Privacy for Cops
Police officers are increasingly targeted online and outside of their professional roles. How can you protect yourself?
From protests to domestic disputes, law enforcement officials often find themselves in high-risk situations. However, today, police officers are increasingly being targeted online and outside of their professional roles. Contrary to what you may think, web-based attacks can be just as serious as offline ones and can lead to harassment, threats, or even damaged reputation. Some threats that originate online can also manifest in the physical world.
To stop situations like having your personal information posted on the internet for the whole world to see or your identity being stolen, it’s vital that you know how to protect yourself from cyber threats. Keep on reading to learn about the kinds of risks cops face, whether there are any laws that protect against them, and the steps you can take to protect your privacy.
Risks and Threats to Cops
Law enforcement officers face a myriad of risks online. The most common threats include doxxing, phishing, ransomware, identity theft, stalking (facilitated by the availability of personally identifiable information online), and extortion (or blackmail). Below, we discuss each threat in greater detail, giving real-world examples where appropriate.
You know things are serious when the FBI, the Internet of Crime Complaint Center, and the US Department of Homeland Security all issue warnings about the threat doxxing (or doxing) poses to law enforcement officers. Short for “dropping documents,” doxxing is the act of leaking identifying information — like home addresses, phone numbers, and vehicle identification — online, usually with malicious intent.
In most cases, doxxers get their hands on this type of information via publicly available sources, like social media and data brokers. However, in some instances, cybercriminals may also resort to hacking or phishing.
Although this toxic practice has been around for a few decades, it has become more frequent in recent years:
- In 2015, at least two Los Angeles Police Department officers had their personal data, including their children’s school locations, exposed following a controversial police shooting.
- In 2019, a A group of cybercriminals breached three FBI-affiliated websites and posted their contents, including the personal records of thousands of law officials, on the internet.
- In 2020, police officials nationwide had their personal information dumped online amid the rising tension which followed George Floyd’s death.
A phishing attack is a type of scam where cybercriminals impersonate legitimate people or organizations via email, phone, or text to trick victims into sending them money, steal sensitive information, or even hack into a system.
Although law enforcement agencies are often the ones warning the public about these types of scams, they’re not immune to these attacks themselves.
Successful phishing attacks often go unreported but looking at ones that fail can help explain how they work. In 2020, for example, the Wells Police Department in Maine received an email that, at first glance, appeared to have come from Chief Jo-Ann Putman. The contents of the email were strange, though (a request for Amazon gift card codes) and on closer inspection, the officers noticed that the email was sent from an unknown Gmail account.
Speaking of phishing, did you know that phishing emails are the number one vehicle for ransomware? One of the biggest security problems on the internet today, ransomware is malicious software that limits or completely prevents users from accessing certain file types or even entire systems until a ransom is paid in return for a decryption key.
Although all public institutions and businesses are vulnerable to ransomware attacks, police computers are especially at risk because many smaller police departments use outdated IT systems. It doesn’t help that in many cases, these systems contain vital and sensitive information, including 911 call records, important evidence as well as rape and other violent crime reports.
What would happen if cybercriminals locked law enforcement officers out of this data? We don’t have to wonder. In 2019, the Stuart Police Department in Florida suffered a ransomware attack, which resulted in evidence from 11 cases being lost. The result? Six suspected drug dealers walked away free.
It’s important to note here that although hackers often use phishing to launch ransomware attacks, other methods for executing a ransomware attack abound, too. For example, if you run unknown software, visit an untrustworthy website, or fail to install the latest security patch, you could easily fall victim to a ransomware attack.
Often, a ransom attack that takes down an entire network starts with a single infected computer.
Normally, individuals who have their identity stolen report the crime to the police. But what happens when police officers themselves fall prey to identity theft?
If you don’t think that’s possible, think again. In 2020, several law enforcement officials from the Trumann Police Department in Arkansas were targeted with identity theft. One officer had their credit card used in a different state, whereas another was subject to attempted financial fraud. The suspect used the officer’s name, Social Security number, place of employment, and salary schedule in an attempt to collect unemployment benefits.
But financial gain is just one motive for cybercriminals to steal someone’s identity. Malicious actors may also use stolen information to:
- Take over your accounts.
- Pretend to be you if they are arrested.
- Get medical care.
Being a police officer doesn’t necessarily protect you against stalkers. If anything, it can make you an even bigger target.
In 2017, for example, William Young, a 54-year old man, was charged with stalking a police officer for 20 years — ever since the officer arrested him for stalking and menacing women in 1999. In 2010, Young said he wanted the officer “fired” and wanted him to “eat his gun.”
More recently, a man named Jeffrey Quintin McCray was accused of stalking an officer from the St. Paul Police Department after she launched an investigation into his online misconduct.
Worryingly, a 2015 paper titled “Stalking Victimization Among Police Officers” found that few police officers report stalking to the police. Many officers feel that it’s a “contradiction to be stalked and serve as a police officer.”
Another threat police officers face is extortion or blackmail. For example, a criminal may threaten to expose the “wrongdoings” (real or imagined) of a police officer unless the latter stops investigating him.
In some cases, blackmail is combined with ransomware. Indeed, a new strain of ransomware steals data before encrypting it and threatens to leak it online if the victim refuses to pay the ransom.
In other cases, blackmail can lead to doxxing. In 2014 Jon Belmar, the chief of St. Louis County Police Department, had his personal information revealed online because he refused to disclose the name of the officer involved in a controversial shooting. The data leaked included his home address, phone number, and the names and pictures of his wife and kids.
What Does the Law Have to Say About That?
Luckily, when it comes to most online (and in some cases, offline) risks, affected individuals are usually protected by state and federal laws (with a few exceptions). Here’s what the law has to say about each one of the above threats to police officers.
Technically, it’s not against the law to find someone’s publicly available information and share it online. However, doxxing is potentially illegal if the information posted is acquired using illicit means, such as hacking. Doxxing could also be unlawful if the information is published with malicious intent, like to harass the victim.
While only some states in the U.S. have specific anti-phishing laws, all states prohibit acquiring someone else’s personal information in a fraudulent manner. There isn’t a single federal statute that makes phishing a crime, either. That being said, broader federal laws — like the wire fraud law — can be used to bring charges across the country.
All states have computer crime laws and at least five states specifically prohibit ransomware and/or computer extortion. On the other hand, there isn’t a federal law that expressly criminalizes ransomware. Rather, several cybercrime laws, like the Electronic Communications Privacy Act (ECPA) or the Computer Fraud and Abuse Act (CFAA), can be applied to the crime of ransomware.
Every state makes it a crime to misuse someone else’s personally identifiable information. Some states may increase the penalty if the victim was a vulnerable individual (particularly in a caretaking capacity), deceased, or a child or if the cybercriminal stole multiple people’s identity. Identity theft is also a federal crime. In 1998, Congress passed the Identity Theft and Assumption Deterrence Act, which was later followed by the Identity Theft Penalty Enhancement Act of 2004 and the Identity Theft Enforcement and Restitution Act of 2008.
Stalking is criminalized in all 50 states, but each state has its own criminal definition of stalking. Federal legislation makes it a crime to stalk someone, as well. In addition, it also prohibits stalking a person via electronic communication systems. In this way, the federal anti-stalking law also covers cyberstalking (stalking someone online).
Even though the terms “extortion” and “blackmail” are often used interchangeably, they don’t actually mean the same thing. Blackmail is when one person threatens to reveal sensitive information about someone else as a means of coercing them. In contrast, extortion typically involves the threat of physical harm unless the extortioner gets compensation, whether it’s money or a non-tangible benefit. Because both extortion and blackmail involve threats to get something of value, most states include them under the same statute. Both crimes are illegal in all 50 states. Federal statutes make many types of extortion and blackmail a crime, too
How to Protect Your Privacy As a Cop
1. Google Your Name
If a criminal entered your name into a search engine, what would they find? To see for yourself, log out of your Google account or use the “Incognito” tab or a privacy-oriented search engine like DuckDuckGo. That way, you’ll see the same information a criminal would (otherwise, the results could be skewed based on your user profile).
Don’t forget to check out the images that pop up when you Google your name, as well, and do a reverse image search for any photos of yourself you find. Right-click on each image and “search Google for image” to see where else the images may be floating around.
What kind of information about you is out there and where is it cropping up? Could an ill-intentioned individual use this information to dox you, threaten you, or stalk you?
If you’re unhappy with the results, we have a guide on how you can remove at least some of your information from the internet.
2. Remove your name from data brokers
Chances are, when you Googled yourself, your name appeared in at least one data broker or people search site. Data brokers are entities that gather information about you — think your name, home address, and phone number, among other things — from various sources (like public records and social media) to compile scarily accurate individual profiles. They then sell these profiles to more or less anyone willing to pay for them.
You can see how that may be a problem. If a disgruntled criminal wants to find out where you live, all they have to do is search for your name on a data broker site like Intelius, Spokeo, or Whitepages.
Luckily, you can delete your name from most data broker sites. Even better, we’ve a thorough, step-by-step guide to help you.
Note that most sites have a unique removal process, so make sure you set aside enough time to submit all the forms. To really protect the safety of you and your family, you may also want to remove your spouse and children from these databases, as well.
Don’t forget to repeat this step periodically, too, as data brokers are known for relisting people’s profiles after a month or two. If you’d rather spend your time catching the bad guys, get professionals to do it for you.
3. Limit what you share online and offline
If your social media profiles are public, then anyone can see everything you post. Make your profiles private and never accept friend requests from people you don’t know. Certain information, like your Social Security number, driver’s license, and credit card details, should never be shared online, not even over instant messages or emails (hackers could intercept your details on either).
You should also:
- Refrain from using your real name on Facebook (at the very least, consider using your middle name as your last name).
- Give the bare minimum when filling out your social media profile.
- Use a non-identifying profile picture.
- Don’t post about your location and turn off geotagging.
- Monitor the posts your friends and family share online.
- Avoid joining Facebook groups, like law enforcement related groups, as someone could find you that way.
Information like your date of birth or your mother’s maiden name may seem less important, but criminals could use it to verify your identity and gain access to your accounts.
Be careful not to overshare offline, as well. In 2019, an officer from the Metropolitan Police Service in the UK was blackmailed after talking about a murder case on a night out.
Last but not least, when joining an organization, let them know that you don’t give your approval to have your name published without your consent.
4. Always be skeptical
Phishing attacks are getting more sophisticated. Whether it’s an unusually urgent email, a sketchy phone call from your bank, or a dubious text message, think twice before clicking on any links, opening email attachments, or supplying any personal information — even if you think you know the sender or caller.
If in doubt, always get in touch with the person or institution that reached out to you to confirm that their request was, indeed, genuine.
5. Stop putting off device updates
Most cyberattacks try to exploit vulnerabilities within operating systems and third-party applications, including antivirus software. Patching your applications with the latest updates can stop malicious actors from hacking into your machine and causing a lot of damage.
Patching your applications with the latest updates can stop malicious actors from hacking into your machine and causing a lot of damage.
6. Use strong passwords and multi-factor authentication
Strong passwords are vital for keeping your online accounts and personal data safe from malicious actors. Never, ever use the same password more than once and stay way from easy-to-guess passwords. A password manager, like Abine Blur, can help you create and manage complex passwords.
Whenever possible, enable two-factor authentication, as well. That way, even if a hacker obtains your password, your account will still be protected unless the hacker can also get a hold of the second factor of authentication.
7.Backup your data
If you backup your data — and get your colleagues to do the same — you’ll minimize the risk of losing essential case files in the event of a ransomware attack.
However, make sure you backup your data correctly. Cybercriminals can infiltrate a backup system, so you need to backup your data on the cloud or to an offline storage device.
Also, if you’re backing up your data to an external drive, make sure you disconnect it when not using it.
8. Monitor your bank account and credit report
Check your credit report regularly for any suspicious activity. Also, make time to read all of your financial statements and ensure you recognize every transaction. Many victims become aware of identity theft when they notice money missing from their accounts.
For additional information on how you can protect yourself online, check out the below resources:
- AccessNow, a non-profit organization that protects the digital rights of individuals around the world, has a useful self-doxing guide.
- Phishing.org has more information on phishing and a list of free tools, like a Phishing Security Test, Phishing Reply Test, and Phish Alert Button.
- The No More Ransom project contains tips on how to prevent a ransomware attack as well as decryption tools if you’ve already fallen victim to one.
- DeleteMe is a subscription service that deletes your personal information from all the major data brokers and people search sites out there. There’s also a comprehensive guide on how you can opt-out of these databases yourself. Be warned, though: it’s a time-consuming process.
- IdentityTheft.gov can help you report and recover from identity theft.
- Have I Been Pwned? is a site that allows you to see if your personal data has been compromised by data breaches.
- Abine Blur secures your passwords, masks your email, and protects your credit card.