June 4, 2008



Fingerprint Misuse and Identity Theft

By: Meghan Reilly, Legislative Fellow



You asked for an update of OLR Report 95-R-0596 regarding the misuse of fingerprint records resulting in wrongful convictions.† You also wanted information on safeguards protecting fingerprint information from identity theft or record-switching.


We found no instances of false identification based on fingerprint data in Connecticut, but we found a New York incident in which a clerical error resulted in misidentification and arrest.† For fingerprint data security, Connecticut law requires identification data for a person who has no prior criminal record to be deleted when the charges against him or her are dismissed or nolled or he or she is found not guilty.† The state maintains fingerprint data in the Criminal Justice Information System-Offender Based Tracking System (CJIS-OBTS).† It protects against theft and misuse through three elements.† First, a userís identity is verified through digital user authentication.† Second, role-based security restricts system access to authorized users.† Third, data encryption transforms information using an algorithm to make it unreadable to anyone except authorized users.


After a search of lawsuits and news articles, we were unable to find any instances of false identification based on fingerprints leading to unjust convictions in Connecticut.† A case in New York nearly resulted in the deportation of an innocent man whose fingerprints were inadvertently placed in another personís file.† That error resulted in a series of wrongful arrests and imprisonment between 1998 and 2002.† However, in that case, the issue was not deliberate misuse but a clerical error (Benjamin Weiser, Can Prints Lie?, N.Y. Times, May 31, 2004).†


According to Connecticut law, law enforcement officials must take the fingerprints, physical description, and photographs of anyone arrested for a crime of moral turpitude and immediately furnish the State Police Bureau of Identification (SPBI) with two copies of a standard identification card imprinted with the fingerprints, photograph, description, and other information the bureau requires. †If the officials take the fingerprints or photographs electronically, they must send the electronic images. †The law requires the bureau to delete all electronically maintained fingerprints, photographs, physical description, and other identification data for a person who has no prior criminal record when the charges against him or her are dismissed or nolled or he or she is found not guilty (CGS ß 29-12).


For data kept in the CJIS-OBTS, the state protects these materials from theft or misuse using three key security elements: authentication of users and agencies through digital certification, role-based security for access to data, and encryption of data passing through the network via secure socket layer (SSL) for online access and native encryption for messages (Sierra Systems: Connecticut, www.sierrasystems.com).


Offender fingerprint information is provided to OBTS via a secure link between the Master Name Index/Computerized Criminal History system (MNI/CCH) and OBTS.† OBTS flags offender profiles to alert the certified user whether the information he or she is viewing for an offender is deemed to be fingerprint-supported by the SPBI.† SPBI personnel manually input associations between fingerprint-supported arrest information, provided manually or by the FBI Automated Fingerprint Identification System (AFIS), and court information provided by the Judicial Criminal Motor Vehicle System via the current MNI/CCH online system. †The Department of Public Safety is working on an automated interface to send fingerprint information from AFIS to MNI/CCH via a secure link.


All feeding systems for OBTS are behind firewalls in either the Judicial or Department of Information Technology (DoIT) data centers. In addition, OBTS resides behind the CJIS firewalls, which are within the DoIT data center firewall protection layer.† All server-to-server communications by application systems under the CJIS umbrella are required to use SSL encryption, an Internet security protocol used to transmit sensitive information. All data flowing over the network is encrypted at both the sending and receiving points at the router level, compliant with federal standards.


Many additional physical and policy safeguards have been put in place through the CJIS infrastructure, which includes the CJIS firewalls, to safeguard information in repositories such as OBTS and AFIS (according to DoIT staff).