The Federal Bureau of Prisons was advised to develop rules of behavior for employees using its information systems after an official misused her bureau-issued Samsung mobile device to send sexually explicit photos.
Two connected Department of Justice Office of the Inspector General investigations raised concerns with BOP’s monitoring of computers, cybersecurity and records retention when the employees involved denied they had violated device policy.
DOJ’s IG found the employee in the first investigation had downloaded encrypted chat applications to her BOP-issued device “to prevent her official communications from being detected by BOP,” according to a memo released Monday.
Because the apps were downloaded within the device’s Knox “personal container,” the employee said they were exclusively for personal use.
“In some situations, BOP’s failure to educate employees on the appropriate use of the ‘personal container’ on the Samsung devices has led employees who have engaged in inappropriate uses of their mobile devices to claim privacy protections over the content of the ‘personal container,’” Michael Horowitz, inspector general of DOJ, wrote in the memo to BOP Director Michael Carvajal.
In the second, related investigation, DOJ OIG requested that another employee turn over her BOP-issued device, suspecting it contained evidence tied to the first investigation. The employee refused, saying the personal container protected their communications. She was subsequently served two administrative subpoenas that went ignored until a federal district court enforced the orders.
Legal action “impacted our timely access to highly relevant evidence” and delayed the investigation into “serious misconduct” in addition to wasting limited resources, Horowitz wrote.
The second employee said BOP didn’t restrict encrypted chat apps, despite DOJ’s Cybersecurity and Privacy Rules of Behavior prohibiting unauthorized apps.
DOJ OIG recommended the prison system train personnel on their information system security responsibility and on using mobile devices in compliance, and rename the personal container the “unsecured container” or “unsecured section.”
BOP should further develop rules of behavior — including a list of vetted apps — that comply with DOJ’s own and make clear employees consent to monitoring, recording, collection and search of data wherever it resides on agency devices, according to DOJ OIG.
The inspector general lastly recommended BOP set up a warning banner that appears on its mobile devices’ lock screens upon restart that states “users have no expectation of privacy” in communications or activities, even in the unsecured container.
The IG gave the bureau 60 days to reply to its recommendations with actions taken or plans to comply.