Addressing Judiciary Online Security Vulnerabilities

The Problem—Increased Risk Due to Online Vulnerabilities

Forced prominence of the judiciary in the news and on social media sites by outside influencers has amplified public perception of the judiciary as policymakers, not interpreters of the law. This, combined with the increased political polarization nationwide on specific issues, has made all judges and judiciary executives more frequent targets for online invective and potential threats. Exacerbating this is the increased vulnerability of judges and employees when located outside of their court’s facilities and offices because of the prevalence of their personally identifiable information (PII) appearing and being accessible on the Internet. Specifically, the Internet has made information such as home addresses, social security numbers, personal emails, and financial information easily available to potential threat actors, increasing the vulnerability of judges and judiciary staff to anything from physical attack to doxing and identity theft. This Article aims to discuss programs that can be used to reduce the frequency of judges’ PII appearing online.

A Comprehensive Solution—Legislation, Monitoring, and Redaction

Programs that deliver PII Reduction and Redaction and Vulnerability Management capabilities, such as those outlined in the Daniel Anderl Judicial Security and Privacy Act of 2021, can assist with addressing these vulnerabilities. To separate and define these terms: PII Reduction and Redaction involves efforts to identify and redact or remove PII that can be used to physically or financially harm an individual or allow a threat actor access to information that could be used to compromise other sensitive systems. Vulnerability Management, on the other hand, entails efforts by a protecting agency to enhance its collaboration with enforcement agencies regarding PII found online to share potential threats, online sites promulgating protected PII, and protective measures and vulnerability reduction efforts. It is important to note, however, that to maintain efficacy of these programs, the objectives should be clearly delineated and narrowly focused. For example, a clear and narrow objective includes identifying online vulnerabilities of security programs designated for protectees and lowering their exposure through a multi-pronged approach. If the scope and scale of these efforts are too expansive, implementing agencies risk straying into the attempted or actual removal of First Amendment protected speech, leading to constitutional challenges to enacted legislation designed to protect judges and other personnel.

In review, data privacy and security programs designed to reduce online vulnerabilities of judges and employees have three components: 1) the implementing legislation; 2) specific reference to the PII to be protected through reduction and redaction efforts; and 3) clearly delineated processes to ensure collaboration with associated enforcement agencies. These components should share a few narrowly focused objectives:

  • An assessment of state data privacy laws to ensure clearly defined, narrowly tailored legislation concerning PII and the associated “online presence” locations that create the vulnerability.
  • An assessment of local and state public records agencies to ensure clear-cut and efficient processes to redact specific PII from publicly facing, searchable databases such as tax records, property records, and voter registration records.
  • Development and implementation of clearly defined and narrowly tailored criteria for the monitoring of the open-web, deep/dark-web, social media, data broker, and public records holder sites to identify the release of any protected PII.
  • Development of redaction processes for legislatively approved PII that include means to address all data types and from all possible sources (e.g., data brokers, open web, deep/dark web, social media, and public records).
  • Legislatively empowered methods to legally seek the redaction of PII from these sources if the underlying persons, businesses, associations, or public agencies fail to respond to individual or collective requests from the judiciary for redaction once the protected information has been identified as being publicly accessible.
  • Anonymous, secure web browsing and email alternatives for judges and other protected judicial personnel to further reduce the risk of accidental or malicious exposure of protected PII.

In terms of scoping of the objectives, I would offer the following points:

  • Clear exceptions within data privacy laws are needed to prevent conflict with other legal or constitutionally protected requirements, such as reporting, 911 and 411 services, banking and financial transactions, health insurance and medical care, etc.
  • Searching by members of the judiciary and related personnel for the unauthorized release of PII amongst the potential data sources needs to cast a narrow net. Those searching should not stray into active threat detection or the investigation of other criminal activity. Identification and investigation into threats and criminal activity needs to be left to appropriate law enforcement agencies, so as not to create a conflict of interest should a case be filed arising from the unauthorized release of PII. Any potential threat identified during monitoring should be immediately forwarded to the proper enforcement agency, and the individual should not “dig” deeper into online investigative details of the specific post.

Lastly, the following personnel, experts, and features should be included as part of any program implementation to maximize the effectiveness of the program’s delivery:

  • Trained online intelligence specialists with a background in law enforcement.
  • Trained data privacy specialists, with a background and understanding of data privacy and the corresponding legal landscape.
  • Legal professionals well-versed in data privacy and, to a small extent, lobbying, to engage and build coalitions with local and state public records agencies, data broker sites, and other web platforms and site owners that are responsible for promulgating PII.
  • Secure Infrastructure and Software as a Service (IaaS [1] and SaaS [2]) solutions designed to facilitate the identification and, for data broker sites, redaction of allowable personal information.
  • Secure and anonymous web browsing and file downloading capability for specialists.
  • Secure means to collect and store protected PII.

Potential Alternatives—Efficacy Versus Cost

Alternatives to implementing a full program require a “partial versus full” implementation scaling discussion to identify the priorities and elements to implement and to what extent. In terms of scaling, this can range from the lowest level of implementation, potentially just a commercial off-the-shelf third-party data broker removal service, to the highest, inclusive of all the elements previously mentioned. When determining the proper coverage scale for your specific program, it is important to note that there are no “single solution” services capable of addressing all protected PII found online. When evaluating solutions and trying to properly scale the number and type of services to implement, it is important to consider the full range of data types and sources, and which ones are your priority. No matter the scale of the services, 100% removal of all protected PII is not feasible. This is due to a variety of factors, but the effort should always be marketed as a constant assessment and re-engagement process, with re-postings of PII expected. Because of this, there will also always be a need for human intervention, support, and review, as fully automated solutions and services will not yet achieve any minimum removal requirements. Specific data type coverage and service options, ordered from lowest program efficacy and cost to highest program efficacy and cost, are:

  • Data broker only—third-party service provider option only.
  • Data broker, open web, and social media (identification and redaction only, no legal engagement component with persons, businesses, and association site owners)—a combination of third-party service providers and direct staff support comprised of data privacy and online intelligence analysts.
  • Data broker, open web, and social media (identification and redaction, legal engagement, coalition building amongst affiliated persons, businesses, and association site owners)—a combination of third-party service providers, and direct staff support comprised of data privacy, online intelligence analysts, and legal expertise.

Implementation Challenges of Judiciary PII Reduction and Redaction Programs

Dovetailing the previous commentary into this topic, program challenges—all of which are underpinned by general funding challenges—center on legal authority, jurisdictional make-up of a state, and supportable program scaling. Adequate funding is an overarching challenge to the proper implementation of PII reduction and redaction software and services. Funding for security is usually focused on the provision of physical security for a courthouse, and the ability to obtain funds specific to judiciary online data privacy initiatives can be somewhat limited and difficult. Compounding this is the fact that funding may also be needed by local and state agencies to implement complementary support services, which can entail additional staff, modification of current systems, or a combination of both to ensure successful implementation.

While the use of a third-party data broker removal service is relatively inexpensive and does not hinge on any specific legal authority, the sole use of such a service provides extremely limited protection. In the grand scheme of data types, data broker information comprises a small percentage of the available PII data, and that data will continue to repopulate if underlying data sources, such as open public records and social media, are not addressed. In essence, this is a lower-cost option for continuous identification and removal from a subset of sites that have a high potential to frustrate the intended protectees, as their data seemingly “goes away and then comes back again” on a quarterly or even more frequent basis. Some data brokers and other site owners also have indicated preferences to deal with an agency or individual directly for redaction requests, not a third-party vendor, and have refused to redact data from their sites until their “proper level of engagement” criteria are satisfied. Lastly, while some of these services market their product(s) as being capable of removing 100% of protected PII while also addressing PII contained in and held by local and state agency databases, such marketing is inherently flawed. This is because it is nearly impossible to redact 100% of a person’s PII found online, along with the fact that redaction from state and county sites/records is dependent upon underlying legal authorities, not a commercial vendor’s request. This is especially important to recognize because, like any other competitive business arena, there are robust advertising and sales efforts underway in this market space. Purchasers of these services need to approach conversations with vendors from a well-researched and informed perspective.

Legal authority is another persistent challenge to implementation, one that is comprised of multiple parts. First is the question of “what” and “who” is covered within the judiciary. In terms of “what,” we gauge the strength of the coverage on the specific information and locations covered, with anything that can specifically tie a person to a physical address or point-in-time location being the highest priority. As to the “who,” the focus is often limited to judges, though we find in a judiciary setting that Clerks of Court and other judiciary staff may be just as vulnerable. Secondly, there is the question of legal supremacy when a statute is passed. Most statutes fail to address this issue in terms of precedence over other existing statutes, such as state open data statutes and laws, or in terms of jurisdictional supremacy. The latter, jurisdictional issues, can be the most complicated, especially from a federal to state, or state to county, type of interaction, giving underlying jurisdictions no compelling reason to support the effort. This can lead to an inability to apply the statute, or to its uneven application, leading to a complete failure to achieve the desired outcome.

There is also the challenge of data access and data security. Addressing access first, achieving maximum efficacy within a program such as this requires access by trusted agents to protectee PII. The information is used both to refine open-source intelligence search functions and to validate information found in order to pursue specific redactions. That being the case, the secondary challenge after overcoming the accessibility of the information is its security. This is a multi-faceted concern beginning with the implementation of proper access controls to ensure limited and traceable accessibility by trusted personnel. Other security challenges involve issues such as secure storage of bulk PII of protectees, and a repeatable, sustainable means of secure transmission of PII, involving pathways from protectee to program team and, potentially, program team to a person, business, or association when requesting specific redaction actions. In an ideal end state, some of the transmission security concerns would be mitigated by developing secure means to provide third-party vendors and cleared individuals direct and limited access to specific data elements based upon need, avoiding transmission and storage of such information to and from multiple IT environments.

Lastly, the issue of consensus across not only government agencies but also data and information brokers and providers is perhaps the biggest challenge. Beginning with agencies, these programs are only slightly effective if the primary data-holding agencies are not a part of an informed and agreeable coalition supportive of the efforts. This holds true at the data broker, person, business, and association level as well. As previously mentioned, some of these entities are resistant to dealing with third-party redaction service vendors, but are open to direct interaction with the underlying agency or the affected individual. Additionally, some of the businesses represent multiple data broker sites, and developing and maintaining a partnership can achieve redaction of protected PII from a group of sites based on a singular request. A piece of this is also the development, with consensus from all groups, of sustainable, long-term practices that keep protected PII from repopulating, by providing updates on changes to protectee information throughout the program’s lifecycle.

Cost and Sources of Funding

While it’s impossible to assign a cost that would be consistent across all facets of the judiciary, there are some general costing strategies. As with any program, costs should be tied to specific deliverables. A cost map of a full program implementation such as this will generally show that a larger portion of available funds is going to supporting labor and SaaS and IaaS servicing functions, such as third-party data broker removal and open-source intelligence services, with the majority going towards labor. I include labor because there is a large time investment required in reviewing assessments of a protectee’s online exposure, building and discussing tailored mitigation strategies to reduce the specific vulnerabilities found, and providing some modicum of individual training concerning safe web browsing practices, the use of secure email services, and the safe and secure use of electronic devices. This is in addition to the time needed to build and maintain the partnerships and coalitions needed to support effective program implementation.

As to sources of funding, that is a very fluid conversation. States generally have limited funds for initiatives such as this, meaning that direct funding may only be, at best, a partial funding solution. A full funding strategy most likely will need to include a combination of direct funding, grant funding, and funding pursued through various court partnerships. While identifying and securing new funding can be cumbersome, it is imperative to assure long-term programmatic success. As a recommended action, judiciary program implementers should include, within their staff, a well-qualified grants management position, especially as the landscape of available grants is ever changing. Additionally, for state and local judiciary entities, the State Justice Institute online funding toolkit can serve as an aid in locating and obtaining available funds.

Measuring Program Success—Qualitatively Telling Your Story to Increase Support

Measuring and telling your program’s successes is critical to justifying continuing funding and other programmatic resources. As data privacy programs are being developed, a discussion should be had on viable metrics, to include how the metric itself will contribute to tying workload to results and measuring efficacy. Typically, data privacy program metrics, following a pathway from program inception to program maturation, begin with enrollment and reporting metrics, gravitate to include numbers of redactions accomplished and mitigation engagements conducted, and grow to include metrics on program efficacy (i.e., does the program reduce online vulnerabilities).

The first iteration of metrics, program enrollment, should be designed to capture not only the straight-line enrollment into the program, but also the amount of up-front program engagement and training that was conducted to support securing critical security coverage for protected individuals. In part, the metrics should illustrate the rapidity with which the team moved to accomplish a target goal, such as 75% enrollment of all protectees within the first six months of procurement. Additionally, there should be a qualifiable metric, paired with enrollment, that illustrates that the enrollment engagement was also used to impart some initial data privacy training and best practices. Combined, this establishes a baseline for both action and initial knowledge transfer, from which additional protection actions can grow.

Second-tier metrics, which generally should begin to be utilized after three months of initial enrollment and data broker removal coverage, include personalized mitigation strategies developed, the amount of PII redacted per protected individual overall, and continued training and education initiatives. The quickest, easiest capture of redaction data would be from whichever third-party data broker removal service the program is utilizing. There should, if applicable, also be inclusion of any redaction work performed outside of the removal service, such as state public record redactions or redactions accomplished through direct conversation with other people, businesses, and associations. Qualitative measurement should also capture the source where the PII data was found (e.g., data broker websites, public records held by government agencies). Tracking this information is crucial for understanding everyone’s online vulnerabilities and developing personalized mitigation strategies. Such strategies include appropriate education and training regarding measures they can implement on their own. In addition to quantifying the number of successful redactions, speaking to the reporting and education aspects, a workflow metric should be established to capture the number of engagements, “time-on-task,” and specific positive outcomes of the engagement (e.g., additional redactions, protectee behavior influence concerning personal practices, etc.). The goal of the second-tier metrics is to quickly tie enrollment to outcomes.

The final recommended set of metrics is a designed, qualitative approach towards measuring program efficacy through the capture of individuals’ online vulnerabilities over time. These metrics should be time-stamped and reflect, at a minimum, how much and what PII is discoverable; where it is discoverable; whether previous mitigation efforts have been fully implemented; and, if so, whether such efforts failed to prevent the reposting of the same PII. Most of the data needed to complete this would be collected in the second-tier approach. For example, after two years of full program implementation, the collected data should demonstrate how the program successfully reduced an individual’s online vulnerability when compared year to year. You will also be able to do a comprehensive data roll-up using this information to illustrate the totality of judiciary vulnerability management that has been accomplished through the program implementation. This is crucial to understanding not only program successes, but shortfalls as well, and where to focus future efforts.

Conclusions

Reducing vulnerabilities associated with the publicly available PII of judiciary protectees is a critical part of any physical security program, as judiciary protectees are at their most vulnerable when outside the physical courthouse. However, challenges with the redaction of judiciary PII in both private and public online systems will continue to exist due to the complexities of the data broker industry, the landscape surrounding state data-privacy laws, evolving technologies, the continued promulgation of protected PII by private parties online, and national data breaches. Countering judicial online vulnerabilities through PII reduction and redaction efforts must not be limited to those issues but also include methods and means to dynamically address the continuous changes in adversarial tactics, techniques, and procedures employed by bad actors. To further refine program implementation efforts within agencies, automation technologies need to be developed to increase program efficacy and move from “point-in-time” analysis to continuous monitoring and identification of PII that results in personal vulnerabilities. This should be paired with a programmed workflow response to more quickly mitigate the impacts of the PII releases, preferably before additional bad actors can capture the release of protected PII and further promulgate it online.

Successful PII Reduction and Redaction Programs need to be built using a tiered approach to both illustrate quick programmatic gains (i.e., enrollment and initial redaction) and create a forecasted, programmable cost escalation to full program implementation over time. This allows for a more scalable and manageable approach to researching and finding adequate funding. Using this approach, it is extremely important that the program metrics showcase the “wins” and emphasize the value added by all the program components. Within the funding, it is also imperative that funding and resourcing strategies include means for public partner agencies to adjust their critical systems and processes to support the PII program goals and objectives. Adequate resourcing for both the PII program and the public record agency support over time ensures PII program success, and the assistance to various agencies with a means to address potential resourcing shortfalls can only increase the potential for their acceptance of the PII program efforts. Outside of the funding discussion, using a tiered approach will allow these supporting agencies time, and clear future milestones, to make any necessary system or process adjustments.

Building a successful approach that starts small and gains momentum and executive leadership buy-in over time, through clear demonstration of programmatic value to a systematic judiciary security approach, will ensure the future safety of judiciary components across the country. As this online landscape continues to evolve, the PII programs will also feed more initial information into partner agencies responsible for enforcement, increasing the potential for earlier threat detection. As a final thought, the approach put forth in this article has been tested in the federal judiciary and has resulted, over the course of multiple years, in a program that has now matured to the point of internally standardized processes and procedures, and has a growing external partner outreach and sharing component. While there will be some evolution in terms of tactics and techniques within the federal program, it can honestly be said that stabilization, in both cost and program scope, has occurred, and the program is, at the time of this article, in the final development stage of measuring efficacy. It’s hoped that as other agencies develop similar program efforts, a national group can be formed to periodically meet and discuss them, share best practices, and continue to improve support to judicial security nationwide.


ABOUT THE AUTHOR

Kyle Yoder is the chief of the Threat Management Branch in the Judiciary Security Division at the Administrative Office of the U.S. Courts. With 32 years of experience, he is a seasoned security and emergency management professional specializing in intelligence and analysis, emergency management, law enforcement, crisis planning, counter-terrorism, force protection, and hazardous materials response.


  1. Infrastructure as a Service, which offers on-demand access to virtual computer resources like servers, storage, and networking.
  2. Software as a Service, which means providing ready-to-use software applications over the Internet.