Prison video visitation systems are sometimes the only way family and lawyers can talk to inmates, particularly during the COVID-19 pandemic, but the security of those systems recently suffered a major lapse. Researcher Bob Diachenko told TechCrunch that video visitation provider HomeWAV left a database dashboard publicly accessible without a password since April, exposing “thousands” of calls between inmates and their attorneys. Anyone could read call logs and transcripts.
HomeWAV shut down the dashboard shortly after TC reported the issue. Company chief John Best confirmed the incident and said that a third-party vendor inadvertently removed the password restriction that kept the server private. He also promised to notify inmates, their families and lawyers.
It’s a particularly serious violation. While many US prisons record calls, they’re not supposed to monitor calls with lawyers due to attorney-client privilege — this suggests the calls were recorded in spite of that rule. And when the pandemic prevents in-person visitations, there’s a good chance that more of these calls were intercepted than usual.
This isn’t the only breach in recent months. Diachenko pointed out a flaw at TelMate that left millions of prisoner messages exposed. However, that just underscores the problem — inmates’ security and privacy issues frequently appear to go unnoticed.