Lawsuit Against Little Rock Police (FOIA Access to Records)

On Friday, I filed a lawsuit against the Little Rock Police Department under the Arkansas Freedom of Information Act, requesting access to historical audio recordings and encryption keys. This lawsuit became necessary because Little Rock denied my request for record access for unsubstantiated reasons.

Let’s start from the beginning. Not with the creation of mankind but somewhere towards the end of July 2014. That’s the time when Little Rock Police started changing their communications on the Arkansas Wireless Information Network (AWIN). This move made it not only nearly impossible but also possibly illegal for anyone to listen to the radio transmissions of Little Rock Police (“LRPD”). Since timely access to radio traffic is a big issue for News Media, KATV asked LRPD if recordings exist and if they are subject to a Freedom of Information Act (“FOIA”) Request. On August 6th, KATV reported that LRPD responded by stating that “Encrypted scanner traffic is recorded and subject to Freedom of Information Act requests.” [1]

On August 19th, I filed a FOIA request with LRPD and requested (among encryption keys and talkgroup IDs) a week’s worth of recordings. To my surprise and contrary to their initial statement towards KATV, LRPD denied my request. Sgt. Sloan argues for LRPD that “The encrypted audio recordings that you requested contain information that is exempt from disclosure under the Arkansas Freedom of Information Act (‘FOIA’) and the department does not have software with the capability of removing the information that is not subject to disclosure. Therefore, the only way respond to your request would be to have an employee physically listen to recordings and note information that should be redacted, identify where it is on the recording, and then create a new record that does not contain such information. The FOIA does not require the creation of a [new] record in order to respond to a request.

No longer able to listen to Little Rock Police: BCD996XT APCO25 radio scanner

No longer able to listen to Little Rock Police: BCD996XT APCO25 radio scanner

This is, of course, nonsense. LRPD and – judging by a statement Little Rock city attorney Carpenter made toward the Arkansas Democrat Gazette [2] – misinterprets what documents I have requested. I did not request transcripts of audio recordings. The records I requested were the recordings themselves. The response could be incompetence or a slick and classic manipulation technique. Misinterpreting a small detail of a request, maybe even adding a fictitious reason (lack of software), to manipulate the outcome of an argument is a classic in legal matters. LRPD’s statement would be correct if I would have requested transcripts. But I didn’t.

LRPD would be required to redact the original record. In this case, that would mean to either silence or otherwise remove information exempted from disclosure. It’s the equivalent of redacting a paper record by blacking out certain sections. This is not considered a creation of a new record. Therefore, LRPD has to do it to be in compliance with the FOIA. If LRPD argues that they don’t have the right software, it is the paper equivalent of arguing to be out of black markers. It simply does not matter for the substance matter of the law. An agency is required to dedicate resources to fulfill FOIA requests. Furthermore, the question needs to be asked why LRPD is all of a sudden concerned about citizens’ privacy. In retrospect, citizens should ask: Why did LRPD not mind to blast names, phone numbers, addresses and license plates over the air in the clear for everyone to hear in the past? A sudden change of heart and department wide tolerance for a person’s right to privacy? I think not.

The previous paragraph assumes that such information is even present in the audio recordings. LRPD occupies 34 different Talkgroups (Channels) on the AWIN system. The statistical odds of every single recording for the given time frame for every Talkgroup containing information exempt from the Arkansas FOIA is lower than me winning the lottery. And that is considering that I don’t even buy lottery tickets. Therefore, LRPD is legally required to submit at least a partial record of non-exempted information. The Talkgroup labelled “LRPD Training,” for instance, had absolutely no activity relating to real information that may fall under privacy laws in the time frame I requested. The funny thing is that Little Rock has no idea how much access to their system I currently already have. I don’t want to give them too much strategic information upfront, but let me say that I’m looking forward to their faces when I will introduce my evidence in court. No matter what the legal outcome will be, exposing lies of government officials is always a great embarrassment. And who is going to trust a police department that blocks access to records and lies to the public about such records? Not saying that LRPD is lying but you can make up your own opinion once I introduce my evidence.

Just to be nice to LRPD, let’s assume what they claim is true. Let’s assume every single second of the recordings for all 34 Talkgroups contains only exempted information. And let’s assume they couldn’t find any possible way to redact without creating a new record. In that case, Little Rock still has certain formal requirements to comply with. A government agency has to indicate that it has a) performed a search for responsive documents, b) analysed them, c) found information exempt from disclosure, and d) indicate what EXACT nature the exempted information is. Little Rock can’t just use a “catch-all” assumption that such information may possibly be present. They have to back this claim up. And that’s the part that should make this case very interesting: It may not even come down to the legal substance at all if LRPD isn’t even able to write a proper denial.

Deeper into the legal substance it will be interesting how the value of Privacy Laws vs. Freedom of Information Laws will play out. Even if LRPD can claim that private information may be present, it may not be a valid reason for exemption if the FOIA’s right to access trumps the privacy law’s right to privacy. The Arkansas FOIA most certainly does not provide an exemption for the information LRPD alleges to be present in the recordings. A complete list of reasons for exemptions can be found in Arkansas Code § 25-19-105 (b). On the federal level, this has been decided in favor of the (federal) FOIA multiple times. LRPD’s illegal attempt to block access is not new; the FBI has tried this nationwide on several occasions. After courts put them in their place, they stopped this behavior for the most part. The average city attorney is far from being an overachiever when it comes to educational and intellectual properties. So cities sometime try things that others have failed doing simply because they didn’t do their research. Anyhow, bottom line is what city attorney Carpenter said: “I think, frankly, maybe a judge is going to have to decide.”

If you want to get updates on the development of this story, either bookmark the following link or subscribe to this article by leaving a comment below and checking the “Notify me of new posts via email” box: http://jaunty-electronics.com/blog/category/other/lrpd/

The complete set of documents for the lawsuit is available here: http://jaunty-electronics.com/blog/wp-content/uploads/2014/09/Amended_Complaint_w_Exhibits_Redacted1.pdf

UPDATE (08/24/2014): Follow and Share the Facebook page I created for this case for news and updates https://www.facebook.com/LRPDlawsuit

Links and Sources:

[1] KATV: http://www.katv.com/story/26212791/q-a-encrypted-police-communication
[2] Arkansas Democrat Gazette: http://www.arkansasonline.com/news/

 

Hobbyists and the Cost of Software Options

This article takes a closer look at the cost and value of software license keys as found in modern test equipment.

Today I came across an article on Hackaday [1]. The article was Hackaday’s response to a DMCA Takedown Notice they have received from Tektronix. The DMCA Takedown Notice was aimed by Tektronix at a previous article that explained in great detail how to enable software options in Tektronix oscilloscopes without actually paying the licensing fee. What really shocked me was Hackaday’s attitude towards those software keys.

First off, let’s talk about how software options are installed on some Tektronix oscilloscopes. Instead of using actual text keys that a user would have to type into the oscilloscope, Tek has come up with rather nifty little hardware dongles. I find them nifty because they do not tie the license to a given scope. Technically speaking, you are buying a “floating license.” Just insert it into the scope you’d like to use a certain feature on and voilà, the software option is enabled.

Tektronix License Module installed in my Tek MDO4104B

Tektronix License Module installed in my Tek MDO4104B

Apparently, these modules, or rather the whole key authentication, can be hacked quite easily. Hackaday responds to this fact as follows:

“The real story here is that Tektronix designed a woefully weak system for unlocking these modules. Learn from this. If you’re ever designing a hardware key, don’t do it like this!

An EEPROM, a connector, and a plain text string of characters which is already published publicly on their website is all that is necessary to unlock these “crippled” features. Let’s just say that again: apparently every hardware key is the same and just uses a plain-text string found on their website which is not encrypted or obfuscated. If you were selling these keys for $2.99, perhaps this would be adequate but Tek values these modules at $500 apiece.”

All I can say, in kind: Hackaday, you have demonstrated how disengaged you are with the matter.

Judging by the comments under the referenced article, I couldn’t help but notice that understanding software options and associated cost seems to be a common problem among hobbyists. Since most of my readers are hobbyists, I thought I’ll help out.

First off, let me state the obvious: When purchasing a license module, you are purchasing a license that allows you to use a certain feature on your oscilloscope. You do, however, not pay for an EEPROM, a connector and a plain-text string. The module is merely the delivery method of the license key (i.e. your right to use that software option). It’s the same with PC software keys that are nowadays offered on a plain plastic card in retail stores. Nobody would accuse Adobe of selling overpriced plastic cards. People know they are paying for the software, not the card. Therefore, I was quite surprised to see how tough it seems for some to understand the concept of license keys in modern test equipment.

The irony is really this: Hackaday and many commenters suggest that Tektronix should learn its lesson and improve proper encrypted serial number based keys. Guess what happens to the cost? That’s right, developing such a system will cause non-recurring engineering (NRE) cost that has to be recovered from the customers legally purchasing the options. Isn’t it funny how a group complaining about the cost of such software options suggests a narrow minded solution that will only increase such cost?

The next thing that seems very hard for many people to grasp is why they have to pay for something that is technically available (but not enabled) in the instrument they purchased already. This is actually a very common complaint I hear at trade shows in particular. The complaints usually go on about how much more certain options cost and how that’s just not right for something that’s already there.

Like with the previous statement, this is something that is usually viewed from the wrong perspective. It is not the case that users who use more advanced features have to pay a steep surcharge. It is more so the case that customers who don’t use these features get a hefty discount. And companies don’t do this because they’re super nice. Sure, this is also used to drop the “starting at” sticker price a bit, but the secondary reason is something that hobbyists probably have a hard time understanding. Hobbyists are used to being “alone” when trying to figure things out. If they run into issues with their equipment, they will consult other hobbyists on online forums. A commercial user who paid a 5-digit amount of money for their instrument will call an Applications Engineer at the company who he bought the instrument from and demand instant help. And he will receive it. Thanks to pathetic customer support of cheap Chinese companies like Rigol, this doesn’t even cross a hobbyist’s mind.

The amount of support (and the associated cost) is highly dependent upon the feature set that a customer uses. If you take a look at what kind of software options are available, you’ll find that only very few are generic. Most of them are designed for very specific and complex tasks. Helping someone with a support request originating from such a complex task costs a whole lot more money than telling someone how to push a button on the front panel.

I hope this helps to better understand how software options work and what is really involved. Just as a disclaimer, I’d like to add that I am not a fan of DMCA Takedown Notices and similar legal action without first approaching an alleged copyright offender in a less formal way. That’s why I am in no way commenting on that side of the matter. Tektronix is one of my blog’s sponsors. It’s important to know that this has zero influence on why I am writing this article. As a matter of fact, even though I am defending Tek, I am certain that Tek will in no way like me addressing this issue and thus drawing more attention to it. However, this article is very important to me on a personal level.

Links and Sources:

[1] Hackaday.com: http://hackaday.com/2014/08/05/hardware-security-and-a-dmca-takedown-notice/