Not So Securus
by Jordan Smith and Micah Lee, The Intercept
An enormous cache of phone records obtained by The Intercept reveals a major breach of security at Securus Technologies, a leading provider of phone services inside the nation’s prisons and jails. The materials – leaked via SecureDrop by an anonymous hacker who believes that Securus is violating the constitutional rights of prisoners – comprise over 70 million records of phone calls, placed by prisoners to at least 37 states, in addition to links to downloadable recordings of the calls. The calls span a nearly two-and-a-half year period, beginning in December 2011 and ending in the spring of 2014.
Particularly notable within the vast trove of phone records are what appear to be at least 14,000 recorded conversations between prisoners and attorneys, a strong indication that at least some of the recordings are likely confidential and privileged legal communications – calls that never should have been recorded in the first place. The recording of legally protected attorney-client communications – and the storage of those recordings – potentially offends constitutional protections, including the right to effective assistance of counsel and of access to the courts.
“This may be the most massive breach of the attorney-client privilege in modern U.S. history, and that’s certainly something to be concerned about,” said David Fathi, director of the ACLU’s National Prison Project. “A lot of prisoner rights are limited because of their conviction and incarceration, but their protection by the attorney-client privilege is not.”
The blanket recording of detainee phone calls is a fairly recent phenomenon, the official purpose of which is to protect individuals both inside and outside the nation’s prisons and jails. The Securus hack offers a rare look at this little-considered form of mass surveillance of people behind bars – and of their loved ones on the outside – raising questions about its scope and practicality, as well as its dangers.
Securus markets itself to government clients as able to provide a superior phone system – its Secure Call Platform – that allows for broad monitoring and recording of calls. The company also promotes its ability to securely store those recordings, making them accessible only to authorized users within the criminal justice system. Thus, part of the Securus promise is not only that its database is vast, but also that it meets rigorous standards for security. “We will provide the most technologically advanced audio and video communications platform to allow calls with a high level of security,” reads the company’s Integrity Pledge. “We understand that confidentiality of calls is critical, and we will follow all Federal, State, and Local laws in the conduct of our business.”
But the fact that a hacker was able to obtain access to over 70 million prisoner phone call records shows that Securus’ data storage system is far more vulnerable than it purports to be.
More broadly, the Securus leak reveals just how much personal information the company retains about prisoners and the countless people to whom they are connected. It is information that, in the narrow context of incarceration, may not be considered private, but in the larger world raises serious questions about the extent to which people lose their civil liberties when their lives intersect, however briefly, with the criminal justice system.
Securus is a telecommunications company based in Dallas, Texas, owned by a private equity firm. Its primary business is providing phone and video visitation services to incarcerated people – ostensibly offering a meaningful way for them to keep in touch with loved ones on the outside, as well as to communicate with attorneys. Until now, Securus was probably best-known for the incredibly high rates it has traditionally charged for phone calls, a burden borne almost exclusively by the very people who are the least able to afford it. (The Federal Communications Commission in October 2015 voted to cap calling rates and fees, a move that Securus and other industry leaders had fought, claiming the change would have a “devastating effect” on their businesses.) [PLN Ed. Note: The FCC’s rate caps remain stayed by a federal appellate court in the District of Columbia due to a lawsuit filed by Securus and other parties.]
It isn’t just Securus whose business model has relied on gouging people caught up in the criminal justice system. The industry’s other players, including the leading prison telecom company, Global Tel*Link, largely do the same. Prison and jail communications is a $1.2 billion a year business, whose handsome profits come from serving a captive and inelastic market. According to public relations materials, Securus provides communications platforms used by more than 1.2 million prisoners across the country, who are confined in more than 2,200 facilities; by 2012 the company was processing more than 1 million calls each day. In 2014, Securus took in more than $404 million in revenue.
Securus does business with local and county governments (which operate the nation’s jails) and with state departments of correction (which, with some exceptions, run the nation’s prison systems). A key selling point to its clients is that the company not only installs and maintains phone systems at little to no cost to the government, but also that it agrees to pay back to its clients generous “site commissions,” a kickback that comes from revenue generated by prisoner calls – on average 42 percent of the revenue from its state contracts, according to research done by Prison Legal News. (The FCC rate caps threaten the industry’s ability to keep revenues large enough to fund the exorbitant kickback scheme it created. Lowering and capping the rates and fees charged for calls means at least some industry players could be forced to dip into company coffers in order to comply with contracted payoff schedules, unless they renegotiate existing contracts. How the new rate caps will impact these payoffs remains to be seen.)
In addition to the sweetheart deal it offers clients, Securus also touts the technology of its Secure Call Platform, which allows recording and monitoring, with few exceptions, of all calls made by prisoners. The superior technology, it claims, ensures that its database is well-protected, and only accessible to authorized users – among them corrections workers, police investigators and prosecutors. Law enforcement personnel are particularly important to the company: Securus promises it can provide recordings on demand to investigators across jurisdictions, promoting its system as a powerful crime-solving tool.
But the scale of the Securus hack shows the company has failed to fulfill its own promises on security. The more than 70 million phone call records given to The Intercept include phone calls placed to nearly 1.3 million unique phone numbers by more than 63,000 prisoners. The original data was contained in a 37-gigabyte file and scattered across hundreds of tables, similar to spreadsheets, which The Intercept merged into a single table containing 144 million records. A search for duplicates reduced this figure to more than 70 million records of individual phone calls.
The database contained prisoners’ first and last names; the phone numbers they called; the date, time and duration of the calls; the prisoners’ Securus account numbers; as well as other information. In addition to metadata, each phone call record includes a “recording URL” where the audio recordings of the calls can be downloaded.
The vast majority of the calls appear to be personal in nature; downloaded audio files leaked alongside the larger database of recordings include one in which a couple has an intimate conversation; in another, relatives discuss someone whose diabetes is worsening. In a third, a couple discusses Dancing With the Stars, TV dinners and how much money is available to pay for their regular phone conversations – versus how much should instead be spent on food. But a subset of the recordings – a minimum of roughly 14,000 – were made by detainees to attorneys, in calls that range from under a minute to over an hour in length.
To arrive at this figure, The Intercept looked up each of the nearly 1.3 million phone numbers that prisoners called in a public directory of businesses to find out whether a law firm or attorney’s office is associated with that number. We found that Securus recorded more than 14,000 phone calls to at least 800 numbers that clearly belonged to attorneys. That 14,000 figure, however, is likely an underestimate because it does not include calls to attorney cell phone numbers. In other words, the 14,000 attorney calls are potentially just a small subset of the attorney-client calls that were hacked.
In short, it turns out that Securus isn’t so secure.
In fact, this doesn’t seem to be the first time that Securus’ supposedly impenetrable system has been hacked. According to documents provided to The Intercept by a Texas attorney, the company’s system was apparently breached on July 18, 2014, when someone hacked three calls made by a prisoner named Aaron Hernandez, presumably the former player for the New England Patriots, who was awaiting trial for killing a friend. In an email thread from July 21, 2014, two Securus employees discuss the breach – the system was accessed by someone in South Dakota, they discover, though they don’t have that person’s name. “OMG……..this is not good!” reads one email contained in the document. “The company will be called to task for this if someone got in there that shouldn’t have been.”
There is no indication the 2014 hack has previously been made public. Securus did not respond to numerous requests for comment for this story. [Editor’s note: See update below for a statement from Securus in response to publication of this story.]
Prisoners do not generally enjoy a right to privacy while incarcerated – a fact that is emphasized in the course of virtually any communication with the outside world. Like other jail and prison telecoms, Securus inserts a recorded message at the beginning of each prisoner-initiated phone call, reminding recipients that “this call is from a correctional facility and may be monitored and recorded.” In this context, anyone who hears the warning and still chooses to use the phone has effectively waived a right to privacy during that call, a condition all too familiar to people with incarcerated loved ones. Still, it is hard to imagine that people on either end of the line would ever anticipate that their conversations would be stored for years, in a manner that could potentially expose their intimacies to the larger public. By failing to prevent hackers from accessing the calls, Securus appears to have done just that.
This is troubling to the ACLU’s Fathi, because “waivers of rights are not meant to be all or nothing. Waivers are meant to be only as extensive as necessary to accomplish the goal underlying the waiver,” he said. If the goal for recording and monitoring detainee phone conversations is to enhance safety both inside and outside a facility that’s one thing – but those conversations should not be stored indefinitely, once they’re determined to be free of intelligence that would aide the institutional goal.
The mass recording of detainee calls was originally rationalized as improving safety within a facility – a way to hedge against contraband being brought in, to ferret out escape attempts or potentially violent uprisings, and to curb the possibility of witness tampering or intimidation. But if the goal is to see if a “person is smuggling drugs [or] plotting an escape,” said Fathi, “it doesn’t mean that the prisoner and the ... outside person they’re talking to has forever waived all privacy rights and that any conceivable use of that recording is OK.”
The implications are especially alarming for calls that are understood to be the exception to the record-everything rule. Securus’ phone systems are supposed to be set up to allow certain phone numbers to be logged and flagged so that calls to those numbers are exempt from being recorded – let alone stored.
Indeed, that a criminal defendant or prisoner should be able to speak frankly and honestly with a lawyer is a cornerstone of the criminal justice system – inherent in a defense attorney’s ethical obligations, and firmly rooted in the Sixth Amendment right to competent and effective legal counsel. A review of contracts and proposals completed by Securus in a handful of states reflects the company’s understanding of this right. In a 2011 bid to provide phone service to prisoners in Missouri’s state prisons, Securus promised that each “call will be recorded and monitored, with the exception of privileged calls.” But the database provided to The Intercept shows that over 12,000 recordings of prisoner-attorney communications, placed to attorneys in Missouri, were collected, stored and ultimately hacked.
The data provided to The Intercept also includes at least 27 recordings of calls to attorneys in Austin, Texas, made between December 2011 and October 2013 – a fact that is particularly compelling in light of a federal civil rights suit filed there in 2014 against Securus, which provides phone service to the county’s jails. At the heart of the lawsuit is the allegation that calls to known attorneys have been – and continue to be – recorded. The company’s contract specifically provides that calls “to telephone numbers known to belong [to] attorneys are NOT recorded” and that “if any call to an attorney is inadvertently recorded, the recording is destroyed as soon as it is discovered.”
The lawsuit was brought by the Austin Lawyers Guild, four named attorneys and a prisoner advocacy group, and alleges that, despite official assurances to the contrary, privileged communications between lawyers and clients housed in the county jails have been taped, stored, “procured” and listened to by prosecutors. The plaintiffs say that while some prosecutors have disclosed copies of recordings to defense attorneys as part of the regular evidential discovery process, other prosecutors have not, choosing instead to use their knowledge of what is in individual recordings to their “tactical advantage” in the courtroom “without admitting they obtained or listened to the recordings.” (None of the recordings provided to The Intercept appear to be connected to any of the Austin attorneys named in the suit.)
The Austin attorneys argue that the intrusion into their communications with clients undermines their ability to effectively represent them. And those most disproportionately impacted are often clients who are the most disadvantaged: those who can’t afford bail and have to stay in jail awaiting prosecution. Austin defense attorney Scott Smith, who discovered this summer that an intern in the prosecutor’s office had inadvertently listened to a portion of a phone call he had with a jailed client, points out that it rigs the adversarial legal process in favor of the state. “How do you plan your strategy? It’s like being at the Superbowl and one team gets to put a microphone in the huddle of another team.”
Challenging the lawsuit, Securus notes that government intrusion into the attorney-client relationship could be a violation of the Sixth Amendment. But the company insists it has abided by its policy of not recording privileged phone calls – while at the same time maintaining that any existing tapes were voluntarily turned over by the state to defense attorneys during discovery. What’s more, Securus argues that the plaintiffs have not proved that “such recordings” had any adverse effects on their cases. ”Securus acknowledges that Plaintiffs have alleged that recorded attorney-client calls have been shared with prosecutors, but they have failed to articulate a single instance where they have been harmed or prejudiced,” Securus said.
Exactly who is to blame for the recording of attorney calls is unclear. In many jurisdictions – including in Austin – the onus is on lawyers or their clients to give phone numbers to prison officials so that they can be placed on a do-not-record list. Failing to provide up-to-date contact information would make any inadvertent recordings the attorney’s or prisoner’s fault. But properly logging these numbers is the government’s responsibility. And the secure storage of these is squarely up to Securus – particularly given that it markets itself as providing a service to do exactly that.
It wasn’t always the case that detainee phone calls were recorded in bulk. The practice really took hold in the 1990s, says Martin Horn, a lecturer at John Jay College of Criminal Justice in New York, who previously served as commissioner of the New York City Department of Correction and, before that, as secretary of corrections in Pennsylvania. When Horn went to Pennsylvania in 1995, the state did not allow for the recording of prisoner calls. But that decade saw “numerous horror stories,” he said, of prisoners “perpetrating crimes” from within prison, “continuing to run their criminal enterprises” from behind bars, or “threatening witnesses, and so on.” At the same time, telephone technology had evolved significantly, making monitoring, recording and storage of call data possible.
Until the mid-1980s, prisoner phone services were provided by AT&T via operator-assisted collect calls from pay phones. But after the breakup of AT&T the market became more competitive – and less regulated – and companies such as Securus, originally known as the Tele-Matic Corporation, entered the market to offer equipment and, ultimately, sophisticated monitoring systems.
Today, Horn regards call monitoring as an important correctional tool. And while Horn said he was never made aware of any recording of attorney-client communications during his time in corrections, he said to the extent that a privileged communication is either monitored or recorded, there isn’t necessarily a harm – “if in the course of listening to it you become aware that it’s a conversation with a privileged party, such as an attorney, you stop listening,” he said. “So the fact that it was recorded, while unfortunate, you know, isn’t necessarily damaging.”
But the massive amount of data provided to The Intercept suggests that the scope of surveillance within the system goes far beyond what the original goals might have been. A 2012 Securus contract with the Illinois Department of Corrections describes an optional product called Threads, branding it “one of the most powerful tools in the intelligence community.”
“Securus has the most widely used platform in the industry, with approximately 1,700 facilities installed, over 850,000 inmates served, literally petabytes of intelligence data, and over 1 million calls processed per day,” the company bragged to Illinois officials. “This valuable data is integrated directly into Threads and could be available at [Department of Correction]’s and [Department of Juvenile Justice]’s fingertips.”
Today those numbers are even higher. Securus’ website says that the Threads database contains the billing names and addresses of over half a million people who are not incarcerated, as well as information about more than 950,000 prisoners from over 1,900 correctional facilities, and includes over 100 million call records. The amount of data sold to corrections and law enforcement investigators “continues to grow every day.”
As Adina Schwartz, a professor at John Jay College, points out, when you consider that these recordings can be stored “forever, with no supervision,” the potential for abuse increases. “I think any criminal defense attorney who wasn’t worried by that prospect is basically somebody who doesn’t do his or her job.”
And the recordings with known attorneys are not limited to calls with defense lawyers. The hacked database also includes records of calls between prisoners and prosecutors – including 75 calls to a United States Attorney’s office in Missouri. These, too, are potentially problematic, particularly if they include conversations with cooperating witnesses who could be vulnerable if the details of their dealings with the government were exposed.
The attorney-client privilege is “the oldest privilege of confidentiality known in our legal system,” said Fathi. In a criminal case it prohibits defense attorneys from divulging, or prosecutors from using, any case-related information that was obtained in confidence. But the reality is that keeping conversations with incarcerated defendants confidential is a challenge. Experts point out that the recorded notice embedded within phone calls initiated inside jails and prisons means that there should be no real expectation of privacy. “If a client is making an out-of-prison call to an attorney, the attorney-client privilege, arguably, doesn’t apply,” said Michael Cassidy, a professor of law at Boston College Law School, because by consenting to speak over a phone line that is subject to recording, the client and attorney should expect that is happening. But that isn’t the end of it: Even if the privilege doesn’t apply, “the Sixth Amendment right to counsel applies and the government can’t interfere with it,” he said. “So even if you could argue that notifying a prisoner that their calls are being recorded negates the privilege, it doesn’t negate the Sixth Amendment right to not have the government interfere with counsel.” And monitoring, recording and potentially using information gleaned from attorney-client calls would do just that.
That’s why prison calling systems, such as Securus’ Secure Call Platform, are set up to log numbers that should not be recorded. “But that’s a technological issue and sometimes it doesn’t work,” said Cassidy.
But Schwartz argues that the logging of attorney phone numbers provides a “recognition that there is attorney-client privilege” and that it is “incumbent on the government to follow through” in protecting that privilege. When attorneys learn that their calls have been recorded, it shakes the foundation of trust, inevitably impinging on their Sixth Amendment obligations. “Once people know there is trickery, there is a chilling of attorney-client communications – because how do you know it won’t happen again?” Schwartz asked.
Indeed, that is precisely the risk that Fathi sees arising from the breach of Securus’ database. “Going forward, prisoners will have very good cause to question whether their phone calls with their attorneys are confidential. And that undermines that very core and fundamental purpose of the attorney-client privilege, which is to allow persons consulting an attorney to give a full and frank account of their legal problem,” he said.
Still, challenging the recording could be tricky, says Cassidy, even if there is clear evidence of taped communications. If a call was recorded because the attorney or client failed to put a phone number on the do-not-record list, he says, then the state is off the hook – a prisoner can’t sue for damages, or seek to have his or her criminal charges dismissed (although the government would still be prohibited from listening to or using the content of the call). However, if one can “show a regular and systemic practice” of recording such calls, a case could be made that “the company is violating multiple prisoners’ Sixth Amendment rights,” which could have more of an impact, perhaps prompting systemwide reforms.
And Fathi believes a case could also be made that the recording and storing of non-attorney calls is unconstitutional. “Prisoners do retain some privacy rights and certainly people on the outside who just happen to be talking to prisoners retain privacy rights. And, again, the fact that you’re passively consenting that the call can be monitored for security purposes doesn’t mean you’re consenting to all conceivable uses of that recording for all time,” he said. “I think even with the non-attorney calls there may be a case to be made that this is just so spectacularly overbroad that it is unconstitutional.”
Indeed, Austin attorney Scott Smith believes that, at least in the nation’s jails – where the majority of prisoners are awaiting prosecution and have not yet been found guilty of anything – the blanket recording of phone calls should be stopped. If there are specific detainees worth monitoring, that can be accomplished in a far less intrusive manner, he said. “You can say safety mandates a reduction of civil liberties all the time. And that’s essentially the old debate – how much do you have civil liberties and how much do you need to get rid of them in order to be safe?”
Fathi agrees that the practice of recording detainee phone conversations should be reined in and limited. “It is another manifestation of the exponential growth of the surveillance state. Obviously that’s been noticed and commented upon in other contexts, but if we’re talking about [more than 70] million [calls], even if some of those are repeat calls between the same people, that’s a lot of people – including non-prisoners whose privacy has been compromised by a private company that is acting as an agent of the government,” he said.
Part II: Lawyers Speak Out About Massive Hack of Prisoners’ Phone Records
In the summer of 2013, Missouri criminal defense attorney Jennifer Bukowsky was preparing for an evidentiary hearing in the case of a pro bono client, Jessie McKim. The stakes were high: Along with his co-defendant, James Peavler, McKim had been convicted in 1999 of killing a woman named Wendy Wagnon and was serving life without parole at a maximum-security prison. At the upcoming hearing, Bukowsky planned to argue that her client was innocent – and that the murder that sent him to die in prison was never a murder at all.
McKim was convicted in part based on the testimony of a local medical examiner, who claimed that the presence of petechiae on a dead body – small spots on the skin or the whites of the eyes where capillaries have hemorrhaged – is proof that a person was suffocated. But a toxicology report – completed after Wagnon’s cause of death had already been determined as asphyxiation – revealed that Wagnon had lethal levels of methamphetamine in her system when she died. Among the witnesses Bukowsky planned to call at the hearing were five different pathologists who would testify that the state’s medical examiner was wrong when he claimed Wagnon was suffocated – and that evidence pointed to a meth overdose instead. (A sixth pathologist, retained as an expert by the state, also agreed that Wagnon died of an overdose, not of suffocation.)
“It was a really big time, and a crucial time, for his case,” Bukowsky recalls. As she prepped witnesses and decided who else should take the stand, she shared her strategy with McKim via lengthy phone calls – calls understood to be protected by attorney-client privilege. Unlike calls between prisoners and their family or acquaintances, which are routinely monitored, conversations with lawyers are not to be recorded. During these calls, says Bukowsky, “I’m telling him my concerns about calling this or that person – that is crucial information that should be private between us.”
The hearing took place in August 2013. The following spring, a circuit court judge ruled against McKim, upholding his conviction and saying that even if Wagnon was not suffocated, McKim and his co-defendant could have killed her another way – by intentionally forcing her to overdose on meth, a theory the state had never previously argued, for which there was no supporting evidence.
Bukowsky was confounded by the ruling, but remained undeterred – she is convinced of McKim’s innocence and knows from experience that in a system that favors finality, undoing an unjust conviction can be frustrating work. “It takes a lot of grit & it makes me angry,” she wrote in an email.
Last fall, Bukowsky received an unexpected phone call related to McKim’s case. The call came from The Intercept, following our November 11, 2015, report on a massive hack of Securus Technologies, a Texas-based prison telecommunications company that does business with the Missouri Department of Corrections. As we reported at the time, The Intercept received a massive database of more than 70 million call records belonging to Securus and coming from prison facilities that used the company’s so-called Secure Call Platform. Leaked via SecureDrop by a hacker who was concerned that Securus might be violating prisoners’ rights, the call records span a 2 1/2-year period beginning in late 2011 (the year Securus won its contract with the Missouri DOC) and ending in the spring of 2014.
Although Securus did not respond to repeated requests for comment for our November report, the company released a statement condemning the hack shortly after the story was published. Securus insisted there was “absolutely no evidence” that any attorney-client calls had been recorded “without the knowledge and consent” of the parties to each call.
The Intercept’s analysis, to the contrary, estimated that the hacked data included at least 14,000 records of conversations between prisoners and attorneys. In the wake of the story’s publication, we informed Bukowsky that her phone number had been found among the records and provided her a spreadsheet of the calls made to her office – including the name of the client and the date, time and duration of the calls. In turn, Bukowsky searched her case files for notes and other records, ultimately confirming that at least one call with McKim – which was prearranged with the Missouri DOC to be a private attorney call – was included in the data. The privileged call, more than 30 minutes long, was made at the height of Bukowsky’s preparations for McKim’s hearing. A unique recording URL accompanied each of Bukowsky’s calls included in the data, suggesting that audio had been recorded and stored for more than two years – and ultimately compromised by the unprecedented data breach.
The discovery was distressing. “I was in the thrust of litigating with the state attorney general’s office a very hotly disputed habeas petition, and I was acting under good faith that they were not recording,” she said. “And,” it appears, “they were.”
The ability of counsel and client to communicate confidentially is a cornerstone of the American legal system. The recording, monitoring or storage of such legally protected communications not only chills the attorney-client relationship, but may also run afoul of constitutional protections – including the right to effective assistance of counsel and access to the courts.
The mass recording of prisoner calls is itself a fairly recent practice, sold by private telecommunications companies, like Securus, to jails and prisons as a security measure – a way to thwart violent uprisings, for example, or curb the introduction of contraband into a facility. This bulk surveillance – the recording and long-term storage of millions and millions of routine communications – raises serious concerns about the privacy rights of incarcerated persons and their loved ones, says David Fathi, director of the ACLU’s National Prison Project. And indeed, while incarceration may compromise some individual rights, a detainee’s right to confidential communication with an attorney is not one that can be trampled by the state – or a private company. In criminal cases, the attorney-client privilege bars defense attorneys from disclosing, or prosecutors from using, any case-related information obtained in confidence. It is, says Fathi, “the oldest privilege of confidentiality known in our legal system.”
After The Intercept exposed the Securus hack, numerous defense attorneys contacted us to find out whether the database contained any of their call data. As we previously reported, the data contained 1.3 million unique telephone numbers; to determine if the 70 million call records contained attorney-client calls, we did a reverse lookup of each number, finding that at least 14,000 calls were made to attorneys. But because the reverse lookup was limited to a commercial directory, and because we searched only for business listings that included the words “attorney,” “law” or ”legal,” we concluded that we were likely missing thousands of additional calls – including those made to attorney cell phone numbers, which would not necessarily be listed in a commercial directory.
The attorneys who contacted The Intercept helped advance our investigation into the data by identifying additional phone numbers as belonging to lawyers, which were not previously included in our estimate. We have now identified at least 43,000 additional records of attorney-client communications – including both attempted and completed calls – contained within the hacked data. (But again, because the subsequent searches were done only for attorneys who reached out to The Intercept, we suspect there are still many more attorney-client call records not yet identified in the data.)
Among these additional records are more than 33,000 calls that detainees placed to lawyers working for Missouri’s state public defender office, and more than 1,000 made to the Midwest Innocence Project, which handles wrongful conviction cases in Missouri and four other states. That the hack contained so many calls to the MIP is distressing to the nonprofit’s executive director, Oliver Burnette. “It really gave us pause, and I think it can really hinder how we try to do business for the most vulnerable among us, those people ... who are in jail and may be innocent,” he said.
As with Bukowsky’s calls, some of these additional records correspond to phone conversations arranged with prison officials to be confidential attorney-client communications, which never should have been recorded.
After a detailed review of several specific fields contained within the hacked records, The Intercept has been able to narrow the geographical scope of the recorded calls, tracing all of the detainee call records to Missouri prison facilities. Although, as we previously reported, the database reflects calls to at least 37 states, the vast majority – 85 percent – were made to phone numbers in Missouri. An additional 5 percent were placed to numbers with Kansas and Illinois area codes – states that border Missouri’s largest cities, Kansas City and St. Louis. Each phone record includes the name of the prisoner making the call, an acronym for a location that maps to a correctional facility in Missouri, as well as an identification number that appears to correspond with Missouri DOC prisoner IDs. The records do not include the number from which each phone call originated.
For Bukowsky – who founded her eponymous firm in Columbia in 2010 – the potential for damage was vast. At the August 2013 hearing in McKim’s case, the state called to the stand a woman, Melissa McFarland, who was with Wagnon just before her death and then implicated McKim in that death, a circumstance Bukowsky would have discussed with McKim. “So for them to hear me – if they’re listening to me, which I don’t know if they did – but were they to, they would know all the different things that I’m saying to my client that I think are problems for McFarland that I’m going to cross-examine her on [and] they could then prep her accordingly.”
In an email response to The Intercept, a spokesperson for the Missouri attorney general said that its office did not have access or listen to any phone calls between Bukowsky and McKim.
Bukowsky notes that violating attorney-client confidentiality in the manner that appears to have happened – and could still be happening, whether in Missouri or any of the jurisdictions where Securus operates, which include 47 states and the District of Columbia, as well as Canada and Mexico – is just another way the odds are stacked in favor of the state in criminal prosecutions.
In our initial report, the ACLU’s Fathi described the hack as potentially representing the “most massive breach of the attorney-client privilege in modern U.S. history.” Upon learning The Intercept was able to confirm that the data included prearranged, privileged communications between lawyers and their clients, Fathi was even more troubled: “It’s very disturbing that calls that were explicitly set up as attorney-client calls were also recorded,” he said. “There’s no excuse for recording attorney-client calls, and there’s certainly no excuse for indefinitely retaining those recordings.”
Securus’ first public statement following our November report characterized the breach as an inside leak. In a subsequent press release on November 13, 2015, the company dropped the language about the hack being an inside job, declaring that it was “working on multiple fronts to fully investigate ... and to prevent future criminal attacks.” The company said it had hired a forensic data analysis firm to determine how the hack happened and “to confirm that it happened outside of the Securus network and systems.” Securus has not publicly released any additional information related to the breach, nor responded to our requests for additional information and comment for this story.
Securus previously contested The Intercept’s conclusions about the recording of potentially privileged calls. “While The Intercept reports that they matched call data from the stolen data with phone numbers attached to attorneys’ offices,” it said in its second release regarding the hack, “no evidence has been provided that any of these calls were actually recorded, and if so, whether any of them would actually constitute privileged communications,” In addition, Securus said that its calling systems contain “multiple safeguards to prevent attorney-client recordings from occurring,” and pointed out that “licensed attorneys are able to register their numbers or a specific call to exempt them from recording.”
Although specific procedures differ depending on the state or locality involved, it is commonly the responsibility of lawyers to verify and register their numbers with jail or prison officials – ostensibly to ensure that legal calls are not recorded or monitored.
“While it is possible that not all of these safeguards were followed by the callers in some cases,” the company continued, “we have seen no evidence to date of recorded calls that would fall under that category.”
But criminal defense lawyers in Missouri told The Intercept that, unlike other jurisdictions in which Securus provides inmate calling services, the Missouri DOC does not allow attorneys to provide individual phone numbers to the agency or to individual facilities for inclusion in a standing do-not-record list. In an email, Missouri DOC Communications Director David Owen said the DOC “respects the right of offenders to have privileged communications with their attorneys” and explained that in order to guarantee a call is private, “attorneys must demonstrate, in written form, they are a licensed attorney, and request to have a privileged telephone call with an incarcerated offender.” Once scheduled, such calls are “set to private,” he explained, adding that lawyers “must make this request every time they wish to have a privileged telephone conversation with an incarcerated offender.”
But, after reviewing call record information provided by The Intercept, five attorneys in Missouri confirmed that contained in the hacked data were calls that were prearranged with the DOC to be private communications. “How can a client feel safe sharing information with his attorney when he suspects that the opposing party is listening to the call? How can an attorney expect to share legal strategy with their client if she suspects the same?” asks Jennifer Merrigan, a defense attorney who has represented Missouri death row prisoners for more than a decade, including as a former staff attorney and director of the Death Penalty Litigation Clinic in Kansas City. “A critical foundation of trust and confidence in the process has been destroyed.”
“It’s a little bit disconcerting,” says Missouri criminal defense attorney Kent Gipson, who discovered three calls made to him by three different clients that he could confirm were set up in advance, through prison authorities, as privileged calls that were not to be recorded. Each call record he identified also contained a unique recording URL. At the same time, Gipson notes, the allegation that all calls, including attorney calls, are routinely recorded or monitored is not a new one among attorneys or prisoners. “Nothing much surprises me anymore,” he said.
After reviewing records found in the hacked data for calls made to public defender offices across Missouri, Michael Barrett, director of the Missouri State Public Defender System, said in an email that his office’s “initial finding” did not reveal any call records that match up with calls known to have been prearranged by system attorneys. “Not to say it didn’t happen,” he wrote, “just that we cannot identify a prearranged call that was recorded.”
But Barrett is among those The Intercept interviewed who suggest that the recording of any attorney-client communications can hinder the effectiveness of counsel. “Confidentiality is at the heart of what we do, and if a client feels as if what they say is being compromised, to whatever degree, he or she may not be sufficiently forthcoming with counsel so that the most effective defense can be presented on their behalf,” Barrett wrote. The best approach, he suggests, is to have a policy of never recording phone calls between lawyers and their clients. This would also mean “the risk of confidential information being leaked is zero.”
The MIP’s Burnette agrees, noting that there is no reason for clients to call except to talk about their cases – and any call in which representation is discussed should be considered privileged and thus not recorded, monitored, logged or stored. “I think that any time someone calls our office, it’s a legal call,” he says. “I mean, we’re not talking about the [Kansas City] Chiefs game.” That is “not their concern when they call us. They’re trying to go into issues on their case.”
Tricia Bushnell, the MIP’s legal director, said that while review of the call data is not yet complete, so far she has been able to locate within the records The Intercept provided three calls that were prearranged in the manner the Missouri DOC has said is required.
Still, that may not necessarily reflect the true number of calls within the data that were intended to be privileged – indeed, despite the Missouri DOC’s insistence that only prearranged calls would be considered privileged, one Missouri attorney told The Intercept that policies governing how attorney-client calls are handled vary from facility to facility within the system, which makes it difficult to determine exactly how many privileged call records are contained within the leaked data.
“Every place is different,” Burnette agrees. “Perhaps that’s part of the problem, is that there’s no standardization.” But Burnette says the volume of legal calls included in the hack suggests that the Securus-Missouri DOC call system simply doesn’t work – and isn’t meeting its duty to protect prisoner rights. “Neither of those organizations are above the law afforded to everyone,” he says.
In response to a list of additional questions The Intercept emailed to the Missouri DOC, a spokesperson reiterated the agency’s initial response – that privileged calls must be prearranged – but added a caveat: “If a requested private call goes past its scheduled time that has been entered into the vendor software, the telephone software system will begin recording the call. At this time, the users will be [given] a notification that the call is being recorded.”
After The Intercept reported on the Securus hack, the company said there was no evidence that any confidential attorney-client calls were actually recorded. However, the hacker had provided The Intercept with several audio files – recordings of actual conversations – that had been downloaded by clicking on the recording URLs within the call records, leading us to draw the logical inference that the other live links were also connected to audio files. Subsequently, Securus appears to have moved the more than 70 million calls in question to a new server, severing further access to the audio files through the links in the data.
Even if an audio file was not available for each of the calls identified by lawyers as confidential, the collection of metadata on those calls is a problem, says the ACLU’s Fathi. The database includes names and locations for individual detainees, the date, time and duration of their calls, as well as the number called and data that appears to indicate how the call was paid for. “You can imagine all kinds of cases where the metadata would itself reveal confidential information,” says Fathi.
Burnette agrees that even collecting metadata on attorney-client calls is concerning. “We’ve talked about this on calls for private citizens – we know what they can glean from metadata,” he said. “We know the danger of it – and the value of it. If it wasn’t a valuable resource, there wouldn’t be Google, right? [With] metadata they know a lot about us.”
Take, for example, calls made by detainees to prosecutors – of which we found numerous examples within the data, including calls placed to a U.S. Attorney’s office in Missouri. “The disclosure that a prisoner called a prosecutor’s office could potentially put that prisoner in very great danger,” Fathi points out. “If the prisoner were to be, rightly or wrongly, labeled a snitch or informant that could have very serious, and indeed, lethal consequences for the prisoner.”
Among prisoners, it is an open secret in Missouri (and, indeed, throughout the criminal justice system) that calls intended to be confidential are monitored and/or recorded by the state. Defense attorney Gipson says that “a lot” of his clients suspect that all of their calls are monitored and/or recorded – despite official assurances to the contrary. “They think that even though it’s supposed to be a confidential call, they put [attorney calls] on a line that can be monitored – and then do, I think.”
One woman whose husband is housed in a Missouri prison told The Intercept that he and his fellow prisoners consider it common knowledge that all calls – including privileged communications – are monitored and recorded. According to her husband, she said, at least one fellow prisoner related that, while in a court proceeding, prosecutors demonstrated knowledge of information they couldn’t possibly have obtained without being privy to communications between the man and his attorney.
This isn’t an isolated allegation: In Austin, Texas, a federal lawsuit alleging that privileged calls have been recorded by Securus in the county’s jail facilities is currently pending against the company. The lawsuit claims that lawyers there have received copies of their privileged conversations from prosecutors during the evidence discovery process. [PLN Ed. Note: The suit has since been settled, and will be reported in a future issue of PLN.]
The Missouri prisoner’s wife also said that it wasn’t until December 14, 2015 – more than a month after our initial story was published, but just days after we emailed the DOC a series of questions for this story – that prison officials informed her husband and other prisoners of the hack, telling them only that “the system was breached and everyone needed a new PIN” in order to place calls. The Intercept obtained a copy of the letter prison officials provided to prisoners, which says that the data hacked was “historical call detail records” and did not include any compromising information, such as credit card information or Social Security numbers. Moreover, the letter reiterated Securus’ previous press statements regarding the hack, insisting that there is “no evidence” that attorney-client calls were recorded. “The system has been verified and is working properly,” the letter reads.
The breach of Securus’ data in Missouri suggests something larger not only about the mass recording and storage of prisoner calls but also about the perils of privatizing core state responsibilities – as is often the case in corrections, where health care, food service, phone service and even some prison facilities have been privatized.
“These are ... services for a population that has very little political power,” said Fathi. “So there’s not really a lot of care being put into oversight and monitoring and making sure that this service is being provided correctly,” he continued. “It continues to be incredible [to me] the sheer scale of what has happened here ... and I think it shows what happens when technological advances and lax oversight come together to produce a bad result of very large proportions.”
In fact, the scale of recording and storage of prisoner calls by Securus – as well as by its competitors, including industry leader Global Tel*Link – is infinitely larger than represented by the hacked data leaked to The Intercept. As of 2012, Securus alone was processing more than 1 million calls per day, from 1,700 facilities serving 850,000 detainees. According to company data provided to International Business Times, which ran a friendly profile of Securus CEO Rick Smith, the company has now grown to serve more than 1.2 million prisoners in 3,450 facilities. The article did not include data on how many calls are currently processed each day, though logic would dictate that the call volume has increased in proportion to the company’s expanded reach, from significantly less than 1 million detainees in fewer than 2,000 facilities three years ago to 1.2 million across 3,450 facilities today.
And there is no reason to think that thousands of attorney-client calls, including clearly privileged communications, were improperly recorded only in Missouri and only over a 2 1/2-year period. “Absolutely,” says Fathi. “I am 100 percent certain that this is just the tip of the iceberg.”
• • •
Update: On November 12, 2015, after this story was published, Securus provided the following statement:
“Securus is contacting law enforcement agencies in the investigation into media reports that prisoner call records were leaked online. Although this investigation is ongoing, we have seen no evidence that records were shared as a result of a technology breach or hack into our systems. Instead, at this preliminary stage, evidence suggests that an individual or individuals with authorized access to a limited set of records may have used that access to inappropriately share those records.
“We will fully support law enforcement in prosecution of any individuals found to have illegally shared information in this case. Data security is critically important to the law enforcement and criminal justice organizations that we serve, and we implement extensive measures to help ensure that all data is protected from both digital and physical breaches.
“It is very important to note that we have found absolutely no evidence of attorney-client calls that were recorded without the knowledge and consent of those parties. Our calling systems include multiple safeguards to prevent this from occurring. Attorneys are able to register their numbers to exempt them from the recording that is standard for other inmate calls. Those attorneys who did not register their numbers would also hear a warning about recording prior to the beginning of each call, requiring active acceptance.
“We are coordinating with law enforcement and we will provide updates as this investigation progresses.”
This article was published by The Intercept (www.theintercept.com) in two parts, on November 11, 2015 and February 12, 2016. It is reprinted with permission, with minor edits.