By Chuck Strouse
By Scott Fishman
By Terrence McCoy
By Ryan Yousefi
By Ciara LaVelle, Kat Bein, Carolina Del Busto, and Liz Tracy
By Pepe Billete
By Ryan Yousefi
By Kyle Swenson
Get ready to see your local justice system spirited away over the next few years, thanks to a flaw in a brave new computer imaging system that Miami-Dade County is using to scan and file court records. "The SPIRIT system is not adequately secured or protected to ensure the reliability and accuracy of record keeping and judges' rulings," eight senior programmers who maintain the system wrote in a May 28 e-mail sent to three county judges, the county manager, and the Miami-Dade mayor. "Records can be easily tampered with practically by anyone working in this system without any reliable audit trail." The fatal flaw: SPIRIT requires everyone using it to enter the exact same ID and password to access the image database. In their memo, the eight programmers, who are all county employees, said their bosses, who are private consultants, had ignored their security concerns for four years.
Currently SPIRIT, which stands for Simultaneous Paperless Image Retrieval Information Technology, is being used only for traffic court filings, but the plan is to put the entire county court system's records on it one day. The project has been in the works since the early Nineties. SPIRIT sources estimate it has already cost at least $20 million. Accenture, the former subsidiary of Andersen Consulting (Enron's now defunct accounting firm) that designed SPIRIT and remains a project consultant, is hoping to take it to other cutting-edge municipalities across the country. But a few glitches need to be eliminated before SPIRIT takes the nation by storm.
For example: "You could wipe out all the records and there would basically be no trace that you did it," warns Johnny Hoben, one of the eight programmers, all employees at the county's Enterprise Technology Service Department. Right now at least 240 people "could access the database directly and mess around with the data," he notes. About 200 of them are data-entry types who toil in the Richard E. Gerstein Justice Building; about 40 others are stationed at several smaller courthouses in Miami-Dade. A gaggle of private consultants who've left the project could also have the ID and password in their heads.
Every day clerks scan citations into the SPIRIT system by the dozen. Each image is indexed with a case number. There are currently about 17 million such images on file. To retrieve an image, you need the number. "If you delete that index number, you no longer have any reference to the image and it basically disappears from the system," Hoben says. The scanned image of your DUI, reckless driving, or speeding violation will be on SPIRIT's platter (like a big DVD), but it may as well not be. The hard copy of your citation could still be in a box in a storage room somewhere, but even you may not recall that it exists.
A more creative tamperer could open up an image in Adobe Photoshop, says Byron Jones, another of the county's concerned senior programmers. "You could change it from, say, a DUI, where you're going to lose your license and maybe go to jail, to something like careless driving, where you might get three points or six points on your license," Jones submits. "Right now there are only three or four people on the project with the technical experience to do something like that, and I'm one of them. But that's the whole point. The system should never be designed so you have to trust anyone. You shouldn't have to trust me to be ethical as a programmer. There should be enough checks and balances and so forth to make it so that even I can't do that sort of thing."
So why not issue individual IDs and passwords? Because Accenture, the consulting firm responsible for SPIRIT, wrote the program to have only a single ID and password. "It's hard-coded into the application. You'd have to rewrite it. That's the problem," Hoben adds. That job could take a year and add hundreds of thousands of dollars to an already expensive project.
Tom James, chief information officer for the Miami-Dade Clerk of the Courts, disagrees with the programmers. "This is the way most systems are built. It's nothing unusual. They would hold us to a higher standard than any other system," he insists. "We believe the system is secure. We believe that we ought to have trustworthy people running it. And we believe we do for the most part."
James calls the security issues "minimal," but acknowledges that he is now taking steps to address them. So what took so long? "We have to prioritize and we have to assess what the risks are," he declares. "And in our judgement the types of risks that they're talking about are so improbable that we didn't feel like it was all that important."
Fanatic FolliesThanks to further advancements in Atlantic Broadband's ongoing commitment to incompetence, Miami Beach subscribers will soon find themselves without the Independent Film Channel. The IFC, which is dedicated to alternative, art-house, sometimes low-budget cinema (its devotion to Donnie Darko is largely responsible for the cult hit's emergence and rerelease as a mainstream hit), will be dropped from the cable provider's roster of channels this week. This is not good news to South Beach resident and film buff Peter Nellhaus,though Nellhaus has mixed feelings about IFC owing to his dashed dreams of minor game-show fame.