Report of Investigation - OH DRC, OH OIG, 2015
Download original document:
Document text
Document text
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
State of Ohio Office of the Inspector General RANDALL J. MEYER, Inspector General Report of Investigation AGENCY: OHIO DEPARTMENT OF REHABILITATION AND CORRECTION FILE ID NO.: 2014-CA00022 DATE OF REPORT: APRIL 7, 2015 The Office of the Ohio Inspector General ... The State Watchdog “Safeguarding integrity in state government” The Ohio Office of the Inspector General is authorized by state law to investigate alleged wrongful acts or omissions committed by state officers or state employees involved in the management and operation of state agencies. We at the Inspector General’s Office recognize that the majority of state employees and public officials are hardworking, honest, and trustworthy individuals. However, we also believe that the responsibilities of this Office are critical in ensuring that state government and those doing or seeking to do business with the State of Ohio act with the highest of standards. It is the commitment of the Inspector General’s Office to fulfill its mission of safeguarding integrity in state government. We strive to restore trust in government by conducting impartial investigations in matters referred for investigation and offering objective conclusions based upon those investigations. Statutory authority for conducting such investigations is defined in Ohio Revised Code §121.41 through 121.50. A Report of Investigation is issued based on the findings of the Office, and copies are delivered to the Governor of Ohio and the director of the agency subject to the investigation. At the discretion of the Inspector General, copies of the report may also be forwarded to law enforcement agencies or other state agencies responsible for investigating, auditing, reviewing, or evaluating the management and operation of state agencies. The Report of Investigation by the Ohio Inspector General is a public record under Ohio Revised Code §149.43 and related sections of Chapter 149. It is available to the public for a fee that does not exceed the cost of reproducing and delivering the report. The Office of the Inspector General does not serve as an advocate for either the complainant or the agency involved in a particular case. The role of the Office is to ensure that the process of investigating state agencies is conducted completely, fairly, and impartially. The Inspector General’s Office may or may not find wrongdoing associated with a particular investigation. However, the Office always reserves the right to make administrative recommendations for improving the operation of state government or referring a matter to the appropriate agency for review. The Inspector General’s Office remains dedicated to the principle that no public servant, regardless of rank or position, is above the law, and the strength of our government is built on the solid character of the individuals who hold the public trust. Randall J. Meyer Ohio Inspector General State of Ohio Office of the Inspector General RANDALL J. MEYER, Inspector General REPORT OF INVESTIGATION FILE ID NUMBER: 2014-CA00022 SUBJECT NAME: Various POSITION: Correction Officers; Maintenance Repair Worker; Warden. AGENCY: Ohio Department of Rehabilitation and Correction BASIS FOR INVESTIGATION: Agency Referral ALLEGATIONS: Theft; Suspected Copyright Violations; Failure to Report. INITIATED: February 20, 2014 DATE OF REPORT: April 7, 2015 INITIAL ALLEGATION AND COMPLAINT SUMMARY On February 19, 2014, the chief legal counsel of the Ohio Department of Rehabilitation and Correction (ODRC) reported in a memorandum to the Governor’s Office, Office of the Ohio Inspector General, and Ohio State Highway Patrol, potential misconduct or illegal activity by ODRC employees. The memo read that on February 4, 2014, an ODRC employee discovered 57 ODRC staff members at various institutions had found a gateway into the JPay system on the institutional data servers1 which allowed the staff members access to download or copy recordings of songs without permission or payment. The author of the memo believed these actions constituted unlawful piracy of the music and referred the matter for review and investigation in compliance with the April 7, 2011, Governor’s Memorandum on reporting employee misconduct or potential illegal activity. The Office of the Ohio Inspector General opened an investigation on February 20, 2014. BACKGROUND Ohio Department of Rehabilitation and Correction The Ohio Department of Rehabilitation and Correction (ODRC) is charged with the supervision of felony offenders in the custody of the state, including providing housing, following their release from incarceration, and monitoring the individuals through the parole authority. The department also oversees the community control sanction system that provides judges with sentencing options to reduce the inmate population. There are currently 28 state-operated correctional institutions and two privately operated correctional institutions throughout the state. The director of ODRC is appointed by the governor and confirmed by the Ohio Senate. ODRC is funded through general revenue funds, federal funding, and revenue earned through sales from the Ohio Penal Industries.2 1 A server is a computer capable of accepting requests for resources by another computer and enforces user privileges to these shared resources. 2 Source: ODRC biennial budget documents. 1 JPay JPay Inc. is a privately held and licensed money transfer company based in the United States and headquartered in Miramar, Florida. The company enters into contracts with state departments of correction, county jails, and private federal prisons to provide consumer and inmate services, including money transfers, email, and video visitation, to approximately 1.5 million inmates throughout 35 states, including Ohio. JPay was started in 2002 in New York. In 2005, the company moved its headquarters from New York to Miami, Florida. In 2009, JPay’s services expanded to offer an inmate MP3 player (JP3) and a library of music tracks for digital download. In 2011, JPay moved its headquarters from Miami to its current location in Miramar, Florida, to accommodate a larger call center. In 2012, JPay launched a tablet (JP4) designed for the corrections industry which enables inmates to read and draft emails, play games, and listen to music. It also allows inmates to view and attach photos and videos. The decision to permit use of the JP4, and the full extent of its functions, is made by the state corrections departments. JPay’s tablets have been distributed in several correction agencies, including Ohio. For a fee, an inmate’s friend or family member can use JPay’s money transfer service to deposit money to the inmate’s commissary or trust account. JPay offers electronic payment and deposit options which include credit and debit card payments via online, phone, and mobile app channels. The company has a relationship with MoneyGram to accept cash at MoneyGram’s U.S. agent locations. Additionally, the company processes money orders on behalf of its contracted agencies. JPay provides services that an inmate and an inmate’s family and friends can use to communicate, such as video visitation, email, instant messaging, and the JP4 tablet. JPay also provides payment services for offenders to make community corrections and courtordered payments. As part of its parole and probationary services, JPay offers a release card (JPay Progress Card), which is a prepaid, reloadable MasterCard card. While all agencies 2 contract to use JPay for money transfer services, they do not all utilize JPay’s full range of services. INVESTIGATIVE SUMMARY On March 19, 2014, investigators with the Office of the Ohio Inspector General attended a meeting at the Madison Correctional Institution with ODRC Infrastructure Specialist Rich Hamlin to gather additional information related to the investigation. Investigators had previously been told that Hamlin was the ODRC employee who discovered that other employees were accessing the JPay folders and copying audio files to their own user profiles.3 The JPay system set up at ODRC During a second meeting on March 25, 2014, with Hamlin and ODRC Chief Information Officer Vinko Kucinic, investigators learned that ODRC operates in a non-centralized network of data servers and is reliant upon each prison to maintain and operate individual servers. Members of management at the ODRC central office have the ability to remotely access and manage the individual servers; however, the information, data, or computer files of the prisons are stored locally on their respective servers. When JPay entered into a contract with ODRC on September 13, 2012, in order for users to have access, JPay required its system be installed on the individual data servers at each prison. In order for the JPay system to work, JPay needed server space to store data and the audio files 4 (songs) available for purchase by the inmates. These data and audio files were stored on the individual prison servers. In doing this, a folder5 created by JPay labeled “Inmates,” along with two other folders, were stored on the servers at each prison. One of the folders contained 53,000 approved audio files for purchase by the inmates. Copies of the audio files became available for purchase by inmates between July and October 2013, depending on the implementation date at each institution. 3 A user profile, as implemented at ODRC, provides a location for the storage of user files specific to an individual user (employee). NOTE: ODRC implementation of user profiles did not follow standard industry practices. 4 An audio file format is a file format for storing digital audio data on a computer system. 5 In a computer, a directory or folder is a catalog of computer files that are organized and grouped together for ease of use. 3 In order for inmates to purchase copies of the audio files, JPay installed kiosks at the prisons. It was through these kiosks inmates were able to access and purchase MP3 audio files from the ODRC approved list of songs. Upon purchasing an audio file, a sub-folder within the “Inmates” folder was created and labeled with the inmate’s ODRC identifying number. A copy of the purchased file was stored in this sub-folder. The inmate would then download the file to their JP4 player by connecting the player to the kiosk. Hamlin said he first learned of employees copying audio files to their own user profiles in early February after overhearing correction officers at the Madison Correctional Institution discussing the access to the JPay folders. Hamlin reported this to ODRC Chief Information Officer Vinko Kucinic and was then tasked with remotely accessing the servers at all of the ODRC prisons in search of JPay audio files in employee user profiles. On February 4, 2014, Hamlin reported to Kucinic that his review found 57 ODRC employee user profiles containing copies of suspected JPay audio files. On February 11, 2014, Hamlin began acquiring the user profiles of the 57 identified employees and saved the data to an external storage device. This device was provided to the Office of the Ohio Inspector General for further analysis. All of the folders installed on the servers by JPay were initially shared folders6 accessible by everyone who had access to the server. According to ODRC, JPay claimed this was a system requirement. The folders remained accessible to all system users until February 7, 2014, when after discovering employees had copied files to their own user profiles, ODRC requested that JPay modify the system and restrict access to these shared folders. Data Analysis On March 25, 2014, the Office of the Ohio Inspector General received from ODRC the external storage device containing the user profile folders of the 57 ODRC employees identified by Hamlin who may have been downloading JPay media files and saving these files to their individual user profiles. 6 In a computer, a shared folder or shared resource, is a location of files that have been made accessible from one computer to another with assigned privileges to users. 4 The analysis of the user profiles on this hard drive determined that only 16 of the 57 identified ODRC employees had JPay audio files stored within their ODRC user profiles. ODRC identified a JPay audio file being an MP3 file, where the file name ended with “__XXXXXXXX.mp3” (i.e., __9646566a.mp3), or the file might be identified by the symbols “@@” in the middle of the file name. The remaining 41 ODRC employees had MP3 files within their user profile, but the files were not JPay audio files based on JPay’s file name convention provided by ODRC. Employee Name User Profile Michael Reed reedma 100 Michael Andrews andrewsmd 259 Adam Bray brayap 340 Daniel Cearley Cearleyds Edwin Diaz diazee Candace Ferguson fergusoncm Zachary Greenwood greenwoodzd Robert Hess hessrk 75 Michael Hughes hughesmb 92 John Johnson johnsonjm 326 Anthony Margocs margocsap 177 Michael Miglets migletsms 155 Lena Ramos ramoslm 93 Donald Ransom ransomdc 463 David Ticherich ticherichdp 179 Jayme Weber weberjl 5 JPay Songs 33 552 84 342 88 On April 1, 2014, the Office of the Ohio Inspector General requested the ODRC email files for the identified 16 employees to determine if the employees were transferring JPay audio files through the state email system. The analysis identified 63 emails involving the file transfer of 126 JPay MP3 audio files. All of these emails were sent and received intra-agency from one ODRC employee state email account to another ODRC employee state email account. Below is a graph describing the use of ODRC email to transfer the JPay MP3 files between ODRC employees: ODRC also informed investigators the USB ports7 on the computers accessible to the 16 employees were inactive, thereby making it impossible to transfer the audio files to a portable storage device such as a compact disc or thumb drive. Computers with active USB ports inside the prisons are closely monitored and restricted to only those employees with a need for active ports. On March 31, 2014, and April 15, 2014, the Office of the Ohio Inspector General re-acquired individual forensic images of the 16 ODRC employees’ user profiles that were determined to contain JPay audio files. The forensic images were acquired directly from the ODRC file servers and included all the files and directories within their user profiles located on the file server at each institution. This second data acquisition was performed in order to: 7 USP port is a standard cable connection interface on personal computers and consumer electronics. USB ports allow stand-alone electronic devices to be connected via cables to a computer (or to each other). 6 1. Determine if any changes had occurred to the user profiles since ODRC acquired their data on February 19, 2014. 2. Attempt to obtain additional forensic artifacts in order to identify other JPay audio files within the user’s profile. 3. Analyze the dates and times of the identified JPay audio files to determine when the files were copied from the JPay server. The following is a summary of the analysis of the user profiles and interviews of the 16 identified employees: Michael Reed The analysis of Correction Officer (CO) Michael Reed’s user profile from the Chillicothe Correctional Institution data server revealed 100 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on March 31, 2014, the number of audio files in Reed’s profile had been reduced to 84 total files. The analysis showed that 14 of these files were active and 70 had been deleted. The analysis also revealed four video games in Reed’s user profile that were embedded within Excel spreadsheets. Reed’s user profile contained 2.4 gigabytes (GB) of information stored on the institution’s server. During an April 28, 2014, interview with the Office of the Ohio Inspector General, Reed acknowledged initially playing the audio files but said he was able to link the Windows Media Player on the computer he used directly to the JPay folders on the server and play the song from the folder rather than first having to copy it to his profile to be played. By linking the player to the folder, he was also able to search the entire folder for specific types of music. Reed said he did not recall intentionally copying the audio files to his profile, but acknowledged there were some audio files there. Reed surmised that early on, he may have inadvertently moved copies of the songs to his profile prior to setting up the link from the Media Player to the JPay folder. 7 When asked about the deleted files, Reed said he did delete files once the JPay folder was no longer accessible. Reed said he believed the files were causing the Media Player to slow down or lock up since it was trying to access the no longer accessible JPay folder. Note: Following Reed’s interview, the Office of the Ohio Inspector General learned that when a song is played through the Windows Media Player from a local network source, (i.e., the server), a copy of the file containing the song is automatically saved to the user’s profile in the My Music folder. Michael Andrews The analysis of CO Michael Andrews’ user profile from the Ohio Reformatory for Women data server revealed 259 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Andrews’ user profile remained the same. Andrews’ user profile contained 2.13 GB of information stored on the institution’s server. During a June 16, 2014, interview with the Office of the Ohio Inspector General, Andrews acknowledged creating a folder within his user profile and copying JPay audio files to that folder. Andrews said he learned of the folder that contained the JPay audio files from other employees at the institution. Andrews commented that he had been disciplined on a separate issue at the prison recently and following this discipline, he deleted the folder containing the JPay audio files he had copied from the main folder on the system. This had occurred after the Office of the Ohio Inspector General had acquired the data on April 15, 2014. Adam Bray The analysis of CO Adam Bray’s user profile from the Lorain Correctional Institution data server revealed 340 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Bray’s user profile remained the same. 8 Bray’s user profile contained 8.4 GB of information stored on the institution’s server. During a May 18, 2014, interview with the Office of the Ohio Inspector General, Bray acknowledged creating a folder within his user profile and copied JPay audio files to that folder. Bray said he learned of the folder where the JPay audio files were stored from other employees. Bray also said he had sent or attempted to send audio files to others, primarily CO Ramos, via email. Bray said he attempted to access the JPay folder a week or so prior to his interview with investigators “out of a whim,” but the folder was no longer visible to him. Daniel Cearley The analysis of CO Daniel Cearley’s user profile from the Madison Correctional Institution data server revealed 33 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Cearley’s user profile remained the same. The analysis showed that all 33 of these files were active. Cearley’s user profile contained 0.25 GB of information stored on the institution’s server. During a May 19, 2014, interview with the Office of the Ohio Inspector General, Cearley acknowledged copying the audio files to a separate folder under his user name. Cearley believed he copied the files to his My Music folder. Cearley said he had heard of other employees listening to music in this manner and found the shared folder by chance. Cearley assumed this is where the other employees were finding the music. Later, after speaking with his supervisor, he learned the access to the JPay shared folder on the server was not permitted. Edwin Diaz The analysis of CO Edwin Diaz’s user profile from the Lorain Correctional Institution data server revealed 552 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Diaz’s user profile remained the same. In addition to audio files, one movie file was found in Diaz’s user profile. A full version of the movie “Repo Men” was present at the time of the data acquisition. 9 Diaz’s user profile contained 11.17 GB of information stored on the institution’s server. During a June 10, 2014, interview with the Office of the Ohio Inspector General, Diaz acknowledged creating a folder within his user profile and copying JPay audio files to that folder. Diaz said he found the folder where the JPay audio files were stored while searching around on the computer system. When investigators asked about the movie file found in Diaz’s user profile, Diaz claimed he had no knowledge of the movie and said he was not familiar with the movie title. When asked if he brought a movie into the institution, Diaz replied he had not. Diaz had no explanation as to why the movie file was in his user profile. At the end of the interview, when asked if he would like to add anything, Diaz said, “I really did not know it was illegal to do that [copy audio files],” and “So, I mean it’s … if I would have known I would have never done anything like that. I would have never transferred the music or anything.” Candace Ferguson The analysis of CO Candace Ferguson’s user profile from the Lorain Correctional Institution data server revealed 84 active JPay audio files in her profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of active audio files in Ferguson’s user profile remained the same. Ferguson’s user profile contained 0.74 GB of information stored on the institution’s server. During a May 18, 2014, interview with the Office of the Ohio Inspector General, Ferguson claimed she was aware of the audio files and that another person had created the folder and assisted her in moving copies of the audio files from the JPay folder to the one created within her user profile. Ferguson would not name the person who assisted her copying the audio files. However, she said while being shown where to go to find the music, she did recall there was three folders visible on the system. Ferguson said she was shown that the middle folder was the folder to open to find the music. Ferguson said she did not know that copying the audio files to the folder was wrong; otherwise, she would not have done it. 10 Zachary Greenwood The analysis of CO Zachary Greenwood’s user profile from the Lorain Correctional Institution data server revealed 342 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Greenwood’s user profile remained the same. The analysis showed that all 342 of these files were active. Greenwood’s user profile contained 2.97 GB of information stored on the institution’s server. During a May 18, 2014, interview with the Office of the Ohio Inspector General, Greenwood acknowledged copying the audio files to a separate folder he created under his user name. Greenwood said he had heard of other employees listening to music in this manner and found the shared folder labeled “Inmates” by accessing the system between the times he completed his rounds. Greenwood said that when he found the folder containing the audio files, it occurred to him the songs were probably copyrighted. Greenwood did not feel he violated any rules or laws by making copies of the songs, since the folder he had accessed was “open on the computer,” and accessible by anyone. Greenwood felt that if the employees were not to have access to the folder, then access should have been blocked. Robert Hess The analysis of CO Robert Hess’ user profile from the Lorain Correctional Institution data server revealed 75 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Hess’ user profile had been reduced to 67 active JPay audio files and 3 deleted JPay audio files. The analysis also showed seven forensic artifacts indicating that a movie or some portion of a movie had been stored within Hess’ user profile at some point. Hess’ user profile contained 0.62 GB of information stored on the institution’s server. During a June 10, 2014, interview with the Office of the Ohio Inspector General, Hess said he was told by others how to access the JPay folder where the audio files were stored. Hess said he 11 found the folder and played some songs but did not copy any files to a folder he created. Hess also said he had emailed audio files from his home email address to his state email address and saved those files to his My Music folder within his user profile. When questioned by investigators about the forensic artifacts of movie files found within his user profile and how they got there, Hess said, “That I don’t recall.” He denied bringing movies into the institution or watching movies while on-duty. Hess said the only movies he was aware of were of those shown at the prison and authorized by the institution.8 Michael Hughes The analysis of Maintenance Repair Worker (MRW) Michael Hughes’ user profile from the Ohio Reformatory for Women data server revealed 92 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, there were no audio files remaining in Hughes’ user profile. Hughes had previously worked as a corrections officer at the Ohio Reformatory for Women and other institutions prior to working as an MRW. Hughes’ user profile contained 0.007 GB of information stored on the institution’s server. During a May 1, 2014, interview with the Office of the Ohio Inspector General, Hughes denied copying any audio files to his user profile. When asked if he had ever listened to music from a computer at any of institutions or assignments where he worked, Hughes replied, “Not that I’m aware of, no.” Hughes said he was familiar with the computer system and recalled times while working at the Marion Correctional Institution he would access “public” folders to find information such as schedules, seniority information, etc., but said he never saw any folders related to JPay. John Johnson The analysis of CO John Johnson’s user profile from the Lorain Correctional Institution data server revealed 326 active JPay audio files in his profile when ODRC acquired the data on 8 ODRC institutions maintain an authorized library of movies for viewing at each prison. 12 February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of active audio files in Johnson’s user profile had increased to 356 active JPay audio files. Johnson’s user profile contained 3.92 GB of information stored on the institution’s server. During a June 10, 2014, interview with the Office of the Ohio Inspector General, Johnson acknowledged copying the audio files to a separate folder he created within his user profile. Johnson said other employees had told him about the folder where the JPay audio files were stored and that he found the folder on the system when he looked for it. Johnson commented, “I just assumed whatever was on the network, we … that we had access to … that we were allowed to utilize.” Anthony Margocs The analysis of CO Anthony Margocs’ user profile from the Lorain Correctional Institution data server revealed 177 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of active audio files in Margocs’ user profile had increased to 178 JPay audio files. Margocs’ user profile contained 1.54 GB of information stored on the institution’s server. During a June 10, 2014, interview with the Office of the Ohio Inspector General, Margocs acknowledged copying the JPay audio files to a folder he created within his user profile. Margocs said he learned about the JPay folder where the audio files were stored from other employees. Margocs said there were no restrictions that prevented him from accessing the audio files within the JPay folder. Michael Miglets The analysis of CO Michael Miglets’ user profile from the Lorain Correctional Institution data server revealed 155 active JPay audio files in his profile when ODRC acquired the data on 13 February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of active audio files in Miglets’ user profile had been reduced to 120 and 35 files had been deleted. Miglets’ user profile contained 1.27 GB of information stored on the institution’s server. During a May 18, 2014, interview with the Office of the Ohio Inspector General, Miglets acknowledged copying the audio files to a separate folder he created under his user name. Miglets said he was told by others where to go on the system to find the folder that contained the music but he could not remember the name of the folder. Miglets said it didn’t occur to him, at the time, that the songs and audio files were copyrighted material since the folder was a shared folder and visible to anyone with access to the system. Lena Ramos The analysis of CO Lena Ramos’ user profile from the Lorain Correctional Institution data server revealed 93 active JPay audio files in her profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Ramos’ user profile remained the same. Ramos’ user profile contained 0.87 GB of information stored on the institution’s server. During a May 18, 2014, interview with the Office of the Ohio Inspector General, Ramos acknowledged copying JPay audio files to a folder created for her by another person within her user profile. Ramos said she was told by others about the JPay folder on the computer system where the audio files were stored. Ramos said she did not know the songs she copied to her folder were copyrighted material, and acknowledged that she did receive some audio files by email from CO Adam Bray. Donald Ransom The analysis of CO Donald Ransom’s user profile from the Lorain Correctional Institution data server revealed 463 active JPay audio files in his profile when ODRC acquired the data on 14 February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Ransom’s user profile remained the same. Ransom’s user profile contained 4.0 GB of information stored on the institution’s server. During a June 10, 2014, interview with the Office of the Ohio Inspector General, Ransom acknowledged creating a folder within his user profile and copying JPay audio files to that folder. Ransom said he was told by others about the folder that contained the music and searched the system to find the folder. Ransom then moved copies of the audio files into a folder he created. David Ticherich The analysis of CO David Ticherich’s user profile from the Lorain Correctional Institution data server revealed 179 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number of audio files in Ticherich’s user profile had increased to 585 active files. Ticherich’s user profile contained 16.4 GB of information stored on the institution’s server. During a May 18, 2014, interview with the Office of the Ohio Inspector General, Ticherich acknowledged creating several folders under his user profile and copying JPay audio files to these folders. Ticherich had named the folders he created: “Schedule,” “test,” and “New Folder” (the default name for a newly created folder). Ticherich was questioned by investigators about his choice of folder names. When asked if he created these names in an attempt to hide the contents of the folders and the sub-folders within, Ticherich denied that was the reason. Ticherich said he simply continued to move files into these folders so as not to have numerous folders on his desktop screen. Ticherich also said he had often moved other folders in their entirety to these “Schedule,” “test,” and “New Folder” folders rather than moving individual files from the other folders. Ticherich said he learned of the folder containing the JPay music by word of mouth and heard others discussing the folder at the institution. 15 Jayme Weber The analysis of CO Jayme Weber’s user profile from the Ohio Reformatory for Women data server revealed 88 active JPay audio files in his profile when ODRC acquired the data on February 11, 2014. When the Office of the Ohio Inspector General acquired data on April 15, 2014, the number in Weber’s user profile had been reduced to 75 active audio files. Weber’s user profile contained 0.63 GB of information stored on the institution’s server. During a May 19, 2014, interview with the Office of the Ohio Inspector General, Weber acknowledged copying the audio files to a separate folder he created under his user name. He said he had overheard others talking about the folder containing the audio files and found it while accessing the system. Weber did not recall the name of the folder but said it was a shared folder. Weber said, “… I mean if somebody would have told me it was an issue, I would have deleted all the music and I would have never went into the folder. I mean, I just thought by word of mouth, that it was okay to do.” ODRC Policy and System Access ODRC employees who have computer system access are required to fill out, sign, and submit a DRC 3424E - System Access Request form (Exhibit 1) to the ODRC Information Service Center for approval. The form contains the requesting employee’s pertinent information as well as an acknowledgement that reads, “My signature below indicates that I have read, understand and agree to follow all pertinent laws, regulations, operational guidelines and procedures stated in ODRC policy 05-OIT-10 and 01-COM-01.” Specifically, ODRC Policy 05-OIT-10 (Exhibit 2) states in Section VI – Procedures, Sub-section G: 2. Employees and other individuals with DRC system asset accounts, such as the internet, electronic mail, online services, and the VPN, shall not 16 g. Use their DRC accounts for recreational purposes such as downloading or playing computer games, gambling, or to send, distribute or solicit sexually oriented messages, materials or images. h. Use their DRC accounts to download, distribute, or print copyrighted materials including articles, books, software, or images in violation of copyright laws. All 16 of the employees interviewed about copying JPay files to their user profiles were required to sign a System Access Request form and acknowledge reading and understanding the two policies. However, during the interviews, several employees said they were not aware the audio files would be considered copyrighted material or that the actions they took in copying the files to their user profiles would constitute a potential violation of copyright laws.9 It was the belief of many of those interviewed, that since the folder where the JPay audio files were stored on the server was accessible and had no restrictions, it was permissible to listen to and copy the songs within the folder. A secondary issue addressed during the interviews with the employees was the amount of space on the servers dedicated to storing the employee’s personal files. As noted above, the user profiles of a majority of those interviewed contained over a gigabyte (GB) of information. A gigabyte is a measurement used for digital storage. A gigabyte is also the equivalent of 1024 megabytes (MB). As a reference, one gigabyte would be enough storage space for any one of the following types of data or information: 9 894,784 pages of plaintext (1,200 characters, dependent on font, etc.) 4,473 books (200 pages or 240,000 characters) 640 web pages (with 1.6MB average file size) 341 digital pictures (with 3MB average file size) 256 MP3 audio files (with 4MB average file size) 1 CD (650MB) Title 17, United State Code, Chapters 501 and 506. 17 For comparison, the 2010 edition of the “Encyclopedia Britannica” (the last print-edition ever published) consisted of 32 volumes and weighed 129 pounds. At 50 million words or about 300 million characters, it would require roughly one gigabyte to store the text electronically (leaving out images and diagrams). ODRC routinely creates a back-up10 of the information stored on their servers and in doing so, creates multiple copies of the personal files created and saved by employees and stored within their user profiles. These personal files serve no purpose in the daily operations of the agency. OTHER MATTERS During this investigation, the Office of the Ohio Inspector General learned another potential violation of copyright laws may have occurred at the Lorain Correctional Institution (LorCI). During interviews on May 18, 2014, investigators were asked by those being interviewed if they (the investigators) were there to discuss pirated movies that had allegedly been shown at the prison. Later, investigators reviewed various news articles released by the media also alleging that pirated movies had been shown to inmates at the prison. On May 20, 2014, the Office of the Ohio Inspector General contacted the ODRC chief inspector’s office by telephone and was informed by Deputy Chief Inspector Paul Shoemaker that his office was unaware of the allegations or the news articles. At the end of the call, the Office of the Ohio Inspector General requested additional information concerning the possible pirated movies shown at LorCI. Of concern was the lack of reporting of suspected illegal or improper activity by state employees at LorCI. Governor’s Office memorandum On April 7, 2011, the chief legal counsel for Governor John Kasich sent a memorandum (Exhibit 3) to all department and agency directors and chief legal counsels outlining the procedures to be followed when a state employee was suspected of illegal or improper activity within state departments or agencies. The opening paragraph of the memorandum reads: 10 In information technology, a back-up refers to the copying and archiving of computer data so it may be used to restore or recover data from an earlier time. 18 The purpose of this memorandum is to set forth the procedures to be followed when illegal or improper activity by any state employee or official is observed, suspected or reported. This Policy sets forth the procedures for processing such allegations and provides for the careful, expeditious handling of all allegations and claims made against state employees. The procedures described herein are not intended to waive or vary any rights or obligations set forth in any Collective Bargaining Agreement and/or any notification requirements imposed by law. Section II - Non-Emergency Suspected Illegal Activity Notification Procedure – of the memorandum reads: A state employee, who observes, becomes aware of, or suspects non-emergency illegal or improper activity should immediately notify his or her supervisor or the Chief Legal Counsel for the Department and/or the Department Director. If the notification is made to an employee’s supervisor, that supervisor should then immediately report the information to the Chief Legal Counsel for the Department and/or the Department Director. Employees who report conduct that they believe is illegal or improper should have a reasonable factual basis for believing or suspecting that illegal or improper activities have occurred or will occur, and should provide as much specific information as possible to allow for proper assessment of the nature, extent, and urgency of the illegal or improper conduct. Complaint timeline The Office of the Ohio Inspector General began reviewing Internet new articles concerning the allegation of pirated movies shown to inmates at LorCI. This review led to the website www.torrentfreak.com. The article posted on the website identified the former inmate who levied the allegation as Richard Humphrey. Imbedded in the article were photographs of the kites11 (Exhibit 4) to LorCI Warden Kimberly Clipper as well as a recording of a telephone call from Clipper to Humphrey that took place on or around May 9, 2014. 11 Kite – a written form of communication from an inmate to staff. Source: http://www.drc.ohio.gov 19 The following timeline was developed from the news articles and other information learned and obtained from ODRC by investigators: On March 5, 2014, Inmate Richard Humphrey sent a kite to Kimberly Clipper, warden at the Lorain Correctional Institution complaining of pirated movies being shown by staff members to inmates and other employees at the prison. Clipper in turn sent the kite to acting Major David Conwell and instructed him to make inquiries into the complaint. On April 9, 2014, a second kite from Humphrey was received by Clipper complaining that pirated movies were still being shown to inmates at the prison. Clipper responded to this kite by writing, “Sir, Thank you for bringing this matter to my attention. Your concerns have been addressed in the past but it appears this activity is still taking place. This matter will continue to be addressed until rectified.” On April 10, 2014, a third kite from Humphrey complaining of pirated movies being shown at the prison was received by Warden Clipper’s office. Deputy Warden Stevenson responded and advised Humphrey to contact his unit sergeant, case manager, and unit manager with his concerns. Humphrey was paroled on May 6, 2014. On or about May 9, 2014, Humphrey recorded a telephone call from Clipper where she addressed Humphrey’s concerns about what he believed to be pirated movies being shown to inmates at LorCI. During this call, Clipper assured Humphrey an investigation was being conducted but that she could not discuss the details. On May 13, 2014, an article was posted at www.torrentfreak.com, a website operated by Humphrey. The article detailed Humphrey’s complaint about the pirated movies being shown at LorCI and was later printed on other media websites. Shortly thereafter, other media sites began posting articles referencing Humphrey’s complaint as well. 20 On May 20, 2014, during a telephone call with Deputy Chief Inspector Shoemaker of the ODRC chief inspector’s office, investigators were told an investigation into the alleged pirated movie issue had been completed at LorCI. An email was sent to Shoemaker requesting a copy of the investigation. On May 21, 2014, Shoemaker forwarded a copy of the internal investigation conducted by LorCI to the Office of the Ohio Inspector General. The investigation was dated May 15, 2014. In the first kite dated March 5, 2014, Humphrey identified CO Campbell (no first name listed) as the staff member who showed copyrighted movies to inmates. Humphrey wrote that the movie shown to inmates was “Ride Along” and the movie had not yet been released to DVD. Clipper forwarded the kite to Conwell with written directions for him to bring the kite to Campbell’s attention in the presence of a union representative. She also directed Conwell to be clear that there was no evidence to support the allegation but that “bringing in bootleg movies is unacceptable and will not be tolerated.” Finally, she directed Conwell to document his conversation with Campbell. Sometime around May 9, 2014, a telephone call between Humphrey and Clipper was recorded by Humphrey. During this call, while discussing her response to one of his kites, Humphrey said to Clipper that she had written, “… it was going on and that you [she] would continue to rectify it.” Clipper is then heard responding to this comment by telling Humphrey he had “misinterpreted” what she had written in her kite response. On July 18, 2014, the Office of the Ohio Inspector General interviewed Clipper’s immediate supervisor, ODRC Deputy Director Todd Ishee. Ishee said he was first made aware of an Office of the Ohio Inspector General investigation of ODRC employees illegally downloading music sometime in the spring of 2014. He said he was informed by Clipper that investigators would be interviewing staff members with regard to this investigation on May 18, 2014. Ishee said he asked Clipper to brief him on her knowledge of the investigation and it was during this briefing, Clipper mentioned a kite she had received from an inmate about a CO showing an unauthorized 21 movie to a small part of the inmate population. Ishee stated between May 19 and 21, 2014, ODRC began receiving media inquiries about the movie being shown to inmates. Ishee said since the magnitude of media interest was growing, he requested an executive briefing at the ODRC central office. Ishee noted that it was during this briefing he first learned there was a possibility the movie allegedly shown was illegal or bootlegged. He said it was his understanding from his earlier briefing with Clipper that the alleged movie was on a DVD an employee may have brought into the prison. On July 24, 2014, the Office of the Ohio Inspector General interviewed Warden Kimberly Clipper. Clipper acknowledged she first became aware of the allegation of pirated movies being shown to inmates by staff members on March 5, 2014, after receiving a kite from then-inmate Humphrey. Clipper said her first course of action was to assign the complaint to then-acting Major Dave Conwell for investigation. According to Clipper, she gave explicit instructions to Conwell how she wanted the matter handled. In a follow-up conversation with Conwell, Clipper said she told him that “this type of behavior would not be tolerated if it was, indeed, true.” Also, Clipper noted that, in hindsight, her response could have been clearer to Humphrey’s second kite when she had stated, “Sir, Thank you for bringing this matter to my attention. Your concerns have been addressed in the past but it appears this activity is still taking place. This matter will continue to be addressed until rectified.” Clipper said after receiving the second kite from Humphrey, she responded to him under the assumption the investigation assigned to Conwell was ongoing. She said she went to Conwell to inquire about the investigation and learned he had not conducted one. Clipper said Conwell apologized to her and said he had forgotten about the investigation. According to Clipper, Conwell was later reprimanded for not conducting the investigation as instructed. Clipper said that on May 12, 2014, upon learning there was to be a media release concerning the alleged pirated movies being shown at the prison, she notified her supervisor, Ishee, and briefed him of the situation. Clipper said she told him about the original investigation concerning the JPay system and the music downloads and about the media release concerning the alleged movies shown to inmates at the prison. Clipper stated she told Ishee she had assigned Conwell 22 to conduct an investigation and he did not follow her direction. Clipper said she might have used the terms “bootleg” or “pirated” when discussing the movies with Ishee. Clipper said ultimately an investigation was conducted at her direction and two correction officers were searched; however, no evidence of any unauthorized movies was found. When Clipper was questioned about whether or not the prison’s servers were searched for a digital copy of any movies, Clipper responded that the servers had not been searched and she didn’t believe she had any further reason to search the servers. Clipper said she was under the belief a CO had brought in an unauthorized movie and that it was not found during the search. A review by investigators of a requested copy of the internal investigation showed that the investigation appeared to have been opened and closed on May 15, 2014. During the interview conducted on July 24, 2014, investigators asked Clipper if she had ever seen the Governor’s memorandum dated April 7, 2011, regarding “illegal or improper activity.” Clipper responded, “I can’t say I was actually given that in regard to training, but I can tell you that I report illegal activity when it’s discovered and it’s verified.” Investigators showed Clipper a copy of the memorandum and noted to her it states that all allegations, whether verified or not, should be reported to her supervisor. Clipper responded that she did not inform her supervisor of every allegation that she had received and noted that she believed it was her job to “weed out” what was accurate and inaccurate. Clipper blamed Conwell for failing to investigate the matter and that if she could do anything differently, “I would have assigned it to somebody else from Jump Street because my acting major completely dropped the ball in regard to this … .” Data Analysis During the course of the analysis of the data received related to the original complaint, a pirated movie file was identified within one of the LorCI employee’s user profiles. Several forensic artifacts of movie files, portions of movie files, or movie trailers were also identified within one of the LorCI employee’s user profiles. These artifacts indicated that a copy of a movie, some portion of a movie, or a movie trailer existed at some point within these profiles; however, it is not possible to determine which of the three existed. 23 On June 12, 2014, at the request of the Office of the Ohio Inspector General, a back-up of the entire file server from LorCI was received from ODRC to analyze and determine if any additional LorCI employee user profiles contained trace evidence of movie files. The analysis determined no active movie files were stored within any LorCI employee user profiles. The one movie file previously identified was no longer present on the server back-up. However, the analysis identified an additional 23 forensic artifacts of movie files, portions of movie files, or movie trailers that once existed within two other LorCI employee user profiles. Again, it was not possible to determine what the original files within the user profiles were, based on the artifacts found. As such, this information is being referred back to ODRC for any administrative action deemed appropriate. During the Office of the Ohio Inspector General’s review of the internal investigation of the two correction officers, it was noted that no evidence of unauthorized, pirated, or illegal movies was found. From a conduct report obtained by investigators, it was learned that during a search of an inmate’s cell on May 14, 2014, an unauthorized DVD titled “The Hobbit 2” was found.12 (Exhibit 5) This DVD was seized by ODRC investigators and treated as contraband. According to Shoemaker, the inmate received a verbal warning on May 16, 2014, and the conduct report was closed on June 4, 2014. CONCLUSION The original complaint from the Ohio Department of Rehabilitation and Correction identified 57 employees believed to have illegally copied JPay audio files to their own user profiles. The analysis conducted by the Office of the Ohio Inspector General of the data received from ODRC definitively identified JPay audio files in 16 of the employees’ user profiles. These 16 employees were the focus of this portion of the investigation. All but one of the employees interviewed acknowledged they had accessed the JPay folder where the audio files were stored. All but one of the employees interviewed said they had played the files on the computer or copied the files to a folder within their user profiles. The remaining 41 employees who had nonJPay audio files within their user profiles were referred back to ODRC for administrative action. The second movie of the Hobbit series was properly titled “The Hobbit: The Desolation of Smaug” and shows a DVD release date of April 8, 2014. 12 24 From ODRC, investigators learned the folders placed on the institution’s servers were created as shared folders and ODRC was told by JPay that this was a requirement of their system. These folders were accessible to everyone who had access to the ODRC system. It was only at the insistence of ODRC, after discovering the access vulnerability, that JPay restricted the access to these shared folders. After this, the folders were no longer visible to the employees and the copying of the audio files ceased. The majority of the 16 employees interviewed believed the folder containing the JPay audio files was visible to everyone who had access to the system, and it was permissible to play the audio files it contained. Many did not feel this was or might be a violation of copyright laws and noted that had they been aware it was a violation, they would not have accessed the folder and played or copied the files. During the investigation, investigators reviewed United States Code, Title 17. Chapters 501 and 506 of the code discuss the “willful infringement” of a copyrighted item. (Exhibit 6) The legal definition of willful is somewhat ambiguous and left for determination by a court of law. The Office of the Ohio Inspector General found no evidence to indicate the employees created anything other than what was found within their user profiles for personal use. Investigators found no evidence that any of the 16 employees profited in any way from copying the audio files. In a few instances, there were copies of the files sent by email to one another within the institution but, there was no evidence to show the files were emailed to anyone outside of the institution or copied to a portable device such as a CD, thumb drive, etc. At the onset of this investigation, the Office of the Ohio Inspector General contacted the U. S. Immigration and Customs Enforcement agency (ICE). After being briefed of the allegations, investigators were told by the ICE duty officer that based on the allegations, barring any significant changes or evidence of sale-for-profit of the copied audio files, ICE would not pursue charges through the United States Attorney’s Office. Regardless of the potential copyright law violations, ODRC policy 05-OIT-10 is clear on the use of ODRC user accounts for recreational purposes and the prohibition of violating copyright laws. 25 Accordingly, the Office of the Ohio Inspector General finds reasonable cause to believe a wrongful act or omission occurred in this instance. During the course of the investigation, investigators learned of another potential violation of copyright laws that possibly involved pirated movies shown to inmates at Lorain Correctional Institution. Warden Clipper had received and responded to two kites sent to her by an inmate complaining of the movies being shown by LorCI staff members. Clipper’s deputy warden responded to a third kite from the same inmate that also complained of pirated movies being shown to inmates by LorCI staff members. Clipper said, during a July 24, 2014, interview, that she did task one of her senior staff members to inquire into the allegations noted in the first kite, but that he apparently did not follow her instruction. However, after receiving the second kite, to which she responded, and a third kite, in which her deputy warden responded, Clipper still did not notify her supervisor, Todd Ishee of the potential misconduct by staff members at the prison. It was not until the inmate who had filed the complaint had been released from LorCI and Clipper spoke with him by telephone and was made aware of a soon-to-be-released article in the media concerning the movies being shown at the prison, that Clipper notified her immediate supervisor, Todd Ishee. Even then, Ishee said he was not aware the alleged movies shown to the inmates were pirated or illegal, only that it was Clipper’s belief a staff member had brought an unauthorized DVD into the prison. The ODRC chief inspector’s office was also unaware of the potential illegal activity until contacted by the Office of the Ohio Inspector General after the media articles had been posted on the Internet and in various news periodicals. During the July 24, 2014, interview, Clipper said she did not like to bombard her supervisor with every allegation purported and preferred to conduct her own investigation to verify if an allegation was true prior to reporting it to her superiors. With regard to the Governor’s memorandum, dated April 7, 2011, Clipper could not recall being given a copy of the memorandum during any training when she became the warden at LorCI. Clipper’s direct supervisor Todd Ishee stated during his interview with investigators, that he could not recall 26 meeting with Clipper to discuss the specific requirements of the memorandum. As such, the Office of the Ohio Inspector General is referring this matter back to ODRC to ensure future compliance with the Governor’s memorandum concerning the reporting of suspected illegal activity by state employees. RECOMMENDATION(S) The Office of the Ohio Inspector General makes the following recommendations and asks the director of the Ohio Department of Rehabilitation and Correction to respond within 60 days with a plan detailing how these recommendations will be implemented. The Ohio Department of Rehabilitation and Correction should: 1. Remove all non-work related data stored within employee user profiles. 2. Limit employee user profiles to a size only necessary for day-to-day operations. 3. Disable the ability for employees to save data and files to the local hard drive of stateowned computers used by ODRC employees. 4. Develop and implement a policy regulating the use of the JPay system. 5. Ensure the ODRC information and technology policies are consistent at all institutions and offices throughout the agency. 6. Ensure that all employees, especially wardens, deputy wardens, and other upper-level management personnel are familiar with and follow the governor’s memorandum on reporting suspected illegal or suspicious activity. REFERRAL(S) The Office of the Ohio Inspector General has determined that no referrals are warranted for this report of investigation. 27 State of Ohio Office of the Inspector General RANDALL J. MEYER, Inspector General NAME OF REPORT: Ohio Department of Rehabilitation and Correction FILE ID #: 2014-CA00022 KEEPER OF RECORDS CERTIFICATION This is a true and correct copy of the report which is required to be prepared by the Office of the Ohio Inspector General pursuant to Section 121.42 of the Ohio Revised Code. Jill Jones KEEPER OF RECORDS CERTIFIED April 7, 2015 Rhodes State Office Tower ◊ 30 East Broad Street – Suite 2940 ◊ Columbus, Ohio 43215-3414 Phone: 614-644-9110 ◊ FAX: 614-644-9504 ◊ Toll Free: 800-686-1525 ◊ E-mail: oig_watchdog@oig.ohio.gov The Ohio Inspector General is on the World Wide Web at www.watchdog.ohio.gov MAILING ADDRESS OFFICE OF THE INSPECTOR GENERAL JAMES A. RHODES STATE OFFICE TOWER 30 EAST BROAD STREET – SUITE 2940 COLUMBUS, OH 43215-3414 TELEPHONE (614) 644-9110 IN STATE TOLL- FREE (800) 686-1525 FAX (614) 644-9504 EMAIL OIG_WATCHDOG@OIG.OHIO.GOV INTERNET WATCHDOG.OHIO.GOV