Guest Blog: A Look Back at the Ransomware Attack on Baltimore City Government Using the NIST Framework Core Five Functions

DISCLAIMER FOR GUEST BLOGS: The views below reflect those of the author alone, and do not necessarily represent the views of the University of Maryland Center for Health and Homeland Security nor its employees. 

By Guest Blogger Christopher Van De Verg

Chris is a cybersecurity expert and a principal at Van de Verg Law Office, LLC, in Baltimore, Maryland. He previously served as General Counsel to Annapolis-based communications service provider CoreTel from 1999-2017. He is a Spring 2019 graduate of the University of Maryland Francis King Carey Law School Masters of Science in Law (MSL) program in cybersecurity. Previously, Chris graduated from the University of Virginia with a B.A. (With Distinction) in History in 1993, and from the University of Maryland School of Law with a J.D. in 1996.

Five months removed from the initial discovery of a ransomware attack on Baltimore City government networks,[i] now is an opportune time to evaluate the event in its entirety, from the initial response through the arduous recovery process. That process recently reached a milestone as water bills (covering three months of usage) finally went out to City residents for the first time since the attack began.[ii] The NIST Framework Core, the preeminent framework for cybersecurity analysis and planning, provides a useful template for evaluating the City’s handling of the attack. Using the Framework’s five logical functions helps us analyze a significant breach such as the ransomware attack on Baltimore through an objective lens and minimizes opportunities for broad generalizations and unfounded conclusions.

According to the NIST Framework, “[f]unctions organize basic cybersecurity activities at their highest level. These Functions are Identify, Protect, Detect, Respond, and Recover. They aid an organization in expressing its management of cybersecurity risk by organizing information, enabling risk management decisions, addressing threats, and improving by learning from previous activities.”[iii]

Although the five functions are usually thought of as a cycle of interconnected competencies, the Identify function logically comes first in any organized analysis.

Identify – Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

The activities in the Identify Function are foundational for effective use of the Framework. Understanding the business context, the resources that support critical functions, and the related cybersecurity risks enables an organization to focus and prioritize its efforts, consistent with its risk management strategy and business needs.[iv]

In a nutshell, Identify means for an organization to be self-aware: of its assets, its internal governance structure and the threat environment surrounding it. There is evidence that the City did identify existing cybersecurity risks, at least at the organizational level. Prior to the March attack, the Baltimore City Information Technology (“BCIT”) Five Year Plan identified the City’s “current decentralized model” as a recurring problem, and highlighted “the continued risk to the city if certain IT functions are not centralized” including “[c]ontinued inability to provide expertise, quality assurance and quality control at the department level for cyber security, DevOps, data integration and data collection.”[v] While this observation is admittedly broad, it does indicate that BCIT leadership was aware that the City’s cybersecurity was compromised by piecemeal networks and lack of centralized control.

The City also identified more specific risks at the information system level, including an aging email system, stalled firewall upgrades, an inability to install software upgrades in a timely or efficient manner and a lack of physical redundancy on key fiber routes.[vi]  Whether the City identified ransomware as a risk is unclear. But the City’s response to the attack did reveal that it was capable of separately accounting for diverse online and data systems and their respective security statuses. For example, the City was able to quickly quarantine non-essential services to prevent the ransomware-initiated encryption from spreading.[vii] At the same time, the City continued to provide critical services such as 911,[viii] apparently without fear that the data and networks underlying those services were or would become compromised.

Overall the City deserves credit for identifying existing issues within its aging infrastructure, even if it proved unable to remedy those issues in time.

Protect – Develop and implement appropriate safeguards to ensure delivery of critical


The Protect Function supports the ability to limit or contain the impact of a potential cybersecurity event.[ix]

Whether the City’s efforts demonstrate adequate Protect capability depends in part on the definition of “critical services”. While the Framework does not define that term, it does define the related term “[c]ritical infrastructure” as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”[x]

Adapting this definition of “critical” to the local government context, the City was able to maintain delivery of critical services throughout the attack and its aftermath. Perhaps because of the decentralized nature of the City’s IT systems, its police, fire and emergency services remained operational, although the City-wide email outage appears to have impacted these agencies.[xi] Whether by design or chance, the damage was limited to systems that did not directly implicate health, safety or human welfare. Nevertheless, the impact on non-essential services was extensive and caused extreme inconvenience for hundreds of thousands of City residents as well as people doing business in and around the City. Salient examples include:

  • City government email: The entire email system was disabled beginning May 7 and recovery continued agency-by-agency through the middle of June.[xii] City agencies began to create Gmail accounts although Google algorithms briefly shut them down over security concerns.[xiii] The email outages, transition to Gmail and restoration of City servers presumably handicapped City agencies’ ability to communicate with constituents and deliver services.
  • Online revenue collection. From May 7 through the end of June, systems that collect online payments for property taxes, vehicle citations, permit fees and other taxes were disabled.[xiv] As a result, City residents were unable to make payments on time and the City itself lost $8 million in lost or delayed revenue.[xv]
  • Real estate transactions. Real estate professionals were unable to access online property records relating to existing liens, new deed recordation and outstanding water bills, which prevented City property sales from closing beginning May 10.[xvi] The City implemented a manual workaround on May 20.[xvii] For ten days, no real estate transaction involving a City property could close and for an unspecified subsequent period, purchasers were obliged to visit a downtown City office building to obtain lien certificates which were normally available online.

Ultimately the City’s efforts to Protect were mixed at best. Whether the City deserves credit for protecting critical services is debatable. However, its failure to protect non-essential systems and services was clear and comprehensive in scope and impact.

Detect – Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

The Detect Function enables timely discovery of cybersecurity events.[xviii]

Detect is an overlooked but crucial function. The amount of time between when an initial breach occurs and when that breach is detected dictates the amount of damage the attack is capable of perpetrating. Nothing in any public report suggests the City ever detected the ransomware attack. Rather, it was the attackers themselves who revealed what had happened, when they made their ransom demand. While we don’t know everything the City and the FBI now know about how the attack unfolded, it is reasonable to assume that the City’s systems (or one of them) were initially compromised by a phishing attack: something as simple as a single City employee, contractor or even guest clicking on a single malware download link. Similarly, we don’t know whether the City had policies, practices and software in place to detect unauthorized or unusual activity (the attackers claimed to have scoped out City networks “for days” prior to the attack).[xix] If it did have systems in place, those systems failed to detect this attack in time to prevent it. If it did not, the City should invest more resources into the Detect function.

Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

The Respond Function supports the ability to contain the impact of a potential cybersecurity incident.[xx]

The City’s Response plan was to shut down most or all non-essential IT systems, isolate and decontaminate each one separately, then bring each one back online once thoroughly cleared of malware.[xxi] The City also appears to have maintained backups of at least some of the affected systems, presumably with the intent of using them to minimize downtime and maximize recovery.[xxii] So far, so good. However, in real time both tactics failed to achieve desired outcomes.

Although shutting down systems may have saved some data from ransomware encryption, it nevertheless had a similar impact to encryption in that it disabled City operations and services, at least until the City deemed it safe to return them to an active state. As for those backups, the City chose not to use them to restore services in real time because it was not confident that the backups were clear of lingering malware.[xxiii]

Contacting an insurer is normally part of any good Response. Insurers can provide experts to help contain the damage and pay for remedial actions, systems repair and replacement and lost revenue. However, despite warnings that it needed a data protection policy, the City did not have one in place at the time of the attack[xxiv] and was therefore not able to secure any assistance.

Deciding whether to pay the ransom in hope of recovering encrypted data is another aspect of Response. Following FBI protocol, the City refused to pay.[xxv] Just weeks after the Baltimore attack, two Florida cities were attacked and agreed to pay their ransoms, totaling over $1 million.[xxvi] While those cities may have benefitted in the short-term, their decision to pay may prove more costly in the long-term. First, those six-figure payments surely made news in the ransomware underworld, undermining the FBI’s efforts to deprive criminals of their revenue source. Second, getting back access to ransomware-encrypted data is just one step in a laborious data recovery process. The integrity of the data may have been compromised. The data might contain malicious code, giving the attackers a new backdoor into future networks. The painstaking work of scanning every file and every system cannot be avoided.

Communicating with law enforcement and stakeholders is another staple of Response. To its credit, Baltimore began working with the FBI immediately upon learning about the attack,[xxvii] and seems to have continued that cooperation throughout the response and recovery phases. Unfortunately, it appears the City initially rebuffed an offer of help from the State of Maryland Department of Information Technology.

The City’s Response to the attack had a few bright spots but proved inadequate overall. It was able to quarantine impacted systems and eventually restore all services, and it deserves praise for not buckling to the attackers’ cash demands. But the failure to plan for an incident like the ransomware attack meant that Response activities were slow and inefficient, backups could not be deployed, insurance was not available, a credible offer of much-needed technical assistance was rejected at a critical juncture and communication with stakeholders was poor.

Recover – Develop and implement appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity


The Recover Function supports timely recovery to normal operations to reduce the impact from a cybersecurity incident.[xxx]

While ransomware attacks are perhaps inevitable, the sheer amount of time it has taken to restore operations and services to their pre-attack status speaks volumes about the City’s Recover capability. While the efforts of individual agencies and officials (e.g., creating manual workarounds on the fly) have been admirable, the City had no comprehensive recovery plan in place.[xxxi] Proper planning could have ensured not only the existence of data backups but the ability to rapidly deploy that data into restored or alternative IT systems to minimize the downtime for City operations and services. Planning could also have eliminated the need for inefficient manual workarounds and the overtime pay required to implement them. Overall the City’s Recover capability gets a failing grade.


While the City performed some functions better than others, the City’s failure to plan and prepare for a significant cyber-attack is the salient fact which runs throughout this analysis. Improving the City’s capabilities will not be easy or cheap. The City’s $18 million estimate in damages arising from the attack ($10 million in restoration of services; $8 million in lost revenues)[xxxii] does not cover upgrades needed to prevent or contain future attacks. On the other hand, the ransomware attack and tortured recovery highlight multiple opportunities for cybersecurity improvements, such as centralized IT management, structured segmentation of the centralized network to provide multiple layers of security, designing and implementing a reliable cloud backup system, planning for incident response and recovery, conducting tabletop exercises and obtaining insurance, to name a few. There is some indication that the City incorporated improved cybersecurity upgrades into the recovery process,[xxxiii] which is laudable. Whether future efforts are termed “Recovery” or “Rebuilding”, any dollar the City spends on information technology going forward should be viewed as an opportunity to invest in the security of the City’s long-neglected systems and networks.


[i]               Baltimore city government computer network hit by ransomware attack, by Ian Duncan and Colin Campbell, The Baltimore Sun (May 7, 2019).

[ii]              Baltimore expected to begin issuing water bills again this week, three months after ransomware struck, by Ian Duncan. The Baltimore Sun (August 5, 2019),

[iii]             Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 National Institute of Standards and Technology April 16, 2018 (the “Framework”), at 6. Available online at:

[iv]             Framework, at 7.

[v]              City of Baltimore, 2018-2023 INCLUSIVE DIGITAL TRANSFORMATION STRATEGIC PLAN (BCIT Strategic Plan Final 7.10.18) (July 10, 2018), at 14,

[vi]             Analysis of ransomware used in Baltimore attack indicates hackers needed ‘unfettered access’ to city computers, by Ian Duncan and Christine Zhang, The Baltimore Sun (May 17, 2019).

[vii]            Baltimore city government computer network hit by ransomware attack, by Ian Duncan and Colin Campbell, The Baltimore Sun (May 7, 2019).

[viii]           Id.

[ix]             Framework, at 7.

[x]              Framework, at 45.

[xi]             Mayor Young Announces IT Update, City of Baltimore Press Release (May 29, 2019) (“Baltimore City is in the process of restoring email and computer access to city employees. We are prioritizing public safety agencies and are working on other agencies simultaneously.”),

[xii]            Almost all city workers are back online after ransomware attack, but hurdles remain, by Brandon Weigel, Baltimore Fishbowl (June 26, 2019),

[xiii]           Google disables Baltimore’s Gmail accounts used during ransomware recovery, by Ian Duncan, The Baltimore Sun (May 23, 2019),

[xiv]            Baltimore restores online payment systems for speeding and parking tickets and property taxes, by Ian Duncan, The Baltimore Sun (July 3, 2019),

[xv]             Id.

[xvi]            Home sales are held up; Baltimore ransomware attack cripples systems vital to real estate deals, by Ian Duncan, The Baltimore Sun (May 14, 2019),

[xvii]           Baltimore officials announce manual workaround for property sales during ransomware recovery, by Ian Duncan, The Baltimore Sun (May 17, 2019),

[xviii]          Framework, at 7.

[xix]            Baltimore city government computer network hit by ransomware attack, by Ian Duncan and Colin Campbell, The Baltimore Sun (May 7, 2019) (quoting ransom note: “[w]e’ve watching you for days and we’ve worked on your systems to gain full access to your company and bypass all of your protections”),

[xx]             Framework, at 8.

[xxi]            ‘It is preferable for us to be safe’: Baltimore ransomware recovery going slowly so defenses can be hardened, by Ian Duncan, The Baltimore Sun (May 23, 2019),

[xxii]           “RobbinHood” ransomware takes down Baltimore City government networks – A year after 911 system hit, most of city’s networks are down, by Sean Gallagher (May 8, 2019),

[xxiii]          Id.

[xxiv]          Analysis of ransomware used in Baltimore attack indicates hackers needed ‘unfettered access’ to city computers, by Ian Duncan and Christine Zhang, The Baltimore Sun (May 17, 2019) (“Baltimore’s head of computer security told City Council members last year at a budget hearing that the city needed such a policy, but officials did not obtain one.”).

[xxv]           A tale of two cities: Why ransomware will just get worse, by Sean Gallagher, ars TECHNICA (June 21, 2019),

[xxvi]          Another Hacked Florida City Pays a Ransom, This Time for $460,000, by Patricia Mazzei, The New York Times (June 27, 2019),

[xxvii]         Baltimore city government computer network hit by ransomware attack, by Ian Duncan and Colin Campbell, The Baltimore Sun (May 7, 2019) (“a spokesman for the FBI’s Baltimore office, said agents from its cyber squad were assisting the city.”)

[xxviii]        Baltimore officials rebuffed offers of state help for a ‘week’ after crippling hack of city computers, by Doug Donovan and Ian Duncan, The Baltimore Sun (June 14, 2019),

[xxix]          Id.

[xxx]           Framework, at 8.

[xxxi]          A tale of two cities: Why ransomware will just get worse, by Sean Gallagher, ars TECHNICA (June 21, 2019) (“Baltimore’s mayor claimed the city had backups, but the city did not have a concrete disaster recovery (DR) plan.”).

[xxxii]         Baltimore estimates cost of ransomware attack at $18.2 million as government begins to restore email accounts, by Ian Duncan, The Baltimore Sun (May 29, 2019),

[xxxiii] Over a Month On, Baltimore Still Grappling with Hack Fallout, by Lucas Ropek (June 17, 2019) (quoting Deputy Chief of Staff for the Mayor’s Office Sheryl Goldstein: “[w]e’ve brought in some experts in cybersecurity that are working with us to develop methods, mechanisms and tools to secure the network and keep it secure going forward,” she said. “We also have plans to make cloud-based our finance and HR functions.”),

CDC Issues a Warning for Vape Users

On August 30, 2019 the Centers for Disease Control and Prevention (CDC) issued an official Health Advisory for users of e-cigarette products. Patients from several states have experienced respiratory symptoms such as cough, shortness of breath, or chest pain. The symptoms appeared in e-cigarette users a few days to several weeks after the use of the e-cigarette. In a couple of states, many of the patients reported a recent inhalation of cannabinoid products (no single substance or e-cigarette product has yet consistently been associated with illness). The CDC has issued recommendations for clinicians, public health officials, and for the public, urging the latter to refrain from purchasing any products “off the street”, or from modifying the product as supplied by manufacturers in any way. The CDC also recommends that “…[r]egardless of the ongoing investigation, e-cigarette products should not be used by youth, young adults, pregnant women, as well as adults who do not currently use tobacco products.”

Since June, at least 215 cases in over 25 states have been reported. Many of these individuals have been hospitalized. The first death related to e-cigarettes was reported on Friday, August 23, 2019.  As e-cigarette usage becomes more popular, we need to ensure that we are monitoring the situation and are bringing awareness to as many public health officials as possible.  Clinicians and Public Health Officials must ensure that they are generally aware of how e-cigarettes work, and the dangers that they may pose.  At a time when our nation is already struggling with a response to the rise of fentanyl-related opioid overdoses, we cannot afford to let another public health crisis swell out of control.

Maryland Gov. Larry Hogan joins coalition focused on flooding, sea level rise

The Republican governor says Maryland is particularly vulnerable to flooding, because it has 7,000 miles (11,265 kilometers) of shoreline. Maryland’s Ellicott City has suffered two major floods less than two years apart. Maryland’s capital city of Annapolis experiences tidal flooding at least 40 days out of the year. The coalition is a nonpartisan group of cities, elected officials, military leaders, businesses and civic groups. It is focusing on national solutions to address higher seas, stronger storms and more frequent flooding.


CHHS Assists Howard County Department of Fire and Rescue Services Line of Duty Death Investigation

Last week, the Howard County Department of Fire and Rescue Services (HCDFRS) released an Internal Safety Review Board report regarding the Line of Duty Death of Lieutenant Nathan Flynn. CHHS is honored to have worked closely with the Internal Safety Review Board throughout its eleven-month investigation, providing project management and writing support. Senior Law & Policy Analyst Maggie Davis worked closely with the ISRB throughout the writing and revision process, providing on-site project management support, and was assisted by former Senior Law & Policy Analyst Jonathan Lim and Research Assistant Kyle Clevenger. Additionally, Public Safety Technology & Communications Director Christopher Webster was part of the Peer Review committee during the revision process. The report provided both analysis of the factors contributing to Lieutenant Flynn’s untimely death as well as a safety review of the entire department. CHHS commends the ISRB for their professionalism and exemplary work ethic throughout the difficult process.

WHO Refuses to Declare Second-Deadliest Ebola Outbreak a Global Public Health Emergency

Despite the rising death toll in the Democratic Republic of Congo, last week the World Health Organization (WHO) declined for the third time to declare the current Ebola outbreak as a global public-health emergency. The WHO based their decision on the finding that the risk of spread of Ebola outside the Congo was low and that any public health emergency declaration would have a negative economic impact by forcing the Congo to suspend trade and flights and close their borders.

The current outbreak in the Congo is the world’s second-deadliest Ebola epidemic with the first being the 2014 outbreak in West Africa that killed more than 11,000 people in Guinea, Liberia, and Sierra Leone. Since the current Ebola outbreak was declared in August 2018, at least 2,108 people have contracted the disease. Of those 2,108 people, 1,411 have died. Although three cases of Ebola have been identified in Uganda, officials do not expect the Ugandan outbreak to worsen because of Uganda’s strong central government and organized health care system. Additionally, the spread to Uganda is considered unlikely because Uganda has prepared extensively for an Ebola outbreak by taking preventative measures including vaccinating front-line health workers and building training facilities.

For now, the greatest area of concern is the East Congo. Due to increased violence in the area, distrust of health officials, and a shortage of Ebola vaccines, standard strategies like case identification, vaccination, and treatment of Ebola are difficult to implement. In the East Congo, about half of those individuals who have died from Ebola had no contact with doctors. Therefore, health officials are often unable to provide vaccinations and contain the further spread of the disease because the infected patients die before reaching a clinic.

With the Ebola outbreak currently contained to the Congo, the WHO declined to deem the outbreak dire enough to constitute a global public health emergency. While the WHO found the current outbreak not significant enough for such declaration, other global health experts argue that such declaration must be issued to raise international support, enhance diplomatic, public health, security, and logistic efforts, and to increase financial resources. Despite the availability of an effective vaccine and containment protocol, the current Ebola outbreak in the Congo remains largely uncontrolled and poses security risks to other countries.

An Update on the Measles Outbreak in Maryland

Hassan Sheikh is a Law & Policy Analyst for CHHS, and works full-time assisting the Baltimore City Department of Public Health. 

Measles can present in a patient anywhere between 10 and 14 days after initial exposure to the virus. Symptoms can include fever, dry cough, runny nose, sore throat, inflamed eyes, or a skin rash. Although cases have become rare due to vaccination efforts (with the United States averaging about 60 cases of measles a year from 2000 to 2010), the CDC has reported 555 individual cases of measles between January 1 and April 11, 2019, in over 20 different states.

Measles outbreaks, defined as 3 or more cases, are currently ongoing in New York State (Rockland County), New York City, Washington, New Jersey, California (Butte County), and Michigan. The majority of individuals who developed measles were unvaccinated.

Measles is highly contagious, and can be found in the air after an infected patient coughs or sneezes. The virus can remain contagious on surfaces for up to 2 hours; an individual can spread measles from 4 days before to 4 days after the signature rash develops. Any person who is in close contact with someone who has measles should be notified of the exposure, determine if they are susceptible to getting the disease, and receive treatment if necessary. A vaccination given within 72 hours of measles exposure may provide some protection from developing measles in some cases.

Measles can be prevented with a measles vaccine. Two doses of the vaccine are recommended for children, starting at 12 to 15 months of age. In Maryland, all school children in Kindergarten through Grade 12 must be vaccinated.  Women should not get the vaccine if they are pregnant, or plan to get pregnant within 4 weeks after getting the vaccine. For more information regarding the vaccine, please click here.

If you suspect you may be in contact with someone who has developed measles, please contact your doctor or local health department immediately to be tested. The Baltimore Sun reports that anyone who has visited the following locations at these times may have been exposed:

  • 4000 Old Court Rd in Pikesville on Sunday, April 14 from 10:30 a.m. to 1:30 p.m.
  • Market Maven (1630 Reisterstown Road, Pikesville) on Sunday, April 14 from 11:45 a.m. to 2:30 p.m.
  • Seven Mile Market (201 Reisterstown Road, Pikesville) on Sunday, April 14 from 12:45 p.m. to 3:15 p.m.

There have been two clinics in Baltimore wherein the measles vaccine was administered without cost to concerned individuals. There is no current word on whether there will be another clinic. Additional information regarding measles, including instructions on what to do if you think you may have been exposed can be found here.

Sign-Up to Volunteer for Prince George’s County Emergency Preparedness Exercise on July 19th, 2019

On July 19th, 2019, the Prince George’s County Emergency Preparedness Program and Partners will facilitate a Full Scale Exercise to practice mass medication dispensing capabilities. We are currently seeking volunteers to serve as clients to walk through a point of dispensing (POD) at Largo High School. Volunteers will be needed from 9:00 am until 12:00 pm. Please sign-up below:

Securing a Final Four

By CHHS Extern Alec Prechtel

The NCAA Men’s Basketball Tournament concluded Monday night, in host city Minneapolis, with a thrilling overtime victory by the University of Virginia. Lost in the bright lights and confetti of Virginia’s victory, however, were the immense security measures taken by the city of Minneapolis and event partners to ensure that the Final Four went off without a hitch. While events of this magnitude can bring tremendous publicity and economic windfall to the host cities, an incredible number of security measures need to be taken to prepare for a party of this size.

The Final Four drew a massive number of people to downtown Minneapolis. 72,711 fans attended Saturday’s Final Four games alone, which notably does not include those without tickets who came downtown to participate in the festivities. For a city of only 422,000 people, a remarkable amount of coordination and planning is required to handle this influx in population. Security planning for a Final Four often spans longer than a year and across many state and private entities. Thirty different law enforcement agencies worked together to ensure the safety of the event. This year, law enforcement placed an emphasis on having a large presence of uniformed officers to make attendees feel safe.

Security for an event of this magnitude can be expensive too, with an estimated cost of $1.3 million for the Final Four security enhancements. Minneapolis is no stranger to hosting large events, as the city recently hosted Super Bowl LII. However, there are fewer federal resources made available for hosting the Final Four. In order to help fill this gap, planners relied on a large number of volunteers, security cameras, and partnerships with private security firms. Law enforcement also relied on coordination with local bars and restaurants, and on attendees themselves, who were encouraged to speak up if they noticed anything suspicious.

Changes were made this year to attempt to provide a more fan friendly atmosphere for the Final Four as compared to the Super Bowl. The National Guard presence as well as some of the other increased security measures needed to host a Super Bowl made some notice the distinct “military feel” during the Super Bowl festivities. An event like the Final Four typically receives a Level III SEAR (Special Events Assessment Rating), which is a lower level rating than a Super Bowl, but a step up from a regular season professional sporting event. Still, the FBI had an estimated fifty to sixty local special agents, analysts, and support staff responsible for the Final Four.

While the level of security may have been lower than a Super Bowl, authorities still made sure to have a robust law enforcement presence and to make public safety a top priority. Fortunately, this preparation allowed the Final Four to go on without any major public safety issues. The weekend was considered to be a large success, with Minneapolis receiving a lot of praise for the event.

NSA Considers Allowing Controversial Phone Surveillance Program Exposed by Snowden to Expire

by CHHS Extern Jiah Park

In 2013, Edward Snowden, a former Central Intelligence Agency (CIA) employee and former employee of Booz Allen Hamilton, a National Security Agency (NSA) contractor, leaked information regarding the United States (U.S.) government’s surveillance practices, which were used on both its own citizens and foreign individuals. Through different programs, the NSA collected both content and metadata of private communications. Notable programs include PRISM, governed by Section 702 of the Foreign Intelligence Surveillance Act (FISA), and the telephone records program, conducted pursuant to Section 215 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act.

Under PRISM, the government can obtain a FISA order from a Foreign Intelligence Surveillance Court (FISC), requiring an Internet services provider to disclose the contents of communications of a foreign individual. However, FISA orders are not search warrants under the Fourth Amendment, which require probable cause, and do not require a showing of probable cause that the target of the surveillance committed a crime. In fact, there is no requirement that the government have a reasonable suspicion that the target is involved with terrorist activities. Rather, the government must establish only that “a significant purpose of the acquisition is to obtain foreign intelligence information.”

Although PRISM “has not been as controversial [] in the U.S., because it does not target Americans, . . . some content from Americans’ communication gets caught in the dragnet.” The program collects private communications of Americans “incidentally” when Americans communicate with foreign targets. Furthermore, according to Section 702 of FISA, FISA orders may be authorized to “target[ ] persons reasonably believed to be located outside the United States.”

Despite outcry from privacy advocates, PRISM, which was set to expire, was renewed in January 2018.

Another controversial surveillance method is the phone records program, in which the NSA collects metadata in bulk from telecommunications companies. Metadata includes information such as when you made the call, whom you called, the duration of the call, and all the same information if you received a call.

Although seemingly less invasive than disclosing the contents of a call, metadata can be just as useful to the government, if not more so. While “content generally requires labor-intensive human analysis to become meaningful to the intelligence agencies,” metadata can be analyzed by a computer, “easily provid[ing] a complete [profile] of all your personal associations and interests,” says Shayana Kadidal from the Center for Constitutional Rights. This profile can be so detailed that it can be more informative than the content of the communication itself. Additionally, this metadata is collected in bulk, meaning that, in the program’s original form, which was authorized by the USA PATRIOT Act, phone companies had to disclose all logs they collected about all customers. However, in 2015, Congress passed the Uniting and Strengthening America by Fulfilling Rights and Ending Eavesdropping, Dragnet-collection, and Online Monitoring (FREEDOM) Act, which renewed many portions of the USA PATRIOT Act that were set to expire, but with limits concerning bulk collection, due to backlash from the Snowden leaks. Under the FREEDOM Act, phone companies no longer have to automatically provide the government with all of their records. Instead, phone companies retain their records, and the NSA may request access to the records from a FISC under a “reasonable articulable suspicion” standard.

The FREEDOM Act has decreased the number of records collected, but the NSA still collects hundreds of millions of records per year: 151 million call records in 2016 related to 42 terrorism suspects, and 534 million call records in 2017 related to 40 suspects.

Although PRISM is still in effect, portions of the USA PATRIOT Act that authorize metadata collection are set to expire in December 2019, and the NSA is considering allowing its expiration because the program lacks operational value, according to people familiar with the matter.

Furthermore, technical issues may have resulted in the unauthorized collection of information, forcing officials to “purge hundreds of millions of call and text logs [from the agency’s database that] it got from phone companies . . . .”

According to a podcast segment with Luke Murray, a national-security adviser for Republican congressional leadership, the program has not been used in six months and the NSA may not seek renewal of the portions of the USA PATRIOT Act that authorize it. Lack of use of the program and lack of interest in preventing its expiration seriously undermine the NSA’s previous claims that metadata collection is vital to national security.

However, deliberations are still in the early and informal stages, and earnest debate is not expected to begin until the fall. Furthermore, any final decision about whether to end the program would be made by the White House. Nevertheless, there are a multitude of reasons that support nonrenewal.

In 2014, the Privacy and Civil Liberties Oversight Board (PCLOB) released a report regarding the phone records program. In its report, the PCLOB recommended that the government end the program, in part due to the fact that the program has not contributed in a demonstrable way to the effort to safeguard the nation from terrorism. Out of fifty-four counterterrorism events in the summer of 2013, only twelve incidents involved the use of the 215 program. The PCLOB found that the program primarily provides value to the NSA in two ways, both of which relate to information already known by law enforcement. Furthermore, the PCLOB could not identify “a single instance involving a threat to the United States in which the telephone records program made a concrete difference in the outcome of a counterterrorism investigation.”

In any case, in instances in which phone records may be necessary to an investigation, there are alternative methods by which the government may gain access to the records, such as court orders, subpoenas, and national security letters (“NSL”), authorized by the Electronic Communications Privacy Act (“ECPA”). In addition, technological changes and advancements have also made the program less useful since its introduction, such as the major shift from landline to cellular technology.

Finally, the program has serious implications for people’s privacy and civil liberties. As mentioned above, metadata has the ability to “reveal intimate details about a person’s life, particularly when aggregated with other information and subjected to sophisticated computer analysis.” Permitting the government to collect such data “fundamentally shifts the balance of power between the state and its citizens.”

The Call for Privacy Regulations of Big Tech Companies

By CHHS Extern Jaime McCoy

Big tech companies are currently self-regulated, but that could soon change. With members of Congress being younger and more diverse than ever before, it seems to be the perfect time to address the regulation of technology. Congress is currently holding oversight hearings, and lawmakers are proposing new regulations in a crackdown on how big tech companies use and resell their customers’ personal information. The need to know what big tech companies are doing with consumers’ data is a growing need that policymakers have not adequately addressed in the past. Rep. Jan Schakowsky (D-Illinois) told NPR, “In the last two weeks alone, we learned that Facebook exposed individuals’ private health information that consumers thought was in a protected closed group, and collected data from third-party apps…on issues as personal as woman’s menstrual cycles and cancer treatment.”

The main motivation for stricter privacy regulations is that people want to know how these big tech companies are using their data. The more people are relying on technology and entrusting these companies with their private information, the clearer it becomes that Congress needs to step in and hold these companies accountable.

In the context of the current divisive political climate, it is rare for privacy regulation of tech companies to garner bipartisan support. On Tuesday, March 12, 2019, GOP Senator Josh Hawley (R-Missouri) questioned Google’s senior privacy counsel, Will DeVries, about Google’s tracking policy for the company’s Android mobile devices. It might be surprising to learn that even when users turn off their location tracking services, or even turn off their phone, the company is still gathering data about that device’s location. DeVries defended this action by stating, “gathering location data is what makes maps work, what makes routing of calls work, and other functions.”

Hawley criticized this defense by responding, “Any robust definition of consumer welfare must acknowledge that [Google and Facebook] have harmed consumers by conditioning participation…on giving away enormous—and growing—amounts of personal information.”

This issue is not exclusive to mobile devices. Social media platforms are constantly gathering data from their users as well. Social media platforms offer free access to users once they agree to the terms and conditions. But are these services actually free? Big tech companies make billions of dollars each year by selling advertisers insights drawn from the data users share on their platforms. This data is gathered from the websites users visit, the posts users like on social media, and even users’ locations.

Most users do not normally read the Terms and Conditions before agreeing to them. These terms are normally lengthy, filled with legal jargon and updated frequently, making it difficult for the average user to fully understand what they are agreeing to. Tech companies should be required to inform their users upfront what data they will be collecting and what they plan on doing with that information.

Currently, some states have taken it upon themselves to enact privacy legislation that is lacking at the federal level. However, due to the global reach of technology, separate state legislation would eventually be problematic for tech companies and consumers. Dave Grimaldi of the Interactive Advertising Bureau said, “The Internet is global, it most certainly goes over state lines. And I think that changing or altering the Internet experience to state to state would be something that would be a giant turnoff to consumers and just wouldn’t help anyone.”

Unfortunately, it is very unlikely that big tech companies will stop gathering data from users. Furthermore, having states come up with their own solutions to this issue is not the answer, as it would create greater problems for tech companies and consumers. The best resolution would be for Congress to require big tech companies to disclose what they are doing with the data collected. Congress should also consider putting requirements in place for how and what information these companies can disclose to advertisers. With regard to the terms and conditions, companies should be mandated by Congress to simplify the wording for the common user who does not have a technology background. This standard could be in line with the reasonable person standard. It is important that Congress begin to regulate big tech companies with regard to the data they are collecting from users and what they are doing with that information. Without this regulation, users are disclosing more information than they may realize to data consumers who could potentially disclose that information in the long run.