Critics say state police have risked gun buyers' privacy

Maryland State Police used an unencrypted website last week to transfer personal information about firearm purchasers into an online system used for background checks, a practice that gun rights advocates say compromised their privacy and security.

The state agency says it has no evidence that anybody's information was accessed improperly, arguing that it had safeguards in place.


But for some gun owners and lawmakers, the revelation compounded concerns about state efforts to tackle a massive backlog of background check applications. Officials put dozens of data-entry workers on the job from five state agencies, drawing complaints that only police are supposed to have access to applicants' information.

The trained workers were asked to transfer encrypted digital copies of paper applications, which contained buyers' names, addresses and Social Security numbers. But the documents were sent unencrypted into the state database through a site that was accessible to the public.

Experts say that left open the possibility for abuse.

"This is a stepping-stone to a breach: Someone could snoop on a legitimate user to steal his username/password and then breach the site," Michael Hicks, director of the Maryland Cybersecurity Center at the University of Maryland, College Park, said in an email.

He pointed out in an interview that the state was using a login and password system on the site, which is in line with common security practices. The question, he said, is whether such information should be on the Internet at all.

State police spokesman Greg Shipley said the website would not easily have turned up in an Internet search, and an individual could access the site only if they knew the URL.

"The scope, duration and data entry was selected to minimize the exposure to sophisticated hackers," Shipley said.

Patrick Shomo, president of the gun rights group Maryland Shall Issue and a computer programmer, alleged that the data was easily accessible on the open Internet until he and others in his group notified state police. He claims his own personal information was exposed.

"We want people notified and we want them to know their information was out there," Shomo said.