant, but there is no statement that says providing the SSN is optional. Furthermore, the bottom of the 77R has a statement which says any application that is not completely filled out will be rejected.


    The Maryland Public Information Act Manual states in chapter 11:

    http://www.oag.state.md.us/Opengov/Chapter11.pdf

    The statute also mandates that State agencies collect personal information from
    the person in interest to the greatest extent practicable. SG §10-624(c)(2). The person in
    interest is to be informed of: (1) the purpose for which the personal information is
    collected; (2) the consequences of refusing to provide the information; (3) the right to
    inspect, amend, or correct personal records; (4) whether personal information is generally
    available for public inspection; and (5) whether the information is shared with any other
    entity. SG §10-624(c)(3).

    There is no reason or explanation given as to why the SSN is requested on the form if it is not mandatory and not used by the MSP. Now, the SSN of more than 80,000 Marylanders has been released into the wild, and the collection of the SSN itself violates both state and federal law.

    The Maryland Personal Information Protection Act (Md. Code Ann. Comm. Law 14-3504) clearly defines “Personal information” as "an individual's first and last name in combination with a: Social Security Number, Driver's License Number, Financial Account Number or Individual Taxpayer Identification Number unless the information is encrypted, redacted or otherwise rendered unusable. A 'security breach' is defined as the unauthorized acquisition of computerized data that compromises the security, confidentiality or integrity of personal information."

    Additionally, the statute declares, "In the event of a security breach, notice must be given to consumers as soon as reasonably practicable following the investigation."

    When initially passed, PIPA applied to business entities. But I have received confirmation that, as of July 2013, PIPA is now applicable to the state and its various agencies.

    In light of this, I am hereby requesting information regarding the current state of such notification to Marylanders, and scope of the compromise, as required by PIPA. I will be happy to provide my information (and that of my wife, as we are both handgun owners) under separate cover, to the appropriate party authorized to handle these issues.

    PIPA requires:
    - Description of the information compromised.
    - Contact information for the [business], including a toll-free number if the [business] has one.
    - Toll-free numbers and addresses for each of the three credit reporting agencies: Equifax, Experian and TransUnion.
    - Toll-free numbers, addresses and Websites for the Federal Trade Commission (FTC) and the Office of the Attorney General (OAG).
    - A statement that the individual can obtain information from these sources about steps to avoid identity theft.

    As a result of these potential breaches, a large number of Marylanders are now feeling compelled to enroll in PII and credit monitoring/insurance programs, where they have had no previous perceived need. I am of the belief that this cost should be borne by MSP and/or the state, for at least three years, as the possible release of our PII was through no fault of our own.
     

    Mr H

    Unincited Co-Conservative
    Other than I don't think we know for sure whether they were working at their regular workstations, or across the internet from home (or Starbucks, wherever), I like it.

    Some of it seems AWFULLY familiar, though.........

    ;)
     

    Mr H

    Unincited Co-Conservative
    From Del. Wendell Beitzel...

    I agree that the gun legislation recently signed into law (SB 281) was an absolute travesty. I feel your pain and frustration. The claim that gun control measures will stop gun related crimes is such utter nonsense when one looks at the content of the bill. There is not a single thing in this misguided law, or any others like it, that will do anything to stop the murders in Sandy Hook, Baltimore City or anywhere else. Not one thing. The only thing this bill does is infringe upon a constitutionally guaranteed right being exercised by law abiding citizens. If they can take away our guns then they will take away our freedom.

    It is abundantly clear that Maryland residents, particularly those who have made firearm purchases in the last several months, are outraged, not only by the passage of the gun control measures, but especially by the long delays in processing the applications to purchase regulated firearms.

    The Governor’s actions were not made public until a press release was put out by the Maryland State Police Office on Saturday, September 7, 2013. I did not receive the press release until it was forwarded to me by email from a State Senator.

    Unfortunately, it came out after the Governor and state police had already implemented their plan to share applicants’ information with other agencies. In this press release, which you can read for yourself here (http://www.mdsp.org/News/PressReleases/tabid/359/ctl/Detail/mid/1088/xmid/21967/xmfid/4/Default.aspx), is a feeble attempt at best to cover their tracks.

    It has been confirmed what we now already know, that state employees from the Department of Health and Mental Hygiene, Department of Transportation, Department of Public Safety and Correction Services; Department of Human Resources, and the Department of Juvenile Services are involved in processing the applications to purchase regulated firearms.

    We are told that "This procedure was reviewed and approved as appropriate by an assistant attorney general assigned to the MSP.” This assistant attorney general may as well have been written to try to somehow justify what they are doing after the fact. The opinion did not come from Attorney General Douglas Gansler, therefore I have made a personal request that he provide an opinion on this issue.

    It has been reported in the media by audits of state agencies that personal information is vulnerable on state computer systems. (You can read the full article here- http://marylandreporter.com/2012/10...able-on-state-computer-systems-auditors-find/) “A legislative audit revealed that the Maryland Personal Information Protection Act that governs how businesses protect personal information does not cover state agencies, including the protection of individual social security numbers.” The audit recommended that the Department of Information Technology implement a process to enforce agency compliance, but the department said it does not have resources to do so and will continue to leave compliance up to each individual agency.

    Five state agencies were evaluated in the audit report, each of which handles personal information of one kind or another. The Comptroller's Office, Department of Health and Mental Hygiene, Department of Public Safety and Correctional Services, Department of Human Resources, and Maryland Department of Transportation were all included in the audit as being state agencies that are in need of improved system protection processes. Four of the five agencies listed above are involved in entering data taken off firearm applications and putting them into spreadsheets.

    The MSP Press Release states that: "Each of the employees involved in the data entry process is bound by a confidentiality agreement," and that "State employees from these five agencies deal with sensitive and confidential information every day in the course of their regular duties - this includes mental health records, inmate records, driving records, and social services records, all of which contain information like social security numbers." I am not convinced that this gives the applicants a great deal of comfort that their personal and private information is secure.

    COMAR 29.03.01.06 states, "The State Police shall review the application for accuracy, omissions, or discrepancies before investigating the applicant". The signature of the applicant only gives authorization for state agencies to disclose information to the MD State Police. It does not allow the State Police to disclose information to other agencies, which is exactly what they are doing.

    There is also another regulation in COMAR 29.03.01.03, Subsection A, (8) it states, "In order to verify the accuracy of the applicant's representations, the applicant's written authorization to the Department of Health and Mental Hygiene, or any other similar agency or department of another state, to disclose to the Department of State Police information as to whether the applicant:" This section is talking about the mental health component of the application in order to verify the applicant's truthfulness in completing the application.

    I vigorously opposed this bill, as did nearly all rural delegates and every Republican Delegate. You and all other fellow 2nd amendment protectors need to come out in full force in the upcoming election to help elect representatives who understand how crucial it is for citizens to retain their Constitutionally guaranteed rights. It is vitally important for continued support throughout the state to remove those elected officials who supported this legislation to strip us of our 2nd amendment constitutional rights. This is just one example of the abuse of power when one political party is given total control of the state.

    I was proud of all of the people that came to Annapolis to oppose this legislation, but you witnessed the steam roller effect of the O'Malley administration and the General Assembly dominated by the same party that goes along with his every wish, even in the face of such overwhelming opposition to its passage. Those few members of the dominant party who did stand up against this bill will certainly be punished by the House and Senate leadership.

    The next election of all state elected officials is coming up, the Primary next May 2014 and the General Election in November 2014. All, with emphasis on - ALL of like-minded citizens, like yourself, must get out voting, bringing others out, and making sure that those you vote for are of like mind. It doesn't end there, hold their feet to the fire, and make sure they keep their promises.

    I am one of those who opposed this legislation and supports freedom, find out if your delegate and senator did, and if not, do something about it by getting involved to support good political candidates for office, then vote, and encourage all your friends to do the same at the next election cycle!

    Otherwise, expect more of the same piling on of taxes and infringements of our constitutional rights. To quote Ben Franklin "We must, indeed, all hang together, or most assuredly, we shall all hang separately."
    Respectfully,

    Wendell R. Beitzel, Delegate
    Allegany & Garrett County
     

    Jaybeez

    Ultimate Member
    Industry Partner
    Patriot Picket
    May 30, 2006
    6,393
    Darlington MD
    just on the radio at wcbm

    they will be using natural resources police, dot, and something else I didn't catch for phase 2.

    we need an injunction stat.
     

    jpo183

    Ultimate Member
    Mar 20, 2013
    4,116
    in Maryland
    Still no word from Del. Hough's office. I got an auto email about that stupid hotel idea in Frederick but nothing on this...........

    I really wanted to get some communication from him on this and also see if he would sponsor / get legislation together for recalling officials as well as starting a push to get women to be able to ccw without the stupid G&S

    I guess I should try another district?
     

    MJD438

    Ultimate Member
    MDS Supporter
    Feb 28, 2012
    5,854
    Somewhere in MD
    Here's what the law says...

    Maryland Code, Public Safety 5-121

    (a) On receipt of a firearm application, the Secretary shall conduct an investigation promptly to determine the truth or falsity of the information supplied and statements made in the firearm application.
    (b) In conducting an investigation under this subsection, the Secretary may request the assistance of the Police Commissioner of Baltimore City, the chief of police in any county maintaining a police force, or the sheriff in a county not maintaining a police force.

    Here's what the corresponding regulation says...

    COMAR 29.03.01.06

    C. Upon proper completion of the application form, the dealer, dealer's designee, or designated law enforcement agency shall forward the original white hard copy of the necessary forms to the Firearms Registration Section. Upon receipt of the properly completed forms, the State Police shall conduct the required investigation.
    I just passed that along to one of our responsive Delegates. While it is nice that "sworn" personnel are performing the investigations, I don't see where the agencies involved are legally permitted to be assigned the work.

    Even reading that section implies that the listed agencies may only assist with the investigation, not perform the entire thing...of course, IANAL, so what do I know?
     
