Fear of spread from coronavirus, prisons and prisons remain closed. Visitors cannot see their loved ones spending time, forcing friends and families to use prohibitively expensive video visiting services that often don't work.
But now the security and privacy of these systems are being scrutinized after a St. Louis-based video visitation provider had a security breach in prison that exposed thousands of phone calls between inmates and their families, as well as calls to their lawyers that needed protection by attorney privilege.
HomeWAV, which serves a dozen prisons across the United States, left a dashboard for one of its databases, available on the Internet without a password, so anyone can read, search, and search through the call logs and transcripts of calls between inmates and their friends and family members. The transcriptions also showed the phone number of the caller, the inmate and the duration of the call.
Security researcher Bob Diachenko found the dashboard, which has been public for at least April, he said. theinformationsuperhighway reported the problem to HomeWAV, which shut down the system hours later.
HomeWAV's managing director, John Best, confirmed the vulnerability in an email.
"One of our third-party vendors has confirmed that they accidentally removed the password that allowed access to the server," he told theinformationsuperhighway, without naming the third party. Best said the company will notify inmates, families and lawyers of the incident.
Somil Trivedi, a senior attorney for the ACLU's Criminal Law Reform Project, told theinformationsuperhighway, “We see time and time again that when the system goes down, the rights of prisoners are the first to be trampled on – as always. ”
“Our justice system is only as good as protection for the weakest. As always, people of color, those who cannot afford lawyers, and people with disabilities pay the highest price for this mistake. Technology cannot fix the fundamental shortcomings of criminal law – and it will exacerbate them if we are not deliberate and careful, ”Trivedi said.
Inmates have almost no privacy expectations, and almost all prisons in the US record their inmates' phone and video calls – even if this is not announced at the beginning of every call. Prosecutors and investigators are known to listen to recordings in the event that an inmate incriminates himself when he calls.
However, calls between inmates and their attorneys should not be monitored because of the attorney-client privilege. This rule protects the communication between a lawyer and his client from judicial use.
Nonetheless, there are known cases where US prosecutors use recorded calls between a lawyer and their imprisoned clients. Over the past year, prosecutors in Louisville, Kentucky allegedly bugged dozens of calls between a murder suspect and his attorneys. Earlier this year, lawyers in Maine said they were routinely registered by multiple county jails and that their calls, protected under the prerogative of an attorney or client, were routed to prosecutors in at least four cases.
The HomeWAV website states: "Unless a visitor has previously been registered as a clergyman or legal representative with whom the inmate is entitled to privileged communication, the visitor is encouraged to record and monitor visits."
However, when asked, HomeWAVs Best wouldn't say why the company recorded and transcribed conversations that are protected by attorney and client law.
Several of the transcriptions reviewed by theinformationsuperhighway showed that attorneys were clearly stating that their calls came under legal and client law, effectively telling anyone who would listen that the call was prohibited.
theinformationsuperhighway spoke to two attorneys whose communications with their clients in prison had been recorded and transcribed by HomeWAV for the past six months, but asked that we not name them or their clients as it could compromise their clients' legal defenses. Both raised the alarm that their calls had been recorded. One of the attorneys said they verbally asserted attorney and client rights on the call, while the other attorney also believed that her call was protected by attorney and client law, but declined to comment, until they had spoken to their client.
Another defense attorney, Daniel Repka, told theinformationsuperhighway that one of his calls to a client in prison in September was recorded, transcribed, and then exposed, but said the call was not sensitive.
"We have not passed on any information that would be considered to be protected by lawyers and clients," said Repka. "Every time I have a customer calling me from a prison, I am aware of the possibility of not only security breaches, but the potential for prosecutors to access those phone calls," he said.
Repka described the legal privilege as "sacred" for lawyers and their clients. "This is the only way we can ensure that lawyers can represent their clients as effectively and zealously as possible," he said.
"The best practice for attorneys is to always visit your client in person in jail where you are in a room and you have far more privacy than over a phone line that you know has been recorded on device" , he said.
But the challenges posed by the pandemic have made personal visits to some states difficult or impossible. The Marshall Project, a non-partisan organization focused on criminal justice in the United States, said several states have suspended in-person visits because of the coronavirus threat, including legal visits.
Even before the pandemic, some prisons ended personal visits in favor of video calls.
Video visit technology is now a billion dollar industry. Companies like Securus make millions each year by frequently overcharging callers to call their imprisoned loved ones.
HomeWAV isn't the only video visiting service that has had security issues.
In 2015, an apparent breach at Securus resulted in around 70 million inmate calls being leaked by an anonymous hacker and relayed to The Intercept. Many of the records in the cache also included calls protected by legal and tenant law, the publication reported.
In August, Diachenko reported a similar vulnerability in TelMate, another prison visits deployment that exposed millions of inmate messages due to a passwordless database.
You can securely send tips via Signal and WhatsApp to +1 646-755-8849 or send an encrypted email to the following address: email@example.com