In response to an Ars report on a court hearing in New York on October 17, New York City and New York City Police Department officials attempted to clarify the nature of the issues surrounding a lawsuit filed by the nonprofit legal defense organization Bronx Defenders. In response to reporting that the Property and Evidence Tracking System (PETS) did not have database backups, NYPD Deputy Commissioner Stephen Davis said via e-mail, “Contrary to some published reports suggesting that NYPD does not electronically back up the data in its Property and Evidence Tracking System (PETS), all such data is backed up continuously in multiple data centers.”
That statement would appear to be in direct conflict with an affidavit filed by city attorneys (PDF) in the case, in which NYPD Director of Strategic Technology Programs Christian Schnedler stated, “Currently, there is no secondary or back-up system, and no repository of the data in PETS outside of PETS itself.”
Schnedler’s affidavit, which is part of the NYPD’s effort to block an external audit of cash-seizure data recorded in PETS, claims that the system is so fragile that even just using a “Web scraping” tool to retrieve cash-seizure data could collapse the whole system. “The risk of introducing and running a generic Web scraping tool into a complex, functioning law enforcement database, which has no backup system, is to risk disrupting NYPD operations, corrupting and/or losing some or all of the data, without a way to retrieve it,” Schnedler testified under oath.
The NYPD has sought to block a suit by Brooklyn Defenders requesting data on cash seizures by the department, claiming there is no way to export that data from the system, which city attorneys say is not based on an IBM DB2 database. This conflicts with a Capgemini description of the system given when PETS was nominated for an award in 2012. At that time, Capgemini said:
“Capgemini applied commercial industry best practices in the materials management and warehouse management areas to the government/public sector: SAP offers a tier one, fully integrated application software solution. Its best practice business processes are used by 80% of Fortune 500 companies worldwide. The solution includes an IBM DB2 database, a leader in total system availability, scalability, and security. The PETS application is delivered on a state-of-the-art IBM z10 mainframe computer platform, dedicated to the SAP solution at NYPD. It integrates with other key NYPD applications to reduce data redundancy, improve efficiency, and help ensure data accuracy.”
Another vendor may have replaced IBM DB2, as Capgemini is no longer the contractor supporting PETS, according to Schnedler’s affidavit.
Davis’ statement would appear to conflate NYPD’s business continuity plan with “backups.” The PETS system is replicated across multiple NYPD data centers, but all copies of the system are in active use. That would mean that if something were to corrupt the data in the system, or if there was a local failure at one of the data centers, some data would likely be lost.
The PETS front-end is a Web interface into the SAP ERP system PETS is based on. In the affidavit, Schnedler said that “the use of Web scraping or data mining tools” to extract data from the system to collect cash seizure data would be “inadvisable as to the risk of security breaches and the great risk of damaging or disabling the database.”
“Web scraping”—the use of a tool to pull data from a Web interface to an information system—would be too much of a burden, he suggested, because “NYPD information security experts generally do not permit the use of Web scraping tools from the Internet due to the heightened concern for potential threats to the security, confidentiality, and integrity of law enforcement information… Thus, NYPD is unable to download and utilize a Web scraping or other data mining application without first reviewing its security implications, potentially including penetration testing of the tool and its source code.”
Since commercial screen scraping tools generally use the Web interface to get to data from a trusted client on the network, that would mean NYPD is uncertain of the security of PETS itself. Schnedler testified that the NYPD has no internal expertise in the PETS system’s internals. “The current vendor contract from PETS is maintenance only,” he said in the affidavit. “The original PETS vendor did not provide documentation for upgrades or changes to the software.”