Phone Tag to Computer Hack: Securus puts privacy at risk
by Stephen Raher, April 24, 2017
The apparent suicide of former NFL player Aaron Hernandez has received much media attention, due to Mr. Hernandez’s celebrity status. While many news reports noted that Mr. Hernandez was recently acquitted of additional murder charges, I wanted to highlight one of his experiences while awaiting trial: a civil lawsuit against prison telecom company Securus.
While he was awaiting trial, Hernandez was held in the Suffolk County Jail in Massachusetts. The county has chosen Securus as the exclusive provider of telecom services for people incarcerated in the jail. According to a document we received, Securus has determined that an unauthorized person (or people) accessed recordings of Mr. Hernandez’s phone calls. Securus later informed the federal court that the recorded calls were between Hernandez and his fiancée.
Mr. Hernandez sued Securus in Massachusetts state court, alleging invasion of privacy and other related claims. Securus tried to move the case to federal court, but in March 2017, the U.S. District Court for Massachusetts concluded that the lawsuit did not implicate federal law, and sent it back to state court, where it is still pending.
What does this mean for incarcerated people and the loved ones they talk to?
Securus’s self-serving “Integrity Pledge” claims that the company understands and honors “confidentiality of calls.” But as with so much corporate PR, when something actually goes wrong, Securus’s commitment to stated principles is nowhere to be found. In response to Mr. Hernandez’s lawsuit, Securus argued that Hernandez couldn’t sue for unauthorized access to call recordings, because “inmates have no expectation of privacy in their communications” and thus Hernandez “suffered no cognizable privacy injury.”
Notably, Hernandez was not suing because jail officials listened to his calls, but rather because he believed that Securus didn’t take adequate steps to prevent a hacker from breaking into the database of recordings and listening to private conversations. Most people realize that law enforcement can listen to non-privileged jail phone calls (Securus has also been accused of illegally taping privileged attorney-client phone calls, but this did not appear to have happened in Hernandez’s case); however, this should not mean that private phone calls can be shared with anyone in the world. Nonetheless, this is basically what Securus is arguing when it says that Hernandez doesn’t even have a right to go to court.
What additional concerns does this raise for families and friends of incarcerated people?
The same privacy concerns discussed above also apply to family and friends who call or video-chat with incarcerated people. But folks on the outside have another potential source of worry: they are often granting Securus access to their personal computers.
In the case of video visitation, Securus requires users to install a Java applet that—according to Securus—allows the transmission of audio and video. When users install the applet, they receive a warning that the applet “run[s] with unrestricted access which may put your computer and personal information at risk.” This warning suggests that Securus’s applet can potentially access unrelated information on a customer’s computer, like photos, emails, or other private files. This, in turn, raises several concerns, given the terms and conditions that customers must agree to.
Of greater concern is Secrurus’s language about monitoring by law enforcement. Securus forces its customers to agree to the following language:
Securus assumes no responsibility for the activities, omissions or other conduct of any member of Law Enforcement (a “Law Enforcement Official”). Relative to [video visitation], Securus acts solely as a portal for the online distribution and publication of electronically distributed information and has no obligation to screen communications or information in advance and is not responsible for screening or monitoring electronic communications sent via this Service.
If the Java applet does create a backdoor into a user’s computer (either intentionally or accidentally), then law enforcement could exploit this backdoor (either on their own or at Securus’s invitation), and access private information on a user’s computer. In such a scenario, Securus has set itself up to disclaim any liability—an argument that is foreshadowed in the Hernandez lawsuit.
Securus is able to charge high prices because it knows it can exploit the desire of families who want to maintain contact with their loved ones. Adding insult to injury, Securus now argues that its customers have no privacy rights whatsoever. And making matters even worse, Securus’s terms of service don’t clearly tell customers what information they are surrendering.
While Aaron Hernandez had the resources to fight back, most incarcerated people do not. This situation illustrates an increasingly obvious fact: as prisons adopt new technologies (like video visitation, electronic fund transfers, and electronic messaging), incarcerated people and their families will be unfairly exploited unless lawmakers get serious about extending consumer protections inside the prison walls.