Brad Schimel’s law enforcement career is a strong driver of his data privacy and security agenda as Wisconsin's Attorney General. Schimel quickly brought the state to the forefront of cybercrime enforcement and prevention when he became AG in January 2015, and the state has been on the cutting edge of these issues ever since. Schimel served in the Waukesha County District Attorney’s office for 16 years before becoming Waukesha County District Attorney in 2006. Below, Schimel discusses Wisconsin’s leadership role in prosecuting cybercrimes, the future of data security and consumer protection. 

The Privacy Advisor: How does your experience in law enforcement, first as a District Attorney for over two decades and now as AG, inform your approach to privacy and data security?

Schimel: I have worked directly with countless citizens who have been victims of theft of their personal identification information or fraudulent use of their personal identifying information. The harm usually goes far beyond just the loss of money they experienced from their identifying information being used by another. They typically face tremendous burdens to restore their credit status, close and then reestablish accounts that were compromised, obtain renewed identification documents and change over access codes. It is often a significant challenge just to be sure they have addressed all accounts that may have been compromised. There is often a gap between closing of old accounts and receipt of a new account access card. Some victims have seen their identity misused in ways that harm their reputations. On top of everything else, they are never 100 percent sure that they have fixed every potential vulnerability and are absolutely safe from further misuse of their information.

A persistent source of frustration for prosecutors and law enforcement is that offenders have, in effect, become invincible. Take fraudulent use of a credit card for instance. The card holder will not be held responsible for charges they did not authorize, and the credit card company will absorb the loss. This imposes tremendous costs on all of us in the form of higher fees and so forth. The cost and effort involved in identifying, pursuing and holding accountable the offender is often cost-prohibitive for the credit card company, and they will often elect not pursue an investigation and/or prosecution. Since the cardholder does not lose any money in the end, they lack motivation to go through the hassle of an investigation. The criminal got away with the offense without any consequence, which only encourages them to continue to commit similar crimes.

The Privacy Advisor: You have consistently emphasized prioritizing internet crimes against children, human trafficking, and violence against women. How does data privacy and security factor into your plans in these areas?

Schimel: Data privacy and online security factor into all aspects of internet safety, and are therefore of high concern to the Wisconsin Department of Justice. The Internet Crimes Against Children Task Force works daily to educate children, parents and all community members on staying safe online. This includes awareness surrounding posting too much information or posting personal information online. This topic is an excellent starting point for online safety discussions with young children. 

As children start using technology, we can begin by teaching them about pop-ups, requests for personal information — such as name and address —  and about not sharing their login or password information with anyone except for parents, their caregiver or a trusted adult. We can then use this basic safety information to segue into other safety topics as children age, such as grooming by online predators, sexual solicitation and exploitation and how to respond to and prevent safety concerns such as these.

Our Human Trafficking Bureau focuses on these topics within the realm of online safety, as well. Recognizing red flags and not posting personal information is an important part of preventing trafficking and violence against women and is the best practice for all technology users. We see many incidents of traffickers grooming children and women online through enticing them with gifts and money and by sensationalizing these "incentives."

Data privacy and online security are excellent habits everyone should incorporate into daily living. Similar to how we lock our car or home doors to protect our valuables, and how we don't provide our Social Security numbers over the phone to anyone, it is wise to safeguard our personal and private information in our daily lives. 

The Privacy Advisor: This year, you announced a promising new development in your work to curb internet crimes against children. The Wisconsin Department of Justice  Internet Crimes Against Children (ICAC) Task Force arrested 16 alleged child sex predators and child sex traffickers in an operation focused on child exploitation and online crimes in Wisconsin. You spent a large part of your career prosecuting sensitive crimes against children. Can you speak to some of the trends you are seeing in internet crimes against children?

Schimel: Operations such as the one you describe are fairly common practice at DoJ. We are constantly working to catch and hold accountable those who are using the internet to engage in sexual activity with children. The Wisconsin DoJ, in partnership with ICAC Task Force partners, continues to engage in proactive investigations focusing on child sexual exploitation and human trafficking issues. 

Unfortunately, there is no shortage of people who use technology to facilitate crimes against children. I have participated in multiple undercover operations in which various offenders arranged and traveled to meetings for what they thought was a sex with a child. In some instances, the next offender arrived before we had completely cleared the suspect vehicle and visible law enforcement presence from the previous arrest.  It became an “air traffic control” problem of sorts.

The number of tips referred from the National Center for Missing and Exploited Children grows each year as technology providers have become more active in responding to safety issues and as the number of technology providers grows. We take each tip seriously, but with limited resources, we have to identify and focus on those threats that are most serious and imminent.

As trends have moved toward mobile devices, there is increased access to technology in schools and in homes, and young people, as well as offenders, have switched to social media platforms that leave little or no electronic “paper trail.” That makes it more and more difficult for parents or law enforcement to track the online activities of kids and track down offenders who have attempted improper contact with children. Law enforcement officers constantly train on new technologies and seek ways to effectively investigate crimes in a world that is "going dark." Encryption, data on foreign servers, unlockable devices and the dark web all pose unique problems for public safety professionals. The use of VPNs is increasing rapidly, as is the utilization of cloud storage instead of local storage. Furthermore, perpetrators of these crimes are growing increasingly aggressive, using extortion and threats of violence to further their crimes.

Years ago when I was District Attorney, I prosecuted what may have been the first case to popularize the term “sextortion” in America.  It was an incredibly complex case in which the offender used insidious methods to compromise his victims and extort them into non-consensual sexual activities. The extortion was done through threats of having compromising photos of the victims revealed to classmates. In the years that have followed, this type of criminal activity has become more common nationwide. The internet provides the anonymity and opportunity to deceive others about one’s actual identity and this has certainly facilitated this relatively new type of criminal activity. This poses very difficult challenges for parents, school officials and law enforcement.

The Privacy Advisor: A hot topic in Wisconsin and nationwide is the ability of victims, witnesses and property owners to block police body camera footage from becoming public. Given your deep background in law enforcement, what are your thoughts on policy body camera footage and the right to privacy?

Schimel: In an effort to create transparency for the public and media about law enforcement activities, provide clearer information to law enforcement supervisors about the activities of officers, produce stronger courtroom evidence, and protect officers from false claims, more and more police departments are implementing dash camera and body camera equipment. This technology, however, currently exists in very unclear territory. 

While access to body camera footage can provide helpful information to the public and media, we must balance that access against the privacy rights of citizens, particularly crime victims and witnesses, who may be the subject of the recordings. The effort to seek this balance has proved problematic in many cases, particularly when the recording is not made in a public setting. We are left with many unanswered questions, such as to what degree a homeowner has right to object to release of police camera footage when it was recorded in their home. Currently, public records laws do not squarely address this question. If the answer is that a member of the public has no standing to object to release of the footage, public cooperation with law enforcement may be impaired.

The Privacy Advisor: What do you see as the advantages or disadvantages of multistate collaborations between AGs to police data security and data loss?

Schimel: Multistate collaborations allow for much more powerful forces against specific crimes. Recently, we have seen that our coalition against opioid abuse has made significant strides in finding solutions to the nation’s drug epidemic. While we still have a long way to go, the power of a multi-state collaboration gives us the resources to effectively put an end to something that is tearing our communities apart. Issues only arise when we come to different conclusions. Certain issues may create problems with partisanship, but there is nothing partisan about cyber security, data security or data loss.