Note that this white paper deals only with
leveraging the internet for more effective inmate control. It does not address
the significant reduction in recidivism due to inmates re-entering the outside
workforce with internet skills that are becoming essential for many job
openings and learning environments. This white paper also neglects the benefits
to an inmate's attitude from improved communication with loved ones and
beneficial influences.
Pages 27-28, Inmate / Parolee Access to Computers, of
Title 15 of the California Code of Regulations prohibit internet access for
inmates, but each prohibited use is allowed with the approval of the
department's Information Security Officer (ISO).
Section 42020.6 (page 264 of Chapter 4) of the
Operations Manual (DOM) of the California Department of Corrections states, "It
is essential that the security of the facility be maintained and that no
unauthorized communication is made by a computer to another computer or to an
electronic mail device." But then it further defines "unauthorized" as under
inmate control rather than under custody control. Curiously, that section of
the DOM covers inmate programming of prison applications. Though discouraged,
it is permitted and represents a greater security risk than many computer
threats.
The DOM does include the prohibition "There shall be
no communication capabilities such as telephone, computer line, or radio
communication devices in the area." (of the inmates). This by inference
prohibits any internet connectivity within areas accessible to inmates, even as
restricted as at a Department of Defense secure location. Whereas this
prohibition is dated and possibly off point, it would be the last word except
for one fact. It is already violated often and everywhere. In many work
locations, networked PCs are present for managers, albeit with clear
restrictions against inmate use. Correctional officers are slated to get
internet access within facilities in order to better manage inmates with
current and detailed information.
These internet incursions are the result of profound
and irreversible changes in the world around all prisons, and the pressure for
more will increase, particularly in locations where inmates work and learn.
This is because of how integral internet access is becoming to all workplaces,
all job skills, and all learning environments.
In response, well-intentioned work managers have
experimented with various restricted forms of internet access for inmates. Tech
support requests for products and services, for example, have migrated to the
web and its knowledge bases, with inmates given over-the-shoulder access
whereby they direct inmate managers to the resources they need to do their
jobs. Security professionals will confirm that over-the-shoulder access is one
of the most vulnerable forms of access. Where expediency compelled more access, instances of
inmate abuse are used as validations of the fortress mentality against any
inmate access.
In the few such instances that can be studied, the
common thread seems to be that a comprehensive security assessment was not part
of granting access, only the expediency of the need and the trustworthiness of
the inmate. If "security is the system," a well-worn slogan of many
internet security firms, is true, then the problem is that there was no system, no
policy and procedure reflecting current realities to govern granting inmates
access.
The main problem appears to be a view of internet
access as an inmate benefit that comes with risk and cost. The question not
often asked is whether leveraging this emerging technology can improve inmate
control, the effectiveness of custody, and the associated costs.
The thought of inmates with an email account as
enjoyed by the rest of us is so contrary to the prison experience that it is
rejected without consideration. But email can take many forms much more
restrictive than an MS Outlook account.
Consider a forms-based online email system like
webmail. Every message is a record in a database with each field (From, To,
Subject, Message Body, etc.) subject to examination and control. More
importantly, the examination and control can be automated. That means:
- With retinal and fingerprint scans, validation of
sender and recipient becomes more secure than with paper mail.
- A concordance file of objectionable words can be
used to flag email for human review. This can include:
  - correctional officers' home addresses, even
  embedded in seemingly innocuous phrases like, "Go visit Susie at 123 Myrtle
  St."
  - word relations, for example, allowing "kill time"
  but not "kill warden"
  - foreign words, including kites written in
  Nahuatl, even when mixed with English
  - statistical inconsistencies, for example, the
  occurrence of "Mary Jane" more often than warranted as a person's name,
  indicating encryption
- Once an inmate's email identifies a person of
interest on the outside, all of that person's email can be monitored (with
judicial authorization).
- With all email stored, trend analysis over time can
reveal overall shifts in inmate attitudes, preferences, interests, agitation,
and demeanor.
- Email traffic analysis can be used in forensic
studies of events such as riots (actual and averted) to identify instigators
and mitigators.
- A delay system can delay all inmate email for a day
(incoming or outbound) for time-based analysis.
- Manual code breaking is replaced by the much more
effective computational systems used by our intelligence
community.
- Code broken through one
inmate is instantly available to break the same code used by another
inmate.
- Just as inmates are charged for stamps, they can be
charged to use email, including their pro-rata share of infrastructure, retinal
and fingerprint scanners, associated surveillance software, and human
oversight. On a per-piece basis, email will still cost the inmates less than
stamped mail. The net result should be a revenue vehicle for CDCR. [1]
- The number of email messages an inmate is allowed
to send or receive can depend on classification or behavior of the inmate, as
posted without human intervention from the systems used to track classification
and behavior. As a perceived inmate benefit, email access can be used to
encourage behavior modification.
- Unlike handwritten letters, email can be spoofed to
appear sent by whomever prison officials require to unmask criminal
activity.
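The concordance checks listed above (protected addresses, word relations, and statistical inconsistencies) can be sketched as follows. This is an added example, not code from this white paper or from any CDCR system; the concordance entries, the baseline rate, the three-word window, and the thresholds are constructed assumptions.

```python
import re

# Constructed concordance entries for illustration only.
RELATIONS = {"kill": {"warden"}}         # trigger word -> words that flag near it
PROTECTED_ADDRESSES = ["123 Myrtle St"]  # staff addresses that must never appear
BASELINE_RATE = {"mary jane": 0.02}      # assumed normal share of messages using the name
WINDOW = 3                               # words after the trigger to inspect


def tokens(text):
    """Lowercase and strip punctuation so 'Warden!' matches 'warden'."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).split()


def flag_message(body):
    """Return reasons this message should go to human review (empty list = pass)."""
    words = tokens(body)
    padded = " " + " ".join(words) + " "
    reasons = []
    for addr in PROTECTED_ADDRESSES:
        if " " + " ".join(tokens(addr)) + " " in padded:
            reasons.append("address:" + addr)
    for i, word in enumerate(words):
        # A relation flags only when the paired word follows within WINDOW words.
        hits = RELATIONS.get(word, set()) & set(words[i + 1:i + 1 + WINDOW])
        reasons.extend("relation:%s+%s" % (word, h) for h in sorted(hits))
    return reasons


def overused_terms(messages, factor=3.0, min_messages=20):
    """Return terms seen in far more messages than their baseline rate predicts."""
    if len(messages) < min_messages:
        return []  # too little mail for the rate to mean anything
    texts = [" " + " ".join(tokens(m)) + " " for m in messages]
    flagged = []
    for term, rate in BASELINE_RATE.items():
        seen = sum(1 for t in texts if " " + term + " " in t)
        if seen / len(texts) > factor * rate:
            flagged.append(term)
    return flagged
```

Flagged messages go to a human reviewer, as the list describes; the filter only decides what a person needs to read.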
Note that email need not replace postal mail, except
in those cases where the additional inmate control of email is required.
In the final analysis, compare the labor-intensive,
error-prone methods of monitoring postal mail, visitation, or telephone
conversations to the many email monitoring and management tools already
available in the private sector. Had the Mexican Mafia been confronted by the
above email communication surveillance system, would they have been able to
exploit prison communication as part of their expansion of criminal
activities?
The thought of inmates with network or internet access
as enjoyed by the rest of us provokes an immediate allergic reaction from
prison professionals. But we are far from advocating Facebook accounts for
inmates. As with email, the aspects of connectivity to be considered here are
those that support the custody mission by increasing inmate monitoring and
control.
To begin, consider the vulnerabilities of the two
current methods of controlling inmate connectivity, over-the-shoulder access
and the sneaker net. Over-the-shoulder access has the inmate looking over the
shoulder of an authorized prison employee, for example, directing a tech
support inquiry through a vendor's online knowledge base. If that inmate
observes a password, by accident or on purpose, the system is completely
compromised. The sneaker net physically carries computer content on media such
as memory sticks (aka thumb drives). Unlike point-to-point wires, the travel
paths of memory sticks are not always predictable and their contents cannot be
monitored.
Every computer has a unique IP address, with sensitive
computer areas given their own unique IP addresses. This includes the servers hosting
specific websites. Security software such as Fortress, commonly used by CDCR to
restrict inmates' access to their workstations, can be enhanced to allow
access to other computers only if their IP address matches what is on the
inmate's allowable list. This passive security is important, but dynamic
security is just as important, and it is only possible with
connectivity.
Dynamic security doesn't wait for an intrusion; it
monitors and reports on computer usage looking for patterns that indicate
upcoming threats. Using techniques like digicam surveillance, keystroke
loggers, and system logs, access probes can be detected before they turn into
intrusions. An unsuccessful attempt to locate a correctional officer's home
address should not be disregarded because it was unsuccessful. The same
connectivity can bring inbound traffic such as periodic automated security
assessments and workstation health monitoring.
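The allowable-list check and the treatment of unsuccessful attempts as signals, described in the two paragraphs above, are combined in this added example. It is not Fortress code or part of the original paper; the account name, addresses, and alert threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist: per-inmate account -> networks that account may reach.
ALLOWED = {
    "inmate-0417": ["10.20.5.10/32", "10.20.6.0/28"],
}
PROBE_THRESHOLD = 3  # distinct denied destinations before alerting (assumed value)


class AccessMonitor:
    def __init__(self, allowed=ALLOWED, threshold=PROBE_THRESHOLD):
        self.allowed = {u: [ipaddress.ip_network(n) for n in nets]
                        for u, nets in allowed.items()}
        self.threshold = threshold
        self.denied = defaultdict(set)   # user -> distinct denied destinations
        self.log = []                    # every decision is kept, allowed or not

    def check(self, user, dest):
        """Passive control: permit only destinations on the user's list."""
        try:
            addr = ipaddress.ip_address(dest)
        except ValueError:
            addr = None                  # malformed destination: deny
        ok = addr is not None and any(addr in n for n in self.allowed.get(user, []))
        self.log.append((user, dest, "allow" if ok else "deny"))
        if not ok:
            self.denied[user].add(dest)  # an unsuccessful attempt is still evidence
        return ok

    def alerts(self):
        """Dynamic control: report users probing several off-list destinations."""
        return sorted(u for u, d in self.denied.items() if len(d) >= self.threshold)
```

Counting distinct denied destinations rather than raw denials keeps one mistyped address, retried several times, from raising an alert.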
Connectivity also allows:
- Real-time behavior reporting, alerting prison
management to threats as they occur, not at some point in the future when a
disconnected workstation is evaluated, perhaps after a talented inmate removes
evidence of his misdeeds.
- Traffic monitoring as with email whereby a
concordance file checks for objectionable content.
- As with email, a centralized inmate behavior system
can provide trend analysis over time to reveal overall shifts in inmate
attitudes, preferences, interests, agitation, and demeanor.
As with so many technological innovations,
connectivity presents threats that can be mitigated and opportunities that can
be exploited. The key is not to let the pressure of technology find unplanned
outlets in the hands of well-intentioned but underqualified prison employees.
It is better to integrate those outlets into a comprehensive security plan managed
by computer security professionals.
In summary, internet access need not be feared as much
as controlled through careful planning, effective implementation, and
systematic vigilance.
[1] Providing internet access to inmates should be
implemented at net-zero cost to CDCR; in fact, it should cover some operating
costs that now come out of overhead. Precedent exists for charging inmates as
well as visitors for services, as the US Postal Service does for stamped mail,
including infrastructure and technology.
Suppose the per-message fee is set at
30¢, a bargain compared to stamped mail. Even with inmates limited to
3 incoming and outbound messages/day, that would generate over $3M/yr just
among the prison population of Folsom Prison. With email servers under $2K and
workstations around $300, that leaves a lot for CDCR personnel and
infrastructure. The spreadsheet sourced below presents a revenue model suitable
for various what-if scenarios.
Source:
www.etaskboard.com/emailfolsom.xls