Corrections Telecommunication and Technology
F. Warren Benton, Ph.D.
John Jay College of Criminal Justice, CUNY
Reprints from a series published in Corrections Managers' Report.



Prisons and Prisoners on the Net

by Ned Benton
Copyright Corrections Managers' Report, December/January 1997

Should prisoners be permitted to use computers that are connected to the internet? Should they be allowed near computers at all? An incident at the Minnesota Correctional Facility at Lino Lakes, recently featured in the New York Times (November 18, 1996), frames the issue in frightening terms.

Here's the story. Since the 1970s, the prison has been home to a model correctional industries program involving Control Data Corporation. Prisoners provided telemarketing and database management services to private-sector customers including major corporations. The program has demonstrated how private sector involvement in correctional industries can work. I am among the many correctional professionals who have considered it a model program.

As with many other successful programs in corrections, a single incident can mar the reputation of a generally successful initiative. However, in this case the incident can be a lesson for all of us.

An audit by a computer security company found files containing names and addresses of children, as well as pornographic pictures and messages concerning children. Over 8,000 files were discovered, some of which were apparently retrieved over the internet. Some may also have been transmitted over the internet to pedophiles outside of prison. The apparent purpose of the lists was to enable pedophiles to identify specific children, and to use specific personal information to gain the child's, parent's, or other responsible adult's confidence.

The prisoners involved had sophisticated abilities to use computers. The files were located in a part of the hard disk that was hidden from regular users, that required a secret password and secret procedures to access, and that would self-erase if accessed without the secret codes. One of the prisoners thought to be involved was brought up on disciplinary charges, but the charges were dismissed due to lack of evidence linking the prisoner to the files. As I said, the prisoners were sophisticated computer users.

The lesson

So what's the lesson here? Obviously, the lesson involves the risks of mixing computers and prisoners. But prisons, prisoners, and computers are all complex, and the conclusions that we can draw require some careful evaluation of the exact risks involved.

Computers Likely to Remain Part of Prison Infrastructure Regardless of Risks

Computers and prisoners are risky to mix, but computers are hardwired into the infrastructure of correctional facilities and operations, and few prisons are computer-free zones. There are three reasons further computerization is inevitable:

  • Common uses of computers involve prisoner, personnel, and financial records. Some other aspects of computerization are not obvious. For example, some security and alarm systems rely on computer network technology for communication between control points, sensors, and other devices. As technology advances, networks will be able to function without dedicated network wiring, using power, telephone, and cable television lines, or radio frequencies. Furthermore, sophisticated computers are being developed for uses that will be less obvious, as parts of appliances. Thus, risks will exist that cannot be mitigated merely by declaring traditional computer devices to be off-limits to prisoners.

  • Regardless of the risks, correctional facilities will be required to use more and more computing and telecommunications systems. Government in general will integrate advanced computing into every aspect of public service, and correctional facilities will not be permitted to remain museums of quill-pen management.

  • A third impetus for computerization is the need to continue to improve the efficiency and effectiveness of correctional operations, and the central role of information technology in those improvements. We sometimes think of correctional care and custody as a mix of people, paper, food, medicine, concrete, and steel. But there is another essential ingredient -- information. Practically everything that we do in corrections requires information, whether it is a schedule defining when a yard or post opens, a classification label that defines the limits of a prisoner's zone of movement, a sentencing order defining the moment of a prisoner's release, or a purchase order for next Wednesday's hamburger. The timeliness, completeness, relevance, and accuracy of information limit and enhance our abilities to be efficient and effective. Thus, information processing is central to correctional work, and improvements in efficiency and effectiveness will require advanced computing and telecommunications technologies.

Systems for Prisoner Access: The Benefits, Risks, and Tools

There are clear benefits to prisoner access to well-designed computer systems. The benefits occur when they save correctional labor, expedite the transmission of information, and improve the scheduling and logistical management of correctional operations. The following are some examples of ways that computing and telecommunications will transform correctional operations:
  • Prisoner E-mail to Staff: Today, prisoners usually communicate with staff directly or via "kites," which are written notes. Face-to-face communication is great if the staff member is available and if the staff member can solve the problem raised. Otherwise, the communication does not occur, or the staff member ends up carrying a message from the prisoner to the staff member responsible for solving the problem. If kites are used, these paper messages have to be sorted, delivered, processed, and responded to. An e-mail system would provide for rapid communication, with precise accountability as to when a message was sent and what was said. A structured system (such as a health care request message or prisoner complaint message that uses a computer-screen form) permits inquiry of the prisoner as the initial message is created, improving the chances that staff receiving the message can respond effectively.
  • Prisoner E-mail to Family and Lawyer: Prisoner e-mail could be set up as a closed system that only reaches staff for official communications. Alternatively, it could be set up to permit external e-mail to an approved list of individuals. In this way, it would work like telephone systems that permit collect calls to an approved list for each prisoner. Since prisoners can write letters to practically anyone, adding e-mail on a structured basis would not increase the range of people who could be contacted. However, e-mail is more accountable than written mail, because the source and destination of messages can be documented, and messages can be stored for later retrieval. The legal aspects of procedures for storage and later retrieval will have to be confronted, but there is probably an acceptable policy somewhere between "It's a privilege - don't use it if you don't like the policy" and "We'll only retrieve messages from archive if there is probable cause of a crime."
  • Network Computers: Network computers can come in many versions, but the general idea is to simplify the computer at the desktop or work station, relying more on central network computers called servers. The network computer can be simpler, cheaper, more reliable, and more controlled. A correctional officer's desktop computer might have no disk drives, always relying on software from the network server. A computer intended to provide information to prisoners might not even have a keyboard, relying on a touch screen or a number pad as the means for prisoner identification.
  • Security Devices: Today many security systems rely on computers and computer networks for functions such as monitoring and communicating with alarm, lock, and monitoring devices. Future devices, such as inexpensive and small network-based video cameras, can be new components of security systems. Instead of having a video camera wired into a video network, the camera functions as a part of a computer network, sending a picture over the network whenever requested. The picture could be initiated by a movement or sound sensor, a button requesting the opening of a gate or door, or by a person or computer program from another point in the network.
  • Communication Devices: For functions as diverse as nursing and utility bill metering, hand-held devices have been developed to streamline access to information and record keeping. For correctional officers, integrated personal security devices will combine voice communication, personal security alarms, and work-related data access and entry, minimizing paperwork for reports and logs.
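
The approved-list e-mail arrangement described under "Prisoner E-mail to Family and Lawyer" can be sketched as a small mail gate. This is an added example, not part of the original column: the staff domain, sender IDs, addresses, and timestamps are constructed, and the hash-chained log is one assumed way to make the stored record tamper-evident.

```python
import hashlib
import json
from dataclasses import dataclass, field

STAFF_DOMAIN = "staff.facility.example"  # hypothetical internal mail domain

def _digest(record):
    """SHA-256 over the record's fields, excluding the digest itself."""
    body = {k: v for k, v in record.items() if k != "digest"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

@dataclass
class MailGate:
    approved: dict                              # sender id -> set of approved external addresses
    audit: list = field(default_factory=list)   # every attempt, delivered or not

    def _decide(self, sender, recipient):
        addr = recipient.strip().lower()
        if addr.count("@") != 1:
            return "reject", "malformed address"
        if addr.split("@")[1] == STAFF_DOMAIN:
            return "deliver", "internal staff mail"       # the closed system
        if addr in self.approved.get(sender, set()):
            return "deliver", "on approved list"          # per-prisoner list
        return "reject", "not on approved list"           # default deny

    def submit(self, sender, recipient, body, timestamp):
        action, reason = self._decide(sender, recipient)
        record = {"time": timestamp, "from": sender, "to": recipient,
                  "body": body, "action": action, "reason": reason,
                  "prev": self.audit[-1]["digest"] if self.audit else "0" * 64}
        record["digest"] = _digest(record)  # chains this record to the previous one
        self.audit.append(record)
        return action

    def verify_audit(self):
        """Return False if any stored record was altered, removed, or reordered."""
        prev = "0" * 64
        for rec in self.audit:
            if rec["prev"] != prev or rec["digest"] != _digest(rec):
                return False
            prev = rec["digest"]
        return True

def demo():
    # Constructed sample traffic.
    gate = MailGate(approved={"inmate-1001": {"relative@example.org"}})
    results = [
        gate.submit("inmate-1001", "nurse@staff.facility.example", "Sick call request", "1997-01-06T09:00"),
        gate.submit("inmate-1001", "Relative@Example.org", "Hello", "1997-01-06T09:05"),
        gate.submit("inmate-1001", "stranger@example.net", "Hi", "1997-01-06T09:10"),
        gate.submit("inmate-2002", "relative@example.org", "Hi", "1997-01-06T09:15"),
    ]
    return gate, results
```

Rejected attempts are logged alongside delivered ones, so the record documents source and destination even for mail that never leaves the facility.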

Manage Risks By Planning Systems with Security

All computer systems should be planned, designed, and monitored with security in mind. There are several basic strategies involved, focusing on user identification, network firewalls, and application security.

User Identification: A computer system should be designed to establish who is using the system. Traditionally, usernames and passwords have been the primary tools for user identification. New techniques involve smart identification cards and physiological means of identification such as voiceprints, eye scanners, or fingerprint and handprint scanners.

Firewalls: A firewall is a barrier, developed with equipment or with software, that limits access into or out of a computer network. A simple firewall can be created with space -- not connecting computers to other computers and systems that should not interact. This strategy can be defeated, however, by motivated users with diskettes. Sophisticated firewalls are combinations of software and hardware that limit the movement of information across networks by monitoring the information exchanged and by limiting the ways that it can move.

Application Security: A secure application reinforces user identification and network firewalls, but also limits the ability of the user to "hack" the application itself by modifying how it works.

The Lino Lakes Lesson

With the benefit of 20/20 hindsight, we can see that the Lino Lakes incident occurred because many basic security concepts were not implemented. Application security was inadequate, a secure firewall from the internet does not appear to have been in place, and user identification was insufficient.

The easy answer would be to limit the use of computers in prisons, especially when prisoners might be involved. However, that answer will not work because we will not be able to limit computing and telecommunications technologies in prisons. The real answer is to become actively involved in understanding and guiding how these technologies are introduced, so that design and development are influenced by people who understand the risks and challenges of correctional operations.

Minnesota has a reputation for innovation as a state government and as a corrections system. I expect that, when we look back on the Lino Lakes incident 20 years from now, we will see that it was the first of a series of challenging and frustrating incidents involving correctional computing and telecommunications across the nation -- unpleasant wake-up calls for corrections professionals as they enter the 21st century.