In 2013, Amy Krekelberg received an unsettling notice from Minnesota’s Department of Natural Resources: An employee had abused his access to a government driver’s license database and snooped on thousands of people in the state, mostly women. Krekelberg learned that she was one of them.
When Krekelberg asked for an audit of accesses to her DMV records, as allowed by Minnesota state law, she learned that her information—which would include things like her address, weight, height, and driver’s license pictures—had been viewed nearly 1,000 times since 2003, even though she was never under investigation by law enforcement. In fact, Krekelberg was law enforcement: She joined the Minneapolis Police Department in 2012, after spending eight years working elsewhere for the city, mostly as an officer for the Park & Recreation Board. She later learned that over 500 of those lookups were conducted by dozens of other cops. Even more eerie, many officers had searched for her in the middle of the night.
Krekelberg eventually sued the city of Minneapolis, as well as two individual officers, for violating the Driver’s Privacy Protection Act, which governs the disclosure of personal information collected by state motor-vehicle departments. Earlier this week, her case prevailed. On Wednesday, a jury awarded Krekelberg $585,000, including $300,000 in punitive damages from the two defendants, who looked up Krekelberg’s information after she allegedly rejected their romantic advances, according to court documents.
“I think that the jury’s verdict shows that people do take privacy quite seriously and that they take women’s privacy seriously,” says Sarah St. Vincent, a surveillance and national security researcher at Human Rights Watch who attended the trial. She is studying similar cases across the country.
There have been dozens of lawsuits against Minneapolis and other Minnesota cities in recent years over alleged abuses of license databases. Most of the cases were settled out of court or dismissed; Krekelberg’s is the only one to have gone to trial. Two of Krekelberg’s lawyers, Sonia Miller-Van Oort and Jonathan Strauss, say that their client suffered harassment from her colleagues for years as the case proceeded, and that in at least one instance, other cops refused to provide Krekelberg with backup support. She now works a desk job.
“We are disappointed in this verdict, but the city takes very seriously the importance of data privacy,” says Susan L. Segal, the Minneapolis city attorney. She stressed that the police department’s policies have changed in recent years. Minneapolis employees are now required to enter a reason when they search DMV records. Previously, to learn to use the database, officers were encouraged to “go back to work and look up some of [their] friends and family members,” says Segal. “There was not this awareness.”
Minnesota did have at least one rare accountability measure in place: It kept a log of when the DMV database was searched, and citizens have the right to request their file. Without that digital trail, Krekelberg likely wouldn’t have had the evidence to bring a case. In many other states, similar protections don’t exist, even for more advanced technologies, like facial recognition software. Policies can differ greatly between police departments, says Kade Crockford, director of the Technology for Liberty program at the ACLU of Massachusetts. “There’s virtually no uniformity,” she says.
That makes it difficult for citizens to know when their information has been improperly accessed by the government, which happens not infrequently. A 2016 investigation by the Associated Press found hundreds of instances where law enforcement officials misused confidential databases for personal purposes, like to dig up dirt on romantic partners, neighbors, and journalists. One Ohio officer ran checks on his ex-girlfriend, and pleaded guilty to stalking her. Two Miami-Dade officers looked up a reporter who published negative stories about their department.
“I was a trooper for a long time and it was a common practice for troopers to run someone’s name through the [Massachusetts criminal record] system for reasons besides law enforcement,” Michael Szymanski, a former state trooper who was disciplined for abusing a police database, told CommonWealth Magazine in May. “I can’t tell you how many times I saw troopers run their next-door neighbor through [the system], run their old girlfriends’ names, or run someone who they’re having a dispute with.”
The problem goes beyond DMV and criminal records databases. Law enforcement officials have also been caught abusing technology that allows them to monitor the location of people’s cell phones. In April, a former Missouri sheriff was sentenced to six months in prison for tracking a judge and members of the State Highway Patrol.
Employees at private tech companies have also abused their access to databases of sensitive user information. Uber settled a lawsuit with the New York attorney general in 2016 over its “God View” tool, which allowed employees to track the location of riders without their consent, including that of a Buzzfeed reporter. Employees at Snapchat also may have misused an internal tool to spy on users, according to a recent Motherboard investigation.
More lawmakers have started advocating for data privacy regulations at the state and federal level, but those conversations have mostly focused on reining in big tech companies, rather than information that public employees can access. “It’s very hard for people to get any kind of redress for privacy violations,” St. Vincent says.
More Great WIRED Stories
social experiment by Livio Acerbo #greengroundit #wired https://www.wired.com/story/minnesota-police-dmv-database-abuse