18 comments

[ 2.6 ms ] story [ 44.0 ms ] thread
I think the bigger issue (which another article I read on this last week described, but I sadly can't find it right now) is that low punishment for when it's caught means its more likely to happen and not be caught. There were 3 cases reported in 2015, how many went unreported? If the culture is "oh it's fine, just don't be egregious about it" I expect it's happened a lot more than 3 times in the last year.

Do they not maintain proper audit logs? I work for Stack Overflow and I can't look at a user's PII without it being logged in multiple systems, do we have higher internal security than the police department?

> I work for Stack Overflow and I can't look at a user's PII without it being logged in multiple systems, do we have higher internal security than the police department?

Most likely: yes.

Imaging how these low-lifes would be treated if these were HIPAA violations.
One could argue that they aren't necessarily low-lifes: I'd wager many, many people would abuse such power if they could. Which is why it's more important to place constraints on positions of power, than to hope that we only staff those positions with wholly noble people (who are incredibly few in number, in reality).

The other consideration is that if they were doing so under the threat of HIPAA violations, they may not have abused the information quite so casually. Jealous husband fears a slap on the wrist, he abuses the database. Jealous husband fears jail time, he possibly [hires P.I. / follows his wife / etc.].

I'm not defending them–law enforcement enjoys some protections that are arguably unconstitutional, and as such should be held to a much higher standard–but it's unproductive to examine what would have happened if the penalties were different, while simultaneously assuming that the actors would have made identical decisions based on different criteria.

And the reason that's important brings me back to my first point–built-in constraints are the only way to solve this sort of thing, which is the same reasoning the founders used to try to place constraints on American politicians.

> One could argue that they aren't necessarily low-lifes: I'd wager many, many people would abuse such power if they could.

The fact that there may be more of them does not change that they are low-lifes.

Sure, but then we wind up having to broadly categorize most people as low-lifes. Which may be true, but that's all the more reason to construct a system that can survive them, not a system that falls apart when representative human beings are part of it.
Lack of fear of penalties is likely why this happened in the first place. Regardless I should not have used the term low-lifes. I'm fairly sure it's not the appropriate kind of discourse for this place.
There are very few examples of punishment or loss of licensure related to HIPPA violations (at least the last time I looked into it, to calm my RN wife that she didn't violate HIPPA and even if she did, her life isn't over.)
I'm interested to know how your system ensures that anyone accessing PII goes through the system. Don't sysadmins have full access to the db? When you are granted access, can you see the full table or just the row about this user?
Of course you do. They still don't know what Snowden has.
To protect and serve...remind me who the criminals are again?
What would be my penalty if I gained access and used the same information they did in exactly the same way? I would certainly be arrested, even if the data was publicly available.
The buried lede: one of the officers used the information to drive to the victim's house and threaten him, yet received only a written reprimand.

If the situation had been reversed, and that man had driven to a police officer's house to threaten him, I think that man would have been criminally charged or even shot on the spot.

That's not the way I read it. I read it that the husband threatened the would-be adulterer, not that the police officer did:

"When a Colorado man thought his wife might be having an affair, he asked a Denver police officer to dig up personal details about the man he suspected. The husband then drove by his house and threatened him, according to a civilian oversight agency’s report."

What a dumb cuck. Should have taken care of his wife first.
> I read it that the husband threatened the would-be adulterer, not that the police officer did:

You are right; I was wrong.

The problem with State-run police is that they live under a different set of laws than the rest of us. We need to start treating all equally under the law, rather than having two classes of people: the State-connected, and the commoners.