HomeWAV, the prison’s video-visiting service, exposed private conversations between inmates and lawyers.

Most U.S. prisons still do not allow family members and lawyers to visit inmates because of concerns about the spread of the new coronavirus,media TechCrunch reported. Visitors are unable to see their loved ones who are serving their sentences, forcing friends and family to use expensive video-visiting services, which often do not work. But now the security and privacy of these systems are under review after a St. Louis-based prison video-visiting provider was found to have a security vulnerability that exposed phone calls between thousands of inmates and their families, but also their calls to lawyers, which should be protected by attorney-client privilege.

HomeWAV, the prison's video-visiting service, exposed private conversations between inmates and lawyers.

HomeWAV, which serves more than a dozen prisons across the United States, has a database that is exposed to the Internet without a password, allowing anyone to read, browse and search call logs and transcripts between inmates and their friends and family. The transcript also shows the caller’s phone number, which prisoner, and the time of the call.

Bob Diachenko, a security researcher who discovered the vulnerability, said the database had been public since at least April. TechCrunch reported the problem to HomeWAV, which shut down the system a few hours later.

In an email, HomeWAV CEO John Best confirmed the security breach. He told TechCrunch: “One of our third-party vendors has confirmed that they accidentally removed the password to allow access to the server. Best, who did not name third-party suppliers, said the company would notify prisoners, families and lawyers of the incident.

“What we’ve seen time and time again is that when the system fails, the rights of prisoners are the first to be trampled on — because it always is,” Somil Trivedi, a senior staff attorney for the ACLU’s Criminal Law Reform Program, told TechCrunch. “

“Our justice system is good only for the protection of the most vulnerable. As always, people of color, people who can’t afford a lawyer and people with disabilities will pay the highest price for this mistake. Trivedi said: “Technology does not address the fundamental flaws in the criminal legal system – if we are not careful and careful, it will exacerbate them.” “

Almost all U.S. prisons record inmates’ phone and video calls — even if they are not disclosed at the beginning of each call. Prosecutors and investigators are understood to be listening to the recordings in case the prisoner proves himself guilty during the call. However, due to the privileges of lawyers and clients, calls between prisoners and their lawyers should not be monitored, a rule that protects communications between lawyers and their clients from being used in court.

Nevertheless, there are known cases in which United States prosecutors have used recordings of calls between lawyers and imprisoned clients. Last year, prosecutors in Louisville, Kentucky, allegedly monitored dozens of phone calls between a murder suspect and his lawyer. And, earlier this year, Maine defense lawyers said they were often taped in several county jails, and that their calls under the privilege of lawyers’ clients were handed over to prosecutors in at least four cases.

HomeWAV’s website says: “Visitors will be informed that visits may be recorded and can be monitored unless they have previously registered as clergy or are legal representatives with whom prisoners have the right to communicate privilegedly.” “

But when asked, HomeWAV’s Best would not say why the company recorded and transcripted conversations protected by lawyer-client privilege. Several records reviewed by TechCrunch show that lawyers explicitly declared that their calls were protected by the attorney-client privilege, effectively telling anyone who listened that the calls were off-limits.

TechCrunch spoke with two lawyers whose communications with clients in prison have been recorded and tweed by HomeWAV over the past six months, but asked not to name them or their clients because doing so could harm their clients’ legal defences. Both expressed shock that their calls had been recorded. One of the lawyers said they verbally claimed the privileges of the lawyer and the client during the call, while the other argued that their call was protected by the privileges of the lawyer and the client, but declined to comment further until they spoke to the client.

Another defense attorney, Daniel Repka, confirmed to TechCrunch that a call he had made with a client in prison in September was recorded, tweed and later exposed, but said the call was insensitive. “We didn’t convey any information that was considered protected by attorney-client privilege,” Repka said. “Any time I have a client calling me from prison, I’m very aware of and aware that not only is there a potential security breach, but it’s also possible to be accessed by the county attorney’s office.”

“This is really the only way we can ensure that lawyers can represent their clients in the most effective and enthusiastic way available,” Repka said. He said: “The best practice for lawyers is to always visit your client in person in prison, where you are in a room where you have more privacy than a phone line, you know it has been designated as a recording device. “

But the challenges posed by the outbreak make it difficult to visit in person, or impossible in some states. The Marshall Plan, a nonpartisan group that focuses on U.S. criminal justice, says several states have suspended in-person visits, including legal visits, because of the threat posed by coronavirus. Even before the pandemic, some prisons ended up visiting in person and switched to video calls.

Video-visiting technology is now a multi-billion dollar industry, and companies like Securus make millions of dollars a year by charging callers high fees to call their imprisoned loved ones.

HomeWAV isn’t the only video-visiting service facing security issues. In 2015, an apparent vulnerability in Securus led to the disclosure of about 70 million prisoner phones by anonymous hackers and their sharing with The Intercept. According to the publication, many of the recordings in the cache also contain designated phones protected by attorney-client privilege.

In August, Diachenko reported a similar security breach at TelMate, another prison visiting service, where millions of prisoners’ information was leaked because of a password-free database.